PSARC/2008/034 Defining Workstation Owner Infrastructure

6650907 Implement PSARC/2008/034 Defining Workstation Owner Infrastructure
6655423 configd:rc_node.c:perm_granted() uses perm_lock which is no longer needed.

16 files changed, 301 insertions, 176 deletions

diff --git a/usr/src/cmd/auths/auths.c b/usr/src/cmd/auths/auths.c
index ce48619fd9..930cec08ca 100644
--- a/usr/src/cmd/auths/auths.c
+++ b/usr/src/cmd/auths/auths.c
@@ -19,7 +19,7 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -56,10 +56,10 @@
 
 static int show_auths(char *, char **, int, int);
 static int list_auths(userattr_t *, char **, int *);
-static char *get_default_auths(char **, int *);
+static void get_default_auths(char *, char **, int *);
 static void getProfiles(char *, char **, int *, char **, int *);
 static void add_auths(char *, char **, int *);
-
+static void free_auths(char **, int *);
 
 static char *progname = "auths";
 
@@ -70,35 +70,34 @@ main(int argc, char *argv[])
 	int		status = EXIT_OK;
 	char		*defauths[MAXAUTHS];
 	int		defauth_cnt = 0;
-	int		i;
 
 	(void) setlocale(LC_ALL, "");
 	(void) textdomain(TEXT_DOMAIN);
 
-	(void) get_default_auths(defauths, &defauth_cnt);
-
 	switch (argc) {
 	case 1:
+		get_default_auths(NULL, defauths, &defauth_cnt);
 		status = show_auths(NULL, defauths, defauth_cnt, 0);
 		break;
 	case 2:
+		get_default_auths(argv[argc-1], defauths, &defauth_cnt);
 		status = show_auths(argv[argc-1], defauths, defauth_cnt, 0);
 		break;
 	default:
 		while (*++argv) {
+			get_default_auths(*argv, defauths, &defauth_cnt);
 			status = show_auths(*argv, defauths, defauth_cnt, 1);
 			if (status == EXIT_FATAL) {
 				break;
 			}
+			/* free memory allocated for default authorizations */
+			free_auths(defauths, &defauth_cnt);
 		}
 		break;
 	}
 
 	/* free memory allocated for default authorizations */
-	for (i = 0; i < defauth_cnt; i++) {
-		free(defauths[i]);
-	}
-
+	free_auths(defauths, &defauth_cnt);
 	status = (status == EXIT_OK) ? status : EXIT_FATAL;
 
 	return (status);
@@ -198,9 +197,7 @@ show_auths(char *username, char **defauths, int defauth_cnt, int print_name)
 	}
 
 	/* free memory allocated for authorizations */
-	for (i = 0; i < userauth_cnt; i++) {
-		free(userauths[i]);
-	}
+	free_auths(userauths, &userauth_cnt);
 
 	return (status);
 }
@@ -237,30 +234,35 @@ list_auths(userattr_t *user, char **authArray, int *authcnt)
 }
 
 
-static char *
-get_default_auths(char **authArray, int *authcnt)
+static void
+get_default_auths(char *user, char **authArray, int *authcnt)
 {
 	char *auths = NULL;
 	char *profs = NULL;
 	char *profArray[MAXPROFS];
 	int profcnt = 0;
 
-	if (defopen(AUTH_POLICY) == NULL) {
-		auths = defread(DEF_AUTH);
+	if (user == NULL) {
+		struct passwd *pw;
+
+		if ((pw = getpwuid(getuid())) != NULL) {
+			user = pw->pw_name;
+		}
+	}
+
+	if (_get_user_defs(user, &auths, &profs) == 0) {
 		if (auths != NULL) {
 			add_auths(auths, authArray, authcnt);
 		}
 
 		/* get authorizations from default profiles */
-		profs = defread(DEF_PROF);
 		if (profs != NULL) {
 			getProfiles(profs, profArray, &profcnt,
 			    authArray, authcnt);
 			free_proflist(profArray, profcnt);
 		}
+		_free_user_defs(auths, profs);
 	}
-
-	return (auths);
 }
 
 void
@@ -297,6 +299,17 @@ add_auths(char *auths, char **authArray, int *authcnt)
 }
 
 static void
+free_auths(char *auths[], int *auth_cnt)
+{
+	int i;
+
+	for (i = 0; i < *auth_cnt; i++) {
+		free(auths[i]);
+	}
+	*auth_cnt = 0;
+}
+
+static void
 getProfiles(char *profiles, char **profArray, int *profcnt,
 	char **authArray, int *authcnt)
 {
diff --git a/usr/src/cmd/pfexec/pfexec.c b/usr/src/cmd/pfexec/pfexec.c
index 84b36c0b6a..7d8eba49d1 100644
--- a/usr/src/cmd/pfexec/pfexec.c
+++ b/usr/src/cmd/pfexec/pfexec.c
@@ -19,7 +19,7 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -60,7 +60,7 @@ static uid_t get_uid(char *);
 static gid_t get_gid(char *);
 static priv_set_t *get_privset(const char *);
 static priv_set_t *get_granted_privs(uid_t);
-static void get_default_privs(priv_set_t *);
+static void get_default_privs(const char *, priv_set_t *);
 static void get_profile_privs(char *, char **, int *, priv_set_t *);
 
