#!/bin/sh
#
# $Id: i.rbac 551 2013-04-12 22:28:02Z elkner $
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
# Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
# Portions Copyright 2013 Jens Elkner.
#
# class action script for "rbac" class files
# installed by pkgadd
#
# Files in "rbac" class:
#
# /etc/security/{prof_attr,exec_attr,auth_attr}
# /etc/user_attr
#
# Allowable exit codes
#
# 0 - success
# 2 - warning or possible error condition. Installation continues. A warning
# message is displayed at the time of completion.
#
umask 022
tmp_dir=${TMPDIR:-/tmp}
PATH="/usr/bin:/usr/sbin:${PATH}"
export PATH
basename_cmd=basename
cp_cmd=cp
egrep_cmd=egrep
mv_cmd=mv
nawk_cmd=nawk
rm_cmd=rm
sed_cmd=sed
sort_cmd=sort
# $1 is the type
# $2 is the "old/existing file"
# $3 is the "new (to be merged)" file
# $4 is the output file
# returns 0 on success
# returns 2 on failure if nawk fails with non-zero exit status
#
dbmerge() {
#
# Remove the ident lines.
#
${egrep_cmd} -v '^#[pragma ]*ident' $2 > $4.old 2>/dev/null
#
# If the new file has a Sun copyright, remove the Sun copyright from the old
# file.
#
newcr=`${egrep_cmd} '^# Copyright.*Sun Microsystems, Inc.' $3 \
2>/dev/null`
if [ -n "${newcr}" ]; then
$sed_cmd -e '/^# Copyright.*Sun Microsystems, Inc./d' \
-e '/^# All rights reserved./d' \
-e '/^# Use is subject to license terms./d' \
$4.old > $4.$$ 2>/dev/null
$mv_cmd $4.$$ $4.old
fi
#
# If the new file has an Oracle copyright, remove both the Sun and Oracle
# copyrights from the old file.
#
oracle_cr=`${egrep_cmd} '^# Copyright.*Oracle and/or its affiliates.' \
$3 2>/dev/null`
if [ -n "${oracle_cr}" ]; then
$sed_cmd -e '/^# Copyright.*Sun Microsystems, Inc./d' \
-e '/^# All rights reserved./d' \
-e '/^# Use is subject to license terms./d' \
-e '/^# Copyright.*Oracle and\/or its affiliates./d' \
$4.old > $4.$$ 2>/dev/null
$mv_cmd $4.$$ $4.old
fi
#
# If the new file has the CDDL, remove it from the old file.
#
newcr=`${egrep_cmd} '^# CDDL HEADER START' $3 2>/dev/null`
if [ -n "${newcr}" ]; then
$sed_cmd -e '/^# CDDL HEADER START/,/^# CDDL HEADER END/d' \
$4.old > $4.$$ 2>/dev/null
$mv_cmd $4.$$ $4.old
fi
#
# Remove empty lines and multiple instances of these comments:
#
$sed_cmd -e '/^# \/etc\/security\/exec_attr/d' -e '/^#$/d' \
-e '/^# execution attributes for profiles./d' \
-e '/^# See exec_attr(4)/d' \
-e '/^# \/etc\/user_attr/d' \
-e '/^# user attributes. see user_attr(4)/d' \
-e '/^# \/etc\/security\/prof_attr/d' \
-e '/^# profiles attributes. see prof_attr(4)/d' \
-e '/^# See prof_attr(4)/d' \
-e '/^# \/etc\/security\/auth_attr/d' \
-e '/^# authorizations. see auth_attr(4)/d' \
-e '/^# authorization attributes. see auth_attr(4)/d' \
$4.old > $4.$$
$mv_cmd $4.$$ $4.old
#
# Retain old and new header comments.
#
$sed_cmd -n -e '/^[^#]/,$d' -e '/^##/,$d' -e p $4.old > $4
$rm_cmd $4.old
$sed_cmd -n -e '/^[^#]/,$d' -e '/^##/,$d' -e p $3 >> $4
#
# If the output file now has both Sun and Oracle copyrights, remove
# the Sun copyright.
#
sun_cr=`${egrep_cmd} '^# Copyright.*Sun Microsystems, Inc.' \
$4 2>/dev/null`
oracle_cr=`${egrep_cmd} '^# Copyright.*Oracle and/or its affiliates.' \
$4 2>/dev/null`
if [ -n "${sun_cr}" ] && [ -n "${oracle_cr}" ]; then
$sed_cmd -e '/^# Copyright.*Sun Microsystems, Inc./d' \
-e '/^# All rights reserved./d' \
-e '/^# Use is subject to license terms./d' \
