xref: /onnv-gate/usr/src/lib/libsecdb/common/i.rbac (revision 13092:213128c64663)
111838SLiane.Praza@Sun.COM#!/bin/sh
211838SLiane.Praza@Sun.COM#
311838SLiane.Praza@Sun.COM# CDDL HEADER START
411838SLiane.Praza@Sun.COM#
511838SLiane.Praza@Sun.COM# The contents of this file are subject to the terms of the
611838SLiane.Praza@Sun.COM# Common Development and Distribution License (the "License").
711838SLiane.Praza@Sun.COM# You may not use this file except in compliance with the License.
811838SLiane.Praza@Sun.COM#
911838SLiane.Praza@Sun.COM# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
1011838SLiane.Praza@Sun.COM# or http://www.opensolaris.org/os/licensing.
1111838SLiane.Praza@Sun.COM# See the License for the specific language governing permissions
1211838SLiane.Praza@Sun.COM# and limitations under the License.
1311838SLiane.Praza@Sun.COM#
1411838SLiane.Praza@Sun.COM# When distributing Covered Code, include this CDDL HEADER in each
1511838SLiane.Praza@Sun.COM# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
1611838SLiane.Praza@Sun.COM# If applicable, add the following below this CDDL HEADER, with the
1711838SLiane.Praza@Sun.COM# fields enclosed by brackets "[]" replaced with your own identifying
1811838SLiane.Praza@Sun.COM# information: Portions Copyright [yyyy] [name of copyright owner]
1911838SLiane.Praza@Sun.COM#
2011838SLiane.Praza@Sun.COM# CDDL HEADER END
2111838SLiane.Praza@Sun.COM#
2211838SLiane.Praza@Sun.COM# i.rbac
2311838SLiane.Praza@Sun.COM#
2412690Snathan.bush@oracle.com# Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
2511838SLiane.Praza@Sun.COM#
2611838SLiane.Praza@Sun.COM# class action script for "rbac" class files
2711838SLiane.Praza@Sun.COM# installed by pkgadd
2811838SLiane.Praza@Sun.COM#
2911838SLiane.Praza@Sun.COM# Files in "rbac" class:
3011838SLiane.Praza@Sun.COM#
3111838SLiane.Praza@Sun.COM# /etc/security/{prof_attr,exec_attr,auth_attr}
3211838SLiane.Praza@Sun.COM# /etc/user_attr
3311838SLiane.Praza@Sun.COM#
3411838SLiane.Praza@Sun.COM#  Allowable exit codes
3511838SLiane.Praza@Sun.COM#
3611838SLiane.Praza@Sun.COM# 0 - success
3711838SLiane.Praza@Sun.COM# 2 - warning or possible error condition. Installation continues. A warning
3811838SLiane.Praza@Sun.COM#     message is displayed at the time of completion.
3911838SLiane.Praza@Sun.COM#
4011838SLiane.Praza@Sun.COM
4111838SLiane.Praza@Sun.COMumask 022
4211838SLiane.Praza@Sun.COM
4311838SLiane.Praza@Sun.COMtmp_dir=${TMPDIR:-/tmp}
4411838SLiane.Praza@Sun.COM
4511838SLiane.Praza@Sun.COMPATH="/usr/bin:/usr/sbin:${PATH}"
4611838SLiane.Praza@Sun.COMexport PATH
4711838SLiane.Praza@Sun.COM
4811838SLiane.Praza@Sun.COMbasename_cmd=basename
4911838SLiane.Praza@Sun.COMcp_cmd=cp
5011838SLiane.Praza@Sun.COMegrep_cmd=egrep
5111838SLiane.Praza@Sun.COMmv_cmd=mv
5211838SLiane.Praza@Sun.COMnawk_cmd=nawk
5311838SLiane.Praza@Sun.COMrm_cmd=rm
5411838SLiane.Praza@Sun.COMsed_cmd=sed
5511838SLiane.Praza@Sun.COMsort_cmd=sort
5611838SLiane.Praza@Sun.COM
5711838SLiane.Praza@Sun.COM# $1 is the type
5811838SLiane.Praza@Sun.COM# $2 is the "old/existing file"
5911838SLiane.Praza@Sun.COM# $3 is the "new (to be merged)" file
6011838SLiane.Praza@Sun.COM# $4 is the output file
6111838SLiane.Praza@Sun.COM# returns 0 on success
6211838SLiane.Praza@Sun.COM# returns 2 on failure if nawk fails with non-zero exit status
6311838SLiane.Praza@Sun.COM#
6411838SLiane.Praza@Sun.COMdbmerge() {
6511838SLiane.Praza@Sun.COM#
6611838SLiane.Praza@Sun.COM# Remove the ident lines.
6711838SLiane.Praza@Sun.COM#
6811838SLiane.Praza@Sun.COM	${egrep_cmd} -v '^#[pragma 	]*ident' $2 > $4.old 2>/dev/null
6911838SLiane.Praza@Sun.COM#
7011838SLiane.Praza@Sun.COM# If the new file has a Sun copyright, remove the Sun copyright from the old
7111838SLiane.Praza@Sun.COM# file.
