111838SLiane.Praza@Sun.COM#!/bin/sh 211838SLiane.Praza@Sun.COM# 311838SLiane.Praza@Sun.COM# CDDL HEADER START 411838SLiane.Praza@Sun.COM# 511838SLiane.Praza@Sun.COM# The contents of this file are subject to the terms of the 611838SLiane.Praza@Sun.COM# Common Development and Distribution License (the "License"). 711838SLiane.Praza@Sun.COM# You may not use this file except in compliance with the License. 811838SLiane.Praza@Sun.COM# 911838SLiane.Praza@Sun.COM# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 1011838SLiane.Praza@Sun.COM# or http://www.opensolaris.org/os/licensing. 1111838SLiane.Praza@Sun.COM# See the License for the specific language governing permissions 1211838SLiane.Praza@Sun.COM# and limitations under the License. 1311838SLiane.Praza@Sun.COM# 1411838SLiane.Praza@Sun.COM# When distributing Covered Code, include this CDDL HEADER in each 1511838SLiane.Praza@Sun.COM# file and include the License file at usr/src/OPENSOLARIS.LICENSE. 1611838SLiane.Praza@Sun.COM# If applicable, add the following below this CDDL HEADER, with the 1711838SLiane.Praza@Sun.COM# fields enclosed by brackets "[]" replaced with your own identifying 1811838SLiane.Praza@Sun.COM# information: Portions Copyright [yyyy] [name of copyright owner] 1911838SLiane.Praza@Sun.COM# 2011838SLiane.Praza@Sun.COM# CDDL HEADER END 2111838SLiane.Praza@Sun.COM# 2211838SLiane.Praza@Sun.COM# i.rbac 2311838SLiane.Praza@Sun.COM# 2412690Snathan.bush@oracle.com# Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. 2511838SLiane.Praza@Sun.COM# 2611838SLiane.Praza@Sun.COM# class action script for "rbac" class files 2711838SLiane.Praza@Sun.COM# installed by pkgadd 2811838SLiane.Praza@Sun.COM# 2911838SLiane.Praza@Sun.COM# Files in "rbac" class: 3011838SLiane.Praza@Sun.COM# 3111838SLiane.Praza@Sun.COM# /etc/security/{prof_attr,exec_attr,auth_attr} 3211838SLiane.Praza@Sun.COM# /etc/user_attr 3311838SLiane.Praza@Sun.COM# 3411838SLiane.Praza@Sun.COM# Allowable exit codes 3511838SLiane.Praza@Sun.COM# 3611838SLiane.Praza@Sun.COM# 0 - success 3711838SLiane.Praza@Sun.COM# 2 - warning or possible error condition. Installation continues. A warning 3811838SLiane.Praza@Sun.COM# message is displayed at the time of completion. 3911838SLiane.Praza@Sun.COM# 4011838SLiane.Praza@Sun.COM 4111838SLiane.Praza@Sun.COMumask 022 4211838SLiane.Praza@Sun.COM 4311838SLiane.Praza@Sun.COMtmp_dir=${TMPDIR:-/tmp} 4411838SLiane.Praza@Sun.COM 4511838SLiane.Praza@Sun.COMPATH="/usr/bin:/usr/sbin:${PATH}" 4611838SLiane.Praza@Sun.COMexport PATH 4711838SLiane.Praza@Sun.COM 4811838SLiane.Praza@Sun.COMbasename_cmd=basename 4911838SLiane.Praza@Sun.COMcp_cmd=cp 5011838SLiane.Praza@Sun.COMegrep_cmd=egrep 5111838SLiane.Praza@Sun.COMmv_cmd=mv 5211838SLiane.Praza@Sun.COMnawk_cmd=nawk 5311838SLiane.Praza@Sun.COMrm_cmd=rm 5411838SLiane.Praza@Sun.COMsed_cmd=sed 5511838SLiane.Praza@Sun.COMsort_cmd=sort 5611838SLiane.Praza@Sun.COM 5711838SLiane.Praza@Sun.COM# $1 is the type 5811838SLiane.Praza@Sun.COM# $2 is the "old/existing file" 5911838SLiane.Praza@Sun.COM# $3 is the "new (to be merged)" file 6011838SLiane.Praza@Sun.COM# $4 is the output file 6111838SLiane.Praza@Sun.COM# returns 0 on success 6211838SLiane.Praza@Sun.COM# returns 2 on failure if nawk fails with non-zero exit status 6311838SLiane.Praza@Sun.COM# 6411838SLiane.Praza@Sun.COMdbmerge() { 6511838SLiane.Praza@Sun.COM# 6611838SLiane.Praza@Sun.COM# Remove the ident lines. 6711838SLiane.Praza@Sun.COM# 6811838SLiane.Praza@Sun.COM ${egrep_cmd} -v '^#[pragma ]*ident' $2 > $4.old 2>/dev/null 6911838SLiane.Praza@Sun.COM# 7011838SLiane.Praza@Sun.COM# If the new file has a Sun copyright, remove the Sun copyright from the old 7111838SLiane.Praza@Sun.COM# file. 7211838SLiane.Praza@Sun.COM# 7311838SLiane.Praza@Sun.COM newcr=`${egrep_cmd} '^# Copyright.*Sun Microsystems, Inc.' $3 \ 7411838SLiane.Praza@Sun.COM 2>/dev/null` 7511838SLiane.Praza@Sun.COM if [ -n "${newcr}" ]; then 7611838SLiane.Praza@Sun.COM $sed_cmd -e '/^# Copyright.