 static int isnumber(char *);
@@ -145,8 +145,8 @@ main(int argc, char *argv[])
 			}
 			if (setppriv(PRIV_ON, PRIV_INHERITABLE, wanted) != 0) {
 				(void) fprintf(stderr,
-						gettext("setppriv(): %s\n"),
-						strerror(errno));
+				    gettext("setppriv(): %s\n"),
+				    strerror(errno));
 				exit(EXIT_FAILURE);
 			}
 			/* Trick exec into thinking we're not suid */
@@ -305,7 +305,7 @@ set_attrs:
 	if (lset != NULL && setppriv(PRIV_SET, PRIV_LIMIT, lset) != 0 ||
 	    iset != NULL && setppriv(PRIV_ON, PRIV_INHERITABLE, iset) != 0) {
 		(void) fprintf(stderr, gettext("%s: can't set privileges\n"),
-			cmd_realpath);
+		    cmd_realpath);
 		return (0);
 	}
 	if (setreuid(uid, euid) == -1) {
@@ -452,7 +452,7 @@ get_granted_privs(uid_t uid)
 		free_proflist(profArray, profcnt);
 	}
 
-	get_default_privs(res);
+	get_default_privs(pwent->pw_name, res);
 
 	if (ua != NULL)
 		free_userattr(ua);
@@ -461,21 +461,20 @@ get_granted_privs(uid_t uid)
 }
 
 static void
-get_default_privs(priv_set_t *pset)
+get_default_privs(const char *user, priv_set_t *pset)
 {
 	char *profs = NULL;
 	char *profArray[MAXPROFS];
 	int profcnt = 0;
 
-	if (defopen(AUTH_POLICY) == 0) {
+	if (_get_user_defs(user, NULL, &profs) == 0) {
 		/* get privileges from default profiles */
-		profs = defread(DEF_PROF);
 		if (profs != NULL) {
 			get_profile_privs(profs, profArray, &profcnt, pset);
 			free_proflist(profArray, profcnt);
+			_free_user_defs(NULL, profs);
 		}
 	}
-	(void) defopen(NULL);
 }
 
 static void
diff --git a/usr/src/cmd/profiles/profiles.c b/usr/src/cmd/profiles/profiles.c
index 8086494fb8..087a6aa855 100644
--- a/usr/src/cmd/profiles/profiles.c
+++ b/usr/src/cmd/profiles/profiles.c
@@ -19,7 +19,7 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -64,7 +64,7 @@ static void print_profs_long(char *, void *, int);
 static void print_profs(char *, char **, int, int);
 static void format_attr(int *, int, char *);
 static void getProfiles(char *, char **, int *);
-static void getDefaultProfiles(char **, int *);
+static void getDefaultProfiles(char *, char **, int *);
 
 static char *progname = "profiles";
 
@@ -93,10 +93,10 @@ main(int argc, char *argv[])
 	argv += optind;
 
 	if (*argv == NULL) {
-		status = show_profs((char *)NULL, print_flag);
+		status = show_profs(NULL, print_flag);
 	} else {
 		do {
-			status = show_profs(*argv, print_flag);
+			status = show_profs((char *)*argv, print_flag);
 			if (status == EXIT_FATAL) {
 				break;
 			}
@@ -136,7 +136,7 @@ show_profs(char *username, int print_flag)
 		if ((user = getusernam(username)) != NULL) {
 			status = list_profs(user, print_flag);
 		} else {
-			getDefaultProfiles(profArray, &profcnt);
+			getDefaultProfiles(username, profArray, &profcnt);
 			if (profcnt == 0) {
 				status = EXIT_NON_FATAL;
 			} else {
@@ -183,7 +183,7 @@ list_profs(userattr_t *user, int print_flag)
 			getProfiles(proflist, profArray, &profcnt);
 		}
 		/* Also get any default profiles */
-		getDefaultProfiles(profArray, &profcnt);
+		getDefaultProfiles(user->name, profArray, &profcnt);
 		if (profcnt == 0) {
 			status = EXIT_NON_FATAL;
 		}
@@ -324,16 +324,14 @@ print_profs(char *user, char **profnames, int print_flag, int profcnt)
  * Get the list of default profiles from /etc/security/policy.conf
  */
 static void
-getDefaultProfiles(char **profArray, int *profcnt)
+getDefaultProfiles(char *user, char **profArray, int *profcnt)
 {
 	char *profs = NULL;
 