7211838SLiane.Praza@Sun.COM#
7311838SLiane.Praza@Sun.COM	newcr=`${egrep_cmd} '^# Copyright.*Sun Microsystems, Inc.' $3 \
7411838SLiane.Praza@Sun.COM	    2>/dev/null`
7511838SLiane.Praza@Sun.COM	if [ -n "${newcr}" ]; then
7611838SLiane.Praza@Sun.COM		$sed_cmd -e '/^# Copyright.*Sun Microsystems, Inc./d' \
7711838SLiane.Praza@Sun.COM		    -e '/^# All rights reserved./d' \
7811838SLiane.Praza@Sun.COM		    -e '/^# Use is subject to license terms./d' \
7911838SLiane.Praza@Sun.COM		    $4.old > $4.$$ 2>/dev/null
8011838SLiane.Praza@Sun.COM		$mv_cmd $4.$$ $4.old
8111838SLiane.Praza@Sun.COM	fi
8211838SLiane.Praza@Sun.COM#
83*13092Snathan.bush@oracle.com# If the new file has an Oracle copyright, remove both the Sun and Oracle
84*13092Snathan.bush@oracle.com# copyrights from the old file.
85*13092Snathan.bush@oracle.com#
86*13092Snathan.bush@oracle.com	oracle_cr=`${egrep_cmd} '^# Copyright.*Oracle and/or its affiliates.' \
87*13092Snathan.bush@oracle.com	    $3 2>/dev/null`
88*13092Snathan.bush@oracle.com	if [ -n "${oracle_cr}" ]; then
89*13092Snathan.bush@oracle.com		$sed_cmd -e '/^# Copyright.*Sun Microsystems, Inc./d' \
90*13092Snathan.bush@oracle.com		    -e '/^# All rights reserved./d' \
91*13092Snathan.bush@oracle.com		    -e '/^# Use is subject to license terms./d' \
92*13092Snathan.bush@oracle.com		    -e '/^# Copyright.*Oracle and\/or its affiliates./d' \
93*13092Snathan.bush@oracle.com		    $4.old > $4.$$ 2>/dev/null
94*13092Snathan.bush@oracle.com		$mv_cmd $4.$$ $4.old
95*13092Snathan.bush@oracle.com	fi
96*13092Snathan.bush@oracle.com#
9711838SLiane.Praza@Sun.COM# If the new file has the CDDL, remove it from the old file.
9811838SLiane.Praza@Sun.COM#
9911838SLiane.Praza@Sun.COM	newcr=`${egrep_cmd} '^# CDDL HEADER START' $3 2>/dev/null`
10011838SLiane.Praza@Sun.COM	if [ -n "${newcr}" ]; then
10111838SLiane.Praza@Sun.COM		$sed_cmd -e '/^# CDDL HEADER START/,/^# CDDL HEADER END/d' \
10211838SLiane.Praza@Sun.COM		    $4.old > $4.$$ 2>/dev/null
10311838SLiane.Praza@Sun.COM		$mv_cmd $4.$$ $4.old
10411838SLiane.Praza@Sun.COM	fi
10511838SLiane.Praza@Sun.COM#
10611838SLiane.Praza@Sun.COM# Remove empty lines and multiple instances of these comments:
10711838SLiane.Praza@Sun.COM#
10811838SLiane.Praza@Sun.COM	$sed_cmd -e '/^# \/etc\/security\/exec_attr/d' -e '/^#$/d' \
10911838SLiane.Praza@Sun.COM		-e '/^# execution attributes for profiles./d' \
11011838SLiane.Praza@Sun.COM		-e '/^# See exec_attr(4)/d' \
11111838SLiane.Praza@Sun.COM		-e '/^# \/etc\/user_attr/d' \
11211838SLiane.Praza@Sun.COM		-e '/^# user attributes. see user_attr(4)/d' \
11311838SLiane.Praza@Sun.COM		-e '/^# \/etc\/security\/prof_attr/d' \
11411838SLiane.Praza@Sun.COM		-e '/^# profiles attributes. see prof_attr(4)/d' \
11511838SLiane.Praza@Sun.COM		-e '/^# See prof_attr(4)/d' \
11611838SLiane.Praza@Sun.COM		-e '/^# \/etc\/security\/auth_attr/d' \
11711838SLiane.Praza@Sun.COM		-e '/^# authorizations. see auth_attr(4)/d' \
11811838SLiane.Praza@Sun.COM		-e '/^# authorization attributes. see auth_attr(4)/d' \
11911838SLiane.Praza@Sun.COM		    $4.old > $4.$$
12011838SLiane.Praza@Sun.COM	$mv_cmd $4.$$ $4.old
12111838SLiane.Praza@Sun.COM#
12211838SLiane.Praza@Sun.COM# Retain old and new header comments.
12311838SLiane.Praza@Sun.COM#
12411838SLiane.Praza@Sun.COM	$sed_cmd -n -e '/^[^#]/,$d' -e '/^##/,$d' -e p $4.old > $4
12511838SLiane.Praza@Sun.COM	$rm_cmd $4.old
12611838SLiane.Praza@Sun.COM	$sed_cmd -n -e '/^[^#]/,$d' -e '/^##/,$d' -e p $3 >> $4
12711838SLiane.Praza@Sun.COM#
128*13092Snathan.bush@oracle.com# If the output file now has both Sun and Oracle copyrights, remove
129*13092Snathan.bush@oracle.com# the Sun copyright.