*Sun Microsystems, Inc./d' \ 7711838SLiane.Praza@Sun.COM -e '/^# All rights reserved./d' \ 7811838SLiane.Praza@Sun.COM -e '/^# Use is subject to license terms./d' \ 7911838SLiane.Praza@Sun.COM $4.old > $4.$$ 2>/dev/null 8011838SLiane.Praza@Sun.COM $mv_cmd $4.$$ $4.old 8111838SLiane.Praza@Sun.COM fi 8211838SLiane.Praza@Sun.COM# 83*13092Snathan.bush@oracle.com# If the new file has an Oracle copyright, remove both the Sun and Oracle 84*13092Snathan.bush@oracle.com# copyrights from the old file. 85*13092Snathan.bush@oracle.com# 86*13092Snathan.bush@oracle.com oracle_cr=`${egrep_cmd} '^# Copyright.*Oracle and/or its affiliates.' \ 87*13092Snathan.bush@oracle.com $3 2>/dev/null` 88*13092Snathan.bush@oracle.com if [ -n "${oracle_cr}" ]; then 89*13092Snathan.bush@oracle.com $sed_cmd -e '/^# Copyright.*Sun Microsystems, Inc./d' \ 90*13092Snathan.bush@oracle.com -e '/^# All rights reserved./d' \ 91*13092Snathan.bush@oracle.com -e '/^# Use is subject to license terms./d' \ 92*13092Snathan.bush@oracle.com -e '/^# Copyright.*Oracle and\/or its affiliates./d' \ 93*13092Snathan.bush@oracle.com $4.old > $4.$$ 2>/dev/null 94*13092Snathan.bush@oracle.com $mv_cmd $4.$$ $4.old 95*13092Snathan.bush@oracle.com fi 96*13092Snathan.bush@oracle.com# 9711838SLiane.Praza@Sun.COM# If the new file has the CDDL, remove it from the old file. 9811838SLiane.Praza@Sun.COM# 9911838SLiane.Praza@Sun.COM newcr=`${egrep_cmd} '^# CDDL HEADER START' $3 2>/dev/null` 10011838SLiane.Praza@Sun.COM if [ -n "${newcr}" ]; then 10111838SLiane.Praza@Sun.COM $sed_cmd -e '/^# CDDL HEADER START/,/^# CDDL HEADER END/d' \ 10211838SLiane.Praza@Sun.COM $4.old > $4.$$ 2>/dev/null 10311838SLiane.Praza@Sun.COM $mv_cmd $4.$$ $4.old 10411838SLiane.Praza@Sun.COM fi 10511838SLiane.Praza@Sun.COM# 10611838SLiane.Praza@Sun.COM# Remove empty lines and multiple instances of these comments: 10711838SLiane.Praza@Sun.COM# 10811838SLiane.Praza@Sun.COM $sed_cmd -e '/^# \/etc\/security\/exec_attr/d' -e '/^#$/d' \ 10911838SLiane.Praza@Sun.COM -e '/^# execution attributes for profiles./d' \ 11011838SLiane.Praza@Sun.COM -e '/^# See exec_attr(4)/d' \ 11111838SLiane.Praza@Sun.COM -e '/^# \/etc\/user_attr/d' \ 11211838SLiane.Praza@Sun.COM -e '/^# user attributes. see user_attr(4)/d' \ 11311838SLiane.Praza@Sun.COM -e '/^# \/etc\/security\/prof_attr/d' \ 11411838SLiane.Praza@Sun.COM -e '/^# profiles attributes. see prof_attr(4)/d' \ 11511838SLiane.Praza@Sun.COM -e '/^# See prof_attr(4)/d' \ 11611838SLiane.Praza@Sun.COM -e '/^# \/etc\/security\/auth_attr/d' \ 11711838SLiane.Praza@Sun.COM -e '/^# authorizations. see auth_attr(4)/d' \ 11811838SLiane.Praza@Sun.COM -e '/^# authorization attributes. see auth_attr(4)/d' \ 11911838SLiane.Praza@Sun.COM $4.old > $4.$$ 12011838SLiane.Praza@Sun.COM $mv_cmd $4.$$ $4.old 12111838SLiane.Praza@Sun.COM# 12211838SLiane.Praza@Sun.COM# Retain old and new header comments. 12311838SLiane.Praza@Sun.COM# 12411838SLiane.Praza@Sun.COM $sed_cmd -n -e '/^[^#]/,$d' -e '/^##/,$d' -e p $4.old > $4 12511838SLiane.Praza@Sun.COM $rm_cmd $4.old 12611838SLiane.Praza@Sun.COM $sed_cmd -n -e '/^[^#]/,$d' -e '/^##/,$d' -e p $3 >> $4 12711838SLiane.Praza@Sun.COM# 128*13092Snathan.bush@oracle.com# If the output file now has both Sun and Oracle copyrights, remove 129*13092Snathan.bush@oracle.com# the Sun copyright. 130*13092Snathan.bush@oracle.com# 131*13092Snathan.bush@oracle.com sun_cr=`${egrep_cmd} '^# Copyright.*Sun Microsystems, Inc.' \ 132*13092Snathan.bush@oracle.com $4 2>/dev/null` 133*13092Snathan.bush@oracle.com oracle_cr=`${egrep_cmd} '^# Copyright.*Oracle and/or its affiliates.' \ 134*13092Snathan.bush@oracle.com $4 2>/dev/null` 135*13092Snathan.bush@oracle.com if [ -n "${sun_cr}" ] && [ -n "${oracle_cr}" ]; then 136*13092Snathan.bush@oracle.com $sed_cmd -e '/^# Copyright.*Sun Microsystems, Inc./d' \ 137*13092Snathan.bush@oracle.com -e '/^# All rights reserved./d' \ 138*13092Snathan.bush@oracle.com -e '/^# Use is subject to license terms./d' \ 139*13092Snathan.bush@oracle.com $4 > $4.