svc.configd should be less trusting of cross-zone callers
svc.configd will accept door calls from anyone with permission on the door, but its authentication scheme is based on the authorizations contained in the name service of the local zone. If the name service isn't synced, this will lead to confusion at best. At present, this is only a nit, but with Joyent's changes (#945/#947) it becomes much more obvious that a cross-zone call is something you can do, and we should probably fix it.
I propose that svc.configd should require that a caller have all privileges if it is coming from a zone other than that in which configd is running.
Due to this same basic issue with regard to the filesystem, by default only root may enter the zone root from the NGZ, so the GZ admin would have to put effort into getting themselves into this mess (giving at least file_dac_search and probably others to a GZ user), so I don't consider it pressing.
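The check proposed above could look like the following sketch. It is an added example, not svc.configd's code: the `struct caller` layout, the `check_caller` and `caller_from_door` names, and the choice to accept a fully privileged cross-zone caller without a name-service lookup are assumptions. The illumos credential calls are compiled only where `__sun` is defined.

```c
#include <stdbool.h>
#include <stdio.h>

/* Facts about a door caller. Field names are assumptions for this example. */
struct caller {
    int  zoneid;      /* zone the call came from, -1 if unknown */
    bool full_privs;  /* effective set holds every privilege */
    bool authorized;  /* result of the local-zone authorization lookup */
};

enum decision { ALLOW, DENY_UNAUTHORIZED, DENY_CROSS_ZONE };

/*
 * Local callers keep the authorization-based check. A caller from any other
 * zone (or an unknown one) is judged on privileges alone, because the local
 * name service says nothing reliable about that zone's users.
 */
enum decision check_caller(int my_zone, const struct caller *c)
{
    if (c->zoneid < 0 || c->zoneid != my_zone)
        return c->full_privs ? ALLOW : DENY_CROSS_ZONE;
    return c->authorized ? ALLOW : DENY_UNAUTHORIZED;
}

#ifdef __sun  /* credential extraction, only built on illumos/Solaris */
#include <door.h>
#include <priv.h>
#include <ucred.h>

/* Call from inside the door server procedure; returns 0 on success. */
int caller_from_door(struct caller *c)
{
    ucred_t *uc = NULL;
    if (door_ucred(&uc) != 0)
        return -1;
    const priv_set_t *eff = ucred_getprivset(uc, PRIV_EFFECTIVE);
    c->zoneid = (int)ucred_getzoneid(uc);
    c->full_privs = (eff != NULL && priv_isfullset(eff));
    ucred_free(uc);
    return 0;
}
#endif

int main(void)
{
    /* Constructed sample: GZ user whose name matches an authorized NGZ user. */
    struct caller gz_user = { 0, false, true };
    printf("decision=%d\n", check_caller(3, &gz_user));
    return 0;
}
```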