130*13092Snathan.bush@oracle.com#
131*13092Snathan.bush@oracle.com	sun_cr=`${egrep_cmd} '^# Copyright.*Sun Microsystems, Inc.' \
132*13092Snathan.bush@oracle.com	    $4 2>/dev/null`
133*13092Snathan.bush@oracle.com	oracle_cr=`${egrep_cmd} '^# Copyright.*Oracle and/or its affiliates.' \
134*13092Snathan.bush@oracle.com	    $4 2>/dev/null`
135*13092Snathan.bush@oracle.com	if [ -n "${sun_cr}" ] && [ -n "${oracle_cr}" ]; then
136*13092Snathan.bush@oracle.com		$sed_cmd -e '/^# Copyright.*Sun Microsystems, Inc./d' \
137*13092Snathan.bush@oracle.com		    -e '/^# All rights reserved./d' \
138*13092Snathan.bush@oracle.com		    -e '/^# Use is subject to license terms./d' \
139*13092Snathan.bush@oracle.com		    $4 > $4.$$ 2>/dev/null
140*13092Snathan.bush@oracle.com		$mv_cmd $4.$$ $4
141*13092Snathan.bush@oracle.com	fi
142*13092Snathan.bush@oracle.com#
14311838SLiane.Praza@Sun.COM# Handle line continuations (trailing \)
14411838SLiane.Praza@Sun.COM#
14511838SLiane.Praza@Sun.COM 	$sed_cmd \
14611838SLiane.Praza@Sun.COM 	    -e '/\\$/{N;s/\\\n//;}'  -e '/\\$/{N;s/\\\n//;}' \
14711838SLiane.Praza@Sun.COM 	    -e '/\\$/{N;s/\\\n//;}'  -e '/\\$/{N;s/\\\n//;}' \
14811838SLiane.Praza@Sun.COM 	    -e '/\\$/{N;s/\\\n//;}'  -e '/\\$/{N;s/\\\n//;}' \
14911838SLiane.Praza@Sun.COM 	    $2 > $4.old
15011838SLiane.Praza@Sun.COM 	$sed_cmd \
15111838SLiane.Praza@Sun.COM 	    -e '/\\$/{N;s/\\\n//;}'  -e '/\\$/{N;s/\\\n//;}' \
15211838SLiane.Praza@Sun.COM 	    -e '/\\$/{N;s/\\\n//;}'  -e '/\\$/{N;s/\\\n//;}' \
15311838SLiane.Praza@Sun.COM 	    -e '/\\$/{N;s/\\\n//;}'  -e '/\\$/{N;s/\\\n//;}' \
15411838SLiane.Praza@Sun.COM 	    $3 > $4.new
15511838SLiane.Praza@Sun.COM#
15613091Snathan.bush@oracle.com# The nawk script below processes the old and new files using up to
15713091Snathan.bush@oracle.com# three passes.  If the old file is empty, only the final pass over
15813091Snathan.bush@oracle.com# the new file is required.
15913091Snathan.bush@oracle.com#
16013091Snathan.bush@oracle.com	if [ -s $4.old ]; then
16113091Snathan.bush@oracle.com		nawk_pass1=$4.old
16213091Snathan.bush@oracle.com		nawk_pass2=$4.new
16313091Snathan.bush@oracle.com		nawk_pass3=$4.new
16413091Snathan.bush@oracle.com	else
16513091Snathan.bush@oracle.com		nawk_pass1=
16613091Snathan.bush@oracle.com		nawk_pass2=
16713091Snathan.bush@oracle.com		nawk_pass3=$4.new
16813091Snathan.bush@oracle.com	fi
16913091Snathan.bush@oracle.com#
17011838SLiane.Praza@Sun.COM#!/usr/bin/nawk -f
17111838SLiane.Praza@Sun.COM#
17213091Snathan.bush@oracle.com#       dbmerge type=[auth|prof|user|exec] [ old-file new-file ] new-file
17311838SLiane.Praza@Sun.COM#
17411838SLiane.Praza@Sun.COM#       Merge two versions of an RBAC database file. The output
17511838SLiane.Praza@Sun.COM#       consists of the lines from the new-file, while preserving
17613091Snathan.bush@oracle.com#       user customizations in the old-file.
17713091Snathan.bush@oracle.com#
17813091Snathan.bush@oracle.com#	Entries in the new-file replace corresponding entries in the
17913091Snathan.bush@oracle.com#	old-file, except as follows:  For exec_attr, all old entries
18013091Snathan.bush@oracle.com#	for profiles contained in the new-file are discarded.  For
18113091Snathan.bush@oracle.com#	user_attr, the "root" entry from the old-file is retained,
18213091Snathan.bush@oracle.com#	and new keywords from the new-file are merged into it.
18313091Snathan.bush@oracle.com#
18413091Snathan.bush@oracle.com#	Records with the same key field(s) are merged, so that the
18513091Snathan.bush@oracle.com#	keyword/value section of each output record contains the union
18613091Snathan.bush@oracle.com#	of the keywords found in all input records with the same key
18713091Snathan.bush@oracle.com#	field(s).  For selected multi-value keywords [1] the values from
18813091Snathan.bush@oracle.com#	the new-file are merged with retained values from the old-file.
18913091Snathan.bush@oracle.com#	Otherwise, the value for each keyword is the final value found
19013091Snathan.bush@oracle.com#	in the new-file, except for keywords in the user_attr entry for
19113091Snathan.bush@oracle.com#	"root" where values from the old-file are always retained.