$4 > $4.$$ 2>/dev/null
$mv_cmd $4.$$ $4
fi
#
# Handle line continuations (trailing \)
#
$sed_cmd \
-e '/\\$/{N;s/\\\n//;}' -e '/\\$/{N;s/\\\n//;}' \
-e '/\\$/{N;s/\\\n//;}' -e '/\\$/{N;s/\\\n//;}' \
-e '/\\$/{N;s/\\\n//;}' -e '/\\$/{N;s/\\\n//;}' \
$2 > $4.old
$sed_cmd \
-e '/\\$/{N;s/\\\n//;}' -e '/\\$/{N;s/\\\n//;}' \
-e '/\\$/{N;s/\\\n//;}' -e '/\\$/{N;s/\\\n//;}' \
-e '/\\$/{N;s/\\\n//;}' -e '/\\$/{N;s/\\\n//;}' \
$3 > $4.new
if [ "$1" = "exec" ]; then
$sed_cmd -e "s#@CLIENT_BASEDIR@#$CLIENT_BASEDIR#g" $4.new > $4.$$
$mv_cmd $4.$$ $4.new
fi
#
# The nawk script below processes the old and new files using up to
# three passes. If the old file is empty, only the final pass over
# the new file is required.
#
if [ -s $4.old ]; then
nawk_pass1=$4.old
nawk_pass2=$4.new
nawk_pass3=$4.new
else
nawk_pass1=
nawk_pass2=
nawk_pass3=$4.new
fi
#
#!/usr/bin/nawk -f
#
# dbmerge type=[auth|prof|user|exec] [ old-file new-file ] new-file
#
# Merge two versions of an RBAC database file. The output
# consists of the lines from the new-file, while preserving
# user customizations in the old-file.
#
# Entries in the new-file replace corresponding entries in the
# old-file, except as follows: For exec_attr, all old entries
# for profiles contained in the new-file are discarded. For
# user_attr, the "root" entry from the old-file is retained,
# and new keywords from the new-file are merged into it.
#
# Records with the same key field(s) are merged, so that the
# keyword/value section of each output record contains the union
# of the keywords found in all input records with the same key
# field(s). For selected multi-value keywords [1] the values from
# the new-file are merged with retained values from the old-file.
# Otherwise, the value for each keyword is the final value found
# in the new-file, except for keywords in the user_attr entry for
# "root" where values from the old-file are always retained.
#
# [1] The following file type and keyword combinations are merged:
# prof_attr: auths, profiles, privs
# user_attr: auths, profiles, roles
#
# The output is run through sort except for the comments
# which will appear first in the output.
#
#
$nawk_cmd '
# This script may be invoked with up to three file names. Each file
# name corresponds to a separate processing pass. The passes are
# defined as follows:
#
# Pass 1: Read existing data.
# Data from the old-file is read into memory.
#
# Pass 2: Remove obsolete data.
# Discard any data from the old-file that is part of profiles that
# are also in the new-file. (As a special case, the user_attr entry
# for 'root' is always retained.)
#
# Pass 3: Merge new data.
# Data from the new-file is merged with the remaining old-file data.
# (As a special case, exec_attr entries are replaced, not merged.)
BEGIN {
# The variable 'pass' specifies which type of processing to perform.
# When processing only one file, skip passes 1 and 2.
if (ARGC == 3)
pass += 2;
# The array 'keyword_behavior' specifies the special treatment of
# [type, keyword] combinations subject to value merging.
keyword_behavior["prof", "auths"] = "merge";
keyword_behavior["prof", "profiles"] = "merge";
keyword_behavior["prof", "privs"] = "merge";
keyword_behavior["user", "auths"] = "merge";
keyword_behavior["user", "profiles"] = "merge";
keyword_behavior["user", "roles"] = "merge";
FS=":"
