xref: /onnv-gate/usr/src/lib/libsecdb/common/i.rbac (revision 12690)

#!/bin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
# i.rbac
#
# Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
#
# class action script for "rbac" class files
# installed by pkgadd
#
# Files in "rbac" class:
#
# /etc/security/{prof_attr,exec_attr,auth_attr}
# /etc/user_attr
#
#  Allowable exit codes
#
# 0 - success
# 2 - warning or possible error condition. Installation continues. A warning
#     message is displayed at the time of completion.
#

umask 022

tmp_dir=${TMPDIR:-/tmp}

PATH="/usr/bin:/usr/sbin:${PATH}"
export PATH

basename_cmd=basename
cp_cmd=cp
egrep_cmd=egrep
mv_cmd=mv
nawk_cmd=nawk
rm_cmd=rm
sed_cmd=sed
sort_cmd=sort

# $1 is the type
# $2 is the "old/existing file"
# $3 is the "new (to be merged)" file
# $4 is the output file
# returns 0 on success
# returns 2 on failure if nawk fails with non-zero exit status
#
dbmerge() {
#
# Remove the ident lines.
#
	${egrep_cmd} -v '^#[pragma 	]*ident' $2 > $4.old 2>/dev/null
#
# If the new file has a Sun copyright, remove the Sun copyright from the old
# file.
#
	newcr=`${egrep_cmd} '^# Copyright.*Sun Microsystems, Inc.' $3 \
	    2>/dev/null`
	if [ -n "${newcr}" ]; then
		$sed_cmd -e '/^# Copyright.*Sun Microsystems, Inc./d' \
		    -e '/^# All rights reserved./d' \
		    -e '/^# Use is subject to license terms./d' \
		    $4.old > $4.$$ 2>/dev/null
		$mv_cmd $4.$$ $4.old
	fi
#
# If the new file has the CDDL, remove it from the old file.
#
	newcr=`${egrep_cmd} '^# CDDL HEADER START' $3 2>/dev/null`
	if [ -n "${newcr}" ]; then
		$sed_cmd -e '/^# CDDL HEADER START/,/^# CDDL HEADER END/d' \
		    $4.old > $4.$$ 2>/dev/null
		$mv_cmd $4.$$ $4.old
	fi
#
# Remove empty lines and multiple instances of these comments:
#
	$sed_cmd -e '/^# \/etc\/security\/exec_attr/d' -e '/^#$/d' \
		-e '/^# execution attributes for profiles./d' \
		-e '/^# See exec_attr(4)/d' \
		-e '/^# \/etc\/user_attr/d' \
		-e '/^# user attributes. see user_attr(4)/d' \
		-e '/^# \/etc\/security\/prof_attr/d' \
		-e '/^# profiles attributes. see prof_attr(4)/d' \
		-e '/^# See prof_attr(4)/d' \
		-e '/^# \/etc\/security\/auth_attr/d' \
		-e '/^# authorizations. see auth_attr(4)/d' \
		-e '/^# authorization attributes. see auth_attr(4)/d' \
		    $4.old > $4.$$
	$mv_cmd $4.$$ $4.old
#
# Retain old and new header comments.
#
	$sed_cmd -n -e '/^[^#]/,$d' -e '/^##/,$d' -e p $4.old > $4
	$rm_cmd $4.old
	$sed_cmd -n -e '/^[^#]/,$d' -e '/^##/,$d' -e p $3 >> $4
#
# Handle line continuations (trailing \)
#
 	$sed_cmd \
 	    -e '/\\$/{N;s/\\\n//;}'  -e '/\\$/{N;s/\\\n//;}' \
 	    -e '/\\$/{N;s/\\\n//;}'  -e '/\\$/{N;s/\\\n//;}' \
 	    -e '/\\$/{N;s/\\\n//;}'  -e '/\\$/{N;s/\\\n//;}' \
 	    $2 > $4.old
 	$sed_cmd \
 	    -e '/\\$/{N;s/\\\n//;}'  -e '/\\$/{N;s/\\\n//;}' \
 	    -e '/\\$/{N;s/\\\n//;}'  -e '/\\$/{N;s/\\\n//;}' \
 	    -e '/\\$/{N;s/\\\n//;}'  -e '/\\$/{N;s/\\\n//;}' \
 	    $3 > $4.new
#
#!/usr/bin/nawk -f
#
#       dbmerge type=[auth|prof|user|exec] old-file new-file
#
#       Merge two versions of an RBAC database file. The output
#       consists of the lines from the new-file, while preserving
#       user customizations in the old-file. Specifically, the
#       keyword/value section of each record contains the union
#       of the entries found in both files. The value for each
#       keyword is the value from the new-file, except for three
#       keywords ("auths", "profiles", "roles") where the values
#       from the old and new files are merged.
#
#	The output is run through sort except for the comments
#	which will appear first in the output.
#
#
	$nawk_cmd  '