19213091Snathan.bush@oracle.com#
19313091Snathan.bush@oracle.com#	[1] The following file type and keyword combinations are merged:
19413091Snathan.bush@oracle.com#	    prof_attr: auths, profiles, privs
19513091Snathan.bush@oracle.com#	    user_attr: auths, profiles, roles
19611838SLiane.Praza@Sun.COM#
19711838SLiane.Praza@Sun.COM#	The output is run through sort except for the comments
19811838SLiane.Praza@Sun.COM#	which will appear first in the output.
19911838SLiane.Praza@Sun.COM#
20011838SLiane.Praza@Sun.COM#
20111838SLiane.Praza@Sun.COM	$nawk_cmd  '
20211838SLiane.Praza@Sun.COM
20313091Snathan.bush@oracle.com# This script may be invoked with up to three file names.  Each file
20413091Snathan.bush@oracle.com# name corresponds to a separate processing pass.  The passes are
20513091Snathan.bush@oracle.com# defined as follows:
20613091Snathan.bush@oracle.com#
20713091Snathan.bush@oracle.com# Pass 1: Read existing data.
20813091Snathan.bush@oracle.com# Data from the old-file is read into memory.
20913091Snathan.bush@oracle.com#
21013091Snathan.bush@oracle.com# Pass 2: Remove obsolete data.
21113091Snathan.bush@oracle.com# Discard any data from the old-file that is part of profiles that
21213091Snathan.bush@oracle.com# are also in the new-file.  (As a special case, the user_attr entry
21313091Snathan.bush@oracle.com# for 'root' is always retained.)
21413091Snathan.bush@oracle.com#
21513091Snathan.bush@oracle.com# Pass 3: Merge new data.
21613091Snathan.bush@oracle.com# Data from the new-file is merged with the remaining old-file data.
21713091Snathan.bush@oracle.com# (As a special case, exec_attr entries are replaced, not merged.)
21813091Snathan.bush@oracle.com
21911838SLiane.Praza@Sun.COMBEGIN {
22013091Snathan.bush@oracle.com	# The variable 'pass' specifies which type of processing to perform.
22113091Snathan.bush@oracle.com	# When processing only one file, skip passes 1 and 2.
22213091Snathan.bush@oracle.com	if (ARGC == 3)
22313091Snathan.bush@oracle.com		pass += 2;
22413091Snathan.bush@oracle.com
22513091Snathan.bush@oracle.com	# The array 'keyword_behavior' specifies the special treatment of
22613091Snathan.bush@oracle.com	# [type, keyword] combinations subject to value merging.
22713091Snathan.bush@oracle.com	keyword_behavior["prof", "auths"] =	"merge";
22813091Snathan.bush@oracle.com	keyword_behavior["prof", "profiles"] =	"merge";
22913091Snathan.bush@oracle.com	keyword_behavior["prof", "privs"] =	"merge";
23013091Snathan.bush@oracle.com	keyword_behavior["user", "auths"] =	"merge";
23113091Snathan.bush@oracle.com	keyword_behavior["user", "profiles"] =	"merge";
23213091Snathan.bush@oracle.com	keyword_behavior["user", "roles"] =	"merge";
23313091Snathan.bush@oracle.com
23411838SLiane.Praza@Sun.COM	FS=":"
23511838SLiane.Praza@Sun.COM}
23611838SLiane.Praza@Sun.COM
23713091Snathan.bush@oracle.com# When FNR (current file record number) is 1 it indicates that nawk
23813091Snathan.bush@oracle.com# is starting to read the next file specified on its command line,
23913091Snathan.bush@oracle.com# and is beginning the next processing pass.
24013091Snathan.bush@oracle.comFNR == 1 {
24113091Snathan.bush@oracle.com	pass++;
24213091Snathan.bush@oracle.com}
24313091Snathan.bush@oracle.com
24411838SLiane.Praza@Sun.COM/^#/ || /^$/ {
24511838SLiane.Praza@Sun.COM	continue;
24611838SLiane.Praza@Sun.COM}
24711838SLiane.Praza@Sun.COM
24812690Snathan.bush@oracle.com{
24912690Snathan.bush@oracle.com	# For each input line, nawk automatically assigns the complete
25012690Snathan.bush@oracle.com	# line to $0 and also splits the line at field separators and
25112690Snathan.bush@oracle.com	# assigns each field to a variable $1..$n.  Assignment to $0
25212690Snathan.bush@oracle.com	# re-splits the line into the field variables.  Conversely,
25312690Snathan.bush@oracle.com	# assgnment to a variable $1..$n will cause $0 to be recomputed
25412690Snathan.bush@oracle.com	# from the field variable values.
25512690Snathan.bush@oracle.com	#
25612690Snathan.bush@oracle.com	# This code adds awareness of escaped field separators by using
25712690Snathan.bush@oracle.com	# a custom function to split the line into a temporary array.
25812690Snathan.bush@oracle.com	# It assigns the empty string to $0 to clear any excess field
25912690Snathan.bush@oracle.com	# variables, and assigns the desired elements of the temporary
26012690Snathan.bush@oracle.com	# array back to the field variables $1..$7.
26112690Snathan.bush@oracle.com	#
26212690Snathan.bush@oracle.com	# Subsequent code must not assign directly to $0 or the fields
26312690Snathan.bush@oracle.com	# will be re-split without regard to escaped field separators.
