Solaris

Even more new options for svcbundle

Joerg Moellenkamp
Joerg Moellenkamp

Another addition to svcbundle was the addition to set

  • user
  • group
  • privileges

to directly create manifests for SMF that didn’t need manual editing to adhere to the best practice that you should run services always at the least nescesarry privileges.

svcbundle -s service-name=site/narf \
 -s start-method="/lib/svc/method/narf %m" \
 -s stop-method="/lib/svc/method/narf %m" \
 -s refresh-method="/lib/svc/method/narf %m" \
 -s model=daemon \
 -s user=webserv \
 -s group=webgrp \
 -s privileges='basic,!proc_session,!proc_info,!file_link_any,net_privaddr'
[..]
        <method_context>
            <method_credential user="webserv" group="webgrp"
                privileges="basic,!proc_session,!proc_info,!file_link_any,net_privaddr"
            />
        </method_context>

Please keep in mind, that svcbundle doesn’t check if the user or group actually exists on your system, because most often you will create a manifest in development and the user and group on you production systems may be totally different ones.

Joerg Moellenkamp
Written by

Joerg Moellenkamp

Grey-haired, sometimes grey-bearded Windows dismissing Unix guy.

You may also like...

Solaris

Solaris 11: Network Condition Simulator

A long time ago i wrote about a driver for Opensolaris called `hitbox` or `htbx`. This driver enabled a Solaris system to simulate properties of a network li...

Solaris

Solaris 10/11: Account locking and passwordless SSH

One of the nice things about SSH is passwordless login. However that doesn't mean that passwords can't ruin your day. Let's assume you have an account on a s...

Solaris

Solaris 11.4 SRU 60: Sample separation in iostat

As i had quite a fight with a larger IKEA PAX closet for my bedroom, i hadn't quite the time to complete the ZFS retention article so far. Thus today a small...