I feel obliged to point out that this blog post is roughly 5 years and 1 month old. People change, opinions evolve. In just a few years, vast technological landscapes can shift. And don't get me started on config files. Please consider this text in the context of its time.

Another addition to svcbundle was the ability to set

  • user
  • group
  • privileges

to directly create SMF manifests that need no manual editing to follow the best practice of always running services with the least necessary privileges.

svcbundle -s service-name=site/narf \
 -s start-method="/lib/svc/method/narf %m" \
 -s stop-method="/lib/svc/method/narf %m" \
 -s refresh-method="/lib/svc/method/narf %m" \
 -s model=daemon \
 -s user=webserv \
 -s group=webgrp \
 -s privileges='basic,!proc_session,!proc_info,!file_link_any,net_privaddr'
[..]
        <method_context>
            <method_credential user="webserv" group="webgrp"
                privileges="basic,!proc_session,!proc_info,!file_link_any,net_privaddr"
            />
        </method_context>

Please keep in mind that svcbundle doesn’t check if the user or group actually exists on your system, because most often you will create a manifest in development and the user and group on your production systems may be totally different ones.
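Because that check is left to you, it is worth running one on the production host before importing the manifest. The following is an added example, not part of the original post or of svcbundle: it reads every method_credential element of a manifest and reports users and groups that do not resolve on the local system. The wrapper elements of the sample manifest, the function names and the messages are assumptions made for illustration.

```python
import grp
import pwd
import xml.etree.ElementTree as ET

# Constructed sample: the fragment from the post, wrapped in minimal parent
# elements (hypothetical, trimmed) so that it parses on its own.
SAMPLE_MANIFEST = """<service_bundle type="manifest" name="site/narf">
 <service name="site/narf" type="service" version="1">
  <method_context>
   <method_credential user="webserv" group="webgrp"
     privileges="basic,!proc_session,!proc_info,!file_link_any,net_privaddr"/>
  </method_context>
 </service>
</service_bundle>"""

def _resolves(by_name, by_id, value):
    """True if value (a name or a numeric id) is known to this host."""
    try:
        if value.isdigit():
            by_id(int(value))
        else:
            by_name(value)
        return True
    except (KeyError, OverflowError):
        return False

def user_exists(user):
    return _resolves(pwd.getpwnam, pwd.getpwuid, user)

def group_exists(group):
    return _resolves(grp.getgrnam, grp.getgrgid, group)

def check_manifest(xml_text, user_ok=user_exists, group_ok=group_exists):
    """Return the problems found in every method_credential element."""
    problems = []
    for cred in ET.fromstring(xml_text).iter("method_credential"):
        user, group = cred.get("user"), cred.get("group")
        if user and not user_ok(user):
            problems.append(f"user {user!r} does not exist on this host")
        # ":default" selects the user's passwd group (smf_method), so skip it
        if group and group != ":default" and not group_ok(group):
            problems.append(f"group {group!r} does not exist on this host")
        if not cred.get("privileges"):
            problems.append("no privileges attribute set")
    return problems

if __name__ == "__main__":
    for problem in check_manifest(SAMPLE_MANIFEST):
        print("WARN:", problem)
```

Run it on the system where the service will be imported; the two lookup parameters exist so the check can also be exercised against a fixed list of accounts.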

Written by

Joerg Moellenkamp

Grey-haired, sometimes grey-bearded Windows dismissing Unix guy.