-	if (defopen(AUTH_POLICY) == NULL) {
-		profs = defread(DEF_PROF);
-	}
-
-	if (profs != NULL) {
-		getProfiles(profs, profArray, profcnt);
+	if (_get_user_defs(user, NULL, &profs) == 0) {
+		if (profs != NULL) {
+			getProfiles(profs, profArray, profcnt);
+			_free_user_defs(NULL, profs);
+		}
 	}
-
 }
diff --git a/usr/src/cmd/svc/configd/rc_node.c b/usr/src/cmd/svc/configd/rc_node.c
index 8182c709b6..c7b77349ea 100644
--- a/usr/src/cmd/svc/configd/rc_node.c
+++ b/usr/src/cmd/svc/configd/rc_node.c
@@ -351,6 +351,7 @@
 #include <libscf_priv.h>
 #include <prof_attr.h>
 #include <pthread.h>
+#include <pwd.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <strings.h>
@@ -491,8 +492,6 @@ static pthread_mutex_t	rc_pg_notify_lock = PTHREAD_MUTEX_INITIALIZER;
 static pthread_cond_t	rc_pg_notify_cv = PTHREAD_COND_INITIALIZER;
 static uint_t		rc_notify_in_use;	/* blocks removals */
 
-static pthread_mutex_t	perm_lock = PTHREAD_MUTEX_INITIALIZER;
-
 /*
  * Some combinations of property group/property name require a special
  * audit event to be generated when there is a change.
@@ -1515,38 +1514,11 @@ perm_granted(permcheck_t *pcp)
 	uid_t uid;
 	userattr_t *uap;
 	char *authlist, *userattr_authlist, *proflist, *def_prof = NULL;
-
-	/*
-	 * Get generic authorizations from policy.conf
-	 *
-	 * Note that _get_auth_policy is not threadsafe, so we single-thread
-	 * access to it.
-	 */
-	(void) pthread_mutex_lock(&perm_lock);
-	ret = _get_auth_policy(&authlist, &def_prof);
-	(void) pthread_mutex_unlock(&perm_lock);
-
-	if (ret != 0)
-		return (-1);
-
-	if (authlist != NULL) {
-		ret = check_auth_list(pcp, authlist);
-
-		if (ret) {
-			_free_auth_policy(authlist, def_prof);
-			return (ret);
-		}
-	}
-
-	/*
-	 * Put off checking def_prof for later in an attempt to consolidate
-	 * prof_attr accesses.
-	 */
+	struct passwd pw;
+	char pwbuf[1024];	/* XXX should be NSS_BUFLEN_PASSWD */
 
 	/* Get the uid */
 	if ((uc = get_ucred()) == NULL) {
-		_free_auth_policy(authlist, def_prof);
-
 		if (errno == EINVAL) {
 			/*
 			 * Client is no longer waiting for our response (e.g.,
@@ -1569,7 +1541,33 @@ perm_granted(permcheck_t *pcp)
 	uid = ucred_geteuid(uc);
 	assert(uid != (uid_t)-1);
 
-	uap = getuseruid(uid);
+	if (getpwuid_r(uid, &pw, pwbuf, sizeof (pwbuf)) == NULL) {
+		return (-1);
+	}
+
+	/*
+	 * Get user's default authorizations from policy.conf
+	 */
+	ret = _get_user_defs(pw.pw_name, &authlist, &def_prof);
+
+	if (ret != 0)
+		return (-1);
+
+	if (authlist != NULL) {
+		ret = check_auth_list(pcp, authlist);
+
+		if (ret) {
+			_free_user_defs(authlist, def_prof);
+			return (ret);
+		}
+	}
+
+	/*
+	 * Put off checking def_prof for later in an attempt to consolidate
+	 * prof_attr accesses.
+	 */
+
+	uap = getusernam(pw.pw_name);
 	if (uap != NULL) {
 		/* Get the authorizations from user_attr. */
 		userattr_authlist = kva_match(uap->attr, USERATTR_AUTHS_KW);
@@ -1589,7 +1587,7 @@ perm_granted(permcheck_t *pcp)
 			ret = check_prof_list(pcp, proflist);
 	}
 
-	_free_auth_policy(authlist, def_prof);
+	_free_user_defs(authlist, def_prof);
 	if (uap != NULL)
 		free_userattr(uap);
 
diff --git a/usr/src/head/prof_attr.h b/usr/src/head/prof_attr.h
index 2acac51cc7..42ff2d8534 100644
--- a/usr/src/head/prof_attr.h
+++ b/usr/src/head/prof_attr.h
@@ -2,9 +2,8 @@
  * CDDL HEADER START
  *
  * The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License").  You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
  *
  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
  * or http://www.opensolaris.org/os/licensing.
@@ -20,7 +19,7 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 1999,2002-2003 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -52,6 +51,7 @@ extern "C" {
 #define	PROFATTR_COL4_KW		"attr"
 
 #define	DEF_PROF			"PROFS_GRANTED="
+#define	DEF_CONSUSER			"CONSOLE_USER="
 