26412690Snathan.bush@oracle.com	split_escape($0, f, ":");
26512690Snathan.bush@oracle.com	$0 = "";
26612690Snathan.bush@oracle.com	$1 = f[1];
26712690Snathan.bush@oracle.com	$2 = f[2];
26812690Snathan.bush@oracle.com	$3 = f[3];
26912690Snathan.bush@oracle.com	$4 = f[4];
27012690Snathan.bush@oracle.com	$5 = f[5];
27112690Snathan.bush@oracle.com	$6 = f[6];
27212690Snathan.bush@oracle.com	$7 = f[7];
27312690Snathan.bush@oracle.com}
27412690Snathan.bush@oracle.com
27511838SLiane.Praza@Sun.COMtype == "auth" {
27611838SLiane.Praza@Sun.COM	key = $1 ":" $2 ":" $3 ;
27713091Snathan.bush@oracle.com	if (pass == 1) {
27811838SLiane.Praza@Sun.COM		short_comment[key] = $4 ;
27911838SLiane.Praza@Sun.COM		long_comment[key] = $5;
28011838SLiane.Praza@Sun.COM		record[key] = $6;
28113091Snathan.bush@oracle.com	} else if (pass == 2) {
28213091Snathan.bush@oracle.com		delete short_comment[key];
28313091Snathan.bush@oracle.com		delete long_comment[key];
28413091Snathan.bush@oracle.com		delete record[key];
28513091Snathan.bush@oracle.com	} else if (pass == 3) {
28611838SLiane.Praza@Sun.COM		if ( $4 != "" ) {
28711838SLiane.Praza@Sun.COM			short_comment[key] = $4 ;
28811838SLiane.Praza@Sun.COM		}
28911838SLiane.Praza@Sun.COM		if ( $5 != "" ) {
29011838SLiane.Praza@Sun.COM			long_comment[key] =  $5 ;
29111838SLiane.Praza@Sun.COM		}
29213091Snathan.bush@oracle.com		record[key] = merge_attrs(record[key], $6);
29311838SLiane.Praza@Sun.COM	}
29411838SLiane.Praza@Sun.COM}
29511838SLiane.Praza@Sun.COM
29611838SLiane.Praza@Sun.COMtype == "prof" {
29711838SLiane.Praza@Sun.COM	key = $1 ":" $2 ":" $3 ;
29813091Snathan.bush@oracle.com	if (pass == 1) {
29911838SLiane.Praza@Sun.COM		comment[key] = $4;
30011838SLiane.Praza@Sun.COM		record[key] = $5;
30113091Snathan.bush@oracle.com	} else if (pass == 2) {
30213091Snathan.bush@oracle.com		delete comment[key];
30313091Snathan.bush@oracle.com		delete record[key];
30413091Snathan.bush@oracle.com	} else if (pass == 3) {
30511838SLiane.Praza@Sun.COM		if ( $4 != "" ) {
30611838SLiane.Praza@Sun.COM			comment[key] = $4 ;
30711838SLiane.Praza@Sun.COM		}
30811838SLiane.Praza@Sun.COM		if (key != "::") {
30913091Snathan.bush@oracle.com			record[key] = merge_attrs(record[key], $5);
31011838SLiane.Praza@Sun.COM		}
31111838SLiane.Praza@Sun.COM	}
31211838SLiane.Praza@Sun.COM}
31311838SLiane.Praza@Sun.COM
31411838SLiane.Praza@Sun.COMtype == "exec" {
31511838SLiane.Praza@Sun.COM	key = $1 ":" $2 ":" $3 ":" $4 ":" $5 ":" $6 ;
31613091Snathan.bush@oracle.com	if (pass == 1) {
31713091Snathan.bush@oracle.com		record[key] = $7;
31813091Snathan.bush@oracle.com	} else if (pass == 2) {
31913091Snathan.bush@oracle.com		# For exec_attr, deletion is based on the 'name' field only,
32013091Snathan.bush@oracle.com		# so that all old entries for the profile are removed.
32113091Snathan.bush@oracle.com		for (oldkey in record) {
32213091Snathan.bush@oracle.com			split_escape(oldkey, oldkey_fields, ":");
32313091Snathan.bush@oracle.com			if (oldkey_fields[1] == $1)
32413091Snathan.bush@oracle.com				delete record[oldkey];
32513091Snathan.bush@oracle.com		}
32613091Snathan.bush@oracle.com	} else if (pass == 3) {
32713091Snathan.bush@oracle.com		# Substitute new entries, do not merge.
