[nwam-dev] consulting the auth for 'nwamcfg -f ..."

Lizhong Li Wed, 18 Mar 2009 10:53:22 +0800

Renee and Anurag,

I checked it again,  I used this command to create the test user 'nwamtest'


useradd -m -b /var/tmp nwamtest
And I changed the file /etc/user_attr to assign different auth to nwamtest.

I noticed that I used 'su - ' while Anurag used 'su ', is it relating 
with this issue ?

Please look at the following comments:

Renee Danson wrote:
> Hi Lizhong,
>
> On Tue, Mar 17, 2009 at 11:34:17AM +0800, Lizhong Li wrote:
>   
>> Renee and Anurag,
>>
>> I found the issues in bits Mar 12, too. Please check the following
>> description.
>>
>> The difference is that you are using the user with "defaultpriv=basic",
>> I'm trying the one with "auths=solaris.network.autoconf.read" or
>> "auths=solaris.network.autoconf.write"
>> "auths=solaris.network.autoconf.read,auths=solaris.network.autoconf.write"
>>
>> * Here is the result for user with "auths=solaris.network.autoconf.read"
>>
>>     # firering:exp# su - nwamtest
>>     Sun Microsystems Inc. SunOS 5.11 nwam1-build:2009-03-12 Mar. 12, 2009
>>     SunOS Internal Development: am223141 2009-03-12 [nwam1-build]
>>     bfu'ed from
>>     
>> /net/zhadum.east/export/ws/am223141/nwam1-build/archives/sparc/nightly.2009-03-12
>>     on 2009-03-15
>>     Sun Microsystems Inc. SunOS 5.11 snv_107 November 2008
>>
>>     bash-3.2$ /usr/sbin/nwamcfg list
>>     NCPs:
>>     User
>>     Automatic
>>     Locations:
>>     myloc1
>>     ENMs:
>>     myenm1
>>     myenm2
>>
>>     bash-3.2$ /usr/sbin/nwamcfg -f nwamcfg_destroy_a.s
>>     Configuration read.
>>
>>     bash-3.2$ echo $?
>>     0
>>
>> This shouldn't be 0.
>>
>>     bash-3.2$ cat /etc/user_attr | grep nwamtest
>>     nwamtest::::type=normal;auths=solaris.network.autoconf.read
>>
>>     bash-3.2$ /usr/sbin/nwamcfg list
>>     NCPs:
>>     User
>>     Automatic
>>     Locations:
>>     myloc1
>>     ENMs:
>>     myenm1
>>     myenm2
>>     
>
> What exactly should nwamcfg_destroy_a.s do?  
bash-3.2$ cat nwamcfg_destroy_a.s
destroy -a
end

I think this needs the writing auth.
> It does look like no profiles
> were removed, based on the before and after 'nwamcfg list' commands.  I'm
> trying to understand why you're seeing such different results from Anurag.
>
> It would also be helpful if you could show the output of the 'auths' command,
> to make sure that the user_attr entry is being interpreted as expected.
>   
bash-3.2$ auths
solaris.network.autoconf.read,solaris.device.cdrw,solaris.profmgr.read,solaris.mail.mailq,solaris.device.mount.removable,solaris.admin.usermgr.read,solaris.admin.logsvc.read,solaris.admin.fsmgr.read,solaris.admin.serialmgr.read,solaris.admin.diskmgr.read,solaris.admin.procmgr.user,solaris.compsys.read,solaris.admin.printer.read,solaris.admin.prodreg.read,solaris.admin.dcmgr.read,solaris.snmp.read,solaris.project.read,solaris.admin.patchmgr.read,solaris.network.hosts.read,solaris.admin.volmgr.read

>   
>> * Here is the result for user with "auths=solaris.network.autoconf.write"
>>
>>     bash-3.2$ cat /etc/user_attr | grep nwamtest
>>     
>> nwamtest::::type=normal;auths=solaris.network.autoconf.read,solaris.network.autoconf.write
>>     
>
> I think this user_attr entry is at least part of the problem.  As I
> mentioned in the mail I sent last week, I believe the correct syntax
> is
>
>       
> nwamtest::::type=normal;auths=solaris.network.autoconf.read,solaris.network.autoconf.write
>
> That is, there is no "auths=" before the second authorization name.
> It should be 'auths=AUTH1,AUTH2 rather than 'auths=AUTH1,auths=AUTH2'.
>   
Sorry for that I misunderstood your last email, now it is:

nwamtest::::type=normal;auths=solaris.network.autoconf.read,solaris.network.autoconf.write


And the result is right for user with 
'auths=solaris.network.autoconf.read,solaris.network.autoconf.write', 
while it seems wrong for just 'solaris.network.autoconf.write' :

# /usr/sbin/nwamcfg list
NCPs:
    User
    Automatic
Locations:
    myloc1
ENMs:
    myenm1

# bash-3.2$ auths
solaris.network.autoconf.write,solaris.device.cdrw,solaris.profmgr.read,solaris.mail.mailq,solaris.device.mount.removable,solaris.admin.usermgr.read,solaris.admin.logsvc.read,solaris.admin.fsmgr.read,solaris.admin.serialmgr.read,solaris.admin.diskmgr.read,solaris.admin.procmgr.user,solaris.compsys.read,solaris.admin.printer.read,solaris.admin.prodreg.read,solaris.admin.dcmgr.read,solaris.snmp.read,solaris.project.read,solaris.admin.patchmgr.read,solaris.network.hosts.read,solaris.admin.volmgr.read
bash-3.2$ /usr/sbin/nwamcfg -f nwamcfg_destroy_a.s
Configuration read.
bash-3.2$ echo $?
0
bash-3.2$ /usr/sbin/nwamcfg list
List error: Insufficient permissions for action

firering:nwam# nwamcfg list
NCPs:
    User
    Automatic
Locations:
    myloc1
ENMs:
    myenm1

The configuration is not really destroyed.

-- 
Thanks,
Lizhong

[nwam-dev] consulting the auth for 'nwamcfg -f ..."

Reply via email to