 #define	MAXPROFS			4096
 
diff --git a/usr/src/head/secdb.h b/usr/src/head/secdb.h
index 716faacb2c..fad64204e2 100644
--- a/usr/src/head/secdb.h
+++ b/usr/src/head/secdb.h
@@ -19,7 +19,7 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -82,14 +82,14 @@ extern char *_argv_to_csl(char **strings);
 extern char **_csl_to_argv(char *csl);
 extern char *_do_unescape(char *src);
 extern void _free_argv(char **p_argv);
-extern int _get_auth_policy(char **, char **);
-extern void _free_auth_policy(char *, char *);
 extern int _insert2kva(kva_t *, char *, char *);
 extern int _kva2str(kva_t *, char *, int, char *, char *);
 extern kva_t *_kva_dup(kva_t *);
 extern void _kva_free(kva_t *);
 extern kva_t *_new_kva(int size);
 extern kva_t *_str2kva(char *, char *, char *);
+extern int _get_user_defs(const char *, char **, char **);
+extern void _free_user_defs(char *, char *);
 
 #else				/* not __STDC__ */
 
@@ -100,14 +100,14 @@ extern char *_argv_to_csl();
 extern char **_csl_to_argv();
 extern char *_do_unescape();
 extern void _free_argv();
-extern int _get_auth_policy();
-extern void _free_auth_policy();
 extern int  _insert2kva();
 extern int _kva2str();
 extern kva_t *_kva_dup();
 extern void _kva_free(kva_t *);
 extern kva_t *_new_kva();
 extern int _str2kva();
+extern int _get_user_defs();
+extern void _free_user_defs();
 #endif				/* __STDC__ */
 
 #ifdef	__cplusplus
diff --git a/usr/src/lib/libsecdb/common/chkauthattr.c b/usr/src/lib/libsecdb/common/chkauthattr.c
index 6e41e99723..04b1fe8846 100644
--- a/usr/src/lib/libsecdb/common/chkauthattr.c
+++ b/usr/src/lib/libsecdb/common/chkauthattr.c
@@ -19,7 +19,7 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -33,6 +33,8 @@
 #include <fcntl.h>
 #include <sys/mman.h>
 #include <limits.h>
+#include <pwd.h>
+#include <nss_dbdefs.h>
 #include <deflt.h>
 #include <auth_attr.h>
 #include <prof_attr.h>
@@ -40,10 +42,8 @@
 
 
 static int _is_authorized(const char *, char *);
-static int _chk_policy_auth(const char *, char **, int *);
+static int _chk_policy_auth(const char *, const char *, char **, int *);
 static int _chkprof_for_auth(const char *, const char *, char **, int *);
-
-
 int
 chkauthattr(const char *authname, const char *username)
 {
@@ -59,7 +59,8 @@ chkauthattr(const char *authname, const char *username)
 		return (0);
 
 	/* Check against AUTHS_GRANTED and PROFS_GRANTED in policy.conf */
-	auth_granted = _chk_policy_auth(authname, chkedprof, &chkedprof_cnt);
+	auth_granted = _chk_policy_auth(authname, username, chkedprof,
+	    &chkedprof_cnt);
 	if (auth_granted)
 		goto exit;
 
@@ -203,45 +204,6 @@ _is_authorized(const char *authname, char *auths)
 }
 
 
-int
-_get_auth_policy(char **def_auth, char **def_prof)
-{
-	char *cp;
-
-	if (defopen(AUTH_POLICY) != 0)
-		return (-1);
-
-	cp = defread(DEF_AUTH);
-	if (cp != NULL) {
-		*def_auth = strdup(cp);
-		if (*def_auth == NULL)
-			return (-1);
-	} else {
-		*def_auth = NULL;
-	}
-
-	cp = defread(DEF_PROF);
-	if (cp != NULL) {
-		*def_prof = strdup(cp);
-		if (*def_prof == NULL) {
-			free(*def_auth);
-			return (-1);
-		}
-	} else {
-		*def_prof = NULL;
-	}
-
-	(void) defopen(NULL);
-	return (0);
-}
-
-void
-_free_auth_policy(char *def_auth, char *def_prof)
-{
-	free(def_auth);
-	free(def_prof);
-}
-
 /*
  * read /etc/security/policy.conf for AUTHS_GRANTED.
  * return 1 if found matching authname.
@@ -249,12 +211,14 @@ _free_auth_policy(char *def_auth, char *def_prof)
  * default profiles.
  */
 static int
-_chk_policy_auth(const char *authname, char **chkedprof, int *chkedprof_cnt)
+_chk_policy_auth(const char *authname, const char *username, char **chkedprof,
+    int *chkedprof_cnt)
 {
-	char	*auths, *profs;
+	char	*auths = NULL;
+	char	*profs = NULL;
 	int	ret = 1;
 
