Anurag S. Maskey wrote:
> One thing that I've come across is that just having the 
> solaris.network.autoconf.write authorization doesn't guarantee 
> writeability.
Yes, I met it too. I think the document should mention this if it makes 
no sense to use just 'solaris.network.autoconf.write'.

    # /usr/sbin/nwamcfg list
    NCPs:
       User
       Automatic
    Locations:
       myloc1
    ENMs:
       myenm1

    # bash-3.2$ auths
    solaris.network.autoconf.write,solaris.device.cdrw,solaris.profmgr.read,solaris.mail.mailq,solaris.device.mount.removable,solaris.admin.usermgr.read,solaris.admin.logsvc.read,solaris.admin.fsmgr.read,solaris.admin.serialmgr.read,solaris.admin.diskmgr.read,solaris.admin.procmgr.user,solaris.compsys.read,solaris.admin.printer.read,solaris.admin.prodreg.read,solaris.admin.dcmgr.read,solaris.snmp.read,solaris.project.read,solaris.admin.patchmgr.read,solaris.network.hosts.read,solaris.admin.volmgr.read


    bash-3.2$ /usr/sbin/nwamcfg -f nwamcfg_destroy_a.s
    Configuration read.
    bash-3.2$ echo $?
    0
    bash-3.2$ /usr/sbin/nwamcfg list
    List error: Insufficient permissions for action

    firering:nwam# nwamcfg list
    NCPs:
       User
       Automatic
    Locations:
       myloc1
    ENMs:
       myenm1


    The configuration is not really destroyed.


> That's because writing involves reading, which is managed by a 
> different authorization.  I think the write authorization provide the 
> read authorization implicitly.
I don't know, but I got this info from Renee's email before:

    You are correct on both counts, actually.  Authorizations are not intended
    to be inherited in any way; that is, having the write authorization does
    not imply that you also have read authorization.  It does ultimately depend
    on the applications to enforce them as they are defined.  So that is something
    we want to test: you must have the read authorization to read nwam config;
    you must have the write authorization to write nwam config.


>
> Anurag
>
>
> Lizhong Li wrote:
>> Renee and Anurag,
>>
>> I checked it again,  I used this command to create the test user 
>> 'nwamtest'
>>
>> useradd -m -b /var/tmp nwamtest
>> And I changed the file /etc/user_attr to assign different auth to 
>> nwamtest.
>>
>> I noticed that I used 'su - ' while Anurag used 'su '; is it related 
>> to this issue?
>>
>> Please look at the following comments:
>>
>> Renee Danson wrote:
>>> Hi Lizhong,
>>>
>>> On Tue, Mar 17, 2009 at 11:34:17AM +0800, Lizhong Li wrote:
>>>  
>>>> Renee and Anurag,
>>>>
>>>> I found the issues in bits Mar 12, too. Please check the following
>>>> description.
>>>>
>>>> The difference is that you are using the user with 
>>>> "defaultpriv=basic",
>>>> I'm trying the one with "auths=solaris.network.autoconf.read" or
>>>> "auths=solaris.network.autoconf.write"
>>>> "auths=solaris.network.autoconf.read,auths=solaris.network.autoconf.write" 
>>>>
>>>>
>>>> * Here is the result for user with 
>>>> "auths=solaris.network.autoconf.read"
>>>>
>>>>     # firering:exp# su - nwamtest
>>>>     Sun Microsystems Inc. SunOS 5.11 nwam1-build:2009-03-12 Mar. 12, 2009
>>>>     SunOS Internal Development: am223141 2009-03-12 [nwam1-build]
>>>>     bfu'ed from /net/zhadum.east/export/ws/am223141/nwam1-build/archives/sparc/nightly.2009-03-12
>>>>     on 2009-03-15
>>>>     Sun Microsystems Inc. SunOS 5.11 snv_107 November 2008
>>>>
>>>>     bash-3.2$ /usr/sbin/nwamcfg list
>>>>     NCPs:
>>>>     User
>>>>     Automatic
>>>>     Locations:
>>>>     myloc1
>>>>     ENMs:
>>>>     myenm1
>>>>     myenm2
>>>>
>>>>     bash-3.2$ /usr/sbin/nwamcfg -f nwamcfg_destroy_a.s
>>>>     Configuration read.
>>>>
>>>>     bash-3.2$ echo $?
>>>>     0
>>>>
>>>> This shouldn't be 0.
>>>>
>>>>     bash-3.2$ cat /etc/user_attr | grep nwamtest
>>>>     nwamtest::::type=normal;auths=solaris.network.autoconf.read
>>>>
>>>>     bash-3.2$ /usr/sbin/nwamcfg list
>>>>     NCPs:
>>>>     User
>>>>     Automatic
>>>>     Locations:
>>>>     myloc1
>>>>     ENMs:
>>>>     myenm1
>>>>     myenm2
>>>>     
>>>
>>> What exactly should nwamcfg_destroy_a.s do?  
>> bash-3.2$ cat nwamcfg_destroy_a.s
>> destroy -a
>> end
>>
>> I think this needs the writing auth.
>>> It does look like no profiles
>>> were removed, based on the before and after 'nwamcfg list' 
>>> commands.  I'm
>>> trying to understand why you're seeing such different results from 
>>> Anurag.
>>>
>>> It would also be helpful if you could show the output of the 'auths' 
>>> command,
>>> to make sure that the user_attr entry is being interpreted as expected.
>>>   
>> bash-3.2$ auths
>> solaris.network.autoconf.read,solaris.device.cdrw,solaris.profmgr.read,solaris.mail.mailq,solaris.device.mount.removable,solaris.admin.usermgr.read,solaris.admin.logsvc.read,solaris.admin.fsmgr.read,solaris.admin.serialmgr.read,solaris.admin.diskmgr.read,solaris.admin.procmgr.user,solaris.compsys.read,solaris.admin.printer.read,solaris.admin.prodreg.read,solaris.admin.dcmgr.read,solaris.snmp.read,solaris.project.read,solaris.admin.patchmgr.read,solaris.network.hosts.read,solaris.admin.volmgr.read
>>  
>>
>>
>>>  
>>>> * Here is the result for user with 
>>>> "auths=solaris.network.autoconf.write"
>>>>
>>>>     bash-3.2$ cat /etc/user_attr | grep nwamtest
>>>>     nwamtest::::type=normal;auths=solaris.network.autoconf.read,solaris.network.autoconf.write
>>>>
>>>>     
>>>
>>> I think this user_attr entry is at least part of the problem.  As I
>>> mentioned in the mail I sent last week, I believe the correct syntax
>>> is
>>>
>>>       nwamtest::::type=normal;auths=solaris.network.autoconf.read,solaris.network.autoconf.write
>>>
>>> That is, there is no "auths=" before the second authorization name.
>>> It should be 'auths=AUTH1,AUTH2' rather than 'auths=AUTH1,auths=AUTH2'.
>>>   
>> Sorry that I misunderstood your last email; now it is:
>>
>> nwamtest::::type=normal;auths=solaris.network.autoconf.read,solaris.network.autoconf.write
>>  
>>
>>
>>
>> And the result is right for user with 
>> 'auths=solaris.network.autoconf.read,solaris.network.autoconf.write', 
>> while it seems wrong for just 'solaris.network.autoconf.write' :
>>
>> # /usr/sbin/nwamcfg list
>> NCPs:
>>    User
>>    Automatic
>> Locations:
>>    myloc1
>> ENMs:
>>    myenm1
>>
>> # bash-3.2$ auths
>> solaris.network.autoconf.write,solaris.device.cdrw,solaris.profmgr.read,solaris.mail.mailq,solaris.device.mount.removable,solaris.admin.usermgr.read,solaris.admin.logsvc.read,solaris.admin.fsmgr.read,solaris.admin.serialmgr.read,solaris.admin.diskmgr.read,solaris.admin.procmgr.user,solaris.compsys.read,solaris.admin.printer.read,solaris.admin.prodreg.read,solaris.admin.dcmgr.read,solaris.snmp.read,solaris.project.read,solaris.admin.patchmgr.read,solaris.network.hosts.read,solaris.admin.volmgr.read
>>  
>>
>> bash-3.2$ /usr/sbin/nwamcfg -f nwamcfg_destroy_a.s
>> Configuration read.
>> bash-3.2$ echo $?
>> 0
>> bash-3.2$ /usr/sbin/nwamcfg list
>> List error: Insufficient permissions for action
>>
>> firering:nwam# nwamcfg list
>> NCPs:
>>    User
>>    Automatic
>> Locations:
>>    myloc1
>> ENMs:
>>    myenm1
>>
>> The configuration is not really destroyed.
>>

-- 
Thanks,
Lizhong
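
The two user_attr pitfalls raised in this thread (`auths=AUTH1,auths=AUTH2` instead of `auths=AUTH1,AUTH2`, and a write authorization granted without its matching read authorization) can be checked mechanically. The following is an added example, not part of the original messages or of NWAM: the function names and the `nwamtest1`..`nwamtest3` accounts are constructed, and it inspects only each entry's own `auths=` value, not authorizations granted through profiles or policy.conf.

```shell
#!/bin/sh
# Added example: lint user_attr-style lines read from stdin.
# Flags (1) auths items containing '=' (the auths=A,auths=B mistake) and
# (2) a *.write authorization listed without the matching *.read.

lint_user_attr() {
    awk -F: '
    /^#/ || NF < 5 { next }
    {
        user = $1
        attr = $5                       # fifth field: key=value;key=value
        for (i = 6; i <= NF; i++) attr = attr ":" $i
        n = split(attr, kv, ";")
        cnt = 0
        split("", have)                 # portable way to clear an array
        for (i = 1; i <= n; i++) {
            if (kv[i] !~ /^auths=/) continue
            m = split(substr(kv[i], 7), a, ",")
            for (j = 1; j <= m; j++) {
                if (a[j] ~ /=/)
                    printf "%s: malformed auths item: %s\n", user, a[j]
                else { have[a[j]] = 1; list[++cnt] = a[j] }
            }
        }
        for (j = 1; j <= cnt; j++) {
            if (list[j] !~ /\.write$/) continue
            rd = list[j]
            sub(/\.write$/, ".read", rd)
            if (!(rd in have))
                printf "%s: %s without %s\n", user, list[j], rd
        }
    }'
}

# Constructed sample entries modelled on the ones quoted in the thread.
sample_entries() {
    cat <<'EOF'
nwamtest1::::type=normal;auths=solaris.network.autoconf.read,auths=solaris.network.autoconf.write
nwamtest2::::type=normal;auths=solaris.network.autoconf.write
nwamtest3::::type=normal;auths=solaris.network.autoconf.read,solaris.network.autoconf.write
EOF
}

sample_entries | lint_user_attr
```

On a real system the input would be `/etc/user_attr`, and the result should still be confirmed with `auths` as the target user, as done in the thread.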