BEGIN {
	FS=":"
}

/^#/ || /^$/ {
	continue;
}

{
	# For each input line, nawk automatically assigns the complete
	# line to $0 and also splits the line at field separators and
	# assigns each field to a variable $1..$n.  Assignment to $0
	# re-splits the line into the field variables.  Conversely,
	# assgnment to a variable $1..$n will cause $0 to be recomputed
	# from the field variable values.
	#
	# This code adds awareness of escaped field separators by using
	# a custom function to split the line into a temporary array.
	# It assigns the empty string to $0 to clear any excess field
	# variables, and assigns the desired elements of the temporary
	# array back to the field variables $1..$7.
	#
	# Subsequent code must not assign directly to $0 or the fields
	# will be re-split without regard to escaped field separators.
	split_escape($0, f, ":");
	$0 = "";
	$1 = f[1];
	$2 = f[2];
	$3 = f[3];
	$4 = f[4];
	$5 = f[5];
	$6 = f[6];
	$7 = f[7];
}

type == "auth" {
	key = $1 ":" $2 ":" $3 ;
	if (NR == FNR) {
		short_comment[key] = $4 ;
		long_comment[key] = $5;
		record[key] = $6;
	}
	else {
		if ( $4 != "" ) {
			short_comment[key] = $4 ;
		}
		if ( $5 != "" ) {
			long_comment[key] =  $5 ;
		}
		print key ":" short_comment[key] ":" long_comment[key] ":" \
		    merge_attrs(record[key], $6);
		delete record[key];
	}
}

type == "prof" {
	key = $1 ":" $2 ":" $3 ;
	if (NR == FNR) {
		comment[key] = $4;
		record[key] = $5;
	}
	else {
		if ( $4 != "" ) {
			comment[key] = $4 ;
		}
		if (key != "::") {
			print key ":" comment[key] ":" \
			    merge_attrs(record[key], $5);
		}
		delete record[key];
	}
}

type == "exec" {
	key = $1 ":" $2 ":" $3 ":" $4 ":" $5 ":" $6 ;
	# Substitute new entries, do not merge.
	record[key] = $7;
}

type == "user" {
	key = $1 ":" $2 ":" $3 ":" $4 ;
	if (NR == FNR)
		record[key] = $5;
	else {
		print key ":" merge_attrs(record[key], $5);
		delete record[key];
	}
}

END {
	for (key in record) {
		if (type == "prof") {
			if (key != "::") {
				print key ":" comment[key] ":" record[key];
			}
		} else
			if (type == "auth") {
				print key ":" short_comment[key] ":"  \
				    long_comment[key] ":" record[key];
			} else
				print key ":" record[key];
		}
}

function merge_attrs(old, new, cnt, new_cnt, i, j, list, new_list, keyword)
{
	cnt = split_escape(old, list, ";");
	new_cnt = split_escape(new, new_list, ";");
	for (i = 1; i <= new_cnt; i++) {
		keyword = substr(new_list[i], 1, index(new_list[i], "=")-1);
		for (j = 1; j <= cnt; j++) {
			if (match(list[j], "^" keyword "=")) {
				list[j] = merge_values(keyword, list[j],
				    new_list[i]);
				break;
			}
		}
		if (j > cnt)
			list[++cnt] = new_list[i];
	}

	return unsplit(list, cnt, ";"); \
}

function merge_values(keyword, old, new, cnt, new_cnt, i, j, list, new_list, d)
{
	if (keyword != "auths" && keyword != "profiles")
		return new;

	cnt = split(substr(old, length(keyword)+2), list, ",");
	new_cnt = split(substr(new, length(keyword)+2), new_list, ",");