-	if (_get_auth_policy(&auths, &profs) != 0)
+	if (_get_user_defs(username, &auths, &profs) != 0)
 		return (0);
 
 	if (auths != NULL) {
@@ -270,6 +234,102 @@ _chk_policy_auth(const char *authname, char **chkedprof, int *chkedprof_cnt)
 	ret = 0;
 
 exit:
-	_free_auth_policy(auths, profs);
+	_free_user_defs(auths, profs);
 	return (ret);
 }
+
+#define	CONSOLE "/dev/console"
+
+static int
+is_cons_user(const char *user)
+{
+	struct stat	cons;
+	struct passwd	pw;
+	char		pwbuf[NSS_BUFLEN_PASSWD];
+
+	if (user == NULL) {
+		return (0);
+	}
+	if (stat(CONSOLE, &cons) == -1) {
+		return (0);
+	}
+	if (getpwnam_r(user, &pw, pwbuf, sizeof (pwbuf)) == NULL) {
+		return (0);
+	}
+
+	return (pw.pw_uid == cons.st_uid);
+}
+
+
+int
+_get_user_defs(const char *user, char **def_auth, char **def_prof)
+{
+	char *cp;
+	char *profs;
+
+	if (defopen(AUTH_POLICY) != 0) {
+		if (def_auth != NULL) {
+			*def_auth = NULL;
+		}
+		if (def_prof != NULL) {
+			*def_prof = NULL;
+		}
+		return (-1);
+	}
+
+	if (def_auth != NULL) {
+		if ((cp = defread(DEF_AUTH)) != NULL) {
+			if ((*def_auth = strdup(cp)) == NULL) {
+				(void) defopen(NULL);
+				return (-1);
+			}
+		} else {
+			*def_auth = NULL;
+		}
+	}
+	if (def_prof != NULL) {
+		if (is_cons_user(user) &&
+		    (cp = defread(DEF_CONSUSER)) != NULL) {
+			if ((*def_prof = strdup(cp)) == NULL) {
+				(void) defopen(NULL);
+				return (-1);
+			}
+		}
+		if ((cp = defread(DEF_PROF)) != NULL) {
+			int	prof_len;
+
+			if (*def_prof == NULL) {
+				if ((*def_prof = strdup(cp)) == NULL) {
+					(void) defopen(NULL);
+					return (-1);
+				}
+				(void) defopen(NULL);
+				return (0);
+			}
+
+			/* concatenate def profs with "," separator */
+			prof_len = strlen(*def_prof) + strlen(cp) + 2;
+			if ((profs = malloc(prof_len)) == NULL) {
+				free(*def_prof);
+				*def_prof = NULL;
+				(void) defopen(NULL);
+				return (-1);
+			}
+			(void) snprintf(profs, prof_len, "%s,%s", *def_prof,
+			    cp);
+			free(*def_prof);
+			*def_prof = profs;
+		}
+	}
+
+	(void) defopen(NULL);
+	return (0);
+}
+
+
+void
+_free_user_defs(char *def_auth, char *def_prof)
+{
+	free(def_auth);
+	free(def_prof);
+}
diff --git a/usr/src/lib/libsecdb/common/getexecattr.c b/usr/src/lib/libsecdb/common/getexecattr.c
index 1e1ab20ffd..93d05e9706 100644
--- a/usr/src/lib/libsecdb/common/getexecattr.c
+++ b/usr/src/lib/libsecdb/common/getexecattr.c
@@ -19,7 +19,7 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -74,8 +74,8 @@ getexecprof(const char *name, const char *type, const char *id, int search_flag)
 	int		err = 0;
 	char		unique[NSS_BUFLEN_EXECATTR];
 	char		buf[NSS_BUFLEN_EXECATTR];
-	execattr_t	*head = (execattr_t *)NULL;
-	execattr_t	*prev = (execattr_t *)NULL;
+	execattr_t	*head = NULL;
+	execattr_t	*prev = NULL;
 	execstr_t	exec;
 	execstr_t	*tmp;
 
@@ -83,7 +83,7 @@ getexecprof(const char *name, const char *type, const char *id, int search_flag)
 	(void) memset(&exec, 0, sizeof (execstr_t));
 
 	if ((search_flag != GET_ONE) && (search_flag != GET_ALL)) {
-		return ((execattr_t *)NULL);
+		return (NULL);
 	}
 
 	if ((name == NULL) && (type == NULL) && (id == NULL)) {
@@ -101,7 +101,7 @@ getexecprof(const char *name, const char *type, const char *id, int search_flag)
 			};
 			break;
 		default:
-			head = (execattr_t *)NULL;
+			head = NULL;
 			break;
 		}
 		endexecattr();
@@ -129,12 +129,12 @@ getexecuser(const char *username, const char *type, const char *id,
 	char		buf[NSS_BUFLEN_USERATTR];
 	userstr_t	user;
 	userstr_t	*utmp;
-	execattr_t	*head = (execattr_t *)NULL;
-	execattr_t	*prev = (execattr_t *)NULL;
-	execattr_t	*new = (execattr_t *)NULL;
+	execattr_t	*head = NULL;
+	execattr_t	*prev =  NULL;
+	execattr_t	*new = NULL;
 
