authorgww <gary.winiger@oracle.com>2010-07-07 16:44:54 -0700
committergww <gary.winiger@oracle.com>2010-07-07 16:44:54 -0700
commit07925104db56e5c3eacc4865b918bd16af5cec59 (patch)
tree3cdb281edd4080184ccb9616043abd948e492a18 /usr/src/lib
parent448bf8594153765bb5fce82a8888e01e3f6c3bad (diff)
downloadillumos-joyent-07925104db56e5c3eacc4865b918bd16af5cec59.tar.gz
PSARC/2010/003 EOL and removal of audit_user(4) and getauusernam(3bsm)
6914742 remove audit_user phase 1 PSARC/2010/003 EOL and removal of audit_user(4) and getauusernam(3bsm)
Diffstat (limited to 'usr/src/lib')
-rw-r--r--usr/src/lib/libbc/libc/gen/common/getfaudflgs.c86
-rw-r--r--usr/src/lib/libbc/sparc/Makefile5
-rw-r--r--usr/src/lib/libbsm/Makefile5
-rw-r--r--usr/src/lib/libbsm/Makefile.com4
-rw-r--r--usr/src/lib/libbsm/audit_user.txt34
-rw-r--r--usr/src/lib/libbsm/common/au_usermask.c113
-rw-r--r--usr/src/lib/libbsm/common/audit_user.c141
-rw-r--r--usr/src/lib/libbsm/common/libbsm.h14
-rw-r--r--usr/src/lib/libbsm/common/mapfile-vers6
-rw-r--r--usr/src/lib/libsecdb/user_attr.txt5
10 files changed, 67 insertions, 346 deletions
diff --git a/usr/src/lib/libbc/libc/gen/common/getfaudflgs.c b/usr/src/lib/libbc/libc/gen/common/getfaudflgs.c
deleted file mode 100644
index 7a17b58af9..0000000000
--- a/usr/src/lib/libbc/libc/gen/common/getfaudflgs.c
+++ /dev/null
@@ -1,86 +0,0 @@
-/*
- * CDDL HEADER START
- *
- * The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License"). You may not use this file except in compliance
- * with the License.
- *
- * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
- * or http://www.opensolaris.org/os/licensing.
- * See the License for the specific language governing permissions
- * and limitations under the License.
- *
- * When distributing Covered Code, include this CDDL HEADER in each
- * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
- * If applicable, add the following below this CDDL HEADER, with the
- * fields enclosed by brackets "[]" replaced with your own identifying
- * information: Portions Copyright [yyyy] [name of copyright owner]
- *
- * CDDL HEADER END
- */
-/*
- * Copyright 1992 Sun Microsystems, Inc. All rights reserved.
- * Use is subject to license terms.
- */
-
-#pragma ident "%Z%%M% %I% %E% SMI"
-
-#include <sys/types.h>
-#include <sys/label.h>
-#include <sys/audit.h>
-
-#define MAXSTRLEN 360
-
-/* getfaudflgs.c */
-
-/*
- * getfauditflags() - combines system event flag mask with user event
- * flag masks.
- *
- * input: usremasks->as_success - always audit on success
- * usremasks->as_failure - always audit on failure
- * usrdmasks->as_success - never audit on success
- * usrdmasks->as_failure - never audit on failure
- *
- * output: lastmasks->as_success - audit on success
- * lastmasks->as_failure - audit on failure
- *
- * returns: 0 - ok
- * -1 - error
- */
-
-int
-getfauditflags(audit_state_t *usremasks, audit_state_t *usrdmasks,
- audit_state_t *lastmasks)
-{
- int len = MAXSTRLEN, retstat = 0;
- char s_auditstring[MAXSTRLEN];
- audit_state_t masks;
-
- masks.as_success = 0;
- masks.as_failure = 0;
- /*
- * get system audit mask and convert to bit mask
- */
- if ((getacflg(s_auditstring, len)) >= 0) {
- if ((getauditflagsbin(s_auditstring, &masks)) != 0)
- retstat = -1;
- } else
- retstat = -1;
-
- /*
- * combine system and user event masks
- */
- if (retstat == 0) {
- lastmasks->as_success = masks.as_success;
- lastmasks->as_failure = masks.as_failure;
-
- lastmasks->as_success |= usremasks->as_success;
- lastmasks->as_failure |= usremasks->as_failure;
-
- lastmasks->as_success &= ~(usrdmasks->as_success);
- lastmasks->as_failure &= ~(usrdmasks->as_failure);
- }
- return (retstat);
-}
diff --git a/usr/src/lib/libbc/sparc/Makefile b/usr/src/lib/libbc/sparc/Makefile
index b36c5a35ab..a0c3098dfc 100644
--- a/usr/src/lib/libbc/sparc/Makefile
+++ b/usr/src/lib/libbc/sparc/Makefile
@@ -19,8 +19,7 @@
# CDDL HEADER END
#
#
-# Copyright 2010 Sun Microsystems, Inc. All rights reserved.
-# Use is subject to license terms.
+# Copyright (c) 1990, 2010, Oracle and/or its affiliates. All rights reserved.
#
#
@@ -61,7 +60,7 @@ clock.o closedir.o crypt.o ctime.o ctype_.o\
drand48.o dysize.o errlst.o execvp.o exit.o exportent.o ecvt.o\
fabs.o fmod.o frexp.o\
fstab.o ftok.o ftw.o getacinfo.o getauid.o getauditflags.o \
-getcwd.o getenv.o getfaudflgs.o getgraent.o getlogin.o \
+getcwd.o getenv.o getgraent.o getlogin.o \
getopt.o getsubopt.o getpwaent.o getttyent.o\
getttynam.o getusershell.o grpauth.o hsearch.o\
ieee_globals.o index.o isatty.o \
diff --git a/usr/src/lib/libbsm/Makefile b/usr/src/lib/libbsm/Makefile
index e437475e3b..9b522bff9e 100644
--- a/usr/src/lib/libbsm/Makefile
+++ b/usr/src/lib/libbsm/Makefile
@@ -19,8 +19,7 @@
# CDDL HEADER END
#
#
-# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
-# Use is subject to license terms.
+# Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
#
include ../Makefile.lib
@@ -71,7 +70,7 @@ clean clobber delete: $(SUBDIRS)
ROOTETCSECURITY = $(ROOT)/etc/security
$(ROOTETCSECURITY) := DIRMODE = 0755
-ESFILES = audit_class audit_control audit_event audit_user
+ESFILES = audit_class audit_control audit_event
ESSRC = $(ESFILES:%=%.txt)
ETCSECURITYFILES = $(ESFILES:%=$(ROOTETCSECURITY)/%)
$(ETCSECURITYFILES) := FILEMODE = 0644
diff --git a/usr/src/lib/libbsm/Makefile.com b/usr/src/lib/libbsm/Makefile.com
index f3c98c8467..857b565826 100644
--- a/usr/src/lib/libbsm/Makefile.com
+++ b/usr/src/lib/libbsm/Makefile.com
@@ -19,8 +19,7 @@
# CDDL HEADER END
#
#
-# Copyright 2010 Sun Microsystems, Inc. All rights reserved.
-# Use is subject to license terms.
+# Copyright (c) 1997, 2010, Oracle and/or its affiliates. All rights reserved.
#
LIBRARY = libbsm.a
@@ -53,7 +52,6 @@ OBJECTS= adr.o \
audit_rshd.o \
audit_settid.o \
audit_shutdown.o \
- audit_user.o \
bsm.o \
generic.o \
getacinfo.o \
diff --git a/usr/src/lib/libbsm/audit_user.txt b/usr/src/lib/libbsm/audit_user.txt
deleted file mode 100644
index e951336a85..0000000000
--- a/usr/src/lib/libbsm/audit_user.txt
+++ /dev/null
@@ -1,34 +0,0 @@
-#
-# Copyright 2005 Sun Microsystems, Inc. All rights reserved.
-# Use is subject to license terms.
-#
-# CDDL HEADER START
-#
-# The contents of this file are subject to the terms of the
-# Common Development and Distribution License, Version 1.0 only
-# (the "License"). You may not use this file except in compliance
-# with the License.
-#
-# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
-# or http://www.opensolaris.org/os/licensing.
-# See the License for the specific language governing permissions
-# and limitations under the License.
-#
-# When distributing Covered Code, include this CDDL HEADER in each
-# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
-# If applicable, add the following below this CDDL HEADER, with the
-# fields enclosed by brackets "[]" replaced with your own identifying
-# information: Portions Copyright [yyyy] [name of copyright owner]
-#
-# CDDL HEADER END
-#
-# ident "%Z%%M% %I% %E% SMI"
-#
-#
-# User Level Audit User File
-#
-# File Format
-#
-# username:always:never
-#
-root:lo:no
diff --git a/usr/src/lib/libbsm/common/au_usermask.c b/usr/src/lib/libbsm/common/au_usermask.c
index 4ab8313fe4..a693c1f4cb 100644
--- a/usr/src/lib/libbsm/common/au_usermask.c
+++ b/usr/src/lib/libbsm/common/au_usermask.c
@@ -20,83 +20,90 @@
*/
/*
- * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
- * Use is subject to license terms.
+ * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
*/
-#include <sys/types.h>
-#include <stdio.h>
-#include <bsm/audit.h>
+#include <errno.h>
+#include <nss.h>
+#include <secdb.h>
+#include <stdlib.h>
+#include <string.h>
+#include <user_attr.h>
+#include <zone.h>
+
#include <bsm/libbsm.h>
-#define AUDITSTRING_LEN 512
+#include <adt_xlate.h> /* adt_write_syslog */
+
+/* ARGSUSED */
+static int
+audit_flags(const char *name, kva_t *kva, void *ctxt, void *pres)
+{
+ char *val;
+
+ if ((val = kva_match(kva, USERATTR_AUDIT_FLAGS_KW)) != NULL) {
+ if ((*(char **)ctxt = strdup(val)) == NULL) {
+ adt_write_syslog("au_user_mask strdup failed", errno);
+ }
+ return (1);
+ }
+ return (0);
+}
/*
- * Initialize audit preselection mask. This function should be used
- * by applications like login that set the process preselection mask
- * when a connection or a session is created.
- *
- * First, the system wide default audit flags are obtained
- * from the audit_control(5) file.
- *
- * Next, the "always audit" flags, obtained from the audit_user(5) database,
- * are added.
- *
- * Finally, the "never audit" flags, also obtained from the audit_user(5)
- * database, are subtracted.
+ * Build user's audit preselection mask.
*
- * The mask returned can be expressed as:
+ * per-user audit flags are optional and may be missing.
+ * If global zone auditing is set, a local zone cannot reduce the default
+ * flags.
*
- * (default audit flags + alway audit flags) - never audit flags
- *
- * If the lookup to audit_control(5) fails, then this function returns
- * an error. If the lookup to audit_user(5), the function silently
- * continues.
+ * success flags = (system default success flags + per-user always success) -
+ * per-user never success flags
+ * failure flags = (system default failure flags + per-user always failure) -
+ * per-user never failure flags
*/
+
int
-au_user_mask(char *username, au_mask_t *p_mask)
+au_user_mask(char *user, au_mask_t *mask)
{
- char auditstring[AUDITSTRING_LEN];
- au_user_ent_t *p_user = NULL;
- int retval = -1;
+ char *last = NULL;
+ char deflt[360]; /* matches stuff in getac*.c */
+ char *user_flags = NULL;
- if (p_mask == NULL)
+ if (mask == NULL) {
return (-1);
+ }
/*
- * Get the system wide default audit flags out of the audit_control(5)
- * file.
+ * Get the default audit flags.
*/
+
setac();
- if (getacflg(auditstring, AUDITSTRING_LEN) == 0) {
- if (getauditflagsbin(auditstring, p_mask) == 0) {
- retval = 0;
- }
+ if (getacflg(deflt, sizeof (deflt)) != 0) {
+ endac();
+ return (-1);
}
endac();
+ (void) getauditflagsbin(deflt, mask);
/*
- * If you can't get the system wide flags, return an error code
- * now and don't bother trying to get the user specific flags.
+ * Get per-user audit flags.
*/
- if (retval != 0) {
- return (-1);
- }
+ (void) _enum_attrs(user, audit_flags, &user_flags, NULL);
+ if (user_flags != NULL) {
+ au_user_ent_t per_user;
- /*
- * Get the always audit flags and the never audit flags from
- * the audit_user(5) database.
- */
- setauuser();
- if ((p_user = getauusernam(username)) != (au_user_ent_t *)NULL) {
- /* Add always audit flags. */
- p_mask->as_success |= p_user->au_always.as_success;
- p_mask->as_failure |= p_user->au_always.as_failure;
- /* Subtract never audit flags. */
- p_mask->as_success &= ~(p_user->au_never.as_success);
- p_mask->as_failure &= ~(p_user->au_never.as_failure);
+ (void) getauditflagsbin(_strtok_escape(user_flags,
+ KV_AUDIT_DELIMIT, &last), &(per_user.au_always));
+ (void) getauditflagsbin(_strtok_escape(NULL,
+ KV_AUDIT_DELIMIT, &last), &(per_user.au_never));
+ /* merge default and per-user */
+ mask->as_success |= per_user.au_always.as_success;
+ mask->as_failure |= per_user.au_always.as_failure;
+ mask->as_success &= ~(per_user.au_never.as_success);
+ mask->as_failure &= ~(per_user.au_never.as_failure);
+ free(user_flags);
}
- endauuser();
return (0);
}
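Review bot: The return values of getauditflagsbin() are discarded at the new `(void) getauditflagsbin(deflt, mask);` and at both per-user calls, while the removed code returned -1 when the default flags failed to parse and (in auuserstr2ent) treated an unparsable "always" string as no entry and an unparsable "never" string as AU_MASK_NONE; since `per_user` is declared without an initializer, a malformed audit_flags value now merges whatever is on the stack into `*mask`, which can either widen or silently narrow what gets audited. A value without a KV_AUDIT_DELIMIT separator also makes the second `_strtok_escape(NULL, ...)` return NULL, which is passed straight to getauditflagsbin(); whether that function tolerates NULL is not visible here. The comment "If global zone auditing is set, a local zone cannot reduce the default flags" describes a check that does not appear anywhere in this hunk (zone.h is included but unused here), so it is presumably enforced elsewhere or is a leftover to be confirmed. In audit_flags(), a failed strdup() is logged but leaves `user_flags` NULL, so the caller cannot distinguish "no per-user flags" from an allocation failure and proceeds with the defaults only; that fallback deserves at least a comment stating it is intentional. The rewrite below restores the old parse-failure semantics and guards the NULL token.
```c
	if (getacflg(deflt, sizeof (deflt)) != 0 ||
	    getauditflagsbin(deflt, mask) != 0) {
		/* unparsable system defaults are an error, as before */
		endac();
		return (-1);
	}
	endac();
	/* … unchanged: comment and _enum_attrs() call … */
	if (user_flags != NULL) {
		au_user_ent_t per_user = { 0 };
		char *always = _strtok_escape(user_flags, KV_AUDIT_DELIMIT, &last);
		char *never = _strtok_escape(NULL, KV_AUDIT_DELIMIT, &last);

		/* a malformed "always" string is treated as no per-user entry */
		if (always != NULL &&
		    getauditflagsbin(always, &(per_user.au_always)) == 0) {
			/* a missing or malformed "never" string subtracts nothing */
			if (never == NULL ||
			    getauditflagsbin(never, &(per_user.au_never)) != 0) {
				per_user.au_never.as_success = AU_MASK_NONE;
				per_user.au_never.as_failure = AU_MASK_NONE;
			}
			/* merge default and per-user */
			mask->as_success |= per_user.au_always.as_success;
			mask->as_failure |= per_user.au_always.as_failure;
			mask->as_success &= ~(per_user.au_never.as_success);
			mask->as_failure &= ~(per_user.au_never.as_failure);
		}
		free(user_flags);
	}
```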
diff --git a/usr/src/lib/libbsm/common/audit_user.c b/usr/src/lib/libbsm/common/audit_user.c
deleted file mode 100644
index 8342687717..0000000000
--- a/usr/src/lib/libbsm/common/audit_user.c
+++ /dev/null
@@ -1,141 +0,0 @@
-/*
- * CDDL HEADER START
- *
- * The contents of this file are subject to the terms of the
- * Common Development and Distribution License (the "License").
- * You may not use this file except in compliance with the License.
- *
- * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
- * or http://www.opensolaris.org/os/licensing.
- * See the License for the specific language governing permissions
- * and limitations under the License.
- *
- * When distributing Covered Code, include this CDDL HEADER in each
- * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
- * If applicable, add the following below this CDDL HEADER, with the
- * fields enclosed by brackets "[]" replaced with your own identifying
- * information: Portions Copyright [yyyy] [name of copyright owner]
- *
- * CDDL HEADER END
- */
-
-/*
- * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
- * Use is subject to license terms.
- */
-
-/* Interfaces to audit_user(4) (/etc/security/audit_user) */
-
-#include <stdio.h>
-#include <limits.h>
-#include <sys/types.h>
-#include <string.h>
-#include <bsm/audit.h>
-#include <bsm/libbsm.h>
-#include <synch.h>
-#include <nss_dbdefs.h>
-#include <stdlib.h>
-#include <utmpx.h>
-
-#define MAX_USERNAME sizeof (((struct utmpx *)0)->ut_user)
-
-static mutex_t mutex_userfile = DEFAULTMUTEX;
-static au_user_ent_t *auuserstr2ent(au_user_ent_t *, au_user_str_t *);
-
-/* Externs from libnsl */
-extern void _setauuser(void);
-extern void _endauuser(void);
-extern au_user_str_t *_getauuserent(au_user_str_t *, char *, int, int *);
-extern au_user_str_t *_getauusernam(char *, au_user_str_t *, char *, int,
- int *);
-
-void
-setauuser()
-{
- (void) mutex_lock(&mutex_userfile);
- _setauuser();
- (void) mutex_unlock(&mutex_userfile);
-}
-
-void
-endauuser()
-{
- (void) mutex_lock(&mutex_userfile);
- _endauuser();
- (void) mutex_unlock(&mutex_userfile);
-}
-
-au_user_ent_t *
-getauuserent()
-{
- static au_user_ent_t au_user_entry;
- static char logname[MAX_USERNAME+1];
-
- /* initialize au_user_entry structure */
- au_user_entry.au_name = logname;
-
- return (getauuserent_r(&au_user_entry));
-
-}
-
-au_user_ent_t *
-getauuserent_r(au_user_ent_t *au_user_entry)
-{
- au_user_str_t us;
- au_user_str_t *tmp;
- char buf[NSS_BUFLEN_AUDITUSER];
- int errp = 0;
-
- (void) mutex_lock(&mutex_userfile);
- (void) memset(buf, NULL, NSS_BUFLEN_AUDITUSER);
- tmp = _getauuserent(&us, buf, NSS_BUFLEN_AUDITUSER, &errp);
- (void) mutex_unlock(&mutex_userfile);
-
- return (auuserstr2ent(au_user_entry, tmp));
-}
-
-au_user_ent_t *
-getauusernam(char *name)
-{
- static au_user_ent_t u;
- static char logname[MAX_USERNAME+1];
-
- /* initialize au_user_entry structure */
- u.au_name = logname;
-
- return (getauusernam_r(&u, name));
-}
-
-au_user_ent_t *
-getauusernam_r(au_user_ent_t *u, char *name)
-{
- au_user_str_t us;
- au_user_str_t *tmp;
- char buf[NSS_BUFLEN_AUDITUSER];
- int errp = 0;
-
- if (name == NULL) {
- return ((au_user_ent_t *)NULL);
- }
- tmp = _getauusernam(name, &us, buf, NSS_BUFLEN_AUDITUSER, &errp);
-
- return (auuserstr2ent(u, tmp));
-}
-
-static au_user_ent_t *
-auuserstr2ent(au_user_ent_t *ue, au_user_str_t *us)
-{
- if (us == NULL)
- return (NULL);
-
- if (getauditflagsbin(us->au_always, &ue->au_always) < 0) {
- return (NULL);
- }
- if (getauditflagsbin(us->au_never, &ue->au_never) < 0) {
- ue->au_never.am_success = AU_MASK_NONE;
- ue->au_never.am_failure = AU_MASK_NONE;
- }
- (void) strncpy(ue->au_name, us->au_name, MAX_USERNAME);
-
- return (ue);
-}
diff --git a/usr/src/lib/libbsm/common/libbsm.h b/usr/src/lib/libbsm/common/libbsm.h
index 54b1b4b152..b3f63e28b4 100644
--- a/usr/src/lib/libbsm/common/libbsm.h
+++ b/usr/src/lib/libbsm/common/libbsm.h
@@ -176,18 +176,6 @@ extern au_class_ent_t *getauclassnam(char *);
extern au_class_ent_t *getauclassnam_r(au_class_ent_t *, char *);
/*
- * Functions that manipulate audit attributes of users
- */
-
-void setauuser(void);
-void endauuser(void);
-
-au_user_ent_t *getauuserent(void);
-au_user_ent_t *getauuserent_r(au_user_ent_t *);
-au_user_ent_t *getauusernam(char *);
-au_user_ent_t *getauusernam_r(au_user_ent_t *, char *);
-
-/*
* Functions that manipulate the audit control file
*/
@@ -239,8 +227,6 @@ extern int setaudit(auditinfo_t *);
extern int setaudit_addr(auditinfo_addr_t *, int);
extern int setauid(au_id_t *);
-#define BSM_TEXTBUFSZ 256 /* size of string for generic text token */
-
/*
* Defines for au_preselect(3)
*/
diff --git a/usr/src/lib/libbsm/common/mapfile-vers b/usr/src/lib/libbsm/common/mapfile-vers
index 673d72efe6..671dd66d10 100644
--- a/usr/src/lib/libbsm/common/mapfile-vers
+++ b/usr/src/lib/libbsm/common/mapfile-vers
@@ -67,8 +67,6 @@ SYMBOL_VERSION SUNW_0.8 {
getauevent_r;
getauevnam_r;
getauevnum_r;
- getauuserent_r;
- getauusernam_r;
} SUNW_0.7;
SYMBOL_VERSION SUNW_0.7 {
@@ -99,7 +97,6 @@ SYMBOL_VERSION SUNW_0.7 {
endac;
endauclass;
endauevent;
- endauuser;
getacdir;
getacflg;
getacmin;
@@ -114,15 +111,12 @@ SYMBOL_VERSION SUNW_0.7 {
getauevnonam;
getauevnum;
getauid;
- getauuserent;
- getauusernam;
getfauditflags;
setac;
setauclass;
setaudit;
setauevent;
setauid;
- setauuser;
};
SYMBOL_VERSION SUNWprivate_1.1 {
diff --git a/usr/src/lib/libsecdb/user_attr.txt b/usr/src/lib/libsecdb/user_attr.txt
index ac804537c9..aa31d7373b 100644
--- a/usr/src/lib/libsecdb/user_attr.txt
+++ b/usr/src/lib/libsecdb/user_attr.txt
@@ -1,6 +1,5 @@
#
-# Copyright 2010 Sun Microsystems, Inc. All rights reserved.
-# Use is subject to license terms.
+# Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
#
# CDDL HEADER START
#
@@ -26,7 +25,7 @@
# user attributes. see user_attr(4)
#
#
-root::::auths=solaris.*,solaris.grant;profiles=All;lock_after_retries=no;min_label=admin_low;clearance=admin_high
+root::::auths=solaris.*,solaris.grant;profiles=All;audit_flags=lo\:no;lock_after_retries=no;min_label=admin_low;clearance=admin_high
lp::::profiles=Printer Management
adm::::profiles=Log Management
dladm::::auths=solaris.smf.manage.wpa,solaris.smf.modify