	# If the existing list contains "All", remove it and add it
	# to the new list; that way "All" will appear at the only valid
	# location, the end of the list.
	if (keyword == "profiles") {
		d = 0;
		for (i = 1; i <= cnt; i++) {
			if (list[i] != "All")
				list[++d] = list[i];
		}
		if (cnt != d) {
			new_list[++new_cnt] = "All";
			cnt = d;
		}
	}
	for (i = 1; i <= new_cnt; i++) {
		for (j = 1; j <= cnt; j++) {
			if (list[j] == new_list[i])
				break;
		}
		if (j > cnt)
			list[++cnt] = new_list[i];
	}

	return keyword "=" unsplit(list, cnt, ",");
}

# This function is similar to the nawk built-in split() function,
# except that a "\" character may be used to escape any subsequent
# character, so that the escaped character will not be treated as a
# field separator or as part of a field separator regular expression.
# The "\" characters will remain in the elements of the output array
# variable upon completion.
function split_escape(str, list, fs, cnt, saved, sep)
{
	# default to global FS
	if (fs == "")
		fs = FS;
	# initialize empty list, cnt, saved
	split("", list, " ");
	cnt = 0;
	saved = "";
	# track whether last token was a field separator
	sep = 0;
	# nonzero str length indicates more string left to scan
	while (length(str)) {
		if (match(str, fs) == 1) {
			# field separator, terminates current field
			list[++cnt] = saved;
			saved = "";
			str = substr(str, RLENGTH + 1);
			sep = 1;
		} else if (substr(str, 1, 1) == "\\") {
			# escaped character
			saved = saved substr(str, 1, 2);
			str = substr(str, 3);
			sep = 0;
		} else {
			# regular character
			saved = saved substr(str, 1, 1);
			str = substr(str, 2);
			sep = 0;
		}
	}
	# if required, append final field to list
	if (sep || length(saved))
		list[++cnt] = saved;

	return cnt;
}

function unsplit(list, cnt, delim, str)
{
	str = list[1];
	for (i = 2; i <= cnt; i++)
		str = str delim list[i];
	return str;
}' \
	type=$1 $4.old $4.new > $4.unsorted
	rc=$?
	$sort_cmd < $4.unsorted >> $4
	return $rc
}

# $1 is the merged file
# $2 is the target file
#
commit() {
	# Make sure that the last mv uses rename(2) by first moving to
	# the same filesystem.
	$mv_cmd $1 $2.$$
	$mv_cmd $2.$$ $2
	return $?
}

outfile=""
type=""
set_type_and_outfile() {
	#
	# Assumes basename $1 returns one of
	# prof_attr, exec_attr, auth_attr, or user_attr
	#
	fname=`$basename_cmd $1`
	type=`echo $fname | $sed_cmd -e s'/^\([a-z][a-z]*\)_attr$/\1/' `
	case "$type" in
		"prof"|"exec"|"user"|"auth") ;;
		*) return 2 ;;
	esac

	outfile=$tmp_dir/rbac_${PKGINST}_${fname}_merge.$$

	return 0
}

cleanup() {
	$rm_cmd -f $outfile $outfile.old $outfile.new $outfile.unsorted

	return 0
}

exit_status=0

# main

while read newfile oldfile ; do
	if [ -n "$PKGINST" ]
	then
		# Install the file in the "fragment" directory.
		mkdir -m 755 -p ${oldfile}.d
		rm -f ${oldfile}.d/"$PKGINST"
		cp $newfile ${oldfile}.d/"$PKGINST"

		# Make sure that it is marked read-only.
		chmod a-w,a+r ${oldfile}.d/"$PKGINST"

		# We also execute the rest of the i.rbac script.
	fi

	if [ ! -f $oldfile ]; then
		cp $newfile $oldfile
	else
		set_type_and_outfile $newfile ||
			set_type_and_outfile $oldfile
		if [ $? -ne 0 ]; then
			echo "$0 : $newfile not one of" \
			    " prof_attr, exec_attr, auth_attr, user_attr"
			exit_status=2
			continue
		fi

		dbmerge $type $oldfile $newfile $outfile
		if [ $? -ne 0 ]; then
			echo "$0 : failed to merge $newfile with $oldfile"
			cleanup
			exit_status=2
			continue
		fi

		commit $outfile $oldfile
		if [ $? -ne 0 ]; then
			echo "$0 : failed to mv $outfile to $2"
			cleanup
			exit_status=2
			continue
		fi

		cleanup
	fi
done

if [ "$1" = "ENDOFCLASS" ]; then
	exit 0
fi

exit $exit_status