32813091Snathan.bush@oracle.com		record[key] = $7;
32913091Snathan.bush@oracle.com	}
33011838SLiane.Praza@Sun.COM}
33111838SLiane.Praza@Sun.COM
33211838SLiane.Praza@Sun.COMtype == "user" {
33311838SLiane.Praza@Sun.COM	key = $1 ":" $2 ":" $3 ":" $4 ;
33413091Snathan.bush@oracle.com	if (pass == 1) {
33511838SLiane.Praza@Sun.COM		record[key] = $5;
33613091Snathan.bush@oracle.com	} else if (pass == 2) {
33713091Snathan.bush@oracle.com		if ($1 != "root")
33813091Snathan.bush@oracle.com			delete record[key];
33913091Snathan.bush@oracle.com	} else if (pass == 3) {
34013091Snathan.bush@oracle.com		record[key] = merge_attrs(record[key], $5);
34111838SLiane.Praza@Sun.COM	}
34211838SLiane.Praza@Sun.COM}
34311838SLiane.Praza@Sun.COM
34411838SLiane.Praza@Sun.COMEND {
34511838SLiane.Praza@Sun.COM	for (key in record) {
34611838SLiane.Praza@Sun.COM		if (type == "prof") {
34711838SLiane.Praza@Sun.COM			if (key != "::") {
34811838SLiane.Praza@Sun.COM				print key ":" comment[key] ":" record[key];
34911838SLiane.Praza@Sun.COM			}
35011838SLiane.Praza@Sun.COM		} else
35111838SLiane.Praza@Sun.COM			if (type == "auth") {
35211838SLiane.Praza@Sun.COM				print key ":" short_comment[key] ":"  \
35311838SLiane.Praza@Sun.COM				    long_comment[key] ":" record[key];
35411838SLiane.Praza@Sun.COM			} else
35511838SLiane.Praza@Sun.COM				print key ":" record[key];
35611838SLiane.Praza@Sun.COM		}
35711838SLiane.Praza@Sun.COM}
35811838SLiane.Praza@Sun.COM
35911838SLiane.Praza@Sun.COMfunction merge_attrs(old, new, cnt, new_cnt, i, j, list, new_list, keyword)
36011838SLiane.Praza@Sun.COM{
36112690Snathan.bush@oracle.com	cnt = split_escape(old, list, ";");
36212690Snathan.bush@oracle.com	new_cnt = split_escape(new, new_list, ";");
36311838SLiane.Praza@Sun.COM	for (i = 1; i <= new_cnt; i++) {
36411838SLiane.Praza@Sun.COM		keyword = substr(new_list[i], 1, index(new_list[i], "=")-1);
36511838SLiane.Praza@Sun.COM		for (j = 1; j <= cnt; j++) {
36611838SLiane.Praza@Sun.COM			if (match(list[j], "^" keyword "=")) {
36711838SLiane.Praza@Sun.COM				list[j] = merge_values(keyword, list[j],
36811838SLiane.Praza@Sun.COM				    new_list[i]);
36911838SLiane.Praza@Sun.COM				break;
37011838SLiane.Praza@Sun.COM			}
37111838SLiane.Praza@Sun.COM		}
37211838SLiane.Praza@Sun.COM		if (j > cnt)
37311838SLiane.Praza@Sun.COM			list[++cnt] = new_list[i];
37411838SLiane.Praza@Sun.COM	}
37511838SLiane.Praza@Sun.COM
37611838SLiane.Praza@Sun.COM	return unsplit(list, cnt, ";"); \
37711838SLiane.Praza@Sun.COM}
37811838SLiane.Praza@Sun.COM
37911838SLiane.Praza@Sun.COMfunction merge_values(keyword, old, new, cnt, new_cnt, i, j, list, new_list, d)
38011838SLiane.Praza@Sun.COM{
38113091Snathan.bush@oracle.com	# Keywords with multivalued attributes that are subject to merging
38213091Snathan.bush@oracle.com	# are processed by the algorithm implemented further below.
38313091Snathan.bush@oracle.com	# Otherwise, the keyword is not subject to merging, and:
38413091Snathan.bush@oracle.com	#   For user_attr, the existing value is retained.
38513091Snathan.bush@oracle.com	#   For any other file, the new value is substituted.
38613091Snathan.bush@oracle.com	if (keyword_behavior[type, keyword] != "merge") {
38713091Snathan.bush@oracle.com		if (type == "user") {
38813091Snathan.bush@oracle.com			return old;
38913091Snathan.bush@oracle.com		} else {
39013091Snathan.bush@oracle.com			return new;
39113091Snathan.bush@oracle.com		}
39213091Snathan.bush@oracle.com	}
39311838SLiane.Praza@Sun.COM
39411838SLiane.Praza@Sun.COM	cnt = split(substr(old, length(keyword)+2), list, ",");
39511838SLiane.Praza@Sun.COM	new_cnt = split(substr(new, length(keyword)+2), new_list, ",");
39611838SLiane.Praza@Sun.COM
39711838SLiane.Praza@Sun.COM	# If the existing list contains "All", remove it and add it
39811838SLiane.Praza@Sun.COM	# to the new list; that way "All" will appear at the only valid
39911838SLiane.Praza@Sun.COM	# location, the end of the list.
40011838SLiane.Praza@Sun.COM	if (keyword == "profiles") {
40111838SLiane.Praza@Sun.COM		d = 0;
40211838SLiane.Praza@Sun.COM		for (i = 1; i <= cnt; i++) {
40311838SLiane.Praza@Sun.COM			if (list[i] != "All")
40411838SLiane.Praza@Sun.COM				list[++d] = list[i];
40511838SLiane.Praza@Sun.COM		}
40611838SLiane.Praza@Sun.COM		if (cnt != d) {
40711838SLiane.Praza@Sun.COM			new_list[++new_cnt] = "All";
40811838SLiane.Praza@Sun.COM			cnt = d;
40911838SLiane.Praza@Sun.COM		}
41011838SLiane.Praza@Sun.COM	}
41111838SLiane.Praza@Sun.COM	for (i = 1; i <= new_cnt; i++) {
41211838SLiane.Praza@Sun.COM		for (j = 1; j <= cnt; j++) {
41311838SLiane.Praza@Sun.COM			if (list[j] == new_list[i])
41411838SLiane.Praza@Sun.COM				break;
41511838SLiane.Praza@Sun.COM		}
41611838SLiane.Praza@Sun.COM		if (j > cnt)
41711838SLiane.Praza@Sun.COM			list[++cnt] = new_list[i];
41811838SLiane.Praza@Sun.COM	}
41911838SLiane.Praza@Sun.COM
42011838SLiane.Praza@Sun.COM	return keyword "=" unsplit(list, cnt, ",");
42111838SLiane.Praza@Sun.COM}
42211838SLiane.Praza@Sun.COM
42312690Snathan.bush@oracle.com# This function is similar to the nawk built-in split() function,
42412690Snathan.bush@oracle.com# except that a "\" character may be used to escape any subsequent
42512690Snathan.bush@oracle.com# character, so that the escaped character will not be treated as a
42612690Snathan.bush@oracle.com# field separator or as part of a field separator regular expression.