$$ 2>/dev/null 140*13092Snathan.bush@oracle.com $mv_cmd $4.$$ $4 141*13092Snathan.bush@oracle.com fi 142*13092Snathan.bush@oracle.com# 14311838SLiane.Praza@Sun.COM# Handle line continuations (trailing \) 14411838SLiane.Praza@Sun.COM# 14511838SLiane.Praza@Sun.COM $sed_cmd \ 14611838SLiane.Praza@Sun.COM -e '/\\$/{N;s/\\\n//;}' -e '/\\$/{N;s/\\\n//;}' \ 14711838SLiane.Praza@Sun.COM -e '/\\$/{N;s/\\\n//;}' -e '/\\$/{N;s/\\\n//;}' \ 14811838SLiane.Praza@Sun.COM -e '/\\$/{N;s/\\\n//;}' -e '/\\$/{N;s/\\\n//;}' \ 14911838SLiane.Praza@Sun.COM $2 > $4.old 15011838SLiane.Praza@Sun.COM $sed_cmd \ 15111838SLiane.Praza@Sun.COM -e '/\\$/{N;s/\\\n//;}' -e '/\\$/{N;s/\\\n//;}' \ 15211838SLiane.Praza@Sun.COM -e '/\\$/{N;s/\\\n//;}' -e '/\\$/{N;s/\\\n//;}' \ 15311838SLiane.Praza@Sun.COM -e '/\\$/{N;s/\\\n//;}' -e '/\\$/{N;s/\\\n//;}' \ 15411838SLiane.Praza@Sun.COM $3 > $4.new 15511838SLiane.Praza@Sun.COM# 15613091Snathan.bush@oracle.com# The nawk script below processes the old and new files using up to 15713091Snathan.bush@oracle.com# three passes. If the old file is empty, only the final pass over 15813091Snathan.bush@oracle.com# the new file is required. 15913091Snathan.bush@oracle.com# 16013091Snathan.bush@oracle.com if [ -s $4.old ]; then 16113091Snathan.bush@oracle.com nawk_pass1=$4.old 16213091Snathan.bush@oracle.com nawk_pass2=$4.new 16313091Snathan.bush@oracle.com nawk_pass3=$4.new 16413091Snathan.bush@oracle.com else 16513091Snathan.bush@oracle.com nawk_pass1= 16613091Snathan.bush@oracle.com nawk_pass2= 16713091Snathan.bush@oracle.com nawk_pass3=$4.new 16813091Snathan.bush@oracle.com fi 16913091Snathan.bush@oracle.com# 17011838SLiane.Praza@Sun.COM#!/usr/bin/nawk -f 17111838SLiane.Praza@Sun.COM# 17213091Snathan.bush@oracle.com# dbmerge type=[auth|prof|user|exec] [ old-file new-file ] new-file 17311838SLiane.Praza@Sun.COM# 17411838SLiane.Praza@Sun.COM# Merge two versions of an RBAC database file. The output 17511838SLiane.Praza@Sun.COM# consists of the lines from the new-file, while preserving 17613091Snathan.bush@oracle.com# user customizations in the old-file. 17713091Snathan.bush@oracle.com# 17813091Snathan.bush@oracle.com# Entries in the new-file replace corresponding entries in the 17913091Snathan.bush@oracle.com# old-file, except as follows: For exec_attr, all old entries 18013091Snathan.bush@oracle.com# for profiles contained in the new-file are discarded. For 18113091Snathan.bush@oracle.com# user_attr, the "root" entry from the old-file is retained, 18213091Snathan.bush@oracle.com# and new keywords from the new-file are merged into it. 18313091Snathan.bush@oracle.com# 18413091Snathan.bush@oracle.com# Records with the same key field(s) are merged, so that the 18513091Snathan.bush@oracle.com# keyword/value section of each output record contains the union 18613091Snathan.bush@oracle.com# of the keywords found in all input records with the same key 18713091Snathan.bush@oracle.com# field(s). For selected multi-value keywords [1] the values from 18813091Snathan.bush@oracle.com# the new-file are merged with retained values from the old-file. 18913091Snathan.bush@oracle.com# Otherwise, the value for each keyword is the final value found 19013091Snathan.bush@oracle.com# in the new-file, except for keywords in the user_attr entry for 19113091Snathan.bush@oracle.com# "root" where values from the old-file are always retained. 19213091Snathan.bush@oracle.com# 19313091Snathan.bush@oracle.com# [1] The following file type and keyword combinations are merged: 19413091Snathan.bush@oracle.com# prof_attr: auths, profiles, privs 19513091Snathan.bush@oracle.com# user_attr: auths, profiles, roles 19611838SLiane.Praza@Sun.COM# 19711838SLiane.Praza@Sun.COM# The output is run through sort except for the comments 19811838SLiane.Praza@Sun.COM# which will appear first in the output. 