[nwam-dev] [Bug 9759] user with auth 'solaris.network.autoconf.write' makes the property 'enabled' true even the action 'nwamadm enable ...' failed.

[email protected] Tue, 30 Jun 2009 06:05:59 -0700 (PDT)

http://defect.opensolaris.org/bz/show_bug.cgi?id=9759



amaguire <alan.maguire at sun.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|                            |INVALID




--- Comment #3 from amaguire <alan.maguire at sun.com>  2009-06-30 06:05:58 ---
(In reply to comment #2)
> Actually I found the issue is caused by the prior action with auth
> 'nwamtest::::type=normal;auths=solaris.network.autoconf.read,solaris.network.autoconf.write',
> which leaves the 'enabled=true' even though the action is blocked by 'nwamadm:
> Could not enable enm 'myenm1': Insufficient permissions for action',
> here's the way to reproduce it:
> 
> 1. 
> # useradd -m -b /var/tmp/ nwamtest
> 
> 2. 
> Add
> 'nwamtest::::type=normal;auths=solaris.network.autoconf.read,solaris.network.autoconf.write'
> to file /etc/user_attr.
> 
> 3. 
> earthscience:nwam# nwamcfg
> nwamcfg> create enm myenm1
> Created enm 'myenm1'.  Walking properties ...
> activation-mode (manual) [manual|conditional-any|conditional-all]> 
> fmri> 
> start> /var/tmp/start_myenm1
> stop> /var/tmp/stop_myenm1
> nwamcfg:enm:myenm1> 
> nwamcfg:enm:myenm1> end
> Committed changes
> nwamcfg> exit
> 
> # nwamcfg 'select enm myenm1; list'
> ENM:myenm1
>         activation-mode manual
>         enabled         false
>         start           "/var/tmp/start_myenm1"
>         stop            "/var/tmp/stop_myenm1"
> 
> earthscience:nwam# cat /var/tmp/start_myenm1
> #!/bin/ksh -p
> #
> # Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
> # Use is subject to license terms.
> #
> # ident "@(#)nwamadm_start_myenm1.ksh   1.1     09/02/20 SMI"
> #
> 
> echo "This is the start script of myenm1." > /var/tmp/myenm1_start_result
> 
> 4.
> earthscience:nwam# su - nwamtest -c "/usr/sbin/nwamadm enable -p enm myenm1 &&
> echo SUCCESS"
> Sun Microsystems Inc.   SunOS 5.11      nwam1-build.2009-06-25  Jun. 25, 2009
> SunOS Internal Development:  amaguire 2009-06-25 [nwam1-build]
> bfu'ed from
> /net/trigati.east/export/build/amaguire/nwam1-build/archives/i386/nightly.2009-06-25
> on 2009-06-26
> Sun Microsystems Inc.   SunOS 5.11      snv_105 November 2008
> nwamadm: Could not enable enm 'myenm1': Insufficient permissions for action
> 
> # Jun 30 14:48:13 earthscience nwamd[173204]: 13: door_switch: need
> AUTOCONF_REFRESH_AUTH for refresh action
> Jun 30 14:48:13 earthscience nwamd[173204]: 13: door_switch: need
> AUTOCONF_WRITE_AUTH and AUTOCONF_REFRESH_AUTH for enable action
> 
> # nwamcfg 'select enm myenm1; list'
> ENM:myenm1
>         activation-mode manual
>         start           "/var/tmp/start_myenm1"
>         stop            "/var/tmp/stop_myenm1"
>         enabled         true
> 
> 
> Now, the 'enabled' is changed to 'true' somehow.
> 
> Here's the nwam.log:
> 
> Jun 30 15:52:55 earthscience nwamd[173204]: [ID 956038 daemon.debug] 2: signal
> Alarm Clock caught
> Jun 30 15:52:55 earthscience nwamd[173204]: [ID 727899 daemon.debug] 2:
> enqueueing event 17 (TIMED_CHECK_CONDITIONS) for object (80fea48)
> Jun 30 15:52:55 earthscience nwamd[173204]: [ID 892133 daemon.debug] 1:
> dequeueing event of type 17 (TIMED_CHECK_CONDITIONS) for object
> Jun 30 15:52:55 earthscience nwamd[173204]: [ID 831601 daemon.debug] 1:
> nwamd_enm_check: myenm1 is disabled
> Jun 30 15:52:55 earthscience nwamd[173204]: [ID 687599 daemon.info] 1:
> nwamd_loc_check_conditions: winning loc is Automatic
> Jun 30 15:52:55 earthscience nwamd[173204]: [ID 666328 daemon.debug] 1: delay
> enqueueing event TIMED_CHECK_CONDITIONS for object (8188788)  for 120 sec
> Jun 30 15:52:59 earthscience nwamd[173204]: [ID 388478 daemon.error] 3:
> door_switch: need AUTOCONF_REFRESH_AUTH for refresh action
> Jun 30 15:52:59 earthscience nwamd[173204]: [ID 646269 daemon.error] 3:
> door_switch: need AUTOCONF_WRITE_AUTH and AUTOCONF_REFRESH_AUTH for enable
> action

The reason this happens is that we need AUTOCONF_WRITE_AUTH to change
the enabled value, but we need AUTOCONF_REFRESH_AUTH to apply the enable
action.
In practice users should ensure they have AUTOCONF_[READ|WRITE|REFRESH]_AUTH so
that they can both create and manipulate configuration.

nwamd is correctly enforcing auths here (it was broken before), so I don't
think this counts as a bug.

-- 
Configure bugmail: http://defect.opensolaris.org/bz/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
You are the assignee for the bug.

[nwam-dev] [Bug 9759] user with auth 'solaris.network.autoconf.write' makes the property 'enabled' true even the action 'nwamadm enable ...' failed.

Reply via email to