42712690Snathan.bush@oracle.com# The "\" characters will remain in the elements of the output array
42812690Snathan.bush@oracle.com# variable upon completion.
42912690Snathan.bush@oracle.comfunction split_escape(str, list, fs, cnt, saved, sep)
43012690Snathan.bush@oracle.com{
43112690Snathan.bush@oracle.com	# default to global FS
43212690Snathan.bush@oracle.com	if (fs == "")
43312690Snathan.bush@oracle.com		fs = FS;
43412690Snathan.bush@oracle.com	# initialize empty list, cnt, saved
43512690Snathan.bush@oracle.com	split("", list, " ");
43612690Snathan.bush@oracle.com	cnt = 0;
43712690Snathan.bush@oracle.com	saved = "";
43812690Snathan.bush@oracle.com	# track whether last token was a field separator
43912690Snathan.bush@oracle.com	sep = 0;
44012690Snathan.bush@oracle.com	# nonzero str length indicates more string left to scan
44112690Snathan.bush@oracle.com	while (length(str)) {
44212690Snathan.bush@oracle.com		if (match(str, fs) == 1) {
44312690Snathan.bush@oracle.com			# field separator, terminates current field
44412690Snathan.bush@oracle.com			list[++cnt] = saved;
44512690Snathan.bush@oracle.com			saved = "";
44612690Snathan.bush@oracle.com			str = substr(str, RLENGTH + 1);
44712690Snathan.bush@oracle.com			sep = 1;
44812690Snathan.bush@oracle.com		} else if (substr(str, 1, 1) == "\\") {
44912690Snathan.bush@oracle.com			# escaped character
45012690Snathan.bush@oracle.com			saved = saved substr(str, 1, 2);
45112690Snathan.bush@oracle.com			str = substr(str, 3);
45212690Snathan.bush@oracle.com			sep = 0;
45312690Snathan.bush@oracle.com		} else {
45412690Snathan.bush@oracle.com			# regular character
45512690Snathan.bush@oracle.com			saved = saved substr(str, 1, 1);
45612690Snathan.bush@oracle.com			str = substr(str, 2);
45712690Snathan.bush@oracle.com			sep = 0;
45812690Snathan.bush@oracle.com		}
45912690Snathan.bush@oracle.com	}
46012690Snathan.bush@oracle.com	# if required, append final field to list
46112690Snathan.bush@oracle.com	if (sep || length(saved))
46212690Snathan.bush@oracle.com		list[++cnt] = saved;
46312690Snathan.bush@oracle.com
46412690Snathan.bush@oracle.com	return cnt;
46512690Snathan.bush@oracle.com}
46612690Snathan.bush@oracle.com
46711838SLiane.Praza@Sun.COMfunction unsplit(list, cnt, delim, str)
46811838SLiane.Praza@Sun.COM{
46911838SLiane.Praza@Sun.COM	str = list[1];
47011838SLiane.Praza@Sun.COM	for (i = 2; i <= cnt; i++)
47111838SLiane.Praza@Sun.COM		str = str delim list[i];
47211838SLiane.Praza@Sun.COM	return str;
47311838SLiane.Praza@Sun.COM}' \
47413091Snathan.bush@oracle.com	type=$1 $nawk_pass1 $nawk_pass2 $nawk_pass3 > $4.unsorted
47511838SLiane.Praza@Sun.COM	rc=$?
47611838SLiane.Praza@Sun.COM	$sort_cmd < $4.unsorted >> $4
47711838SLiane.Praza@Sun.COM	return $rc
47811838SLiane.Praza@Sun.COM}
47911838SLiane.Praza@Sun.COM
48011838SLiane.Praza@Sun.COM# $1 is the merged file
48111838SLiane.Praza@Sun.COM# $2 is the target file
48211838SLiane.Praza@Sun.COM#
48311838SLiane.Praza@Sun.COMcommit() {
48411838SLiane.Praza@Sun.COM	# Make sure that the last mv uses rename(2) by first moving to
48511838SLiane.Praza@Sun.COM	# the same filesystem.
48611838SLiane.Praza@Sun.COM	$mv_cmd $1 $2.$$
48711838SLiane.Praza@Sun.COM	$mv_cmd $2.$$ $2
48811838SLiane.Praza@Sun.COM	return $?
