authorCasper H.S. Dik <Casper.Dik@Sun.COM>2009-06-19 17:45:11 +0200
committerCasper H.S. Dik <Casper.Dik@Sun.COM>2009-06-19 17:45:11 +0200
commit06d0f3f39e2f7b67190578d7277d559c32191d6c (patch)
treeeb96f0c906bc30b046b13d39c9b63060f8e96679 /usr/src
parentee8143cb5c45d521d6600e82791abc3978b9e9a7 (diff)
downloadillumos-joyent-06d0f3f39e2f7b67190578d7277d559c32191d6c.tar.gz
6851603 IPS needs a bit of help for RBAC
5100566 lib/libsecdb/Makefile uses non-unique temp files
Diffstat (limited to 'usr/src')
-rw-r--r--usr/src/lib/libsecdb/Makefile37
-rw-r--r--usr/src/lib/libsecdb/rbac.xml93
-rw-r--r--usr/src/lib/libsecdb/svc-rbac82
-rw-r--r--usr/src/pkgdefs/SUNWcsr/prototype_com2
-rw-r--r--usr/src/pkgdefs/common_files/i.rbac18
-rw-r--r--usr/src/pkgdefs/common_files/r.rbac35
6 files changed, 242 insertions, 25 deletions
diff --git a/usr/src/lib/libsecdb/Makefile b/usr/src/lib/libsecdb/Makefile
index 6dbeb3267d..8743e5b9bb 100644
--- a/usr/src/lib/libsecdb/Makefile
+++ b/usr/src/lib/libsecdb/Makefile
@@ -19,11 +19,9 @@
# CDDL HEADER END
#
#
-# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
-# ident "%Z%%M% %I% %E% SMI"
-#
include ../Makefile.lib
@@ -55,6 +53,18 @@ ESSRC = $(ESFILES:%=%)
ETCSECURITYFILES = $(ESFILES:%=$(ROOTETCSECURITY)/%)
$(ETCSECURITYFILES) := GROUP = sys
+MFSTFILES = rbac.xml
+MANIFESTDIR = $(ROOT)/var/svc/manifest/system
+MANIFEST = $(MFSTFILES:%=$(MANIFESTDIR)/%)
+$(MANIFEST) := FILEMODE = 0444
+$(MANIFEST) := GROUP = sys
+
+METHODFILES = svc-rbac
+METHODDIR = $(ROOT)/lib/svc/method
+METHOD = $(METHODFILES:%=$(METHODDIR)/%)
+$(METHOD) := FILEMODE = 0555
+$(METHOD) := GROUP = bin
+
SCRIPTS = i.rbac r.rbac
CLASS_SCR_SRC_DIR = $(SRC)/pkgdefs/common_files
INSTALL_DIR = $(ROOT)/usr/sadm/install
@@ -67,21 +77,18 @@ CLASS_SCR_FILES = $(SCRIPTS:%=$(CLASS_SCR_DIR)/%)
$(CLASS_SCR_FILES) := FILEMODE = 0555
$(CLASS_SCR_FILES) := GROUP = sys
-TMPDIR = /tmp
-
all clean clobber delete install lint package: $(SUBDIRS)
_msg: $(MSGSUBDIRS)
install: install_data
-install_data: $(ETCSECURITYFILES) $(ETCFILES) $(CLASS_SCR_FILES)
+install_data: $(ETCSECURITYFILES) $(ETCFILES) $(CLASS_SCR_FILES) \
+ $(MANIFESTDIR) $(MANIFEST) $(METHODDIR) $(METHOD)
ATTR_FILES = auth_attr exec_attr prof_attr user_attr
${ATTR_FILES}: $$@.txt
- $(CP) $@.txt ${TMPDIR}/$@
> $@
- $(ECHO) ${TMPDIR}/$@ $@ | $(SHELL) ${CLASS_SCR_SRC_DIR}/i.rbac
- @$(RM) ${TMPDIR}/$@
+ $(ECHO) $@.txt $@ | $(SHELL) ${CLASS_SCR_SRC_DIR}/i.rbac
$(ETCSECURITYFILES) $(ETCFILES): $(ETCSECURITY) $(ROOTETCSECURITY)
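Review bot: The `> $@` line truncates the target before i.rbac merges into it, so if the merge on the following line fails, an empty `auth_attr` (or any of the other ATTR_FILES) is left with a timestamp newer than `$@.txt`, and the next build treats it as up to date because the rule header `${ATTR_FILES}: $$@.txt` sees nothing to rebuild. Consider `$(ECHO) $@.txt $@ | $(SHELL) ${CLASS_SCR_SRC_DIR}/i.rbac || { $(RM) $@; exit 1; }` so a failed merge is not cached. A related point: with the new i.rbac in this commit, a `PKGINST` value inherited from the build environment would make it create `$@.d/$PKGINST` fragments inside the source directory; svc-rbac clears the variable deliberately, and the recipe could do the same by invoking the script as `PKGINST= $(SHELL) ${CLASS_SCR_SRC_DIR}/i.rbac`.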
@@ -97,6 +104,18 @@ $(ROOTETCSECURITY)/%: %
$(ROOTETC)/% : %
$(INS.file)
+$(MANIFESTDIR):
+ $(INS.dir)
+
+$(MANIFESTDIR)/% : %
+ $(INS.file)
+
+$(METHODDIR):
+ $(INS.dir)
+
+$(METHODDIR)/% : %
+ $(INS.file)
+
$(CLASS_SCR_FILES): $(INSTALL_DIR) $(CLASS_SCR_DIR)
$(INSTALL_DIR):
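Review bot: The new `$(MANIFESTDIR)/% : %` and `$(METHODDIR)/% : %` rules do not declare their directory as a prerequisite, so the files are installed after the directories only because install_data happens to list `$(MANIFESTDIR)` before `$(MANIFEST)` and `$(METHODDIR)` before `$(METHOD)`, which a parallel or reordered build does not guarantee. The existing rules in the previous hunk express the same requirement explicitly (`$(ETCSECURITYFILES) $(ETCFILES): $(ETCSECURITY) $(ROOTETCSECURITY)`); add `$(MANIFEST): $(MANIFESTDIR)` and `$(METHOD): $(METHODDIR)` next to the new rules for consistency. The `$(INSTALL_DIR):` rule on the last line continues outside the hunk.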
diff --git a/usr/src/lib/libsecdb/rbac.xml b/usr/src/lib/libsecdb/rbac.xml
new file mode 100644
index 0000000000..2ee3294fd3
--- /dev/null
+++ b/usr/src/lib/libsecdb/rbac.xml
@@ -0,0 +1,93 @@
+<?xml version="1.0"?>
+<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
+<!--
+
+
+ CDDL HEADER START
+
+ The contents of this file are subject to the terms of the
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
+
+ You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ or http://www.opensolaris.org/os/licensing.
+ See the License for the specific language governing permissions
+ and limitations under the License.
+
+ When distributing Covered Code, include this CDDL HEADER in each
+ file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ If applicable, add the following below this CDDL HEADER, with the
+ fields enclosed by brackets "[]" replaced with your own identifying
+ information: Portions Copyright [yyyy] [name of copyright owner]
+
+ CDDL HEADER END
+
+ Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+ Use is subject to license terms.
+
+ NOTE: This service manifest is not editable; its contents will
+ be overwritten by package or patch operations, including
+ operating system upgrade. Make customizations in a different
+ file.
+-->
+
+<service_bundle type='manifest' name='SUNWcsr:rbac'>
+
+<service
+ name='system/rbac'
+ type='service'
+ version='1'>
+
+ <create_default_instance enabled='true' />
+
+ <single_instance />
+
+ <dependency
+ name='usr'
+ type='service'
+ grouping='require_all'
+ restart_on='none'>
+ <service_fmri value='svc:/system/filesystem/minimal' />
+ </dependency>
+
+ <exec_method
+ type='method'
+ name='start'
+ exec='/lib/svc/method/svc-rbac start'
+ timeout_seconds='300'>
+ </exec_method>
+
+ <exec_method
+ type='method'
+ name='refresh'
+ exec='/lib/svc/method/svc-rbac refresh'
+ timeout_seconds='300'>
+ </exec_method>
+
+ <exec_method
+ type='method'
+ name='stop'
+ exec=':true'
+ timeout_seconds='300'>
+ </exec_method>
+
+ <property_group name='startd' type='framework'>
+ <propval name='duration' type='astring'
+ value='transient' />
+ </property_group>
+
+ <property_group name='options' type='application'>
+ </property_group>
+
+ <stability value='Unstable' />
+
+ <template>
+ <common_name>
+ <loctext xml:lang='C'>
+ Assemble the RBAC *attr files.
+ </loctext>
+ </common_name>
+ </template>
+</service>
+
+</service_bundle>
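Review bot: The manifest declares what this service needs (`svc:/system/filesystem/minimal`) but nothing that needs it: there is no `<dependent>` element, so a service that reads the merged attr files at boot may start before svc-rbac has merged newly installed fragments — presumably acceptable when fragments are merged at package-install time as well, but worth stating. A short `<description>` in the `<template>` block explaining that the start and refresh methods merge the per-package fragments under the `.d` directories (see svc-rbac in this commit) into the live `/etc/user_attr` and `/etc/security/*_attr` files would also help administrators, since the common_name alone does not say where the input comes from. The empty `options` property group could carry a comment saying what it is reserved for, or be dropped.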
diff --git a/usr/src/lib/libsecdb/svc-rbac b/usr/src/lib/libsecdb/svc-rbac
new file mode 100644
index 0000000000..1fc4359ea7
--- /dev/null
+++ b/usr/src/lib/libsecdb/svc-rbac
@@ -0,0 +1,82 @@
+#! /usr/bin/sh
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+
+#
+# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+
+. /lib/svc/share/smf_include.sh
+
+files='/etc/user_attr /etc/security/auth_attr /etc/security/exec_attr
+ /etc/security/prof_attr'
+
+PKGINST=
+export PKGINST
+
+irbac=/usr/sadm/install/scripts/i.rbac
+
+if [ ! -x $irbac ]
+then
+ echo "${irbac}: not found."
+ exit $SMF_EXIT_ERR_FATAL
+fi
+
+case "$1" in
+start|refresh)
+ ;;
+stop)
+ exit $SMF_EXIT_OK;;
+*)
+ echo "Usage: $0 { start | refresh | stop }"
+ exit $SMF_EXIT_ERR_FATAL;;
+esac
+
+for f in $files
+do
+ d=${f}.d
+ if [ ! -d ${d} ]
+ then
+ # No directory, nothing to do
+ continue
+ fi
+ #
+ # List all the files in the directory and the destination file
+ # in the order of their timestamp. Most recent files are
+ # displayed first. When we find the destination file, we're
+ # done as the rest of the files are older and they are already
+ # incorporated.
+ #
+ for frag in `ls -t $f $d/* 2> /dev/null`
+ do
+ if [ "$frag" = "$f" ]
+ then
+ break
+ fi
+ if [ -f "$frag" ]
+ then
+ echo $frag $f | $irbac
+ fi
+ done
+done
+
+exit $SMF_EXIT_OK
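Review bot: The exit status of `$irbac` on the `echo $frag $f | $irbac` line is discarded, so a merge that fails or returns i.rbac's warning code still leaves the service online and the script exits `$SMF_EXIT_OK`; track it, e.g. `echo $frag $f | $irbac || status=$SMF_EXIT_ERR_FATAL` in the loop and `exit ${status:-$SMF_EXIT_OK}` at the end, so the failure is visible in svcs. Two further points on the inner loop: the `[ -f "$frag" ]` test follows symbolic links, so anything linked from `${f}.d` is merged into the live file, and `ls -t` ordering is undefined between entries with identical timestamps, so a fragment with the same mtime as `$f` may sort after it and be skipped. Since whatever is merged becomes RBAC policy, consider restricting fragments to regular, root-owned, non-writable files (rejecting symbolic links) and recording the timestamp-ordering assumption in the comment above the loop.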
diff --git a/usr/src/pkgdefs/SUNWcsr/prototype_com b/usr/src/pkgdefs/SUNWcsr/prototype_com
index bb9ce2b28e..eb68e238bb 100644
--- a/usr/src/pkgdefs/SUNWcsr/prototype_com
+++ b/usr/src/pkgdefs/SUNWcsr/prototype_com
@@ -377,6 +377,7 @@ f none lib/svc/method/svc-forwarding 0555 root bin
f none lib/svc/method/svc-legacy-routing 0555 root bin
f none lib/svc/method/svc-dlmgmtd 0555 root bin
f none lib/svc/method/svc-nscd 0555 root bin
+f none lib/svc/method/svc-rbac 0555 root bin
f none lib/svc/method/svc-utmpd 0555 root bin
f none lib/svc/method/system-log 0555 root bin
f none lib/svc/method/vtdaemon 0555 root bin
@@ -553,6 +554,7 @@ f manifest var/svc/manifest/system/idmap.xml 0444 root sys
f manifest var/svc/manifest/system/keymap.xml 0444 root sys
f manifest var/svc/manifest/system/manifest-import.xml 0444 root sys
f manifest var/svc/manifest/system/name-service-cache.xml 0444 root sys
+f manifest var/svc/manifest/system/rbac.xml 0444 root sys
f manifest var/svc/manifest/system/rmtmpfiles.xml 0444 root sys
f manifest var/svc/manifest/system/sac.xml 0444 root sys
f manifest var/svc/manifest/system/system-log.xml 0444 root sys
diff --git a/usr/src/pkgdefs/common_files/i.rbac b/usr/src/pkgdefs/common_files/i.rbac
index d172c2bf9e..7573aa70bb 100644
--- a/usr/src/pkgdefs/common_files/i.rbac
+++ b/usr/src/pkgdefs/common_files/i.rbac
@@ -29,7 +29,7 @@
#
# Files in "rbac" class:
#
-# /etc/security{prof_attr,exec_attr,auth_attr}
+# /etc/security/{prof_attr,exec_attr,auth_attr}
# /etc/user_attr
#
# Allowable exit codes
@@ -324,10 +324,24 @@ exit_status=0
# main
while read newfile oldfile ; do
+ if [ -n "$PKGINST" ]
+ then
+ # Install the file in the "fragment" directory.
+ mkdir -m 755 -p ${oldfile}.d
+ rm -f ${oldfile}.d/"$PKGINST"
+ cp $newfile ${oldfile}.d/"$PKGINST"
+
+ # Make sure that it is marked read-only.
+ chmod a-w,a+r ${oldfile}.d/"$PKGINST"
+
+ # We also execute the rest of the i.rbac script.
+ fi
+
if [ ! -f $oldfile ]; then
cp $newfile $oldfile
else
- set_type_and_outfile $newfile
+ set_type_and_outfile $newfile ||
+ set_type_and_outfile $oldfile
if [ $? -ne 0 ]; then
echo "$0 : $newfile not one of" \
" prof_attr, exec_attr, auth_attr, user_attr"
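Review bot: The fragment copy runs before the file is validated: the new block writes `${oldfile}.d/$PKGINST` unconditionally, and only afterwards does the `set_type_and_outfile` check reject a file that is not one of the four attr files, so an invalid input leaves a fragment directory behind next to a file that is not in the rbac class. Move the fragment block after the type check, or remove the fragment in the error branch, so a rejected input does not persist. The fallback `set_type_and_outfile $newfile || set_type_and_outfile $oldfile` deserves a one-line comment saying why the destination name is tried second (presumably the delivered file may carry a package-specific name). The while loop continues past the end of the hunk.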
diff --git a/usr/src/pkgdefs/common_files/r.rbac b/usr/src/pkgdefs/common_files/r.rbac
index 4c3eea468d..3b761bb73a 100644
--- a/usr/src/pkgdefs/common_files/r.rbac
+++ b/usr/src/pkgdefs/common_files/r.rbac
@@ -1,15 +1,15 @@
-#ident "%Z%%M% %I% %E% SMI"
+#!/bin/sh
+#
# r.rbac
#
-# Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
-# Common Development and Distribution License, Version 1.0 only
-# (the "License"). You may not use this file except in compliance
-# with the License.
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
@@ -29,19 +29,26 @@
#
# Files in "rbac" class:
#
-# /etc/security{prof_attr,exec_attr,auth_attr}
+# /etc/security/{prof_attr,exec_attr,auth_attr}
# /etc/user_attr
#
# Allowable exit codes
#
# 0 - success
# 2 - warning or possible error condition. Installation continues. A warning
-# message is displayed at the time of completion.
-#
-# This script intentionally does nothing.
-# It is not safe to try and undo what i.rbac has done.
-# This script must exist since pkgadd will
-# do its default "install" the pkg *_attr file into /etc/security
-# clobbering the existing file, in the absence of a r.rbac script.
-#
+# message is displayed at the time of completion.
+#
+# This script removes the fragment installed for this particular package
+# instance. But it is not safe to unmerge the entries installed.
+#
+PATH=/usr/bin:/usr/sbin
+export PATH
+if [ -n "$PKGINST" ]
+then
+ while read file
+ do
+ rm -f ${file}.d/"$PKGINST"
+ done
+fi
+
exit 0
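Review bot: The header now lists exit code 2 for "warning or possible error condition", but the script exits 0 unconditionally and the status of `rm -f` is discarded, so a fragment that could not be removed (for example an unwritable `${file}.d`) is never reported to pkgrm; use `rm -f ${file}.d/"$PKGINST" || exit_status=2` inside the loop and `exit ${exit_status:-0}`, matching the `exit_status` convention i.rbac uses. It is also worth spelling out in the header, since it determines what stays authorised on the system, that the entries merged into /etc/user_attr and the /etc/security attr files remain in effect after the package is removed; the current wording "it is not safe to unmerge" implies this but does not say it.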