One thing that I've come across is that just having the solaris.network.autoconf.write authorization doesn't guarantee writability. That's because writing involves reading, which is managed by a different authorization. I think the write authorization provide the read authorization implicitly.
Anurag

Lizhong Li wrote:
> Renee and Anurag,
>
> I checked it again, I used this command to create the test user 'nwamtest'
>
> useradd -m -b /var/tmp nwamtest
> And I changed the file /etc/user_attr to assign different auth to nwamtest.
>
> I noticed that I used 'su - ' while Anurag used 'su ', is it related
> to this issue?
>
> Please look at the following comments:
>
> Renee Danson wrote:
>> Hi Lizhong,
>>
>> On Tue, Mar 17, 2009 at 11:34:17AM +0800, Lizhong Li wrote:
>>
>>> Renee and Anurag,
>>>
>>> I found the issues in bits Mar 12, too. Please check the following
>>> description.
>>>
>>> The difference is that you are using the user with "defaultpriv=basic",
>>> I'm trying the one with "auths=solaris.network.autoconf.read" or
>>> "auths=solaris.network.autoconf.write"
>>> "auths=solaris.network.autoconf.read,auths=solaris.network.autoconf.write"
>>>
>>> * Here is the result for user with
>>> "auths=solaris.network.autoconf.read"
>>>
>>> # firering:exp# su - nwamtest
>>> Sun Microsystems Inc. SunOS 5.11 nwam1-build:2009-03-12 Mar. 12, 2009
>>> SunOS Internal Development: am223141 2009-03-12 [nwam1-build]
>>> bfu'ed from
>>> /net/zhadum.east/export/ws/am223141/nwam1-build/archives/sparc/nightly.2009-03-12
>>> on 2009-03-15
>>> Sun Microsystems Inc. SunOS 5.11 snv_107 November 2008
>>>
>>> bash-3.2$ /usr/sbin/nwamcfg list
>>> NCPs:
>>>     User
>>>     Automatic
>>> Locations:
>>>     myloc1
>>> ENMs:
>>>     myenm1
>>>     myenm2
>>>
>>> bash-3.2$ /usr/sbin/nwamcfg -f nwamcfg_destroy_a.s
>>> Configuration read.
>>>
>>> bash-3.2$ echo $?
>>> 0
>>>
>>> This shouldn't be 0.
>>>
>>> bash-3.2$ cat /etc/user_attr | grep nwamtest
>>> nwamtest::::type=normal;auths=solaris.network.autoconf.read
>>>
>>> bash-3.2$ /usr/sbin/nwamcfg list
>>> NCPs:
>>>     User
>>>     Automatic
>>> Locations:
>>>     myloc1
>>> ENMs:
>>>     myenm1
>>>     myenm2
>>>
>>
>> What exactly should nwamcfg_destroy_a.s do?
> bash-3.2$ cat nwamcfg_destroy_a.s
> destroy -a
> end
>
> I think this needs the writing auth.
>> It does look like no profiles
>> were removed, based on the before and after 'nwamcfg list' commands. I'm
>> trying to understand why you're seeing such different results from Anurag.
>>
>> It would also be helpful if you could show the output of the 'auths' command,
>> to make sure that the user_attr entry is being interpreted as expected.
>>
> bash-3.2$ auths
> solaris.network.autoconf.read,solaris.device.cdrw,solaris.profmgr.read,solaris.mail.mailq,solaris.device.mount.removable,solaris.admin.usermgr.read,solaris.admin.logsvc.read,solaris.admin.fsmgr.read,solaris.admin.serialmgr.read,solaris.admin.diskmgr.read,solaris.admin.procmgr.user,solaris.compsys.read,solaris.admin.printer.read,solaris.admin.prodreg.read,solaris.admin.dcmgr.read,solaris.snmp.read,solaris.project.read,solaris.admin.patchmgr.read,solaris.network.hosts.read,solaris.admin.volmgr.read
>
>>
>>> * Here is the result for user with
>>> "auths=solaris.network.autoconf.write"
>>>
>>> bash-3.2$ cat /etc/user_attr | grep nwamtest
>>> nwamtest::::type=normal;auths=solaris.network.autoconf.read,solaris.network.autoconf.write
>>>
>>
>> I think this user_attr entry is at least part of the problem. As I
>> mentioned in the mail I sent last week, I believe the correct syntax is
>>
>> nwamtest::::type=normal;auths=solaris.network.autoconf.read,solaris.network.autoconf.write
>>
>> That is, there is no "auths=" before the second authorization name.
>> It should be 'auths=AUTH1,AUTH2' rather than 'auths=AUTH1,auths=AUTH2'.
>>
> Sorry that I misunderstood your last email, now it is:
>
> nwamtest::::type=normal;auths=solaris.network.autoconf.read,solaris.network.autoconf.write
>
> And the result is right for user with
> 'auths=solaris.network.autoconf.read,solaris.network.autoconf.write',
> while it seems wrong for just 'solaris.network.autoconf.write':
>
> # /usr/sbin/nwamcfg list
> NCPs:
>     User
>     Automatic
> Locations:
>     myloc1
> ENMs:
>     myenm1
>
> # bash-3.2$ auths
> solaris.network.autoconf.write,solaris.device.cdrw,solaris.profmgr.read,solaris.mail.mailq,solaris.device.mount.removable,solaris.admin.usermgr.read,solaris.admin.logsvc.read,solaris.admin.fsmgr.read,solaris.admin.serialmgr.read,solaris.admin.diskmgr.read,solaris.admin.procmgr.user,solaris.compsys.read,solaris.admin.printer.read,solaris.admin.prodreg.read,solaris.admin.dcmgr.read,solaris.snmp.read,solaris.project.read,solaris.admin.patchmgr.read,solaris.network.hosts.read,solaris.admin.volmgr.read
>
> bash-3.2$ /usr/sbin/nwamcfg -f nwamcfg_destroy_a.s
> Configuration read.
> bash-3.2$ echo $?
> 0
> bash-3.2$ /usr/sbin/nwamcfg list
> List error: Insufficient permissions for action
>
> firering:nwam# nwamcfg list
> NCPs:
>     User
>     Automatic
> Locations:
>     myloc1
> ENMs:
>     myenm1
>
> The configuration is not really destroyed.
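
A small lint for the two user_attr pitfalls raised in this thread: a repeated "auths=" key inside the authorization list, and the autoconf write authorization granted without its read counterpart. This is an added example, not code from the thread or from the NWAM project; the function names are hypothetical, the sample entries are constructed, and counting only well-formed list items as granted is an assumption rather than documented Solaris behaviour.

```python
# Added example: lint user_attr-style entries for the two pitfalls in this thread.

def parse_entry(line):
    """Split 'user:qualifier:res1:res2:attr' into (user, {key: value})."""
    user, _qual, _res1, _res2, attr = line.strip().split(":", 4)
    attrs = {}
    for pair in filter(None, attr.split(";")):
        key, _, value = pair.partition("=")
        attrs[key] = value
    return user, attrs

def granted(name, auths):
    """True if name is listed exactly or covered by a trailing-'*' wildcard."""
    return any(a == name or (a.endswith("*") and name.startswith(a[:-1]))
               for a in auths)

def lint_entry(line, prefix="solaris.network.autoconf"):
    """Return a list of findings for one entry (empty list means clean)."""
    user, attrs = parse_entry(line)
    items = [a for a in attrs.get("auths", "").split(",") if a]
    # Pitfall 1: 'auths=AUTH1,auths=AUTH2' leaves a key inside the value list.
    findings = [f"{user}: list item {a!r} repeats a key; use auths=AUTH1,AUTH2"
                for a in items if "=" in a]
    # Assumption: only well-formed items are counted as granted.
    clean = [a for a in items if "=" not in a]
    # Pitfall 2: write granted while read, which writing depends on, is not.
    if granted(prefix + ".write", clean) and not granted(prefix + ".read", clean):
        findings.append(f"{user}: {prefix}.write without {prefix}.read")
    return findings

# Constructed sample entries modelled on the ones quoted in the thread.
SAMPLES = [
    "nwamtest::::type=normal;auths=solaris.network.autoconf.read,"
    "auths=solaris.network.autoconf.write",
    "nwamtest::::type=normal;auths=solaris.network.autoconf.write",
    "nwamtest::::type=normal;auths=solaris.network.autoconf.read,"
    "solaris.network.autoconf.write",
]

if __name__ == "__main__":
    for entry in SAMPLES:
        for finding in lint_entry(entry) or ["ok"]:
            print(finding)
```

Running such a check alongside the 'auths' command output helps confirm that an entry is interpreted as intended before testing the tool's behaviour.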
