--- smf_security.5.orig	Thu Mar 15 11:56:58 2007
+++ smf_security.5	Thu Mar 15 12:15:41 2007
@@ -24,11 +24,11 @@
 
      solaris.smf.modify  Authorized to  add,  delete,  or  modify
                          services,  service  instances,  or their
-                         properties.
+                         properties, and to read sensitive
+                         property values.
 
 
 
-
   Property Group Authorizations
      The smf(5)  configuration  subsystem  associates  properties
      with  each  service and service instance. Related properties
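Review bot: The clause added to solaris.smf.modify ("and to read sensitive property values") uses "sensitive" before the page defines it, and grants the read right without qualification. Suggest adding "See Sensitive Property Groups below", as the read_authorization entry does, so an administrator assigning solaris.smf.modify can see that it also discloses protected values. The blank line deleted before "Property Group Authorizations" looks unrelated to the change and could be dropped from the patch.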
@@ -79,8 +79,9 @@
 
 
 
-     solaris.smf.modify.application  Authorized to change  values
-                                     or create, delete, or modify
+     solaris.smf.modify.application  Authorized to change values,
+                                     read sensitive values, and
+                                     create, delete, or modify
                                      a  property  group  of  type
                                      application.
 
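Review bot: In the solaris.smf.modify.application entry, "read sensitive values" is left without an object, because "of type application" now attaches grammatically only to "create, delete, or modify a property group". Suggest wording such as "Authorized to change values of, read sensitive values of, and create, delete, or modify a property group of type application", so the scope of the read right is unambiguous.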
@@ -98,7 +99,8 @@
      solaris.smf.modify              Authorized to  add,  delete,
                                      or  modify services, service
                                      instances, or their  proper-
-                                     ties.
+                                     ties, and to read sensitive
+                                     property values.
 
 
 
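Review bot: This second solaris.smf.modify description repeats the wording added in the first hunk, and the new lines are set ragged against context that is justified and hyphenated ("proper-" / "ties"), which indicates the patch edits formatted output. Suggest making the change in the man page source and regenerating, so the two descriptions stay identical and the spacing stays consistent.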
@@ -110,7 +112,9 @@
 
      modify_authorization  Authorizations  allow  the   addition,
                            deletion,  or  modification of proper-
-                           ties within the property group.
+                           ties within the property group, and
+                           the retrieval of property values from
+                           the property group if sensitive.
 
 
 
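Review bot: In modify_authorization, the trailing "if sensitive" has no clear subject and can be read as applying either to the values or to the group. Suggest "and the retrieval of property values from the property group if the group is sensitive", matching the later definition of sensitivity as a status of the property group.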
@@ -117,15 +121,30 @@
 
      value_authorization   Authorizations  allow   changing   the
                            values of any property of the property
-                           group except modify_authorization.
+                           group except modify_authorization, and
+                           the retrieval of any property values
+                           except modify_authorization from the
+                           property group if sensitive.
 
 
 
 
+     read_authorization    Authorizations  allow  the   retrieval
+                           of property values within the property
+                           group.  The presence of a string-
+                           valued property with this name
+                           identifies the containing property
+                           group as sensitive.  This property has
+                           no effect on property groups of types
+                           other than application.  See Sensitive
+                           Property Groups below.
 
 
 
 
+
+
+
 SunOS 5.11            Last change: 2 Dec 04                     2
 
 
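Review bot: value_authorization excludes only modify_authorization, so as written a holder of value_authorization may change the value of the new read_authorization property and thereby widen who can read the group. If that is intended, say so in the read_authorization entry; if not, extend the exception to "except modify_authorization and read_authorization". Separately, the footer still reads "Last change: 2 Dec 04" and the three blank lines added above it appear to be repagination only; the date should be updated with this change.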
@@ -144,7 +163,20 @@
      values are used.
 
 
+  Sensitive Property Groups
+     Normally, all property values in the repository may be
+     read by any user without explicit authorization.  However,
+     property groups of type application may be used to store
+     properties with values which are sensitive; that is, they
+     must not be revealed except upon proper authorization.  A
+     property group's status as Sensitive is indicated by the
+     presence of a string-valued read_authorization property.  If
+     this property is present, the values of all properties in
+     the property group will be considered sensitive, and will be
+     retrievable only as described in Property Group
+     Authorizations above.
 
+
   Service Action Authorization
      Certain actions on service instances may result  in  service
      interruption  or  deactivation.  These  actions  require  an
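Review bot: The new Sensitive Property Groups section covers "the values of all properties" but does not say what an unauthorized reader gets back, or whether property names and types stay visible. Suggest stating both, and repeating here that a read_authorization property on a group of any type other than application has no effect, since that caveat currently appears only in the read_authorization entry. "Sensitive" is also capitalized once ("status as Sensitive") and lowercase everywhere else.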