 	if ((search_flag != GET_ONE) && (search_flag != GET_ALL)) {
-		return ((execattr_t *)NULL);
+		return (NULL);
 	}
 
 	if (username == NULL) {
@@ -156,7 +156,7 @@ getexecuser(const char *username, const char *type, const char *id,
 				prev = get_tail(head);
 			}
 			while ((utmp = _getuserattr(&user,
-				    buf, NSS_BUFLEN_USERATTR, &err)) != NULL) {
+			    buf, NSS_BUFLEN_USERATTR, &err)) != NULL) {
 				if ((new =
 				    userprof((const char *)(utmp->name),
 				    type, id, search_flag)) != NULL) {
@@ -171,7 +171,7 @@ getexecuser(const char *username, const char *type, const char *id,
 			}
 			break;
 		default:
-			head = (execattr_t *)NULL;
+			head = NULL;
 			break;
 		}
 		enduserattr();
@@ -187,7 +187,7 @@ execattr_t *
 match_execattr(execattr_t *exec, const char *profname, const char *type,
     const char *id)
 {
-	execattr_t	*execp = (execattr_t *)NULL;
+	execattr_t	*execp = NULL;
 
 	for (execp = exec; execp != NULL; execp = execp->next) {
 		if ((profname && execp->name &&
@@ -218,7 +218,7 @@ endexecattr()
 void
 free_execattr(execattr_t *exec)
 {
-	if (exec != (execattr_t *)NULL) {
+	if (exec != NULL) {
 		free(exec->name);
 		free(exec->type);
 		free(exec->policy);
@@ -240,16 +240,16 @@ userprof(const char *username, const char *type, const char *id,
 	int		err = 0;
 	char		*last;
 	char		*sep = ",";
-	char		*proflist = (char *)NULL;
-	char		*profname = (char *)NULL;
+	char		*proflist = NULL;
+	char		*profname = NULL;
 	char		buf[NSS_BUFLEN_USERATTR];
 	char		pwdb[NSS_BUFLEN_PASSWD];
 	kva_t		*user_attr;
 	userstr_t	user;
 	userstr_t	*utmp;
 	execattr_t	*exec;
-	execattr_t	*head = (execattr_t *)NULL;
-	execattr_t	*prev = (execattr_t *)NULL;
+	execattr_t	*head = NULL;
+	execattr_t	*prev = NULL;
 	struct passwd	pwd;
 
 	char		*profArray[MAXPROFS];
@@ -265,7 +265,6 @@ userprof(const char *username, const char *type, const char *id,
 
 	utmp = _getusernam(username, &user, buf, NSS_BUFLEN_USERATTR, &err);
 	if (utmp != NULL) {
-		proflist = NULL;
 		user_attr = _str2kva(user.attr, KV_ASSIGN, KV_DELIMITER);
 		if ((proflist = kva_match(user_attr, "profiles")) != NULL) {
 			/* Get the list of profiles for this user */
@@ -278,16 +277,15 @@ userprof(const char *username, const char *type, const char *id,
 	}
 
 	/* Get the list of default profiles */
-	if (defopen(AUTH_POLICY) == NULL) {
-		proflist = defread(DEF_PROF);
-		(void) defopen(NULL);
-	}
+	proflist = NULL;
+	(void) _get_user_defs(username, NULL, &proflist);
 	if (proflist != NULL) {
 		for (profname = _strtok_escape(proflist, sep, &last);
 		    profname != NULL;
 		    profname = _strtok_escape(NULL, sep, &last)) {
 			getproflist(profname, profArray, &profcnt);
 		}
+		_free_user_defs(NULL, proflist);
 	}
 
 	if (profcnt == 0) {
@@ -321,8 +319,8 @@ userprof(const char *username, const char *type, const char *id,
 static execattr_t *
 get_tail(execattr_t *exec)
 {
-	execattr_t *i_exec = (execattr_t *)NULL;
-	execattr_t *j_exec = (execattr_t *)NULL;
+	execattr_t *i_exec = NULL;
+	execattr_t *j_exec = NULL;
 
 	if (exec != NULL) {
 		if (exec->next == NULL) {
@@ -345,10 +343,10 @@ execstr2attr(execstr_t *es)
 	execattr_t	*newexec;
 
 	if (es == NULL) {
-		return ((execattr_t *)NULL);
+		return (NULL);
 	}
-	if ((newexec = (execattr_t *)malloc(sizeof (execattr_t))) == NULL) {
-		return ((execattr_t *)NULL);
+	if ((newexec = malloc(sizeof (execattr_t))) == NULL) {
+		return (NULL);
 	}
 
