Diffstat (limited to 'usr/src/lib')
-rw-r--r--usr/src/lib/libc/port/gen/ttyname.c4
-rw-r--r--usr/src/lib/libdevinfo/devinfo_devperm.c67
-rw-r--r--usr/src/lib/libsecdb/auth_attr.txt2
-rw-r--r--usr/src/lib/libsecdb/help/auths/Makefile2
-rw-r--r--usr/src/lib/libsecdb/help/auths/SmfValueVt.html37
-rw-r--r--usr/src/lib/libsecdb/help/auths/SmfVtStates.html37
-rw-r--r--usr/src/lib/libsecdb/prof_attr.txt2
7 files changed, 145 insertions, 6 deletions
diff --git a/usr/src/lib/libc/port/gen/ttyname.c b/usr/src/lib/libc/port/gen/ttyname.c
index 24f2725199..01a4ea8cb7 100644
--- a/usr/src/lib/libc/port/gen/ttyname.c
+++ b/usr/src/lib/libc/port/gen/ttyname.c
@@ -124,6 +124,7 @@ static const entry_t dev_dir =
static const entry_t def_srch_dirs[] = { /* default search list */
{ "/dev/pts", MATCH_ALL },
+ { "/dev/vt", MATCH_ALL },
{ "/dev/term", MATCH_ALL },
{ "/dev/zcons", MATCH_ALL },
{ NULL, 0 }
@@ -537,6 +538,9 @@ srch_dir(const entry_t path, /* current path */
if (stat64(file_name, &tsb) < 0)
continue;
+ if (strcmp(file_name, "/dev/vt/active") == 0)
+ continue;
+
/*
* skip "/dev/syscon" because it may be an invalid link after
* single user mode.
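Review bot: The new skip of "/dev/vt/active" at the top of the hunk carries no comment, while the neighbouring "/dev/syscon" skip explains why that entry is excluded; presumably the active entry aliases whichever vt is current and the real /dev/vt/# name is preferred, but that should be stated, e.g. `/* skip "/dev/vt/active": it is not a distinct terminal name, prefer the real vt entry */` (confirm the reason before committing the wording). The check also sits after `stat64()`, so the excluded path is stat'ed before being discarded; moving the `strcmp` above the `stat64` call avoids a syscall on every directory scan. `srch_dir` begins and ends outside the hunk.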
diff --git a/usr/src/lib/libdevinfo/devinfo_devperm.c b/usr/src/lib/libdevinfo/devinfo_devperm.c
index 3f7380a2de..e2716af8d3 100644
--- a/usr/src/lib/libdevinfo/devinfo_devperm.c
+++ b/usr/src/lib/libdevinfo/devinfo_devperm.c
@@ -19,12 +19,10 @@
* CDDL HEADER END
*/
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
-#pragma ident "%Z%%M% %I% %E% SMI"
-
#define _POSIX_PTHREAD_SEMANTICS /* for getgrnam_r */
#ifdef lint
#define _REENTRANT /* for strtok_r */
@@ -56,9 +54,12 @@
#include <strings.h>
#include <libdevinfo.h>
#include <zone.h>
+#include <fcntl.h>
+#include <utmpx.h>
extern int is_minor_node(const char *, const char **);
+static int is_login_user(uid_t);
static int logindevperm(const char *, uid_t, gid_t, void (*)());
static int dir_dev_acc(char *, char *, uid_t, gid_t, mode_t, char *line,
void (*)());
@@ -192,8 +193,21 @@ logindevperm(const char *ttyn, uid_t uid, gid_t gid, void (*errmsg)(char *))
if (console == NULL)
continue; /* ignore blank lines */
- if (strcmp(console, ttyn) != 0)
- continue; /* not our tty, skip */
+ /*
+ * If "console" read from /dev/logindevperm is
+ * "/dev/vt/active", then the first user who logged into
+ * consoles (/dev/vt/# or /dev/console) takes ownership.
+ * Otherwise the first user who logged into "console"
+ * takes owership.
+ */
+ if (strcmp(console, ttyn) != 0) {
+ if (strcmp(console, "/dev/vt/active") != 0)
+ continue; /* not our tty, skip */
+ if (strncmp(ttyn, "/dev/vt/",
+ strlen("/dev/vt/")) != 0 && strcmp(ttyn,
+ "/dev/console") != 0)
+ continue; /* not our tty, skip */
+ }
mode_str = strtok_r(last, field_delims, &last);
if (mode_str == NULL) {
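Review bot: The prefix test `strncmp(ttyn, "/dev/vt/", strlen("/dev/vt/")) != 0` accepts any name under that directory, including "/dev/vt/active" itself and any further path components, whereas the comment above promises "/dev/vt/#"; if only numbered vt entries should qualify when the logindevperm entry is "/dev/vt/active", check that the remainder of `ttyn` after the prefix is non-empty and consists of digits (for example with `strspn` against "0123456789"). The comment also has a typo: "takes owership" should read "takes ownership". `logindevperm` begins and ends outside the hunk.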
@@ -372,6 +386,38 @@ check_driver_match(char *path, char *line)
}
/*
+ * Check whether the user has logged onto "/dev/console" or "/dev/vt/#".
+ */
+static int
+is_login_user(uid_t uid)
+{
+ int changed = 0;
+ struct passwd pwd, *ppwd;
+ char pwd_buf[NSS_BUFLEN_PASSWD];
+ struct utmpx *utx;
+
+ if ((getpwuid_r(uid, &pwd, pwd_buf, NSS_BUFLEN_PASSWD, &ppwd))) {
+ return (0);
+ }
+
+ setutxent();
+ while ((utx = getutxent()) != NULL) {
+ if (utx->ut_type == USER_PROCESS &&
+ strncmp(utx->ut_user, ppwd->pw_name,
+ strlen(ppwd->pw_name)) == 0 && (strncmp(utx->ut_line,
+ "console", strlen("console")) == 0 || strncmp(utx->ut_line,
+ "vt", strlen("vt")) == 0)) {
+
+ changed = 1;
+ break;
+ }
+ }
+ endutxent();
+
+ return (changed);
+}
+
+/*
* Apply owner/group/perms to all files (except "." and "..")
* in a directory.
* This function is recursive. We start with "/" and the rest of the pathname
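Review bot: `is_login_user` dereferences `ppwd` without checking it for NULL; with `_POSIX_PTHREAD_SEMANTICS` defined, the five-argument `getpwuid_r` returns 0 and leaves `ppwd` NULL when the uid has no passwd entry, so a device node owned by an unknown uid would crash the caller. The guard should be `if (getpwuid_r(uid, &pwd, pwd_buf, NSS_BUFLEN_PASSWD, &ppwd) != 0 || ppwd == NULL)`. The user comparison is a prefix match bounded by the passwd name, so a user whose name is a prefix of a logged-in user's name (`bob` vs `bobby`) is reported as logged in and the caller then leaves the device with its current owner; compare the whole field instead, `strncmp(utx->ut_user, ppwd->pw_name, sizeof (utx->ut_user)) == 0`. The `ut_line` tests are likewise prefix matches on "console" and "vt", which may be intended for lines such as vt/N; if so, a comment saying that would stop a later reader tightening them.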
@@ -423,6 +469,17 @@ dir_dev_acc(char *path, char *left_to_do, uid_t uid, gid_t gid, mode_t mode,
if (strlen(left_to_do) == 0) {
/* finally check the driver matches */
if (check_driver_match(path, line) == 0) {
+ /*
+ * if the owner of device has been
+ * login, the ownership and mode
+ * should be set already. in
+ * this case, do not set the
+ * permissions.
+ */
+ if (is_login_user(stat_buf.st_uid)) {
+
+ return (0);
+ }
/* we are done, set the permissions */
if (setdevaccess(path,
uid, gid, mode, errmsg)) {
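Review bot: The early `return (0)` in the new block skips `setdevaccess` whenever the node's current owner has a console or vt session, and uid 0 is not special-cased; if the node is still owned by root when this runs and root has a console session, the new login never receives ownership — confirm that is intended, or exclude `stat_buf.st_uid == 0` from the `is_login_user` check. The comment above it should also read as a sentence, e.g. `/* If the current owner of the device is logged in on the console or a vt, ownership and mode were already set for them; leave them unchanged. */`, and the blank line after `if (is_login_user(stat_buf.st_uid)) {` can go. `dir_dev_acc` and `stat_buf` are declared outside the hunk.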
diff --git a/usr/src/lib/libsecdb/auth_attr.txt b/usr/src/lib/libsecdb/auth_attr.txt
index 6c671a5d75..42ec91a1b1 100644
--- a/usr/src/lib/libsecdb/auth_attr.txt
+++ b/usr/src/lib/libsecdb/auth_attr.txt
@@ -141,6 +141,7 @@ solaris.smf.manage.system-log:::Manage Syslog Service States::help=SmfSyslogStat
solaris.smf.manage.tnctl:::Manage Refresh of Trusted Network Parameters::help=TNctl.html
solaris.smf.manage.tnd:::Manage Trusted Network Daemon::help=TNDaemon.html
solaris.smf.manage.vscan:::Manage VSCAN Service States::help=SmfVscanStates.html
+solaris.smf.manage.vt:::Manage Virtual Console Service States::help=SmfVtStates.html
solaris.smf.manage.wpa:::Manage WPA Service States::help=SmfWpaStates.html
solaris.smf.manage.ndmp:::Manage NDMP Service States::help=SmfNDMPStates.html
solaris.smf.value.:::Change Values of SMF Service Properties::help=SmfValueHeader.html
@@ -158,6 +159,7 @@ solaris.smf.read.smb:::Read permission for protected SMF SMB Service Properties:
solaris.smf.value.routing:::Change Values of SMF Routing Properties::help=SmfValueRouting.html
solaris.smf.value.tnd:::Change Trusted Network Daemon Service Property Values::help=ValueTND.html
solaris.smf.value.vscan:::Change Values of VSCAN Properties::help=SmfValueVscan.html
+solaris.smf.value.vt:::Change Values of Virtual Console Service Properties::help=SmfValueVt.html
solaris.smf.value.ndmp:::Change Values of SMF NDMP Service Properties::help=SmfValueNDMP.html
solaris.smf.read.ndmp:::Read permission for protected SMF NDMP Service Properties::help=AuthReadNDMP.html
#
diff --git a/usr/src/lib/libsecdb/help/auths/Makefile b/usr/src/lib/libsecdb/help/auths/Makefile
index f279119a4d..af16336769 100644
--- a/usr/src/lib/libsecdb/help/auths/Makefile
+++ b/usr/src/lib/libsecdb/help/auths/Makefile
@@ -91,6 +91,7 @@ HTMLENTS = \
SmfValueExAcctFlow.html \
SmfValueExAcctProcess.html \
SmfValueExAcctTask.html \
+ SmfVtStates.html \
SmfValueHeader.html \
SmfValueInetd.html \
SmfValueIPsec.html \
@@ -107,6 +108,7 @@ HTMLENTS = \
SmfSMBStates.html \
SmfValueVscan.html \
SmfVscanStates.html \
+ SmfValueVt.html \
SmfWpaStates.html \
NetworkAutoconf.html \
NetworkHeader.html \
diff --git a/usr/src/lib/libsecdb/help/auths/SmfValueVt.html b/usr/src/lib/libsecdb/help/auths/SmfValueVt.html
new file mode 100644
index 0000000000..8ff346cbbc
--- /dev/null
+++ b/usr/src/lib/libsecdb/help/auths/SmfValueVt.html
@@ -0,0 +1,37 @@
+<HTML>
+<!--
+ CDDL HEADER START
+
+ The contents of this file are subject to the terms of the
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
+
+ You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ or http://www.opensolaris.org/os/licensing.
+ See the License for the specific language governing permissions
+ and limitations under the License.
+
+ When distributing Covered Code, include this CDDL HEADER in each
+ file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ If applicable, add the following below this CDDL HEADER, with the
+ fields enclosed by brackets "[]" replaced with your own identifying
+ information: Portions Copyright [yyyy] [name of copyright owner]
+
+ CDDL HEADER END
+
+Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+Use is subject to license terms.
+-->
+<!--
+ <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
+-->
+<BODY>
+When Value Virtual Console Properties is in the Authorizations Include
+column, it grants the the authorization to change virtual console service
+property values.
+<P>
+If Value Virtual Console Properties is grayed, then you are not entitled to
+Add or Remove this authorization.
+<BR>&nbsp;
+</BODY>
+</HTML>
diff --git a/usr/src/lib/libsecdb/help/auths/SmfVtStates.html b/usr/src/lib/libsecdb/help/auths/SmfVtStates.html
new file mode 100644
index 0000000000..33b660289c
--- /dev/null
+++ b/usr/src/lib/libsecdb/help/auths/SmfVtStates.html
@@ -0,0 +1,37 @@
+<HTML>
+<!--
+ CDDL HEADER START
+
+ The contents of this file are subject to the terms of the
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
+
+ You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ or http://www.opensolaris.org/os/licensing.
+ See the License for the specific language governing permissions
+ and limitations under the License.
+
+ When distributing Covered Code, include this CDDL HEADER in each
+ file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ If applicable, add the following below this CDDL HEADER, with the
+ fields enclosed by brackets "[]" replaced with your own identifying
+ information: Portions Copyright [yyyy] [name of copyright owner]
+
+ CDDL HEADER END
+
+Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+Use is subject to license terms.
+-->
+<!--
+ <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
+-->
+<BODY>
+When Manage Virtual Console Service States is in the Authorizations Include
+column, it grants the authorization to enable, disable, or
+restart the virtual console daemon.
+<p>
+If Manage Virtual Console Service States is grayed, then you are not entitled
+to Add or Remove this authorization.
+<BR>&nbsp;
+</BODY>
+</HTML>
diff --git a/usr/src/lib/libsecdb/prof_attr.txt b/usr/src/lib/libsecdb/prof_attr.txt
index 4c09ff6b49..2fb7504a67 100644
--- a/usr/src/lib/libsecdb/prof_attr.txt
+++ b/usr/src/lib/libsecdb/prof_attr.txt
@@ -39,7 +39,7 @@ Printer Management:::Manage printers, daemons, spooling:auths=solaris.print.*,so
Cron Management:::Manage at and cron jobs:auths=solaris.jobs.*,solaris.smf.manage.cron;help=RtCronMngmnt.html
Log Management:::Manage log files:help=RtLogMngmnt.html
Basic Solaris User:::Automatically assigned rights:auths=solaris.profmgr.read,solaris.jobs.user,solaris.mail.mailq,solaris.device.mount.removable;profiles=All;help=RtDefault.html
-Device Security:::Manage devices and Volume Manager:auths=solaris.device.*;help=RtDeviceSecurity.html
+Device Security:::Manage devices and Volume Manager:auths=solaris.device.*,solaris.smf.manage.vt;help=RtDeviceSecurity.html
DHCP Management:::Manage the DHCP service:auths=solaris.dhcpmgr.*;help=RtDHCPMngmnt.html
Extended Accounting Flow Management:::Manage the Flow Extended Accounting service:auths=solaris.smf.manage.extended-accounting.flow,solaris.smf.value.extended-accounting.flow;profiles=acctadm;help=RtExActtFlow.html
Extended Accounting Process Management:::Manage the Process Extended Accounting service:auths=solaris.smf.manage.extended-accounting.process,solaris.smf.value.extended-accounting.process;profiles=acctadm;hep=RtExAcctProcess.html
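Review bot: The Device Security profile now carries `solaris.smf.manage.vt`, so every holder of that profile can enable, disable or restart the virtual console service; its companion `solaris.smf.value.vt`, defined in the same change in auth_attr.txt, is not granted to any profile here. If leaving the value authorization out is deliberate (changing service properties being a wider grant than changing service state), it is worth recording that in the change description; otherwise it may belong in the same `auths=` list.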