}
# When FNR (current file record number) is 1 it indicates that nawk
# is starting to read the next file specified on its command line,
# and is beginning the next processing pass.
FNR == 1 {
pass++;
}
/^#/ || /^$/ {
continue;
}
{
# For each input line, nawk automatically assigns the complete
# line to $0 and also splits the line at field separators and
# assigns each field to a variable $1..$n. Assignment to $0
# re-splits the line into the field variables. Conversely,
# assgnment to a variable $1..$n will cause $0 to be recomputed
# from the field variable values.
#
# This code adds awareness of escaped field separators by using
# a custom function to split the line into a temporary array.
# It assigns the empty string to $0 to clear any excess field
# variables, and assigns the desired elements of the temporary
# array back to the field variables $1..$7.
#
# Subsequent code must not assign directly to $0 or the fields
# will be re-split without regard to escaped field separators.
split_escape($0, f, ":");
$0 = "";
$1 = f[1];
$2 = f[2];
$3 = f[3];
$4 = f[4];
$5 = f[5];
$6 = f[6];
$7 = f[7];
}
type == "auth" {
key = $1 ":" $2 ":" $3 ;
if (pass == 1) {
short_comment[key] = $4 ;
long_comment[key] = $5;
record[key] = $6;
} else if (pass == 2) {
delete short_comment[key];
delete long_comment[key];
delete record[key];
} else if (pass == 3) {
if ( $4 != "" ) {
short_comment[key] = $4 ;
}
if ( $5 != "" ) {
long_comment[key] = $5 ;
}
record[key] = merge_attrs(record[key], $6);
}
}
type == "prof" {
key = $1 ":" $2 ":" $3 ;
if (pass == 1) {
comment[key] = $4;
record[key] = $5;
} else if (pass == 2) {
delete comment[key];
delete record[key];
} else if (pass == 3) {
if ( $4 != "" ) {
comment[key] = $4 ;
}
if (key != "::") {
record[key] = merge_attrs(record[key], $5);
}
}
}
type == "exec" {
key = $1 ":" $2 ":" $3 ":" $4 ":" $5 ":" $6 ;
if (pass == 1) {
record[key] = $7;
} else if (pass == 2) {
# For exec_attr, deletion is based on the 'name' field only,
# so that all old entries for the profile are removed.
for (oldkey in record) {
split_escape(oldkey, oldkey_fields, ":");
if (oldkey_fields[1] == $1)
delete record[oldkey];
}
} else if (pass == 3) {
# Substitute new entries, do not merge.
record[key] = $7;
}
}
type == "user" {
key = $1 ":" $2 ":" $3 ":" $4 ;
if (pass == 1) {
record[key] = $5;
} else if (pass == 2) {
if ($1 != "root")
delete record[key];
} else if (pass == 3) {
record[key] = merge_attrs(record[key], $5);
}
}
END {
for (key in record) {
if (type == "prof") {
if (key != "::") {
print key ":" comment[key] ":" record[key];
}
} else
if (type == "auth") {
print key ":" short_comment[key] ":" \
long_comment[key] ":" record[key];
} else
print key ":" record[key];
}
}
function merge_attrs(old, new, cnt, new_cnt, i, j, list, new_list, keyword)
{
cnt = split_escape(old, list, ";");
new_cnt = split_escape(new, new_list, ";");
for (i = 1; i <= new_cnt; i++) {
keyword = substr(new_list[i], 1, index(new_list[i], "=")-1);
for (j = 1; j <= cnt; j++) {
if (match(list[j], "^" keyword "=")) {
list[j] = merge_values(keyword, list[j],
new_list[i]);
break;
}
}
if (j > cnt)
list[++cnt] = new_list[i];
}
return unsplit(list, cnt, ";"); \
}
function merge_values(keyword, old, new, cnt, new_cnt, i, j, list, new_list, d)
