authorgww <none@none>2008-02-21 17:17:41 -0800
committergww <none@none>2008-02-21 17:17:41 -0800
commit499fd60129a966ad9d9e752e65f591c3a6a1c697 (patch)
tree81345eeff0f75d26b841b2684b02bd8c90458b27 /usr/src
parent10b955899caccfba75ec0814d07b64204863e54e (diff)
PSARC/2008/034 Defining Workstation Owner Infrastructure
6650907 Implement PSARC/2008/034 Defining Workstation Owner Infrastructure 6655423 configd:rc_node.c:perm_granted() uses perm_lock which is no longer needed.
Diffstat (limited to 'usr/src')
-rw-r--r--usr/src/cmd/auths/auths.c53
-rw-r--r--usr/src/cmd/pfexec/pfexec.c19
-rw-r--r--usr/src/cmd/profiles/profiles.c26
-rw-r--r--usr/src/cmd/svc/configd/rc_node.c64
-rw-r--r--usr/src/head/prof_attr.h8
-rw-r--r--usr/src/head/secdb.h10
-rw-r--r--usr/src/lib/libsecdb/common/chkauthattr.c156
-rw-r--r--usr/src/lib/libsecdb/common/getexecattr.c54
-rw-r--r--usr/src/lib/libsecdb/common/mapfile-vers6
-rw-r--r--usr/src/lib/libsecdb/help/profiles/Makefile1
-rw-r--r--usr/src/lib/libsecdb/help/profiles/RtConsUser.html44
-rw-r--r--usr/src/lib/libsecdb/policy.conf8
-rw-r--r--usr/src/lib/libsecdb/prof_attr.txt1
-rw-r--r--usr/src/pkgdefs/SUNW0on/prototype_com1
-rw-r--r--usr/src/pkgdefs/SUNWcsu/prototype_com1
-rw-r--r--usr/src/pkgdefs/common_files/i.policyconf25
16 files changed, 301 insertions, 176 deletions
diff --git a/usr/src/cmd/auths/auths.c b/usr/src/cmd/auths/auths.c
index ce48619fd9..930cec08ca 100644
--- a/usr/src/cmd/auths/auths.c
+++ b/usr/src/cmd/auths/auths.c
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -56,10 +56,10 @@
static int show_auths(char *, char **, int, int);
static int list_auths(userattr_t *, char **, int *);
-static char *get_default_auths(char **, int *);
+static void get_default_auths(char *, char **, int *);
static void getProfiles(char *, char **, int *, char **, int *);
static void add_auths(char *, char **, int *);
-
+static void free_auths(char **, int *);
static char *progname = "auths";
@@ -70,35 +70,34 @@ main(int argc, char *argv[])
int status = EXIT_OK;
char *defauths[MAXAUTHS];
int defauth_cnt = 0;
- int i;
(void) setlocale(LC_ALL, "");
(void) textdomain(TEXT_DOMAIN);
- (void) get_default_auths(defauths, &defauth_cnt);
-
switch (argc) {
case 1:
+ get_default_auths(NULL, defauths, &defauth_cnt);
status = show_auths(NULL, defauths, defauth_cnt, 0);
break;
case 2:
+ get_default_auths(argv[argc-1], defauths, &defauth_cnt);
status = show_auths(argv[argc-1], defauths, defauth_cnt, 0);
break;
default:
while (*++argv) {
+ get_default_auths(*argv, defauths, &defauth_cnt);
status = show_auths(*argv, defauths, defauth_cnt, 1);
if (status == EXIT_FATAL) {
break;
}
+ /* free memory allocated for default authorizations */
+ free_auths(defauths, &defauth_cnt);
}
break;
}
/* free memory allocated for default authorizations */
- for (i = 0; i < defauth_cnt; i++) {
- free(defauths[i]);
- }
-
+ free_auths(defauths, &defauth_cnt);
status = (status == EXIT_OK) ? status : EXIT_FATAL;
return (status);
@@ -198,9 +197,7 @@ show_auths(char *username, char **defauths, int defauth_cnt, int print_name)
}
/* free memory allocated for authorizations */
- for (i = 0; i < userauth_cnt; i++) {
- free(userauths[i]);
- }
+ free_auths(userauths, &userauth_cnt);
return (status);
}
@@ -237,30 +234,35 @@ list_auths(userattr_t *user, char **authArray, int *authcnt)
}
-static char *
-get_default_auths(char **authArray, int *authcnt)
+static void
+get_default_auths(char *user, char **authArray, int *authcnt)
{
char *auths = NULL;
char *profs = NULL;
char *profArray[MAXPROFS];
int profcnt = 0;
- if (defopen(AUTH_POLICY) == NULL) {
- auths = defread(DEF_AUTH);
+ if (user == NULL) {
+ struct passwd *pw;
+
+ if ((pw = getpwuid(getuid())) != NULL) {
+ user = pw->pw_name;
+ }
+ }
+
+ if (_get_user_defs(user, &auths, &profs) == 0) {
if (auths != NULL) {
add_auths(auths, authArray, authcnt);
}
/* get authorizations from default profiles */
- profs = defread(DEF_PROF);
if (profs != NULL) {
getProfiles(profs, profArray, &profcnt,
authArray, authcnt);
free_proflist(profArray, profcnt);
}
+ _free_user_defs(auths, profs);
}
-
- return (auths);
}
void
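Review bot: In get_default_auths, `user = pw->pw_name` keeps a pointer into the static buffer returned by getpwuid(), and that pointer is then handed to `_get_user_defs`, which performs its own passwd lookup. The lookup visible in chkauthattr.c uses getpwnam_r with a private buffer, so the name survives today, but any later non-reentrant getpw* call on that path would overwrite it under the caller. Declaring `struct passwd pwd; char pwbuf[NSS_BUFLEN_PASSWD];` at function scope and filling them with getpwuid_r, as perm_granted in rc_node.c does, removes that dependency (the constant comes from `<nss_dbdefs.h>`, which this file may need to include). A header comment stating that a NULL user means the invoking real uid would also help.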
@@ -297,6 +299,17 @@ add_auths(char *auths, char **authArray, int *authcnt)
}
static void
+free_auths(char *auths[], int *auth_cnt)
+{
+ int i;
+
+ for (i = 0; i < *auth_cnt; i++) {
+ free(auths[i]);
+ }
+ *auth_cnt = 0;
+}
+
+static void
getProfiles(char *profiles, char **profArray, int *profcnt,
char **authArray, int *authcnt)
{
diff --git a/usr/src/cmd/pfexec/pfexec.c b/usr/src/cmd/pfexec/pfexec.c
index 84b36c0b6a..7d8eba49d1 100644
--- a/usr/src/cmd/pfexec/pfexec.c
+++ b/usr/src/cmd/pfexec/pfexec.c
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -60,7 +60,7 @@ static uid_t get_uid(char *);
static gid_t get_gid(char *);
static priv_set_t *get_privset(const char *);
static priv_set_t *get_granted_privs(uid_t);
-static void get_default_privs(priv_set_t *);
+static void get_default_privs(const char *, priv_set_t *);
static void get_profile_privs(char *, char **, int *, priv_set_t *);
static int isnumber(char *);
@@ -145,8 +145,8 @@ main(int argc, char *argv[])
}
if (setppriv(PRIV_ON, PRIV_INHERITABLE, wanted) != 0) {
(void) fprintf(stderr,
- gettext("setppriv(): %s\n"),
- strerror(errno));
+ gettext("setppriv(): %s\n"),
+ strerror(errno));
exit(EXIT_FAILURE);
}
/* Trick exec into thinking we're not suid */
@@ -305,7 +305,7 @@ set_attrs:
if (lset != NULL && setppriv(PRIV_SET, PRIV_LIMIT, lset) != 0 ||
iset != NULL && setppriv(PRIV_ON, PRIV_INHERITABLE, iset) != 0) {
(void) fprintf(stderr, gettext("%s: can't set privileges\n"),
- cmd_realpath);
+ cmd_realpath);
return (0);
}
if (setreuid(uid, euid) == -1) {
@@ -452,7 +452,7 @@ get_granted_privs(uid_t uid)
free_proflist(profArray, profcnt);
}
- get_default_privs(res);
+ get_default_privs(pwent->pw_name, res);
if (ua != NULL)
free_userattr(ua);
@@ -461,21 +461,20 @@ get_granted_privs(uid_t uid)
}
static void
-get_default_privs(priv_set_t *pset)
+get_default_privs(const char *user, priv_set_t *pset)
{
char *profs = NULL;
char *profArray[MAXPROFS];
int profcnt = 0;
- if (defopen(AUTH_POLICY) == 0) {
+ if (_get_user_defs(user, NULL, &profs) == 0) {
/* get privileges from default profiles */
- profs = defread(DEF_PROF);
if (profs != NULL) {
get_profile_privs(profs, profArray, &profcnt, pset);
free_proflist(profArray, profcnt);
+ _free_user_defs(NULL, profs);
}
}
- (void) defopen(NULL);
}
static void
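Review bot: get_default_privs has no comment saying that the profile list it expands now depends on who owns /dev/console at the moment pfexec runs. `_get_user_defs` adds the CONSOLE_USER profiles whenever is_cons_user (chkauthattr.c, same commit) finds that the user's uid equals the owner of /dev/console, so the grant follows the account rather than the console session, and a process of that user started from any other login gets the same profiles. Since this function feeds the privilege set computed by a set-uid program, I would record that above it, for example `/* Default profiles for user; includes CONSOLE_USER profiles while user's uid owns /dev/console (checked per call, by uid, not by session). */`.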
diff --git a/usr/src/cmd/profiles/profiles.c b/usr/src/cmd/profiles/profiles.c
index 8086494fb8..087a6aa855 100644
--- a/usr/src/cmd/profiles/profiles.c
+++ b/usr/src/cmd/profiles/profiles.c
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -64,7 +64,7 @@ static void print_profs_long(char *, void *, int);
static void print_profs(char *, char **, int, int);
static void format_attr(int *, int, char *);
static void getProfiles(char *, char **, int *);
-static void getDefaultProfiles(char **, int *);
+static void getDefaultProfiles(char *, char **, int *);
static char *progname = "profiles";
@@ -93,10 +93,10 @@ main(int argc, char *argv[])
argv += optind;
if (*argv == NULL) {
- status = show_profs((char *)NULL, print_flag);
+ status = show_profs(NULL, print_flag);
} else {
do {
- status = show_profs(*argv, print_flag);
+ status = show_profs((char *)*argv, print_flag);
if (status == EXIT_FATAL) {
break;
}
@@ -136,7 +136,7 @@ show_profs(char *username, int print_flag)
if ((user = getusernam(username)) != NULL) {
status = list_profs(user, print_flag);
} else {
- getDefaultProfiles(profArray, &profcnt);
+ getDefaultProfiles(username, profArray, &profcnt);
if (profcnt == 0) {
status = EXIT_NON_FATAL;
} else {
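Review bot: The new call `getDefaultProfiles(username, profArray, &profcnt)` passes username through unchanged, and main calls `show_profs(NULL, print_flag)` when no operand is given. With a NULL user, is_cons_user in chkauthattr.c returns 0, so unless show_profs replaces a NULL username above this hunk, `profiles` with no argument will not list the CONSOLE_USER profiles for the console owner. auths.c handles the same case by resolving NULL through `getpwuid(getuid())` in get_default_auths; doing the equivalent here would keep the two commands consistent. show_profs begins and ends outside the hunk.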
@@ -183,7 +183,7 @@ list_profs(userattr_t *user, int print_flag)
getProfiles(proflist, profArray, &profcnt);
}
/* Also get any default profiles */
- getDefaultProfiles(profArray, &profcnt);
+ getDefaultProfiles(user->name, profArray, &profcnt);
if (profcnt == 0) {
status = EXIT_NON_FATAL;
}
@@ -324,16 +324,14 @@ print_profs(char *user, char **profnames, int print_flag, int profcnt)
* Get the list of default profiles from /etc/security/policy.conf
*/
static void
-getDefaultProfiles(char **profArray, int *profcnt)
+getDefaultProfiles(char *user, char **profArray, int *profcnt)
{
char *profs = NULL;
- if (defopen(AUTH_POLICY) == NULL) {
- profs = defread(DEF_PROF);
- }
-
- if (profs != NULL) {
- getProfiles(profs, profArray, profcnt);
+ if (_get_user_defs(user, NULL, &profs) == 0) {
+ if (profs != NULL) {
+ getProfiles(profs, profArray, profcnt);
+ _free_user_defs(NULL, profs);
+ }
}
-
}
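Review bot: The comment above getDefaultProfiles still reads "Get the list of default profiles from /etc/security/policy.conf" and says nothing about the new user argument. As `_get_user_defs` in chkauthattr.c shows, the result now starts with the CONSOLE_USER profiles when user owns /dev/console, followed by PROFS_GRANTED. I would update it to something like `* Get the default profiles for user from /etc/security/policy.conf: CONSOLE_USER (if user owns /dev/console), then PROFS_GRANTED.`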
diff --git a/usr/src/cmd/svc/configd/rc_node.c b/usr/src/cmd/svc/configd/rc_node.c
index 8182c709b6..c7b77349ea 100644
--- a/usr/src/cmd/svc/configd/rc_node.c
+++ b/usr/src/cmd/svc/configd/rc_node.c
@@ -351,6 +351,7 @@
#include <libscf_priv.h>
#include <prof_attr.h>
#include <pthread.h>
+#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
@@ -491,8 +492,6 @@ static pthread_mutex_t rc_pg_notify_lock = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t rc_pg_notify_cv = PTHREAD_COND_INITIALIZER;
static uint_t rc_notify_in_use; /* blocks removals */
-static pthread_mutex_t perm_lock = PTHREAD_MUTEX_INITIALIZER;
-
/*
* Some combinations of property group/property name require a special
* audit event to be generated when there is a change.
@@ -1515,38 +1514,11 @@ perm_granted(permcheck_t *pcp)
uid_t uid;
userattr_t *uap;
char *authlist, *userattr_authlist, *proflist, *def_prof = NULL;
-
- /*
- * Get generic authorizations from policy.conf
- *
- * Note that _get_auth_policy is not threadsafe, so we single-thread
- * access to it.
- */
- (void) pthread_mutex_lock(&perm_lock);
- ret = _get_auth_policy(&authlist, &def_prof);
- (void) pthread_mutex_unlock(&perm_lock);
-
- if (ret != 0)
- return (-1);
-
- if (authlist != NULL) {
- ret = check_auth_list(pcp, authlist);
-
- if (ret) {
- _free_auth_policy(authlist, def_prof);
- return (ret);
- }
- }
-
- /*
- * Put off checking def_prof for later in an attempt to consolidate
- * prof_attr accesses.
- */
+ struct passwd pw;
+ char pwbuf[1024]; /* XXX should be NSS_BUFLEN_PASSWD */
/* Get the uid */
if ((uc = get_ucred()) == NULL) {
- _free_auth_policy(authlist, def_prof);
-
if (errno == EINVAL) {
/*
* Client is no longer waiting for our response (e.g.,
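Review bot: `char pwbuf[1024]; /* XXX should be NSS_BUFLEN_PASSWD */` leaves a known shortcut in the daemon's authorization path. chkauthattr.c in this commit includes `<nss_dbdefs.h>` and sizes the same kind of buffer with NSS_BUFLEN_PASSWD; including that header here and writing `char pwbuf[NSS_BUFLEN_PASSWD];` removes the XXX and keeps the two lookups sized identically. If the buffer were ever too small for an entry, the getpwuid_r call added further down would fail and perm_granted would return -1 for that user. perm_granted starts above and continues past this hunk.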
@@ -1569,7 +1541,33 @@ perm_granted(permcheck_t *pcp)
uid = ucred_geteuid(uc);
assert(uid != (uid_t)-1);
- uap = getuseruid(uid);
+ if (getpwuid_r(uid, &pw, pwbuf, sizeof (pwbuf)) == NULL) {
+ return (-1);
+ }
+
+ /*
+ * Get user's default authorizations from policy.conf
+ */
+ ret = _get_user_defs(pw.pw_name, &authlist, &def_prof);
+
+ if (ret != 0)
+ return (-1);
+
+ if (authlist != NULL) {
+ ret = check_auth_list(pcp, authlist);
+
+ if (ret) {
+ _free_user_defs(authlist, def_prof);
+ return (ret);
+ }
+ }
+
+ /*
+ * Put off checking def_prof for later in an attempt to consolidate
+ * prof_attr accesses.
+ */
+
+ uap = getusernam(pw.pw_name);
if (uap != NULL) {
/* Get the authorizations from user_attr. */
userattr_authlist = kva_match(uap->attr, USERATTR_AUTHS_KW);
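Review bot: A uid with no passwd entry now makes perm_granted return -1 at `if (getpwuid_r(uid, &pw, pwbuf, sizeof (pwbuf)) == NULL)`, before any authorization is evaluated. The code this replaces called `getuseruid(uid)` and carried on with `uap == NULL`, so such a caller was still checked against the policy.conf defaults; if callers treat -1 as an internal error rather than a denial (not visible here), the client now sees a different outcome. A comment on the early return stating the intended result would settle it. The call to `_get_user_defs` is also made without the removed perm_lock, and the old comment's concern that the defopen/defread path is not thread-safe is answered only in the commit message, so a one-line comment saying why no lock is needed belongs next to the call.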
@@ -1589,7 +1587,7 @@ perm_granted(permcheck_t *pcp)
ret = check_prof_list(pcp, proflist);
}
- _free_auth_policy(authlist, def_prof);
+ _free_user_defs(authlist, def_prof);
if (uap != NULL)
free_userattr(uap);
diff --git a/usr/src/head/prof_attr.h b/usr/src/head/prof_attr.h
index 2acac51cc7..42ff2d8534 100644
--- a/usr/src/head/prof_attr.h
+++ b/usr/src/head/prof_attr.h
@@ -2,9 +2,8 @@
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License"). You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
@@ -20,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 1999,2002-2003 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -52,6 +51,7 @@ extern "C" {
#define PROFATTR_COL4_KW "attr"
#define DEF_PROF "PROFS_GRANTED="
+#define DEF_CONSUSER "CONSOLE_USER="
#define MAXPROFS 4096
diff --git a/usr/src/head/secdb.h b/usr/src/head/secdb.h
index 716faacb2c..fad64204e2 100644
--- a/usr/src/head/secdb.h
+++ b/usr/src/head/secdb.h
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -82,14 +82,14 @@ extern char *_argv_to_csl(char **strings);
extern char **_csl_to_argv(char *csl);
extern char *_do_unescape(char *src);
extern void _free_argv(char **p_argv);
-extern int _get_auth_policy(char **, char **);
-extern void _free_auth_policy(char *, char *);
extern int _insert2kva(kva_t *, char *, char *);
extern int _kva2str(kva_t *, char *, int, char *, char *);
extern kva_t *_kva_dup(kva_t *);
extern void _kva_free(kva_t *);
extern kva_t *_new_kva(int size);
extern kva_t *_str2kva(char *, char *, char *);
+extern int _get_user_defs(const char *, char **, char **);
+extern void _free_user_defs(char *, char *);
#else /* not __STDC__ */
@@ -100,14 +100,14 @@ extern char *_argv_to_csl();
extern char **_csl_to_argv();
extern char *_do_unescape();
extern void _free_argv();
-extern int _get_auth_policy();
-extern void _free_auth_policy();
extern int _insert2kva();
extern int _kva2str();
extern kva_t *_kva_dup();
extern void _kva_free(kva_t *);
extern kva_t *_new_kva();
extern int _str2kva();
+extern int _get_user_defs();
+extern void _free_user_defs();
#endif /* __STDC__ */
#ifdef __cplusplus
diff --git a/usr/src/lib/libsecdb/common/chkauthattr.c b/usr/src/lib/libsecdb/common/chkauthattr.c
index 6e41e99723..04b1fe8846 100644
--- a/usr/src/lib/libsecdb/common/chkauthattr.c
+++ b/usr/src/lib/libsecdb/common/chkauthattr.c
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -33,6 +33,8 @@
#include <fcntl.h>
#include <sys/mman.h>
#include <limits.h>
+#include <pwd.h>
+#include <nss_dbdefs.h>
#include <deflt.h>
#include <auth_attr.h>
#include <prof_attr.h>
@@ -40,10 +42,8 @@
static int _is_authorized(const char *, char *);
-static int _chk_policy_auth(const char *, char **, int *);
+static int _chk_policy_auth(const char *, const char *, char **, int *);
static int _chkprof_for_auth(const char *, const char *, char **, int *);
-
-
int
chkauthattr(const char *authname, const char *username)
{
@@ -59,7 +59,8 @@ chkauthattr(const char *authname, const char *username)
return (0);
/* Check against AUTHS_GRANTED and PROFS_GRANTED in policy.conf */
- auth_granted = _chk_policy_auth(authname, chkedprof, &chkedprof_cnt);
+ auth_granted = _chk_policy_auth(authname, username, chkedprof,
+ &chkedprof_cnt);
if (auth_granted)
goto exit;
@@ -203,45 +204,6 @@ _is_authorized(const char *authname, char *auths)
}
-int
-_get_auth_policy(char **def_auth, char **def_prof)
-{
- char *cp;
-
- if (defopen(AUTH_POLICY) != 0)
- return (-1);
-
- cp = defread(DEF_AUTH);
- if (cp != NULL) {
- *def_auth = strdup(cp);
- if (*def_auth == NULL)
- return (-1);
- } else {
- *def_auth = NULL;
- }
-
- cp = defread(DEF_PROF);
- if (cp != NULL) {
- *def_prof = strdup(cp);
- if (*def_prof == NULL) {
- free(*def_auth);
- return (-1);
- }
- } else {
- *def_prof = NULL;
- }
-
- (void) defopen(NULL);
- return (0);
-}
-
-void
-_free_auth_policy(char *def_auth, char *def_prof)
-{
- free(def_auth);
- free(def_prof);
-}
-
/*
* read /etc/security/policy.conf for AUTHS_GRANTED.
* return 1 if found matching authname.
@@ -249,12 +211,14 @@ _free_auth_policy(char *def_auth, char *def_prof)
* default profiles.
*/
static int
-_chk_policy_auth(const char *authname, char **chkedprof, int *chkedprof_cnt)
+_chk_policy_auth(const char *authname, const char *username, char **chkedprof,
+ int *chkedprof_cnt)
{
- char *auths, *profs;
+ char *auths = NULL;
+ char *profs = NULL;
int ret = 1;
- if (_get_auth_policy(&auths, &profs) != 0)
+ if (_get_user_defs(username, &auths, &profs) != 0)
return (0);
if (auths != NULL) {
@@ -270,6 +234,102 @@ _chk_policy_auth(const char *authname, char **chkedprof, int *chkedprof_cnt)
ret = 0;
exit:
- _free_auth_policy(auths, profs);
+ _free_user_defs(auths, profs);
return (ret);
}
+
+#define CONSOLE "/dev/console"
+
+static int
+is_cons_user(const char *user)
+{
+ struct stat cons;
+ struct passwd pw;
+ char pwbuf[NSS_BUFLEN_PASSWD];
+
+ if (user == NULL) {
+ return (0);
+ }
+ if (stat(CONSOLE, &cons) == -1) {
+ return (0);
+ }
+ if (getpwnam_r(user, &pw, pwbuf, sizeof (pwbuf)) == NULL) {
+ return (0);
+ }
+
+ return (pw.pw_uid == cons.st_uid);
+}
+
+
+int
+_get_user_defs(const char *user, char **def_auth, char **def_prof)
+{
+ char *cp;
+ char *profs;
+
+ if (defopen(AUTH_POLICY) != 0) {
+ if (def_auth != NULL) {
+ *def_auth = NULL;
+ }
+ if (def_prof != NULL) {
+ *def_prof = NULL;
+ }
+ return (-1);
+ }
+
+ if (def_auth != NULL) {
+ if ((cp = defread(DEF_AUTH)) != NULL) {
+ if ((*def_auth = strdup(cp)) == NULL) {
+ (void) defopen(NULL);
+ return (-1);
+ }
+ } else {
+ *def_auth = NULL;
+ }
+ }
+ if (def_prof != NULL) {
+ if (is_cons_user(user) &&
+ (cp = defread(DEF_CONSUSER)) != NULL) {
+ if ((*def_prof = strdup(cp)) == NULL) {
+ (void) defopen(NULL);
+ return (-1);
+ }
+ }
+ if ((cp = defread(DEF_PROF)) != NULL) {
+ int prof_len;
+
+ if (*def_prof == NULL) {
+ if ((*def_prof = strdup(cp)) == NULL) {
+ (void) defopen(NULL);
+ return (-1);
+ }
+ (void) defopen(NULL);
+ return (0);
+ }
+
+ /* concatenate def profs with "," separator */
+ prof_len = strlen(*def_prof) + strlen(cp) + 2;
+ if ((profs = malloc(prof_len)) == NULL) {
+ free(*def_prof);
+ *def_prof = NULL;
+ (void) defopen(NULL);
+ return (-1);
+ }
+ (void) snprintf(profs, prof_len, "%s,%s", *def_prof,
+ cp);
+ free(*def_prof);
+ *def_prof = profs;
+ }
+ }
+
+ (void) defopen(NULL);
+ return (0);
+}
+
+
+void
+_free_user_defs(char *def_auth, char *def_prof)
+{
+ free(def_auth);
+ free(def_prof);
+}
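Review bot: _get_user_defs reads `*def_prof` at `if (*def_prof == NULL)` without ever assigning it when the user is not the console owner or CONSOLE_USER is absent, so the result depends on every caller having cleared the variable first; `*def_auth`, by contrast, is always assigned. The three failure returns inside the def_prof branch also leave an already duplicated `*def_auth` allocated, while the callers on this page (get_default_auths, perm_granted, _chk_policy_auth) skip `_free_user_defs` on a non-zero return; the removed `_get_auth_policy` did free it on that path. In configd that is a leak on each check that hits an allocation failure. The change below clears `*def_prof` on entry to the branch and routes those failures through one exit that releases both strings.

```c
	if (def_prof != NULL) {
		*def_prof = NULL;	/* do not rely on the caller's initial value */
		if (is_cons_user(user) &&
		    (cp = defread(DEF_CONSUSER)) != NULL) {
			if ((*def_prof = strdup(cp)) == NULL)
				goto fail;
		}
		/* … unchanged: DEF_PROF read and "," concatenation, each error return becoming goto fail … */
	}

	(void) defopen(NULL);
	return (0);

fail:
	/* callers do not call _free_user_defs() after an error */
	if (def_auth != NULL) {
		free(*def_auth);
		*def_auth = NULL;
	}
	if (def_prof != NULL) {
		free(*def_prof);
		*def_prof = NULL;
	}
	(void) defopen(NULL);
	return (-1);
```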
diff --git a/usr/src/lib/libsecdb/common/getexecattr.c b/usr/src/lib/libsecdb/common/getexecattr.c
index 1e1ab20ffd..93d05e9706 100644
--- a/usr/src/lib/libsecdb/common/getexecattr.c
+++ b/usr/src/lib/libsecdb/common/getexecattr.c
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -74,8 +74,8 @@ getexecprof(const char *name, const char *type, const char *id, int search_flag)
int err = 0;
char unique[NSS_BUFLEN_EXECATTR];
char buf[NSS_BUFLEN_EXECATTR];
- execattr_t *head = (execattr_t *)NULL;
- execattr_t *prev = (execattr_t *)NULL;
+ execattr_t *head = NULL;
+ execattr_t *prev = NULL;
execstr_t exec;
execstr_t *tmp;
@@ -83,7 +83,7 @@ getexecprof(const char *name, const char *type, const char *id, int search_flag)
(void) memset(&exec, 0, sizeof (execstr_t));
if ((search_flag != GET_ONE) && (search_flag != GET_ALL)) {
- return ((execattr_t *)NULL);
+ return (NULL);
}
if ((name == NULL) && (type == NULL) && (id == NULL)) {
@@ -101,7 +101,7 @@ getexecprof(const char *name, const char *type, const char *id, int search_flag)
};
break;
default:
- head = (execattr_t *)NULL;
+ head = NULL;
break;
}
endexecattr();
@@ -129,12 +129,12 @@ getexecuser(const char *username, const char *type, const char *id,
char buf[NSS_BUFLEN_USERATTR];
userstr_t user;
userstr_t *utmp;
- execattr_t *head = (execattr_t *)NULL;
- execattr_t *prev = (execattr_t *)NULL;
- execattr_t *new = (execattr_t *)NULL;
+ execattr_t *head = NULL;
+ execattr_t *prev = NULL;
+ execattr_t *new = NULL;
if ((search_flag != GET_ONE) && (search_flag != GET_ALL)) {
- return ((execattr_t *)NULL);
+ return (NULL);
}
if (username == NULL) {
@@ -156,7 +156,7 @@ getexecuser(const char *username, const char *type, const char *id,
prev = get_tail(head);
}
while ((utmp = _getuserattr(&user,
- buf, NSS_BUFLEN_USERATTR, &err)) != NULL) {
+ buf, NSS_BUFLEN_USERATTR, &err)) != NULL) {
if ((new =
userprof((const char *)(utmp->name),
type, id, search_flag)) != NULL) {
@@ -171,7 +171,7 @@ getexecuser(const char *username, const char *type, const char *id,
}
break;
default:
- head = (execattr_t *)NULL;
+ head = NULL;
break;
}
enduserattr();
@@ -187,7 +187,7 @@ execattr_t *
match_execattr(execattr_t *exec, const char *profname, const char *type,
const char *id)
{
- execattr_t *execp = (execattr_t *)NULL;
+ execattr_t *execp = NULL;
for (execp = exec; execp != NULL; execp = execp->next) {
if ((profname && execp->name &&
@@ -218,7 +218,7 @@ endexecattr()
void
free_execattr(execattr_t *exec)
{
- if (exec != (execattr_t *)NULL) {
+ if (exec != NULL) {
free(exec->name);
free(exec->type);
free(exec->policy);
@@ -240,16 +240,16 @@ userprof(const char *username, const char *type, const char *id,
int err = 0;
char *last;
char *sep = ",";
- char *proflist = (char *)NULL;
- char *profname = (char *)NULL;
+ char *proflist = NULL;
+ char *profname = NULL;
char buf[NSS_BUFLEN_USERATTR];
char pwdb[NSS_BUFLEN_PASSWD];
kva_t *user_attr;
userstr_t user;
userstr_t *utmp;
execattr_t *exec;
- execattr_t *head = (execattr_t *)NULL;
- execattr_t *prev = (execattr_t *)NULL;
+ execattr_t *head = NULL;
+ execattr_t *prev = NULL;
struct passwd pwd;
char *profArray[MAXPROFS];
@@ -265,7 +265,6 @@ userprof(const char *username, const char *type, const char *id,
utmp = _getusernam(username, &user, buf, NSS_BUFLEN_USERATTR, &err);
if (utmp != NULL) {
- proflist = NULL;
user_attr = _str2kva(user.attr, KV_ASSIGN, KV_DELIMITER);
if ((proflist = kva_match(user_attr, "profiles")) != NULL) {
/* Get the list of profiles for this user */
@@ -278,16 +277,15 @@ userprof(const char *username, const char *type, const char *id,
}
/* Get the list of default profiles */
- if (defopen(AUTH_POLICY) == NULL) {
- proflist = defread(DEF_PROF);
- (void) defopen(NULL);
- }
+ proflist = NULL;
+ (void) _get_user_defs(username, NULL, &proflist);
if (proflist != NULL) {
for (profname = _strtok_escape(proflist, sep, &last);
profname != NULL;
profname = _strtok_escape(NULL, sep, &last)) {
getproflist(profname, profArray, &profcnt);
}
+ _free_user_defs(NULL, proflist);
}
if (profcnt == 0) {
@@ -321,8 +319,8 @@ userprof(const char *username, const char *type, const char *id,
static execattr_t *
get_tail(execattr_t *exec)
{
- execattr_t *i_exec = (execattr_t *)NULL;
- execattr_t *j_exec = (execattr_t *)NULL;
+ execattr_t *i_exec = NULL;
+ execattr_t *j_exec = NULL;
if (exec != NULL) {
if (exec->next == NULL) {
@@ -345,10 +343,10 @@ execstr2attr(execstr_t *es)
execattr_t *newexec;
if (es == NULL) {
- return ((execattr_t *)NULL);
+ return (NULL);
}
- if ((newexec = (execattr_t *)malloc(sizeof (execattr_t))) == NULL) {
- return ((execattr_t *)NULL);
+ if ((newexec = malloc(sizeof (execattr_t))) == NULL) {
+ return (NULL);
}
newexec->name = _do_unescape(es->name);
@@ -361,7 +359,7 @@ execstr2attr(execstr_t *es)
if (es->next) {
newexec->next = execstr2attr((execstr_t *)(es->next));
} else {
- newexec->next = (execattr_t *)NULL;
+ newexec->next = NULL;
}
return (newexec);
}
diff --git a/usr/src/lib/libsecdb/common/mapfile-vers b/usr/src/lib/libsecdb/common/mapfile-vers
index a6490cb988..8c401df535 100644
--- a/usr/src/lib/libsecdb/common/mapfile-vers
+++ b/usr/src/lib/libsecdb/common/mapfile-vers
@@ -19,7 +19,7 @@
# CDDL HEADER END
#
#
-# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2008 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "%Z%%M% %I% %E% SMI"
@@ -64,8 +64,8 @@ SUNWprivate_1.1 {
_csl_to_argv;
_do_unescape;
_free_argv;
- _free_auth_policy;
- _get_auth_policy;
+ _free_user_defs;
+ _get_user_defs;
_insert2kva;
_kva2str;
_kva_dup;
diff --git a/usr/src/lib/libsecdb/help/profiles/Makefile b/usr/src/lib/libsecdb/help/profiles/Makefile
index 4a3c6e309f..41beab05fe 100644
--- a/usr/src/lib/libsecdb/help/profiles/Makefile
+++ b/usr/src/lib/libsecdb/help/profiles/Makefile
@@ -33,6 +33,7 @@ HTMLENTS = \
RtAuditCtrl.html \
RtAuditReview.html \
RtContractObserver.html \
+ RtConsUser.html \
RtCronMngmnt.html \
RtCryptoMngmnt.html \
RtLogMngmnt.html \
diff --git a/usr/src/lib/libsecdb/help/profiles/RtConsUser.html b/usr/src/lib/libsecdb/help/profiles/RtConsUser.html
new file mode 100644
index 0000000000..7e7b956193
--- /dev/null
+++ b/usr/src/lib/libsecdb/help/profiles/RtConsUser.html
@@ -0,0 +1,44 @@
+<HTML>
+<!--
+ CDDL HEADER START
+
+ The contents of this file are subject to the terms of the
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
+
+ You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ or http://www.opensolaris.org/os/licensing.
+ See the License for the specific language governing permissions
+ and limitations under the License.
+
+ When distributing Covered Code, include this CDDL HEADER in each
+ file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ If applicable, add the following below this CDDL HEADER, with the
+ fields enclosed by brackets "[]" replaced with your own identifying
+ information: Portions Copyright [yyyy] [name of copyright owner]
+
+ CDDL HEADER END
+
+-- Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+-- Use is subject to license terms.
+-->
+<HEAD>
+ <TITLE> </TITLE>
+
+
+</HEAD>
+<BODY>
+<!-- ident "%Z%%M% %I% %E% SMI" -->
+
+
+When Console User is in the Rights Included column, it grants the right
+for a user or role to do operations often associated with ownership of a
+Solaris workstation or laptop.
+<p>
+These Rights are typically granted automatically through policy.conf(4)
+to the user logged in on the workstation console. It can be, but is
+generally not directly assigned to a user or role.
+<p>
+If All is grayed, then you are not entitled to Add or Remove this right.
+</BODY>
+</HTML>
diff --git a/usr/src/lib/libsecdb/policy.conf b/usr/src/lib/libsecdb/policy.conf
index e148f4d2b0..bb5dc487f8 100644
--- a/usr/src/lib/libsecdb/policy.conf
+++ b/usr/src/lib/libsecdb/policy.conf
@@ -2,9 +2,8 @@
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
-# Common Development and Distribution License, Version 1.0 only
-# (the "License"). You may not use this file except in compliance
-# with the License.
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
@@ -20,7 +19,7 @@
# CDDL HEADER END
#
#
-# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2008 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# /etc/security/policy.conf
@@ -31,6 +30,7 @@
#
AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris User
+CONSOLE_USER=Console User
# crypt(3c) Algorithms Configuration
#
diff --git a/usr/src/lib/libsecdb/prof_attr.txt b/usr/src/lib/libsecdb/prof_attr.txt
index 0f379911ef..a5ec1a5680 100644
--- a/usr/src/lib/libsecdb/prof_attr.txt
+++ b/usr/src/lib/libsecdb/prof_attr.txt
@@ -34,6 +34,7 @@
All:::Execute any command as the user or role:help=RtAll.html
Audit Control:::Configure BSM auditing:auths=solaris.audit.config,solaris.jobs.admin;help=RtAuditCtrl.html
Audit Review:::Review BSM auditing logs:auths=solaris.audit.read;help=RtAuditReview.html
+Console User:::Manage System as the Console User:help=RtConsUser.html
Contract Observer:::Reliably observe any/all contract events:help=RtContractObserver.html
Device Management:::Control Access to Removable Media:auths=solaris.device.*;help=RtDeviceMngmnt.html
Printer Management:::Manage printers, daemons, spooling:auths=solaris.print.*,solaris.label.print,solaris.smf.manage.discovery.printers.*,solaris.smf.value.discovery.printers.*;help=RtPrntAdmin.html
diff --git a/usr/src/pkgdefs/SUNW0on/prototype_com b/usr/src/pkgdefs/SUNW0on/prototype_com
index 0b72ba0e34..f6f01a4208 100644
--- a/usr/src/pkgdefs/SUNW0on/prototype_com
+++ b/usr/src/pkgdefs/SUNW0on/prototype_com
@@ -316,6 +316,7 @@ f none usr/lib/help/profiles/locale/RtAuditCtrl.html 444 root bin
f none usr/lib/help/profiles/locale/RtAuditReview.html 444 root bin
f none usr/lib/help/profiles/locale/RtDeviceMngmnt.html 444 root bin
f none usr/lib/help/profiles/locale/RtPrntAdmin.html 444 root bin
+f none usr/lib/help/profiles/locale/RtConsUser.html 444 root bin
f none usr/lib/help/profiles/locale/RtContractObserver.html 444 root bin
f none usr/lib/help/profiles/locale/RtCronMngmnt.html 444 root bin
f none usr/lib/help/profiles/locale/RtCryptoMngmnt.html 444 root bin
diff --git a/usr/src/pkgdefs/SUNWcsu/prototype_com b/usr/src/pkgdefs/SUNWcsu/prototype_com
index d88e1c7aa3..225ceaa91e 100644
--- a/usr/src/pkgdefs/SUNWcsu/prototype_com
+++ b/usr/src/pkgdefs/SUNWcsu/prototype_com
@@ -528,6 +528,7 @@ d none usr/lib/help/profiles/locale/C 755 root bin
f none usr/lib/help/profiles/locale/C/RtAll.html 444 root bin
f none usr/lib/help/profiles/locale/C/RtAuditCtrl.html 444 root bin
f none usr/lib/help/profiles/locale/C/RtAuditReview.html 444 root bin
+f none usr/lib/help/profiles/locale/C/RtConsUser.html 444 root bin
f none usr/lib/help/profiles/locale/C/RtContractObserver.html 444 root bin
f none usr/lib/help/profiles/locale/C/RtCronMngmnt.html 444 root bin
f none usr/lib/help/profiles/locale/C/RtCryptoMngmnt.html 444 root bin
diff --git a/usr/src/pkgdefs/common_files/i.policyconf b/usr/src/pkgdefs/common_files/i.policyconf
index d884de48d7..b61c3caa68 100644
--- a/usr/src/pkgdefs/common_files/i.policyconf
+++ b/usr/src/pkgdefs/common_files/i.policyconf
@@ -3,9 +3,8 @@
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
-# Common Development and Distribution License, Version 1.0 only
-# (the "License"). You may not use this file except in compliance
-# with the License.
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
@@ -23,7 +22,7 @@
#
#ident "%Z%%M% %I% %E% SMI"
#
-# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2008 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
@@ -43,6 +42,7 @@ do
#
ag="AUTHS_GRANTED=solaris.device.cdrw"
pg="PROFS_GRANTED=Basic Solaris User"
+ wo="CONSOLE_USER=Console User"
sed -n -e '/^[^#]/q;p' < $src > $dest.$$
sed -n \
-e "s/^#AUTHS_GRANTED=$/$ag/" \
@@ -51,13 +51,24 @@ do
-e "s/ *$//" \
-e '/^[^#]/,$p' < $dest >> $dest.$$
- if grep 'PROFS_GRANTED=' $dest > /dev/null 2>&1
+ grep 'PROFS_GRANTED=' $dest > /dev/null 2>&1
+ if [ $? != 0 ] ; then
+ sed < $dest.$$ > $dest -e "/^AUTHS_GRANTED=/a\\
+$pg"
+ cat $dest > $dest.$$
+ fi
+
+ if grep 'CONSOLE_USER=' $dest > /dev/null 2>&1
then
cat $dest.$$ > $dest
else
- sed < $dest.$$ > $dest -e "/^AUTHS_GRANTED=/a\\
-$pg"
+ sed < $dest.$$ > $dest -e "/^PROFS_GRANTED=/a\\
+$wo"
+ echo "${dest} updating entries for CONSOLE_USER," \
+ "see policy.conf(4) for details." \
+ >> ${CLEANUP_FILE}
fi
+
rm -f $dest.$$
grep 'CRYPT_' $dest > /dev/null 2>&1
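Review bot: The CONSOLE_USER append, `sed ... -e "/^PROFS_GRANTED=/a\\`, only fires on an uncommented PROFS_GRANTED line, while the guard before it, `grep 'PROFS_GRANTED=' $dest`, is unanchored and is also satisfied by a commented-out `#PROFS_GRANTED=` entry. On such a file no PROFS_GRANTED line is added, the append finds nothing to attach to, and the script still writes "updating entries for CONSOLE_USER" to ${CLEANUP_FILE}. I would emit that message only after confirming the result, e.g. `grep '^CONSOLE_USER=' $dest > /dev/null 2>&1 && echo ... >> ${CLEANUP_FILE}`, so the upgrade log does not claim a policy change that did not happen. The enclosing loop starts above the hunk.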