19911838SLiane.Praza@Sun.COM# 20011838SLiane.Praza@Sun.COM# 20111838SLiane.Praza@Sun.COM $nawk_cmd ' 20211838SLiane.Praza@Sun.COM 20313091Snathan.bush@oracle.com# This script may be invoked with up to three file names. Each file 20413091Snathan.bush@oracle.com# name corresponds to a separate processing pass. The passes are 20513091Snathan.bush@oracle.com# defined as follows: 20613091Snathan.bush@oracle.com# 20713091Snathan.bush@oracle.com# Pass 1: Read existing data. 20813091Snathan.bush@oracle.com# Data from the old-file is read into memory. 20913091Snathan.bush@oracle.com# 21013091Snathan.bush@oracle.com# Pass 2: Remove obsolete data. 21113091Snathan.bush@oracle.com# Discard any data from the old-file that is part of profiles that 21213091Snathan.bush@oracle.com# are also in the new-file. (As a special case, the user_attr entry 21313091Snathan.bush@oracle.com# for 'root' is always retained.) 21413091Snathan.bush@oracle.com# 21513091Snathan.bush@oracle.com# Pass 3: Merge new data. 21613091Snathan.bush@oracle.com# Data from the new-file is merged with the remaining old-file data. 21713091Snathan.bush@oracle.com# (As a special case, exec_attr entries are replaced, not merged.) 21813091Snathan.bush@oracle.com 21911838SLiane.Praza@Sun.COMBEGIN { 22013091Snathan.bush@oracle.com # The variable 'pass' specifies which type of processing to perform. 22113091Snathan.bush@oracle.com # When processing only one file, skip passes 1 and 2. 22213091Snathan.bush@oracle.com if (ARGC == 3) 22313091Snathan.bush@oracle.com pass += 2; 22413091Snathan.bush@oracle.com 22513091Snathan.bush@oracle.com # The array 'keyword_behavior' specifies the special treatment of 22613091Snathan.bush@oracle.com # [type, keyword] combinations subject to value merging. 22713091Snathan.bush@oracle.com keyword_behavior["prof", "auths"] = "merge"; 22813091Snathan.bush@oracle.com keyword_behavior["prof", "profiles"] = "merge"; 22913091Snathan.bush@oracle.com keyword_behavior["prof", "privs"] = "merge"; 23013091Snathan.bush@oracle.com keyword_behavior["user", "auths"] = "merge"; 23113091Snathan.bush@oracle.com keyword_behavior["user", "profiles"] = "merge"; 23213091Snathan.bush@oracle.com keyword_behavior["user", "roles"] = "merge"; 23313091Snathan.bush@oracle.com 23411838SLiane.Praza@Sun.COM FS=":" 23511838SLiane.Praza@Sun.COM} 23611838SLiane.Praza@Sun.COM 23713091Snathan.bush@oracle.com# When FNR (current file record number) is 1 it indicates that nawk 23813091Snathan.bush@oracle.com# is starting to read the next file specified on its command line, 23913091Snathan.bush@oracle.com# and is beginning the next processing pass. 24013091Snathan.bush@oracle.comFNR == 1 { 24113091Snathan.bush@oracle.com pass++; 24213091Snathan.bush@oracle.com} 24313091Snathan.bush@oracle.com 24411838SLiane.Praza@Sun.COM/^#/ || /^$/ { 24511838SLiane.Praza@Sun.COM continue; 24611838SLiane.Praza@Sun.COM} 24711838SLiane.Praza@Sun.COM 24812690Snathan.bush@oracle.com{ 24912690Snathan.bush@oracle.com # For each input line, nawk automatically assigns the complete 25012690Snathan.bush@oracle.com # line to $0 and also splits the line at field separators and 25112690Snathan.bush@oracle.com # assigns each field to a variable $1..$n. Assignment to $0 25212690Snathan.bush@oracle.com # re-splits the line into the field variables. Conversely, 25312690Snathan.bush@oracle.com # assgnment to a variable $1..$n will cause $0 to be recomputed 25412690Snathan.bush@oracle.com # from the field variable values. 25512690Snathan.bush@oracle.com # 25612690Snathan.bush@oracle.com # This code adds awareness of escaped field separators by using 25712690Snathan.bush@oracle.com # a custom function to split the line into a temporary array. 25812690Snathan.bush@oracle.com # It assigns the empty string to $0 to clear any excess field 25912690Snathan.bush@oracle.com # variables, and assigns the desired elements of the temporary 26012690Snathan.bush@oracle.com # array back to the field variables $1..