Diffstat (limited to 'usr/src')
-rw-r--r-- | usr/src/cmd/auths/auths.c | 53 | ||||
-rw-r--r-- | usr/src/cmd/pfexec/pfexec.c | 19 | ||||
-rw-r--r-- | usr/src/cmd/profiles/profiles.c | 26 | ||||
-rw-r--r-- | usr/src/cmd/svc/configd/rc_node.c | 64 | ||||
-rw-r--r-- | usr/src/head/prof_attr.h | 8 | ||||
-rw-r--r-- | usr/src/head/secdb.h | 10 | ||||
-rw-r--r-- | usr/src/lib/libsecdb/common/chkauthattr.c | 156 | ||||
-rw-r--r-- | usr/src/lib/libsecdb/common/getexecattr.c | 54 | ||||
-rw-r--r-- | usr/src/lib/libsecdb/common/mapfile-vers | 6 | ||||
-rw-r--r-- | usr/src/lib/libsecdb/help/profiles/Makefile | 1 | ||||
-rw-r--r-- | usr/src/lib/libsecdb/help/profiles/RtConsUser.html | 44 | ||||
-rw-r--r-- | usr/src/lib/libsecdb/policy.conf | 8 | ||||
-rw-r--r-- | usr/src/lib/libsecdb/prof_attr.txt | 1 | ||||
-rw-r--r-- | usr/src/pkgdefs/SUNW0on/prototype_com | 1 | ||||
-rw-r--r-- | usr/src/pkgdefs/SUNWcsu/prototype_com | 1 | ||||
-rw-r--r-- | usr/src/pkgdefs/common_files/i.policyconf | 25 |
16 files changed, 301 insertions, 176 deletions
diff --git a/usr/src/cmd/auths/auths.c b/usr/src/cmd/auths/auths.c index ce48619fd9..930cec08ca 100644 --- a/usr/src/cmd/auths/auths.c +++ b/usr/src/cmd/auths/auths.c @@ -19,7 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2006 Sun Microsystems, Inc. All rights reserved. + * Copyright 2008 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -56,10 +56,10 @@ static int show_auths(char *, char **, int, int); static int list_auths(userattr_t *, char **, int *); -static char *get_default_auths(char **, int *); +static void get_default_auths(char *, char **, int *); static void getProfiles(char *, char **, int *, char **, int *); static void add_auths(char *, char **, int *); - +static void free_auths(char **, int *); static char *progname = "auths"; @@ -70,35 +70,34 @@ main(int argc, char *argv[]) int status = EXIT_OK; char *defauths[MAXAUTHS]; int defauth_cnt = 0; - int i; (void) setlocale(LC_ALL, ""); (void) textdomain(TEXT_DOMAIN); - (void) get_default_auths(defauths, &defauth_cnt); - switch (argc) { case 1: + get_default_auths(NULL, defauths, &defauth_cnt); status = show_auths(NULL, defauths, defauth_cnt, 0); break; case 2: + get_default_auths(argv[argc-1], defauths, &defauth_cnt); status = show_auths(argv[argc-1], defauths, defauth_cnt, 0); break; default: while (*++argv) { + get_default_auths(*argv, defauths, &defauth_cnt); status = show_auths(*argv, defauths, defauth_cnt, 1); if (status == EXIT_FATAL) { break; } + /* free memory allocated for default authorizations */ + free_auths(defauths, &defauth_cnt); } break; } /* free memory allocated for default authorizations */ - for (i = 0; i < defauth_cnt; i++) { - free(defauths[i]); - } - + free_auths(defauths, &defauth_cnt); status = (status == EXIT_OK) ? status : EXIT_FATAL; return (status); 
@@ -198,9 +197,7 @@ show_auths(char *username, char **defauths, int defauth_cnt, int print_name) } /* free memory allocated for authorizations */ - for (i = 0; i < userauth_cnt; i++) { - free(userauths[i]); - } + free_auths(userauths, &userauth_cnt); return (status); } @@ -237,30 +234,35 @@ list_auths(userattr_t *user, char **authArray, int *authcnt) } -static char * -get_default_auths(char **authArray, int *authcnt) +static void +get_default_auths(char *user, char **authArray, int *authcnt) { char *auths = NULL; char *profs = NULL; char *profArray[MAXPROFS]; int profcnt = 0; - if (defopen(AUTH_POLICY) == NULL) { - auths = defread(DEF_AUTH); + if (user == NULL) { + struct passwd *pw; + + if ((pw = getpwuid(getuid())) != NULL) { + user = pw->pw_name; + } + } + + if (_get_user_defs(user, &auths, &profs) == 0) { if (auths != NULL) { add_auths(auths, authArray, authcnt); } /* get authorizations from default profiles */ - profs = defread(DEF_PROF); if (profs != NULL) { getProfiles(profs, profArray, &profcnt, authArray, authcnt); free_proflist(profArray, profcnt); } + _free_user_defs(auths, profs); } - - return (auths); } void @@ -297,6 +299,17 @@ add_auths(char *auths, char **authArray, int *authcnt) } static void +free_auths(char *auths[], int *auth_cnt) +{ + int i; + + for (i = 0; i < *auth_cnt; i++) { + free(auths[i]); + } + *auth_cnt = 0; +} + +static void getProfiles(char *profiles, char **profArray, int *profcnt, char **authArray, int *authcnt) { diff --git a/usr/src/cmd/pfexec/pfexec.c b/usr/src/cmd/pfexec/pfexec.c index 84b36c0b6a..7d8eba49d1 100644 --- a/usr/src/cmd/pfexec/pfexec.c +++ b/usr/src/cmd/pfexec/pfexec.c @@ -19,7 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2007 Sun Microsystems, Inc. All rights reserved. + * Copyright 2008 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
@@ -60,7 +60,7 @@ static uid_t get_uid(char *); static gid_t get_gid(char *); static priv_set_t *get_privset(const char *); static priv_set_t *get_granted_privs(uid_t); -static void get_default_privs(priv_set_t *); +static void get_default_privs(const char *, priv_set_t *); static void get_profile_privs(char *, char **, int *, priv_set_t *); static int isnumber(char *); @@ -145,8 +145,8 @@ main(int argc, char *argv[]) } if (setppriv(PRIV_ON, PRIV_INHERITABLE, wanted) != 0) { (void) fprintf(stderr, - gettext("setppriv(): %s\n"), - strerror(errno)); + gettext("setppriv(): %s\n"), + strerror(errno)); exit(EXIT_FAILURE); } /* Trick exec into thinking we're not suid */ @@ -305,7 +305,7 @@ set_attrs: if (lset != NULL && setppriv(PRIV_SET, PRIV_LIMIT, lset) != 0 || iset != NULL && setppriv(PRIV_ON, PRIV_INHERITABLE, iset) != 0) { (void) fprintf(stderr, gettext("%s: can't set privileges\n"), - cmd_realpath); + cmd_realpath); return (0); } if (setreuid(uid, euid) == -1) { @@ -452,7 +452,7 @@ get_granted_privs(uid_t uid) free_proflist(profArray, profcnt); } - get_default_privs(res); + get_default_privs(pwent->pw_name, res); if (ua != NULL) free_userattr(ua); @@ -461,21 +461,20 @@ get_granted_privs(uid_t uid) } static void -get_default_privs(priv_set_t *pset) +get_default_privs(const char *user, priv_set_t *pset) { char *profs = NULL; char *profArray[MAXPROFS]; int profcnt = 0; - if (defopen(AUTH_POLICY) == 0) { + if (_get_user_defs(user, NULL, &profs) == 0) { /* get privileges from default profiles */ - profs = defread(DEF_PROF); if (profs != NULL) { get_profile_privs(profs, profArray, &profcnt, pset); free_proflist(profArray, profcnt); + _free_user_defs(NULL, profs); } } - (void) defopen(NULL); } static void diff --git a/usr/src/cmd/profiles/profiles.c b/usr/src/cmd/profiles/profiles.c index 8086494fb8..087a6aa855 100644 --- a/usr/src/cmd/profiles/profiles.c +++ b/usr/src/cmd/profiles/profiles.c 
@@ -19,7 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2006 Sun Microsystems, Inc. All rights reserved. + * Copyright 2008 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -64,7 +64,7 @@ static void print_profs_long(char *, void *, int); static void print_profs(char *, char **, int, int); static void format_attr(int *, int, char *); static void getProfiles(char *, char **, int *); -static void getDefaultProfiles(char **, int *); +static void getDefaultProfiles(char *, char **, int *); static char *progname = "profiles"; @@ -93,10 +93,10 @@ main(int argc, char *argv[]) argv += optind; if (*argv == NULL) { - status = show_profs((char *)NULL, print_flag); + status = show_profs(NULL, print_flag); } else { do { - status = show_profs(*argv, print_flag); + status = show_profs((char *)*argv, print_flag); if (status == EXIT_FATAL) { break; } @@ -136,7 +136,7 @@ show_profs(char *username, int print_flag) if ((user = getusernam(username)) != NULL) { status = list_profs(user, print_flag); } else { - getDefaultProfiles(profArray, &profcnt); + getDefaultProfiles(username, profArray, &profcnt); if (profcnt == 0) { status = EXIT_NON_FATAL; } else { @@ -183,7 +183,7 @@ list_profs(userattr_t *user, int print_flag) getProfiles(proflist, profArray, &profcnt); } /* Also get any default profiles */ - getDefaultProfiles(profArray, &profcnt); + getDefaultProfiles(user->name, profArray, &profcnt); if (profcnt == 0) { status = EXIT_NON_FATAL; } 
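Review bot: The new `status = show_profs((char *)*argv, print_flag);` in main adds a cast that does nothing — `argv` is `char *[]`, so `*argv` already has the parameter's type — while the same hunk removes the equally redundant `(char *)NULL` cast on the line above; the line should simply read `status = show_profs(*argv, print_flag);`. In show_profs, `getDefaultProfiles(username, ...)` is reached when `getusernam(username)` fails, which includes the no-argument case where main passes NULL; `_get_user_defs` then never looks at the console owner, so the invoking user's CONSOLE_USER profiles will not be listed unless show_profs resolves NULL to the current user before this point (the function starts outside the hunk, so I cannot tell). auths.c in this same change resolves NULL via `getpwuid(getuid())`; doing the same here would keep the two commands consistent.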
@@ -324,16 +324,14 @@ print_profs(char *user, char **profnames, int print_flag, int profcnt) * Get the list of default profiles from /etc/security/policy.conf */ static void -getDefaultProfiles(char **profArray, int *profcnt) +getDefaultProfiles(char *user, char **profArray, int *profcnt) { char *profs = NULL; - if (defopen(AUTH_POLICY) == NULL) { - profs = defread(DEF_PROF); - } - - if (profs != NULL) { - getProfiles(profs, profArray, profcnt); + if (_get_user_defs(user, NULL, &profs) == 0) { + if (profs != NULL) { + getProfiles(profs, profArray, profcnt); + _free_user_defs(NULL, profs); + } } - } diff --git a/usr/src/cmd/svc/configd/rc_node.c b/usr/src/cmd/svc/configd/rc_node.c index 8182c709b6..c7b77349ea 100644 --- a/usr/src/cmd/svc/configd/rc_node.c +++ b/usr/src/cmd/svc/configd/rc_node.c @@ -351,6 +351,7 @@ #include <libscf_priv.h> #include <prof_attr.h> #include <pthread.h> +#include <pwd.h> #include <stdio.h> #include <stdlib.h> #include <strings.h> @@ -491,8 +492,6 @@ static pthread_mutex_t rc_pg_notify_lock = PTHREAD_MUTEX_INITIALIZER; static pthread_cond_t rc_pg_notify_cv = PTHREAD_COND_INITIALIZER; static uint_t rc_notify_in_use; /* blocks removals */ -static pthread_mutex_t perm_lock = PTHREAD_MUTEX_INITIALIZER; - /* * Some combinations of property group/property name require a special * audit event to be generated when there is a change. 
@@ -1515,38 +1514,11 @@ perm_granted(permcheck_t *pcp) uid_t uid; userattr_t *uap; char *authlist, *userattr_authlist, *proflist, *def_prof = NULL; - - /* - * Get generic authorizations from policy.conf - * - * Note that _get_auth_policy is not threadsafe, so we single-thread - * access to it. - */ - (void) pthread_mutex_lock(&perm_lock); - ret = _get_auth_policy(&authlist, &def_prof); - (void) pthread_mutex_unlock(&perm_lock); - - if (ret != 0) - return (-1); - - if (authlist != NULL) { - ret = check_auth_list(pcp, authlist); - - if (ret) { - _free_auth_policy(authlist, def_prof); - return (ret); - } - } - - /* - * Put off checking def_prof for later in an attempt to consolidate - * prof_attr accesses. - */ + struct passwd pw; + char pwbuf[1024]; /* XXX should be NSS_BUFLEN_PASSWD */ /* Get the uid */ if ((uc = get_ucred()) == NULL) { - _free_auth_policy(authlist, def_prof); - if (errno == EINVAL) { /* * Client is no longer waiting for our response (e.g., @@ -1569,7 +1541,33 @@ perm_granted(permcheck_t *pcp) uid = ucred_geteuid(uc); assert(uid != (uid_t)-1); - uap = getuseruid(uid); + if (getpwuid_r(uid, &pw, pwbuf, sizeof (pwbuf)) == NULL) { + return (-1); + } + + /* + * Get user's default authorizations from policy.conf + */ + ret = _get_user_defs(pw.pw_name, &authlist, &def_prof); + + if (ret != 0) + return (-1); + + if (authlist != NULL) { + ret = check_auth_list(pcp, authlist); + + if (ret) { + _free_user_defs(authlist, def_prof); + return (ret); + } + } + + /* + * Put off checking def_prof for later in an attempt to consolidate + * prof_attr accesses. + */ + + uap = getusernam(pw.pw_name); if (uap != NULL) { /* Get the authorizations from user_attr. */ userattr_authlist = kva_match(uap->attr, USERATTR_AUTHS_KW); @@ -1589,7 +1587,7 @@ perm_granted(permcheck_t *pcp) ret = check_prof_list(pcp, proflist); } - _free_auth_policy(authlist, def_prof); + _free_user_defs(authlist, def_prof); if (uap != NULL) free_userattr(uap); 
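Review bot: `char pwbuf[1024]; /* XXX should be NSS_BUFLEN_PASSWD */` leaves a known-wrong constant in the daemon's permission check; chkauthattr.c in this same change already takes the constant from `<nss_dbdefs.h>`, so the fix is `#include <nss_dbdefs.h>` plus `char pwbuf[NSS_BUFLEN_PASSWD];`. The hunk also drops `perm_lock` and the note that the policy.conf reader is not thread-safe, yet `_get_user_defs` still goes through defopen()/defread() from a configd that is visibly multi-threaded (pthread mutexes in the same file); if that note was accurate for this libc, the lock should stay, otherwise the reason it is now safe belongs in a comment where the lock used to be. Note too that a getpwuid_r() failure now returns -1 before the policy.conf AUTHS_GRANTED check runs, where the old code consulted policy.conf first and only skipped user_attr — fail-closed, which is the right direction, but worth a comment such as `/* no passwd entry: deny rather than grant policy.conf defaults */`. perm_granted continues past the end of the hunk.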
diff --git a/usr/src/head/prof_attr.h b/usr/src/head/prof_attr.h index 2acac51cc7..42ff2d8534 100644 --- a/usr/src/head/prof_attr.h +++ b/usr/src/head/prof_attr.h @@ -2,9 +2,8 @@ * CDDL HEADER START * * The contents of this file are subject to the terms of the - * Common Development and Distribution License, Version 1.0 only - * (the "License"). You may not use this file except in compliance - * with the License. + * Common Development and Distribution License (the "License"). + * You may not use this file except in compliance with the License. * * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE * or http://www.opensolaris.org/os/licensing. @@ -20,7 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 1999,2002-2003 Sun Microsystems, Inc. All rights reserved. + * Copyright 2008 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -52,6 +51,7 @@ extern "C" { #define PROFATTR_COL4_KW "attr" #define DEF_PROF "PROFS_GRANTED=" +#define DEF_CONSUSER "CONSOLE_USER=" #define MAXPROFS 4096 diff --git a/usr/src/head/secdb.h b/usr/src/head/secdb.h index 716faacb2c..fad64204e2 100644 --- a/usr/src/head/secdb.h +++ b/usr/src/head/secdb.h @@ -19,7 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2006 Sun Microsystems, Inc. All rights reserved. + * Copyright 2008 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
@@ -82,14 +82,14 @@ extern char *_argv_to_csl(char **strings); extern char **_csl_to_argv(char *csl); extern char *_do_unescape(char *src); extern void _free_argv(char **p_argv); -extern int _get_auth_policy(char **, char **); -extern void _free_auth_policy(char *, char *); extern int _insert2kva(kva_t *, char *, char *); extern int _kva2str(kva_t *, char *, int, char *, char *); extern kva_t *_kva_dup(kva_t *); extern void _kva_free(kva_t *); extern kva_t *_new_kva(int size); extern kva_t *_str2kva(char *, char *, char *); +extern int _get_user_defs(const char *, char **, char **); +extern void _free_user_defs(char *, char *); #else /* not __STDC__ */ @@ -100,14 +100,14 @@ extern char *_argv_to_csl(); extern char **_csl_to_argv(); extern char *_do_unescape(); extern void _free_argv(); -extern int _get_auth_policy(); -extern void _free_auth_policy(); extern int _insert2kva(); extern int _kva2str(); extern kva_t *_kva_dup(); extern void _kva_free(kva_t *); extern kva_t *_new_kva(); extern int _str2kva(); +extern int _get_user_defs(); +extern void _free_user_defs(); #endif /* __STDC__ */ #ifdef __cplusplus diff --git a/usr/src/lib/libsecdb/common/chkauthattr.c b/usr/src/lib/libsecdb/common/chkauthattr.c index 6e41e99723..04b1fe8846 100644 --- a/usr/src/lib/libsecdb/common/chkauthattr.c +++ b/usr/src/lib/libsecdb/common/chkauthattr.c @@ -19,7 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2007 Sun Microsystems, Inc. All rights reserved. + * Copyright 2008 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -33,6 +33,8 @@ #include <fcntl.h> #include <sys/mman.h> #include <limits.h> +#include <pwd.h> +#include <nss_dbdefs.h> #include <deflt.h> #include <auth_attr.h> #include <prof_attr.h> 
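Review bot: The new `_get_user_defs`/`_free_user_defs` declarations carry no contract, and callers in this change rely on details the old `_get_auth_policy` did not have: either output pointer may be NULL to skip that lookup (pfexec.c, profiles.c and getexecattr.c pass NULL for def_auth), the user name may be NULL, and `_free_user_defs(NULL, profs)` must be accepted. A comment above the declarations would pin this, e.g. `/* Read AUTHS_GRANTED and PROFS_GRANTED from policy.conf for user; if user's uid owns /dev/console the CONSOLE_USER profiles are prepended. Either output pointer may be NULL. Returns 0 and strings to release with _free_user_defs(), or -1. */`. The two new entries are also appended after `_str2kva` although the rest of the list is kept in alphabetical order; placing them after `_free_argv` (where the removed pair was) keeps that order.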
@@ -40,10 +42,8 @@ static int _is_authorized(const char *, char *); -static int _chk_policy_auth(const char *, char **, int *); +static int _chk_policy_auth(const char *, const char *, char **, int *); static int _chkprof_for_auth(const char *, const char *, char **, int *); - - int chkauthattr(const char *authname, const char *username) { @@ -59,7 +59,8 @@ chkauthattr(const char *authname, const char *username) return (0); /* Check against AUTHS_GRANTED and PROFS_GRANTED in policy.conf */ - auth_granted = _chk_policy_auth(authname, chkedprof, &chkedprof_cnt); + auth_granted = _chk_policy_auth(authname, username, chkedprof, + &chkedprof_cnt); if (auth_granted) goto exit; @@ -203,45 +204,6 @@ _is_authorized(const char *authname, char *auths) } -int -_get_auth_policy(char **def_auth, char **def_prof) -{ - char *cp; - - if (defopen(AUTH_POLICY) != 0) - return (-1); - - cp = defread(DEF_AUTH); - if (cp != NULL) { - *def_auth = strdup(cp); - if (*def_auth == NULL) - return (-1); - } else { - *def_auth = NULL; - } - - cp = defread(DEF_PROF); - if (cp != NULL) { - *def_prof = strdup(cp); - if (*def_prof == NULL) { - free(*def_auth); - return (-1); - } - } else { - *def_prof = NULL; - } - - (void) defopen(NULL); - return (0); -} - -void -_free_auth_policy(char *def_auth, char *def_prof) -{ - free(def_auth); - free(def_prof); -} - /* * read /etc/security/policy.conf for AUTHS_GRANTED. * return 1 if found matching authname. @@ -249,12 +211,14 @@ _free_auth_policy(char *def_auth, char *def_prof) * default profiles. */ static int -_chk_policy_auth(const char *authname, char **chkedprof, int *chkedprof_cnt) +_chk_policy_auth(const char *authname, const char *username, char **chkedprof, + int *chkedprof_cnt) { - char *auths, *profs; + char *auths = NULL; + char *profs = NULL; int ret = 1; - if (_get_auth_policy(&auths, &profs) != 0) + if (_get_user_defs(username, &auths, &profs) != 0) return (0); if (auths != NULL) { 
@@ -270,6 +234,102 @@ _chk_policy_auth(const char *authname, char **chkedprof, int *chkedprof_cnt) ret = 0; exit: - _free_auth_policy(auths, profs); + _free_user_defs(auths, profs); return (ret); } + +#define CONSOLE "/dev/console" + +static int +is_cons_user(const char *user) +{ + struct stat cons; + struct passwd pw; + char pwbuf[NSS_BUFLEN_PASSWD]; + + if (user == NULL) { + return (0); + } + if (stat(CONSOLE, &cons) == -1) { + return (0); + } + if (getpwnam_r(user, &pw, pwbuf, sizeof (pwbuf)) == NULL) { + return (0); + } + + return (pw.pw_uid == cons.st_uid); +} + + +int +_get_user_defs(const char *user, char **def_auth, char **def_prof) +{ + char *cp; + char *profs; + + if (defopen(AUTH_POLICY) != 0) { + if (def_auth != NULL) { + *def_auth = NULL; + } + if (def_prof != NULL) { + *def_prof = NULL; + } + return (-1); + } + + if (def_auth != NULL) { + if ((cp = defread(DEF_AUTH)) != NULL) { + if ((*def_auth = strdup(cp)) == NULL) { + (void) defopen(NULL); + return (-1); + } + } else { + *def_auth = NULL; + } + } + if (def_prof != NULL) { + if (is_cons_user(user) && + (cp = defread(DEF_CONSUSER)) != NULL) { + if ((*def_prof = strdup(cp)) == NULL) { + (void) defopen(NULL); + return (-1); + } + } + if ((cp = defread(DEF_PROF)) != NULL) { + int prof_len; + + if (*def_prof == NULL) { + if ((*def_prof = strdup(cp)) == NULL) { + (void) defopen(NULL); + return (-1); + } + (void) defopen(NULL); + return (0); + } + + /* concatenate def profs with "," separator */ + prof_len = strlen(*def_prof) + strlen(cp) + 2; + if ((profs = malloc(prof_len)) == NULL) { + free(*def_prof); + *def_prof = NULL; + (void) defopen(NULL); + return (-1); + } + (void) snprintf(profs, prof_len, "%s,%s", *def_prof, + cp); + free(*def_prof); + *def_prof = profs; + } + } + + (void) defopen(NULL); + return (0); +} + + +void +_free_user_defs(char *def_auth, char *def_prof) +{ + free(def_auth); + free(def_prof); +} 
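Review bot: `_get_user_defs` reads `*def_prof` before it has written it — the `if (*def_prof == NULL)` test after `defread(DEF_PROF)` is only correct because every caller in this change happens to pre-initialise the variable to NULL, whereas the old `_get_auth_policy` assigned both outputs itself; an uninitialised caller variable with no CONSOLE_USER match would be passed to strlen() and free(). The failure paths also leak: once `*def_auth` has been strdup'd, a later strdup/malloc failure returns -1 with `*def_auth` still allocated, and callers such as `_chk_policy_auth` and perm_granted do not free on -1 (the old function did `free(*def_auth)` in exactly that case). Both are fixed by setting the outputs to NULL up front and routing every failure through one cleanup label that releases partial results, as below. A one-line comment on is_cons_user saying that the extra profiles go to whichever uid owns /dev/console at the time of the call would also help, since that comparison is the whole access decision.
```c
int
_get_user_defs(const char *user, char **def_auth, char **def_prof)
{
	char *cp;
	char *profs;

	/* Outputs are always defined, even on failure (callers may skip them) */
	if (def_auth != NULL)
		*def_auth = NULL;
	if (def_prof != NULL)
		*def_prof = NULL;

	if (defopen(AUTH_POLICY) != 0)
		return (-1);

	if (def_auth != NULL && (cp = defread(DEF_AUTH)) != NULL) {
		if ((*def_auth = strdup(cp)) == NULL)
			goto fail;
	}
	if (def_prof != NULL) {
		if (is_cons_user(user) &&
		    (cp = defread(DEF_CONSUSER)) != NULL) {
			if ((*def_prof = strdup(cp)) == NULL)
				goto fail;
		}
		if ((cp = defread(DEF_PROF)) != NULL) {
			if (*def_prof == NULL) {
				if ((*def_prof = strdup(cp)) == NULL)
					goto fail;
			} else {
				/* concatenate def profs with "," separator */
				int prof_len = strlen(*def_prof) + strlen(cp) + 2;

				if ((profs = malloc(prof_len)) == NULL)
					goto fail;
				(void) snprintf(profs, prof_len, "%s,%s",
				    *def_prof, cp);
				free(*def_prof);
				*def_prof = profs;
			}
		}
	}
	(void) defopen(NULL);
	return (0);

fail:
	/* -1 means "nothing to free" for the caller: drop partial results */
	if (def_auth != NULL) {
		free(*def_auth);
		*def_auth = NULL;
	}
	if (def_prof != NULL) {
		free(*def_prof);
		*def_prof = NULL;
	}
	(void) defopen(NULL);
	return (-1);
}
```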
diff --git a/usr/src/lib/libsecdb/common/getexecattr.c b/usr/src/lib/libsecdb/common/getexecattr.c index 1e1ab20ffd..93d05e9706 100644 --- a/usr/src/lib/libsecdb/common/getexecattr.c +++ b/usr/src/lib/libsecdb/common/getexecattr.c @@ -19,7 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2006 Sun Microsystems, Inc. All rights reserved. + * Copyright 2008 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -74,8 +74,8 @@ getexecprof(const char *name, const char *type, const char *id, int search_flag) int err = 0; char unique[NSS_BUFLEN_EXECATTR]; char buf[NSS_BUFLEN_EXECATTR]; - execattr_t *head = (execattr_t *)NULL; - execattr_t *prev = (execattr_t *)NULL; + execattr_t *head = NULL; + execattr_t *prev = NULL; execstr_t exec; execstr_t *tmp; @@ -83,7 +83,7 @@ getexecprof(const char *name, const char *type, const char *id, int search_flag) (void) memset(&exec, 0, sizeof (execstr_t)); if ((search_flag != GET_ONE) && (search_flag != GET_ALL)) { - return ((execattr_t *)NULL); + return (NULL); } if ((name == NULL) && (type == NULL) && (id == NULL)) { @@ -101,7 +101,7 @@ getexecprof(const char *name, const char *type, const char *id, int search_flag) }; break; default: - head = (execattr_t *)NULL; + head = NULL; break; } endexecattr(); @@ -129,12 +129,12 @@ getexecuser(const char *username, const char *type, const char *id, char buf[NSS_BUFLEN_USERATTR]; userstr_t user; userstr_t *utmp; - execattr_t *head = (execattr_t *)NULL; - execattr_t *prev = (execattr_t *)NULL; - execattr_t *new = (execattr_t *)NULL; + execattr_t *head = NULL; + execattr_t *prev = NULL; + execattr_t *new = NULL; if ((search_flag != GET_ONE) && (search_flag != GET_ALL)) { - return ((execattr_t *)NULL); + return (NULL); } if (username == NULL) { 
@@ -156,7 +156,7 @@ getexecuser(const char *username, const char *type, const char *id, prev = get_tail(head); } while ((utmp = _getuserattr(&user, - buf, NSS_BUFLEN_USERATTR, &err)) != NULL) { + buf, NSS_BUFLEN_USERATTR, &err)) != NULL) { if ((new = userprof((const char *)(utmp->name), type, id, search_flag)) != NULL) { @@ -171,7 +171,7 @@ getexecuser(const char *username, const char *type, const char *id, } break; default: - head = (execattr_t *)NULL; + head = NULL; break; } enduserattr(); @@ -187,7 +187,7 @@ execattr_t * match_execattr(execattr_t *exec, const char *profname, const char *type, const char *id) { - execattr_t *execp = (execattr_t *)NULL; + execattr_t *execp = NULL; for (execp = exec; execp != NULL; execp = execp->next) { if ((profname && execp->name && @@ -218,7 +218,7 @@ endexecattr() void free_execattr(execattr_t *exec) { - if (exec != (execattr_t *)NULL) { + if (exec != NULL) { free(exec->name); free(exec->type); free(exec->policy); @@ -240,16 +240,16 @@ userprof(const char *username, const char *type, const char *id, int err = 0; char *last; char *sep = ","; - char *proflist = (char *)NULL; - char *profname = (char *)NULL; + char *proflist = NULL; + char *profname = NULL; char buf[NSS_BUFLEN_USERATTR]; char pwdb[NSS_BUFLEN_PASSWD]; kva_t *user_attr; userstr_t user; userstr_t *utmp; execattr_t *exec; - execattr_t *head = (execattr_t *)NULL; - execattr_t *prev = (execattr_t *)NULL; + execattr_t *head = NULL; + execattr_t *prev = NULL; struct passwd pwd; char *profArray[MAXPROFS]; @@ -265,7 +265,6 @@ userprof(const char *username, const char *type, const char *id, utmp = _getusernam(username, &user, buf, NSS_BUFLEN_USERATTR, &err); if (utmp != NULL) { - proflist = NULL; user_attr = _str2kva(user.attr, KV_ASSIGN, KV_DELIMITER); if ((proflist = kva_match(user_attr, "profiles")) != NULL) { /* Get the list of profiles for this user */ 
@@ -278,16 +277,15 @@ userprof(const char *username, const char *type, const char *id, } /* Get the list of default profiles */ - if (defopen(AUTH_POLICY) == NULL) { - proflist = defread(DEF_PROF); - (void) defopen(NULL); - } + proflist = NULL; + (void) _get_user_defs(username, NULL, &proflist); if (proflist != NULL) { for (profname = _strtok_escape(proflist, sep, &last); profname != NULL; profname = _strtok_escape(NULL, sep, &last)) { getproflist(profname, profArray, &profcnt); } + _free_user_defs(NULL, proflist); } if (profcnt == 0) { @@ -321,8 +319,8 @@ userprof(const char *username, const char *type, const char *id, static execattr_t * get_tail(execattr_t *exec) { - execattr_t *i_exec = (execattr_t *)NULL; - execattr_t *j_exec = (execattr_t *)NULL; + execattr_t *i_exec = NULL; + execattr_t *j_exec = NULL; if (exec != NULL) { if (exec->next == NULL) { @@ -345,10 +343,10 @@ execstr2attr(execstr_t *es) execattr_t *newexec; if (es == NULL) { - return ((execattr_t *)NULL); + return (NULL); } - if ((newexec = (execattr_t *)malloc(sizeof (execattr_t))) == NULL) { - return ((execattr_t *)NULL); + if ((newexec = malloc(sizeof (execattr_t))) == NULL) { + return (NULL); } newexec->name = _do_unescape(es->name); @@ -361,7 +359,7 @@ execstr2attr(execstr_t *es) if (es->next) { newexec->next = execstr2attr((execstr_t *)(es->next)); } else { - newexec->next = (execattr_t *)NULL; + newexec->next = NULL; } return (newexec); } diff --git a/usr/src/lib/libsecdb/common/mapfile-vers b/usr/src/lib/libsecdb/common/mapfile-vers index a6490cb988..8c401df535 100644 --- a/usr/src/lib/libsecdb/common/mapfile-vers +++ b/usr/src/lib/libsecdb/common/mapfile-vers @@ -19,7 +19,7 @@ # CDDL HEADER END # # -# Copyright 2006 Sun Microsystems, Inc. All rights reserved. +# Copyright 2008 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # # ident "%Z%%M% %I% %E% SMI" 
@@ -64,8 +64,8 @@ SUNWprivate_1.1 { _csl_to_argv; _do_unescape; _free_argv; - _free_auth_policy; - _get_auth_policy; + _free_user_defs; + _get_user_defs; _insert2kva; _kva2str; _kva_dup; diff --git a/usr/src/lib/libsecdb/help/profiles/Makefile b/usr/src/lib/libsecdb/help/profiles/Makefile index 4a3c6e309f..41beab05fe 100644 --- a/usr/src/lib/libsecdb/help/profiles/Makefile +++ b/usr/src/lib/libsecdb/help/profiles/Makefile @@ -33,6 +33,7 @@ HTMLENTS = \ RtAuditCtrl.html \ RtAuditReview.html \ RtContractObserver.html \ + RtConsUser.html \ RtCronMngmnt.html \ RtCryptoMngmnt.html \ RtLogMngmnt.html \ diff --git a/usr/src/lib/libsecdb/help/profiles/RtConsUser.html b/usr/src/lib/libsecdb/help/profiles/RtConsUser.html new file mode 100644 index 0000000000..7e7b956193 --- /dev/null +++ b/usr/src/lib/libsecdb/help/profiles/RtConsUser.html 
@@ -0,0 +1,44 @@ +<HTML> +<!-- + CDDL HEADER START + + The contents of this file are subject to the terms of the + Common Development and Distribution License (the "License"). + You may not use this file except in compliance with the License. + + You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE + or http://www.opensolaris.org/os/licensing. + See the License for the specific language governing permissions + and limitations under the License. + + When distributing Covered Code, include this CDDL HEADER in each + file and include the License file at usr/src/OPENSOLARIS.LICENSE. + If applicable, add the following below this CDDL HEADER, with the + fields enclosed by brackets "[]" replaced with your own identifying + information: Portions Copyright [yyyy] [name of copyright owner] + + CDDL HEADER END + +-- Copyright 2008 Sun Microsystems, Inc. All rights reserved. +-- Use is subject to license terms. +--> +<HEAD> + <TITLE> </TITLE> + + +</HEAD> +<BODY> +<!-- ident "%Z%%M% %I% %E% SMI" --> + + +When Console User is in the Rights Included column, it grants the right +for a user or role to do operations often associated with ownership of a +Solaris workstation or laptop. +<p> +These Rights are typically granted automatically through policy.conf(4) +to the user logged in on the workstation console. It can be, but is +generally not directly assigned to a user or role. +<p> +If All is grayed, then you are not entitled to Add or Remove this right. +</BODY> +</HTML> diff --git a/usr/src/lib/libsecdb/policy.conf b/usr/src/lib/libsecdb/policy.conf index e148f4d2b0..bb5dc487f8 100644 --- a/usr/src/lib/libsecdb/policy.conf +++ b/usr/src/lib/libsecdb/policy.conf 
@@ -2,9 +2,8 @@ # CDDL HEADER START # # The contents of this file are subject to the terms of the -# Common Development and Distribution License, Version 1.0 only -# (the "License"). You may not use this file except in compliance -# with the License. +# Common Development and Distribution License (the "License"). +# You may not use this file except in compliance with the License. # # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE # or http://www.opensolaris.org/os/licensing. @@ -20,7 +19,7 @@ # CDDL HEADER END # # -# Copyright 2004 Sun Microsystems, Inc. All rights reserved. +# Copyright 2008 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # # /etc/security/policy.conf @@ -31,6 +30,7 @@ # AUTHS_GRANTED=solaris.device.cdrw PROFS_GRANTED=Basic Solaris User +CONSOLE_USER=Console User # crypt(3c) Algorithms Configuration # diff --git a/usr/src/lib/libsecdb/prof_attr.txt b/usr/src/lib/libsecdb/prof_attr.txt index 0f379911ef..a5ec1a5680 100644 --- a/usr/src/lib/libsecdb/prof_attr.txt +++ b/usr/src/lib/libsecdb/prof_attr.txt @@ -34,6 +34,7 @@ All:::Execute any command as the user or role:help=RtAll.html Audit Control:::Configure BSM auditing:auths=solaris.audit.config,solaris.jobs.admin;help=RtAuditCtrl.html Audit Review:::Review BSM auditing logs:auths=solaris.audit.read;help=RtAuditReview.html +Console User:::Manage System as the Console User:help=RtConsUser.html Contract Observer:::Reliably observe any/all contract events:help=RtContractObserver.html Device Management:::Control Access to Removable Media:auths=solaris.device.*;help=RtDeviceMngmnt.html Printer Management:::Manage printers, daemons, spooling:auths=solaris.print.*,solaris.label.print,solaris.smf.manage.discovery.printers.*,solaris.smf.value.discovery.printers.*;help=RtPrntAdmin.html diff --git a/usr/src/pkgdefs/SUNW0on/prototype_com b/usr/src/pkgdefs/SUNW0on/prototype_com index 0b72ba0e34..f6f01a4208 100644 --- a/usr/src/pkgdefs/SUNW0on/prototype_com 
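Review bot: `CONSOLE_USER=Console User` is added to the shipped policy.conf with no comment, although it is a new privilege grant and the keyword's meaning is defined only in libsecdb (the listed profiles are added for the user whose uid owns /dev/console). A comment line before it, `# CONSOLE_USER: profiles granted, in addition to PROFS_GRANTED, to the user who owns /dev/console`, would tell an administrator reading the file what they are enabling. The prof_attr.txt entry `Console User:::Manage System as the Console User:help=RtConsUser.html` ships with no auths or privileges, so as delivered the profile grants nothing until a site adds to it; that is probably intended, but the help text added in this change reads as if the profile itself already carries rights, so a sentence there saying the profile is empty by default would avoid surprises.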
+++ b/usr/src/pkgdefs/SUNW0on/prototype_com @@ -316,6 +316,7 @@ f none usr/lib/help/profiles/locale/RtAuditCtrl.html 444 root bin f none usr/lib/help/profiles/locale/RtAuditReview.html 444 root bin f none usr/lib/help/profiles/locale/RtDeviceMngmnt.html 444 root bin f none usr/lib/help/profiles/locale/RtPrntAdmin.html 444 root bin +f none usr/lib/help/profiles/locale/RtConsUser.html 444 root bin f none usr/lib/help/profiles/locale/RtContractObserver.html 444 root bin f none usr/lib/help/profiles/locale/RtCronMngmnt.html 444 root bin f none usr/lib/help/profiles/locale/RtCryptoMngmnt.html 444 root bin diff --git a/usr/src/pkgdefs/SUNWcsu/prototype_com b/usr/src/pkgdefs/SUNWcsu/prototype_com index d88e1c7aa3..225ceaa91e 100644 --- a/usr/src/pkgdefs/SUNWcsu/prototype_com +++ b/usr/src/pkgdefs/SUNWcsu/prototype_com @@ -528,6 +528,7 @@ d none usr/lib/help/profiles/locale/C 755 root bin f none usr/lib/help/profiles/locale/C/RtAll.html 444 root bin f none usr/lib/help/profiles/locale/C/RtAuditCtrl.html 444 root bin f none usr/lib/help/profiles/locale/C/RtAuditReview.html 444 root bin +f none usr/lib/help/profiles/locale/C/RtConsUser.html 444 root bin f none usr/lib/help/profiles/locale/C/RtContractObserver.html 444 root bin f none usr/lib/help/profiles/locale/C/RtCronMngmnt.html 444 root bin f none usr/lib/help/profiles/locale/C/RtCryptoMngmnt.html 444 root bin diff --git a/usr/src/pkgdefs/common_files/i.policyconf b/usr/src/pkgdefs/common_files/i.policyconf index d884de48d7..b61c3caa68 100644 --- a/usr/src/pkgdefs/common_files/i.policyconf +++ b/usr/src/pkgdefs/common_files/i.policyconf 
@@ -3,9 +3,8 @@ # CDDL HEADER START # # The contents of this file are subject to the terms of the -# Common Development and Distribution License, Version 1.0 only -# (the "License"). You may not use this file except in compliance -# with the License. +# Common Development and Distribution License (the "License"). +# You may not use this file except in compliance with the License. # # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE # or http://www.opensolaris.org/os/licensing. @@ -23,7 +22,7 @@ # #ident "%Z%%M% %I% %E% SMI" # -# Copyright 2004 Sun Microsystems, Inc. All rights reserved. +# Copyright 2008 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # @@ -43,6 +42,7 @@ do # ag="AUTHS_GRANTED=solaris.device.cdrw" pg="PROFS_GRANTED=Basic Solaris User" + wo="CONSOLE_USER=Console User" sed -n -e '/^[^#]/q;p' < $src > $dest.$$ sed -n \ -e "s/^#AUTHS_GRANTED=$/$ag/" \ @@ -51,13 +51,24 @@ do -e "s/ *$//" \ -e '/^[^#]/,$p' < $dest >> $dest.$$ - if grep 'PROFS_GRANTED=' $dest > /dev/null 2>&1 + grep 'PROFS_GRANTED=' $dest > /dev/null 2>&1 + if [ $? != 0 ] ; then + sed < $dest.$$ > $dest -e "/^AUTHS_GRANTED=/a\\ +$pg" + cat $dest > $dest.$$ + fi + + if grep 'CONSOLE_USER=' $dest > /dev/null 2>&1 then cat $dest.$$ > $dest else - sed < $dest.$$ > $dest -e "/^AUTHS_GRANTED=/a\\ -$pg" + sed < $dest.$$ > $dest -e "/^PROFS_GRANTED=/a\\ +$wo" + echo "${dest} updating entries for CONSOLE_USER," \ + "see policy.conf(4) for details." \ + >> ${CLEANUP_FILE} fi + rm -f $dest.$$ grep 'CRYPT_' $dest > /dev/null 2>&1 |
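Review bot: `if grep 'CONSOLE_USER=' $dest > /dev/null 2>&1` (and the new `grep 'PROFS_GRANTED='` test above it) is unanchored, so a commented-out `#CONSOLE_USER=` left by an administrator, or the keyword appearing inside a comment, counts as "already present" and the new default is silently never installed. Anchoring the patterns, `grep '^CONSOLE_USER=' $dest` and `grep '^PROFS_GRANTED=' $dest`, matches only an active setting. The else branch also relies on an active `^PROFS_GRANTED=` line as the `a\` insertion point; when no line matches, sed copies the file unchanged and the script still appends the "updating entries for CONSOLE_USER" notice to ${CLEANUP_FILE}, so that notice should be written only after confirming `$wo` actually landed in `$dest`.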