 	newexec->name = _do_unescape(es->name);
@@ -361,7 +359,7 @@ execstr2attr(execstr_t *es)
 	if (es->next) {
 		newexec->next = execstr2attr((execstr_t *)(es->next));
 	} else {
-		newexec->next = (execattr_t *)NULL;
+		newexec->next = NULL;
 	}
 	return (newexec);
 }
diff --git a/usr/src/lib/libsecdb/common/mapfile-vers b/usr/src/lib/libsecdb/common/mapfile-vers
index a6490cb988..8c401df535 100644
--- a/usr/src/lib/libsecdb/common/mapfile-vers
+++ b/usr/src/lib/libsecdb/common/mapfile-vers
@@ -19,7 +19,7 @@
 # CDDL HEADER END
 #
 #
-# Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 # ident	"%Z%%M%	%I%	%E% SMI"
@@ -64,8 +64,8 @@ SUNWprivate_1.1 {
 	_csl_to_argv;
 	_do_unescape;
 	_free_argv;
-	_free_auth_policy;
-	_get_auth_policy;
+	_free_user_defs;
+	_get_user_defs;
 	_insert2kva;
 	_kva2str;
 	_kva_dup;
diff --git a/usr/src/lib/libsecdb/help/profiles/Makefile b/usr/src/lib/libsecdb/help/profiles/Makefile
index 4a3c6e309f..41beab05fe 100644
--- a/usr/src/lib/libsecdb/help/profiles/Makefile
+++ b/usr/src/lib/libsecdb/help/profiles/Makefile
@@ -33,6 +33,7 @@ HTMLENTS = \
 	RtAuditCtrl.html \
 	RtAuditReview.html \
 	RtContractObserver.html \
+	RtConsUser.html \
 	RtCronMngmnt.html \
 	RtCryptoMngmnt.html \
 	RtLogMngmnt.html \
diff --git a/usr/src/lib/libsecdb/help/profiles/RtConsUser.html b/usr/src/lib/libsecdb/help/profiles/RtConsUser.html
new file mode 100644
index 0000000000..7e7b956193
--- /dev/null
+++ b/usr/src/lib/libsecdb/help/profiles/RtConsUser.html
@@ -0,0 +1,44 @@
+<HTML>
+<!--
+    CDDL HEADER START
+
+    The contents of this file are subject to the terms of the
+    Common Development and Distribution License (the "License").
+    You may not use this file except in compliance with the License.
+
+    You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+    or http://www.opensolaris.org/os/licensing.
+    See the License for the specific language governing permissions
+    and limitations under the License.
+
+    When distributing Covered Code, include this CDDL HEADER in each
+    file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+    If applicable, add the following below this CDDL HEADER, with the
+    fields enclosed by brackets "[]" replaced with your own identifying
+    information: Portions Copyright [yyyy] [name of copyright owner]
+
+    CDDL HEADER END
+
+-- Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
+-- Use is subject to license terms.
+-->
+<HEAD>
+	<TITLE> </TITLE>
+	 
+	
+</HEAD>
+<BODY>
+<!-- ident	"%Z%%M%	%I%	%E% SMI" -->
+
+
+When Console User is in the Rights Included column, it grants the right
+for a user or role to do operations often associated with ownership of a
+Solaris workstation or laptop.
+<p>
+These Rights are typically granted automatically through policy.conf(4)
+to the user logged in on the workstation console.  It can be, but is
+generally not directly assigned to a user or role.
+<p>
+If All is grayed, then you are not entitled to Add or Remove this right.
+</BODY>
+</HTML>
diff --git a/usr/src/lib/libsecdb/policy.conf b/usr/src/lib/libsecdb/policy.conf
index e148f4d2b0..bb5dc487f8 100644
--- a/usr/src/lib/libsecdb/policy.conf
+++ b/usr/src/lib/libsecdb/policy.conf
@@ -2,9 +2,8 @@
 # CDDL HEADER START
 #
 # The contents of this file are subject to the terms of the
-# Common Development and Distribution License, Version 1.0 only
-# (the "License").  You may not use this file except in compliance
-# with the License.
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
 #
 # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 # or http://www.opensolaris.org/os/licensing.
@@ -20,7 +19,7 @@
 # CDDL HEADER END
 #
 #
-# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 # /etc/security/policy.conf
@@ -31,6 +30,7 @@
 #
 AUTHS_GRANTED=solaris.device.cdrw
 PROFS_GRANTED=Basic Solaris User
+CONSOLE_USER=Console User
 