48911838SLiane.Praza@Sun.COM}
49011838SLiane.Praza@Sun.COM
49111838SLiane.Praza@Sun.COMoutfile=""
49211838SLiane.Praza@Sun.COMtype=""
49311838SLiane.Praza@Sun.COMset_type_and_outfile() {
49411838SLiane.Praza@Sun.COM	#
49511838SLiane.Praza@Sun.COM	# Assumes basename $1 returns one of
49611838SLiane.Praza@Sun.COM	# prof_attr, exec_attr, auth_attr, or user_attr
49711838SLiane.Praza@Sun.COM	#
49811838SLiane.Praza@Sun.COM	fname=`$basename_cmd $1`
49911838SLiane.Praza@Sun.COM	type=`echo $fname | $sed_cmd -e s'/^\([a-z][a-z]*\)_attr$/\1/' `
50011838SLiane.Praza@Sun.COM	case "$type" in
50111838SLiane.Praza@Sun.COM		"prof"|"exec"|"user"|"auth") ;;
50211838SLiane.Praza@Sun.COM		*) return 2 ;;
50311838SLiane.Praza@Sun.COM	esac
50411838SLiane.Praza@Sun.COM
50511838SLiane.Praza@Sun.COM	outfile=$tmp_dir/rbac_${PKGINST}_${fname}_merge.$$
50611838SLiane.Praza@Sun.COM
50711838SLiane.Praza@Sun.COM	return 0
50811838SLiane.Praza@Sun.COM}
50911838SLiane.Praza@Sun.COM
51011838SLiane.Praza@Sun.COMcleanup() {
51111838SLiane.Praza@Sun.COM	$rm_cmd -f $outfile $outfile.old $outfile.new $outfile.unsorted
51211838SLiane.Praza@Sun.COM
51311838SLiane.Praza@Sun.COM	return 0
51411838SLiane.Praza@Sun.COM}
51511838SLiane.Praza@Sun.COM
51611838SLiane.Praza@Sun.COMexit_status=0
51711838SLiane.Praza@Sun.COM
51811838SLiane.Praza@Sun.COM# main
51911838SLiane.Praza@Sun.COM
52011838SLiane.Praza@Sun.COMwhile read newfile oldfile ; do
52111838SLiane.Praza@Sun.COM	if [ -n "$PKGINST" ]
52211838SLiane.Praza@Sun.COM	then
52311838SLiane.Praza@Sun.COM		# Install the file in the "fragment" directory.
52411838SLiane.Praza@Sun.COM		mkdir -m 755 -p ${oldfile}.d
52511838SLiane.Praza@Sun.COM		rm -f ${oldfile}.d/"$PKGINST"
52611838SLiane.Praza@Sun.COM		cp $newfile ${oldfile}.d/"$PKGINST"
52711838SLiane.Praza@Sun.COM
52811838SLiane.Praza@Sun.COM		# Make sure that it is marked read-only.
52911838SLiane.Praza@Sun.COM		chmod a-w,a+r ${oldfile}.d/"$PKGINST"
53011838SLiane.Praza@Sun.COM
53111838SLiane.Praza@Sun.COM		# We also execute the rest of the i.rbac script.
53211838SLiane.Praza@Sun.COM	fi
53311838SLiane.Praza@Sun.COM
53411838SLiane.Praza@Sun.COM	if [ ! -f $oldfile ]; then
53511838SLiane.Praza@Sun.COM		cp $newfile $oldfile
53611838SLiane.Praza@Sun.COM	else
53711838SLiane.Praza@Sun.COM		set_type_and_outfile $newfile ||
53811838SLiane.Praza@Sun.COM			set_type_and_outfile $oldfile
53911838SLiane.Praza@Sun.COM		if [ $? -ne 0 ]; then
54011838SLiane.Praza@Sun.COM			echo "$0 : $newfile not one of" \
54111838SLiane.Praza@Sun.COM			    " prof_attr, exec_attr, auth_attr, user_attr"
54211838SLiane.Praza@Sun.COM			exit_status=2
54311838SLiane.Praza@Sun.COM			continue
54411838SLiane.Praza@Sun.COM		fi
54511838SLiane.Praza@Sun.COM
54611838SLiane.Praza@Sun.COM		dbmerge $type $oldfile $newfile $outfile
54711838SLiane.Praza@Sun.COM		if [ $? -ne 0 ]; then
54811838SLiane.Praza@Sun.COM			echo "$0 : failed to merge $newfile with $oldfile"
54911838SLiane.Praza@Sun.COM			cleanup
55011838SLiane.Praza@Sun.COM			exit_status=2
55111838SLiane.Praza@Sun.COM			continue
55211838SLiane.Praza@Sun.COM		fi
55311838SLiane.Praza@Sun.COM
55411838SLiane.Praza@Sun.COM		commit $outfile $oldfile
55511838SLiane.Praza@Sun.COM		if [ $? -ne 0 ]; then
55611838SLiane.Praza@Sun.COM			echo "$0 : failed to mv $outfile to $2"
55711838SLiane.Praza@Sun.COM			cleanup
55811838SLiane.Praza@Sun.COM			exit_status=2
55911838SLiane.Praza@Sun.COM			continue
56011838SLiane.Praza@Sun.COM		fi
56111838SLiane.Praza@Sun.COM
56211838SLiane.Praza@Sun.COM		cleanup
56311838SLiane.Praza@Sun.COM	fi
56411838SLiane.Praza@Sun.COMdone
56511838SLiane.Praza@Sun.COM
56611838SLiane.Praza@Sun.COMif [ "$1" = "ENDOFCLASS" ]; then
56711838SLiane.Praza@Sun.COM	exit 0
56811838SLiane.Praza@Sun.COMfi
56911838SLiane.Praza@Sun.COM
57011838SLiane.Praza@Sun.COMexit $exit_status
571