$7. 26112690Snathan.bush@oracle.com # 26212690Snathan.bush@oracle.com # Subsequent code must not assign directly to $0 or the fields 26312690Snathan.bush@oracle.com # will be re-split without regard to escaped field separators. 26412690Snathan.bush@oracle.com split_escape($0, f, ":"); 26512690Snathan.bush@oracle.com $0 = ""; 26612690Snathan.bush@oracle.com $1 = f[1]; 26712690Snathan.bush@oracle.com $2 = f[2]; 26812690Snathan.bush@oracle.com $3 = f[3]; 26912690Snathan.bush@oracle.com $4 = f[4]; 27012690Snathan.bush@oracle.com $5 = f[5]; 27112690Snathan.bush@oracle.com $6 = f[6]; 27212690Snathan.bush@oracle.com $7 = f[7]; 27312690Snathan.bush@oracle.com} 27412690Snathan.bush@oracle.com 27511838SLiane.Praza@Sun.COMtype == "auth" { 27611838SLiane.Praza@Sun.COM key = $1 ":" $2 ":" $3 ; 27713091Snathan.bush@oracle.com if (pass == 1) { 27811838SLiane.Praza@Sun.COM short_comment[key] = $4 ; 27911838SLiane.Praza@Sun.COM long_comment[key] = $5; 28011838SLiane.Praza@Sun.COM record[key] = $6; 28113091Snathan.bush@oracle.com } else if (pass == 2) { 28213091Snathan.bush@oracle.com delete short_comment[key]; 28313091Snathan.bush@oracle.com delete long_comment[key]; 28413091Snathan.bush@oracle.com delete record[key]; 28513091Snathan.bush@oracle.com } else if (pass == 3) { 28611838SLiane.Praza@Sun.COM if ( $4 != "" ) { 28711838SLiane.Praza@Sun.COM short_comment[key] = $4 ; 28811838SLiane.Praza@Sun.COM } 28911838SLiane.Praza@Sun.COM if ( $5 != "" ) { 29011838SLiane.Praza@Sun.COM long_comment[key] = $5 ; 29111838SLiane.Praza@Sun.COM } 29213091Snathan.bush@oracle.com record[key] = merge_attrs(record[key], $6); 29311838SLiane.Praza@Sun.COM } 29411838SLiane.Praza@Sun.COM} 29511838SLiane.Praza@Sun.COM 29611838SLiane.Praza@Sun.COMtype == "prof" { 29711838SLiane.Praza@Sun.COM key = $1 ":" $2 ":" $3 ; 29813091Snathan.bush@oracle.com if (pass == 1) { 29911838SLiane.Praza@Sun.COM comment[key] = $4; 30011838SLiane.Praza@Sun.COM record[key] = $5; 30113091Snathan.bush@oracle.com } else if (pass == 2) { 30213091Snathan.bush@oracle.com delete comment[key]; 30313091Snathan.bush@oracle.com delete record[key]; 30413091Snathan.bush@oracle.com } else if (pass == 3) { 30511838SLiane.Praza@Sun.COM if ( $4 != "" ) { 30611838SLiane.Praza@Sun.COM comment[key] = $4 ; 30711838SLiane.Praza@Sun.COM } 30811838SLiane.Praza@Sun.COM if (key != "::") { 30913091Snathan.bush@oracle.com record[key] = merge_attrs(record[key], $5); 31011838SLiane.Praza@Sun.COM } 31111838SLiane.Praza@Sun.COM } 31211838SLiane.Praza@Sun.COM} 31311838SLiane.Praza@Sun.COM 31411838SLiane.Praza@Sun.COMtype == "exec" { 31511838SLiane.Praza@Sun.COM key = $1 ":" $2 ":" $3 ":" $4 ":" $5 ":" $6 ; 31613091Snathan.bush@oracle.com if (pass == 1) { 31713091Snathan.bush@oracle.com record[key] = $7; 31813091Snathan.bush@oracle.com } else if (pass == 2) { 31913091Snathan.bush@oracle.com # For exec_attr, deletion is based on the 'name' field only, 32013091Snathan.bush@oracle.com # so that all old entries for the profile are removed. 32113091Snathan.bush@oracle.com for (oldkey in record) { 32213091Snathan.bush@oracle.com split_escape(oldkey, oldkey_fields, ":"); 32313091Snathan.bush@oracle.com if (oldkey_fields[1] == $1) 32413091Snathan.bush@oracle.com delete record[oldkey]; 32513091Snathan.bush@oracle.com } 32613091Snathan.bush@oracle.com } else if (pass == 3) { 32713091Snathan.bush@oracle.com # Substitute new entries, do not merge. 