 # crypt(3c) Algorithms Configuration
 #
diff --git a/usr/src/lib/libsecdb/prof_attr.txt b/usr/src/lib/libsecdb/prof_attr.txt
index 0f379911ef..a5ec1a5680 100644
--- a/usr/src/lib/libsecdb/prof_attr.txt
+++ b/usr/src/lib/libsecdb/prof_attr.txt
@@ -34,6 +34,7 @@
 All:::Execute any command as the user or role:help=RtAll.html
 Audit Control:::Configure BSM auditing:auths=solaris.audit.config,solaris.jobs.admin;help=RtAuditCtrl.html
 Audit Review:::Review BSM auditing logs:auths=solaris.audit.read;help=RtAuditReview.html
+Console User:::Manage System as the Console User:help=RtConsUser.html
 Contract Observer:::Reliably observe any/all contract events:help=RtContractObserver.html
 Device Management:::Control Access to Removable Media:auths=solaris.device.*;help=RtDeviceMngmnt.html
 Printer Management:::Manage printers, daemons, spooling:auths=solaris.print.*,solaris.label.print,solaris.smf.manage.discovery.printers.*,solaris.smf.value.discovery.printers.*;help=RtPrntAdmin.html
diff --git a/usr/src/pkgdefs/SUNW0on/prototype_com b/usr/src/pkgdefs/SUNW0on/prototype_com
index 0b72ba0e34..f6f01a4208 100644
--- a/usr/src/pkgdefs/SUNW0on/prototype_com
+++ b/usr/src/pkgdefs/SUNW0on/prototype_com
@@ -316,6 +316,7 @@ f none usr/lib/help/profiles/locale/RtAuditCtrl.html 444 root bin
 f none usr/lib/help/profiles/locale/RtAuditReview.html 444 root bin
 f none usr/lib/help/profiles/locale/RtDeviceMngmnt.html 444 root bin
 f none usr/lib/help/profiles/locale/RtPrntAdmin.html 444 root bin
+f none usr/lib/help/profiles/locale/RtConsUser.html 444 root bin
 f none usr/lib/help/profiles/locale/RtContractObserver.html 444 root bin
 f none usr/lib/help/profiles/locale/RtCronMngmnt.html 444 root bin
 f none usr/lib/help/profiles/locale/RtCryptoMngmnt.html 444 root bin
diff --git a/usr/src/pkgdefs/SUNWcsu/prototype_com b/usr/src/pkgdefs/SUNWcsu/prototype_com
index d88e1c7aa3..225ceaa91e 100644
--- a/usr/src/pkgdefs/SUNWcsu/prototype_com
+++ b/usr/src/pkgdefs/SUNWcsu/prototype_com
@@ -528,6 +528,7 @@ d none usr/lib/help/profiles/locale/C 755 root bin
 f none usr/lib/help/profiles/locale/C/RtAll.html 444 root bin
 f none usr/lib/help/profiles/locale/C/RtAuditCtrl.html 444 root bin
 f none usr/lib/help/profiles/locale/C/RtAuditReview.html 444 root bin
+f none usr/lib/help/profiles/locale/C/RtConsUser.html 444 root bin
 f none usr/lib/help/profiles/locale/C/RtContractObserver.html 444 root bin
 f none usr/lib/help/profiles/locale/C/RtCronMngmnt.html 444 root bin
 f none usr/lib/help/profiles/locale/C/RtCryptoMngmnt.html 444 root bin
diff --git a/usr/src/pkgdefs/common_files/i.policyconf b/usr/src/pkgdefs/common_files/i.policyconf
index d884de48d7..b61c3caa68 100644
--- a/usr/src/pkgdefs/common_files/i.policyconf
+++ b/usr/src/pkgdefs/common_files/i.policyconf
@@ -3,9 +3,8 @@
 # CDDL HEADER START
 #
 # The contents of this file are subject to the terms of the
-# Common Development and Distribution License, Version 1.0 only
-# (the "License").  You may not use this file except in compliance
-# with the License.
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
 #
 # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 # or http://www.opensolaris.org/os/licensing.
@@ -23,7 +22,7 @@
 #
 #ident	"%Z%%M%	%I%	%E% SMI"
 #
-# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 
@@ -43,6 +42,7 @@ do
 		#
 		ag="AUTHS_GRANTED=solaris.device.cdrw"
 		pg="PROFS_GRANTED=Basic Solaris User"
+		wo="CONSOLE_USER=Console User"
 		sed -n -e '/^[^#]/q;p' < $src > $dest.$$
 		sed -n \
 		    -e "s/^#AUTHS_GRANTED=$/$ag/" \
@@ -51,13 +51,24 @@ do
 		    -e "s/  *$//" \
 		    -e '/^[^#]/,$p' < $dest >> $dest.$$
 
-		if grep 'PROFS_GRANTED=' $dest > /dev/null 2>&1
+		grep 'PROFS_GRANTED=' $dest > /dev/null 2>&1
+		if [ $? != 0 ] ; then
+			sed < $dest.$$ > $dest -e "/^AUTHS_GRANTED=/a\\
+$pg"
+			cat $dest > $dest.$$
+		fi
+
+		if grep 'CONSOLE_USER=' $dest > /dev/null 2>&1
 		then
 			cat $dest.$$ > $dest
 		else
-			sed < $dest.$$ > $dest -e "/^AUTHS_GRANTED=/a\\
-$pg"
+			sed < $dest.$$ > $dest -e "/^PROFS_GRANTED=/a\\
+$wo"
+			echo "${dest} updating entries for CONSOLE_USER," \
+			     "see policy.conf(4) for details." \
+			    >> ${CLEANUP_FILE}
 		fi
+
 		rm -f $dest.$$
 
 		grep 'CRYPT_' $dest > /dev/null 2>&1