Hi Jason,

Jason Zhao said the following on Wednesday 13 May 2009 09:38 AM:
> Hi, Srirama,
>
> Thank you very much for your comments, please see reply in line.
>
>>
>> 3. In snort.xml, in 'start' exec_method do you require method_context 
>> to define user & group as noaccess and set basic privilege set?
>>     AFAIK, the privs specified in the authorizations you have added 
>> into RBAC files should just be enough. Please check.
> Since the snort SMF user and group is "noaccess:noaccess", I think
> the user doesn't have the privilege to write SMF, so it needs the "basic"
> privilege.
> In my test, if the user is "root", the basic privilege isn't
> necessary. However, as for the "noaccess" user, the "basic" privilege
> is required.
>
> As follows:
>
> 1. Run snort SMF service *without* "basic" privilege.
> [root at beigai:/var/run]# svccfg import /var/svc/manifest/network/snort.xml
> [root at beigai:/var/run]# svcadm disable snort
> [root at beigai:/var/run]# svcadm enable snort
> [root at beigai:/var/run]# svcs -a | grep snort
> maintenance    10:49:57 svc:/network/snort:default
>
> 2. Run snort SMF service *with* "basic" privilege.
> [root at beigai:/var/run]# svccfg import /var/svc/manifest/network/snort.xml
> [root at beigai:/var/run]# svcadm disable snort
> [root at beigai:/var/run]# svcadm enable snort
> [root at beigai:/var/run]# svcs -a | grep snort
> online         10:49:13 svc:/network/snort:default

Okay.


> Please review the 2nd version, thank you!
>
> http://cr.opensolaris.org/~jxzhao/snort/
The updated webrev looks good to me.

Please do make sure that you resync your workspace so that you do not 
revert the recent changes made to sfw gate.

Thanks,
Srirama