32813091Snathan.bush@oracle.com record[key] = $7; 32913091Snathan.bush@oracle.com } 33011838SLiane.Praza@Sun.COM} 33111838SLiane.Praza@Sun.COM 33211838SLiane.Praza@Sun.COMtype == "user" { 33311838SLiane.Praza@Sun.COM key = $1 ":" $2 ":" $3 ":" $4 ; 33413091Snathan.bush@oracle.com if (pass == 1) { 33511838SLiane.Praza@Sun.COM record[key] = $5; 33613091Snathan.bush@oracle.com } else if (pass == 2) { 33713091Snathan.bush@oracle.com if ($1 != "root") 33813091Snathan.bush@oracle.com delete record[key]; 33913091Snathan.bush@oracle.com } else if (pass == 3) { 34013091Snathan.bush@oracle.com record[key] = merge_attrs(record[key], $5); 34111838SLiane.Praza@Sun.COM } 34211838SLiane.Praza@Sun.COM} 34311838SLiane.Praza@Sun.COM 34411838SLiane.Praza@Sun.COMEND { 34511838SLiane.Praza@Sun.COM for (key in record) { 34611838SLiane.Praza@Sun.COM if (type == "prof") { 34711838SLiane.Praza@Sun.COM if (key != "::") { 34811838SLiane.Praza@Sun.COM print key ":" comment[key] ":" record[key]; 34911838SLiane.Praza@Sun.COM } 35011838SLiane.Praza@Sun.COM } else 35111838SLiane.Praza@Sun.COM if (type == "auth") { 35211838SLiane.Praza@Sun.COM print key ":" short_comment[key] ":" \ 35311838SLiane.Praza@Sun.COM long_comment[key] ":" record[key]; 35411838SLiane.Praza@Sun.COM } else 35511838SLiane.Praza@Sun.COM print key ":" record[key]; 35611838SLiane.Praza@Sun.COM } 35711838SLiane.Praza@Sun.COM} 35811838SLiane.Praza@Sun.COM 35911838SLiane.Praza@Sun.COMfunction merge_attrs(old, new, cnt, new_cnt, i, j, list, new_list, keyword) 36011838SLiane.Praza@Sun.COM{ 36112690Snathan.bush@oracle.com cnt = split_escape(old, list, ";"); 36212690Snathan.bush@oracle.com new_cnt = split_escape(new, new_list, ";"); 36311838SLiane.Praza@Sun.COM for (i = 1; i <= new_cnt; i++) { 36411838SLiane.Praza@Sun.COM keyword = substr(new_list[i], 1, index(new_list[i], "=")-1); 36511838SLiane.Praza@Sun.COM for (j = 1; j <= cnt; j++) { 36611838SLiane.Praza@Sun.COM if (match(list[j], "^" keyword "=")) { 36711838SLiane.Praza@Sun.COM list[j] = merge_values(keyword, list[j], 36811838SLiane.Praza@Sun.COM new_list[i]); 36911838SLiane.Praza@Sun.COM break; 37011838SLiane.Praza@Sun.COM } 37111838SLiane.Praza@Sun.COM } 37211838SLiane.Praza@Sun.COM if (j > cnt) 37311838SLiane.Praza@Sun.COM list[++cnt] = new_list[i]; 37411838SLiane.Praza@Sun.COM } 37511838SLiane.Praza@Sun.COM 37611838SLiane.Praza@Sun.COM return unsplit(list, cnt, ";"); \ 37711838SLiane.Praza@Sun.COM} 37811838SLiane.Praza@Sun.COM 37911838SLiane.Praza@Sun.COMfunction merge_values(keyword, old, new, cnt, new_cnt, i, j, list, new_list, d) 38011838SLiane.Praza@Sun.COM{ 38113091Snathan.bush@oracle.com # Keywords with multivalued attributes that are subject to merging 38213091Snathan.bush@oracle.com # are processed by the algorithm implemented further below. 38313091Snathan.bush@oracle.com # Otherwise, the keyword is not subject to merging, and: 38413091Snathan.bush@oracle.com # For user_attr, the existing value is retained. 38513091Snathan.bush@oracle.com # For any other file, the new value is substituted. 38613091Snathan.bush@oracle.com if (keyword_behavior[type, keyword] != "merge") { 38713091Snathan.bush@oracle.com if (type == "user") { 38813091Snathan.bush@oracle.com return old; 38913091Snathan.bush@oracle.com } else { 39013091Snathan.bush@oracle.com return new; 39113091Snathan.bush@oracle.com } 39213091Snathan.bush@oracle.com } 39311838SLiane.Praza@Sun.COM 39411838SLiane.Praza@Sun.COM cnt = split(substr(old, length(keyword)+2), list, ","); 39511838SLiane.Praza@Sun.COM new_cnt = split(substr(new, length(keyword)+2), new_list, ","); 39611838SLiane.Praza@Sun.COM 39711838SLiane.Praza@Sun.COM # If the existing list contains "All", remove it and add it 39811838SLiane.Praza@Sun.COM # to the new list; that way "All" will appear at the only valid 39911838SLiane.Praza@Sun.COM # location, the end of the list. 40011838SLiane.Praza@Sun.COM if (keyword == "profiles") { 40111838SLiane.Praza@Sun.COM d = 0; 40211838SLiane.Praza@Sun.COM for (i = 1; i <= cnt; i++) { 40311838SLiane.Praza@Sun.COM if (list[i] != "All") 40411838SLiane.Praza@Sun.COM list[++d] = list[i]; 40511838SLiane.Praza@Sun.COM } 40611838SLiane.Praza@Sun.COM if (cnt != d) { 40711838SLiane.Praza@Sun.COM new_list[++new_cnt] = "All"; 40811838SLiane.Praza@Sun.COM cnt = d; 40911838SLiane.Praza@Sun.COM } 41011838SLiane.Praza@Sun.COM } 41111838SLiane.Praza@Sun.COM for (i = 1; i <= new_cnt; i++) { 41211838SLiane.Praza@Sun.COM for (j = 1; j <= cnt; j++) { 41311838SLiane.Praza@Sun.COM if (list[j] == new_list[i]) 41411838SLiane.Praza@Sun.COM break; 41511838SLiane.Praza@Sun.COM } 41611838SLiane.Praza@Sun.COM if (j > cnt) 41711838SLiane.Praza@Sun.COM list[++cnt] = new_list[i]; 41811838SLiane.Praza@Sun.COM } 41911838SLiane.Praza@Sun.COM 42011838SLiane.Praza@Sun.COM return keyword "=" unsplit(list, cnt, ","); 42111838SLiane.Praza@Sun.COM} 42211838SLiane.Praza@Sun.COM 42312690Snathan.bush@oracle.com# This function is similar to the nawk built-in split() function, 42412690Snathan.bush@oracle.com# except that a "\" character may be used to escape any subsequent 42512690Snathan.bush@oracle.com# character, so that the escaped character will not be treated as a 42612690Snathan.bush@oracle.com# field separator or as part of a field separator regular expression. 42712690Snathan.bush@oracle.com# The "\" characters will remain in the elements of the output array 42812690Snathan.bush@oracle.com# variable upon completion. 42912690Snathan.bush@oracle.comfunction split_escape(str, list, fs, cnt, saved, sep) 43012690Snathan.bush@oracle.com{ 43112690Snathan.bush@oracle.com # default to global FS 43212690Snathan.bush@oracle.com if (fs == "") 43312690Snathan.bush@oracle.com fs = FS; 43412690Snathan.bush@oracle.com # initialize empty list, cnt, saved 43512690Snathan.bush@oracle.com split("", list, " "); 43612690Snathan.bush@oracle.com cnt = 0; 43712690Snathan.bush@oracle.com saved = ""; 43812690Snathan.bush@oracle.com # track whether last token was a field separator 43912690Snathan.bush@oracle.com sep = 0; 44012690Snathan.bush@oracle.com # nonzero str length indicates more string left to scan 44112690Snathan.bush@oracle.com while (length(str)) { 44212690Snathan.bush@oracle.com if (match(str, fs) == 1) { 44312690Snathan.bush@oracle.com # field separator, terminates current field 44412690Snathan.bush@oracle.com list[++cnt] = saved; 44512690Snathan.bush@oracle.com saved = ""; 44612690Snathan.bush@oracle.com str = substr(str, RLENGTH + 1); 44712690Snathan.bush@oracle.com sep = 1; 44812690Snathan.bush@oracle.com } else if (substr(str, 1, 1) == "\\") { 44912690Snathan.bush@oracle.com # escaped character 45012690Snathan.bush@oracle.com saved = saved substr(str, 1, 2); 45112690Snathan.bush@oracle.com str = substr(str, 3); 45212690Snathan.bush@oracle.com sep = 0; 45312690Snathan.bush@oracle.com } else { 45412690Snathan.bush@oracle.com # regular character 45512690Snathan.bush@oracle.com saved = saved substr(str, 1, 1); 45612690Snathan.bush@oracle.com str = substr(str, 2); 45712690Snathan.bush@oracle.com sep = 0; 45812690Snathan.bush@oracle.com } 45912690Snathan.bush@oracle.com } 46012690Snathan.bush@oracle.com # if required, append final field to list 46112690Snathan.bush@oracle.com if (sep || length(saved)) 46212690Snathan.bush@oracle.com list[++cnt] = saved; 46312690Snathan.bush@oracle.com 46412690Snathan.bush@oracle.com return cnt; 46512690Snathan.bush@oracle.com} 46612690Snathan.bush@oracle.com 46711838SLiane.Praza@Sun.COMfunction unsplit(list, cnt, delim, str) 46811838SLiane.Praza@Sun.COM{ 46911838SLiane.Praza@Sun.COM str = list[1]; 47011838SLiane.Praza@Sun.COM for (i = 2; i <= cnt; i++) 47111838SLiane.Praza@Sun.COM str = str delim list[i]; 47211838SLiane.Praza@Sun.COM return str; 47311838SLiane.Praza@Sun.COM}' \ 47413091Snathan.bush@oracle.com type=$1 $nawk_pass1 $nawk_pass2 $nawk_pass3 > $4.unsorted 47511838SLiane.Praza@Sun.COM rc=$? 47611838SLiane.Praza@Sun.COM $sort_cmd < $4.unsorted >> $4 47711838SLiane.Praza@Sun.COM return $rc 47811838SLiane.Praza@Sun.COM} 47911838SLiane.Praza@Sun.COM 48011838SLiane.Praza@Sun.COM# $1 is the merged file 48111838SLiane.Praza@Sun.COM# $2 is the target file 48211838SLiane.Praza@Sun.COM# 48311838SLiane.Praza@Sun.COMcommit() { 48411838SLiane.Praza@Sun.COM # Make sure that the last mv uses rename(2) by first moving to 48511838SLiane.Praza@Sun.COM # the same filesystem. 