{
# Keywords with multivalued attributes that are subject to merging
# are processed by the algorithm implemented further below.
# Otherwise, the keyword is not subject to merging, and:
# For user_attr, the existing value is retained.
# For any other file, the new value is substituted.
if (keyword_behavior[type, keyword] != "merge") {
if (type == "user") {
return old;
} else {
return new;
}
}
cnt = split(substr(old, length(keyword)+2), list, ",");
new_cnt = split(substr(new, length(keyword)+2), new_list, ",");
# If the existing list contains "All", remove it and add it
# to the new list; that way "All" will appear at the only valid
# location, the end of the list.
if (keyword == "profiles") {
d = 0;
for (i = 1; i <= cnt; i++) {
if (list[i] != "All")
list[++d] = list[i];
}
if (cnt != d) {
new_list[++new_cnt] = "All";
cnt = d;
}
}
for (i = 1; i <= new_cnt; i++) {
for (j = 1; j <= cnt; j++) {
if (list[j] == new_list[i])
break;
}
if (j > cnt)
list[++cnt] = new_list[i];
}
return keyword "=" unsplit(list, cnt, ",");
}
# This function is similar to the nawk built-in split() function,
# except that a "\" character may be used to escape any subsequent
# character, so that the escaped character will not be treated as a
# field separator or as part of a field separator regular expression.
# The "\" characters will remain in the elements of the output array
# variable upon completion.
function split_escape(str, list, fs, cnt, saved, sep)
{
# default to global FS
if (fs == "")
fs = FS;
# initialize empty list, cnt, saved
split("", list, " ");
cnt = 0;
saved = "";
# track whether last token was a field separator
sep = 0;
# nonzero str length indicates more string left to scan
while (length(str)) {
if (match(str, fs) == 1) {
# field separator, terminates current field
list[++cnt] = saved;
saved = "";
str = substr(str, RLENGTH + 1);
sep = 1;
} else if (substr(str, 1, 1) == "\\") {
# escaped character
saved = saved substr(str, 1, 2);
str = substr(str, 3);
sep = 0;
} else {
# regular character
saved = saved substr(str, 1, 1);
str = substr(str, 2);
sep = 0;
}
}
# if required, append final field to list
if (sep || length(saved))
list[++cnt] = saved;
return cnt;
}
function unsplit(list, cnt, delim, str)
{
str = list[1];
for (i = 2; i <= cnt; i++)
str = str delim list[i];
return str;
}' \
type=$1 $nawk_pass1 $nawk_pass2 $nawk_pass3 > $4.unsorted
rc=$?
$sort_cmd < $4.unsorted >> $4
return $rc
}
# $1 is the merged file
# $2 is the target file
#
commit() {
# Make sure that the last mv uses rename(2) by first moving to
# the same filesystem.
$mv_cmd $1 $2.$$
$mv_cmd $2.$$ $2
return $?
}
outfile=""
type=""
set_type_and_outfile() {
#
# Assumes basename $1 returns one of
# prof_attr, exec_attr, auth_attr, or user_attr
#
fname=`$basename_cmd $1`
type=`echo $fname | $sed_cmd -e s'/^\([a-z][a-z]*\)_attr$/\1/' `
case "$type" in
"prof"|"exec"|"user"|"auth") ;;
*) return 2 ;;
esac
outfile=$tmp_dir/rbac_${PKGINST}_${fname}_merge.$$
return 0
}
cleanup() {
$rm_cmd -f $outfile $outfile.old $outfile.new $outfile.unsorted
return 0
}
exit_status=0
# main
while read src dst ; do
if [ ! -f $dst ]; then
sed -e "s#@CLIENT_BASEDIR@#$CLIENT_BASEDIR#g" $src > $dst
else
set_type_and_outfile $dst
if [ $? -ne 0 ]; then
echo "$0 : $src not one of {prof,exec,auth,user}_attr"
exit_status=2
continue
fi
dbmerge $type $dst $src $outfile
if [ $? -ne 0 ]; then
echo "$0 : failed to merge $src with $dst"
cleanup
exit_status=2
continue
fi
commit $outfile $dst
if [ $? -ne 0 ]; then
echo "$0 : failed to mv $outfile to $2"
cleanup
exit_status=2
continue
fi
cleanup
fi
done
if [ "$1" = "ENDOFCLASS" ]; then
exit 0
fi
exit $exit_status