48611838SLiane.Praza@Sun.COM $mv_cmd $1 $2.$$ 48711838SLiane.Praza@Sun.COM $mv_cmd $2.$$ $2 48811838SLiane.Praza@Sun.COM return $? 48911838SLiane.Praza@Sun.COM} 49011838SLiane.Praza@Sun.COM 49111838SLiane.Praza@Sun.COMoutfile="" 49211838SLiane.Praza@Sun.COMtype="" 49311838SLiane.Praza@Sun.COMset_type_and_outfile() { 49411838SLiane.Praza@Sun.COM # 49511838SLiane.Praza@Sun.COM # Assumes basename $1 returns one of 49611838SLiane.Praza@Sun.COM # prof_attr, exec_attr, auth_attr, or user_attr 49711838SLiane.Praza@Sun.COM # 49811838SLiane.Praza@Sun.COM fname=`$basename_cmd $1` 49911838SLiane.Praza@Sun.COM type=`echo $fname | $sed_cmd -e s'/^\([a-z][a-z]*\)_attr$/\1/' ` 50011838SLiane.Praza@Sun.COM case "$type" in 50111838SLiane.Praza@Sun.COM "prof"|"exec"|"user"|"auth") ;; 50211838SLiane.Praza@Sun.COM *) return 2 ;; 50311838SLiane.Praza@Sun.COM esac 50411838SLiane.Praza@Sun.COM 50511838SLiane.Praza@Sun.COM outfile=$tmp_dir/rbac_${PKGINST}_${fname}_merge.$$ 50611838SLiane.Praza@Sun.COM 50711838SLiane.Praza@Sun.COM return 0 50811838SLiane.Praza@Sun.COM} 50911838SLiane.Praza@Sun.COM 51011838SLiane.Praza@Sun.COMcleanup() { 51111838SLiane.Praza@Sun.COM $rm_cmd -f $outfile $outfile.old $outfile.new $outfile.unsorted 51211838SLiane.Praza@Sun.COM 51311838SLiane.Praza@Sun.COM return 0 51411838SLiane.Praza@Sun.COM} 51511838SLiane.Praza@Sun.COM 51611838SLiane.Praza@Sun.COMexit_status=0 51711838SLiane.Praza@Sun.COM 51811838SLiane.Praza@Sun.COM# main 51911838SLiane.Praza@Sun.COM 52011838SLiane.Praza@Sun.COMwhile read newfile oldfile ; do 52111838SLiane.Praza@Sun.COM if [ -n "$PKGINST" ] 52211838SLiane.Praza@Sun.COM then 52311838SLiane.Praza@Sun.COM # Install the file in the "fragment" directory. 52411838SLiane.Praza@Sun.COM mkdir -m 755 -p ${oldfile}.d 52511838SLiane.Praza@Sun.COM rm -f ${oldfile}.d/"$PKGINST" 52611838SLiane.Praza@Sun.COM cp $newfile ${oldfile}.d/"$PKGINST" 52711838SLiane.Praza@Sun.COM 52811838SLiane.Praza@Sun.COM # Make sure that it is marked read-only. 52911838SLiane.Praza@Sun.COM chmod a-w,a+r ${oldfile}.d/"$PKGINST" 53011838SLiane.Praza@Sun.COM 53111838SLiane.Praza@Sun.COM # We also execute the rest of the i.rbac script. 53211838SLiane.Praza@Sun.COM fi 53311838SLiane.Praza@Sun.COM 53411838SLiane.Praza@Sun.COM if [ ! -f $oldfile ]; then 53511838SLiane.Praza@Sun.COM cp $newfile $oldfile 53611838SLiane.Praza@Sun.COM else 53711838SLiane.Praza@Sun.COM set_type_and_outfile $newfile || 53811838SLiane.Praza@Sun.COM set_type_and_outfile $oldfile 53911838SLiane.Praza@Sun.COM if [ $? -ne 0 ]; then 54011838SLiane.Praza@Sun.COM echo "$0 : $newfile not one of" \ 54111838SLiane.Praza@Sun.COM " prof_attr, exec_attr, auth_attr, user_attr" 54211838SLiane.Praza@Sun.COM exit_status=2 54311838SLiane.Praza@Sun.COM continue 54411838SLiane.Praza@Sun.COM fi 54511838SLiane.Praza@Sun.COM 54611838SLiane.Praza@Sun.COM dbmerge $type $oldfile $newfile $outfile 54711838SLiane.Praza@Sun.COM if [ $? -ne 0 ]; then 54811838SLiane.Praza@Sun.COM echo "$0 : failed to merge $newfile with $oldfile" 54911838SLiane.Praza@Sun.COM cleanup 55011838SLiane.Praza@Sun.COM exit_status=2 55111838SLiane.Praza@Sun.COM continue 55211838SLiane.Praza@Sun.COM fi 55311838SLiane.Praza@Sun.COM 55411838SLiane.Praza@Sun.COM commit $outfile $oldfile 55511838SLiane.Praza@Sun.COM if [ $? -ne 0 ]; then 55611838SLiane.Praza@Sun.COM echo "$0 : failed to mv $outfile to $2" 55711838SLiane.Praza@Sun.COM cleanup 55811838SLiane.Praza@Sun.COM exit_status=2 55911838SLiane.Praza@Sun.COM continue 56011838SLiane.Praza@Sun.COM fi 56111838SLiane.Praza@Sun.COM 56211838SLiane.Praza@Sun.COM cleanup 56311838SLiane.Praza@Sun.COM fi 56411838SLiane.Praza@Sun.COMdone 56511838SLiane.Praza@Sun.COM 56611838SLiane.Praza@Sun.COMif [ "$1" = "ENDOFCLASS" ]; then 56711838SLiane.Praza@Sun.COM exit 0 56811838SLiane.Praza@Sun.COMfi 56911838SLiane.Praza@Sun.COM 57011838SLiane.Praza@Sun.COMexit $exit_status 571