[nwam-dev] [Bug 9759] user with auth 'solaris.network.autoconf.write' makes the property 'enabled' true even the action 'nwamadm enable ...' failed.

[bugzilla-dae...@defect.opensolaris.org]

http://defect.opensolaris.org/bz/show_bug.cgi?id=9759


Lizhong Li <lizhong.li at sun.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|CLOSED                      |REOPENED
         Resolution|INVALID                     |




--- Comment #4 from Lizhong Li <lizhong.li at sun.com>  2009-06-30 06:16:16 ---
(In reply to comment #3)
> (In reply to comment #2)
> > Actually I found the issue is caused by the prior action with auth
> > 'nwamtest::::type=normal;auths=solaris.network.autoconf.read,solaris.network.autoconf.write',
> > which leaves the 'enabled=true' even though the action is blocked by 
> > 'nwamadm:
> > Could not enable enm 'myenm1': Insufficient permissions for action',
> > here's the way to reproduce it:
> > 
> > 1. 
> > # useradd -m -b /var/tmp/ nwamtest
> > 
> > 2. 
> > Add
> > 'nwamtest::::type=normal;auths=solaris.network.autoconf.read,solaris.network.autoconf.write'
> > to file /etc/user_attr.
> > 
> > 3. 
> > earthscience:nwam# nwamcfg
> > nwamcfg> create enm myenm1
> > Created enm 'myenm1'.  Walking properties ...
> > activation-mode (manual) [manual|conditional-any|conditional-all]> 
> > fmri> 
> > start> /var/tmp/start_myenm1
> > stop> /var/tmp/stop_myenm1
> > nwamcfg:enm:myenm1> 
> > nwamcfg:enm:myenm1> end
> > Committed changes
> > nwamcfg> exit
> > 
> > # nwamcfg 'select enm myenm1; list'
> > ENM:myenm1
> >         activation-mode manual
> >         enabled         false
> >         start           "/var/tmp/start_myenm1"
> >         stop            "/var/tmp/stop_myenm1"
> > 
> > earthscience:nwam# cat /var/tmp/start_myenm1
> > #!/bin/ksh -p
> > #
> > # Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
> > # Use is subject to license terms.
> > #
> > # ident "@(#)nwamadm_start_myenm1.ksh   1.1     09/02/20 SMI"
> > #
> > 
> > echo "This is the start script of myenm1." > /var/tmp/myenm1_start_result
> > 
> > 4.
> > earthscience:nwam# su - nwamtest -c "/usr/sbin/nwamadm enable -p enm myenm1 
> > &&
> > echo SUCCESS"
> > Sun Microsystems Inc.   SunOS 5.11      nwam1-build.2009-06-25  Jun. 25, 
> > 2009
> > SunOS Internal Development:  amaguire 2009-06-25 [nwam1-build]
> > bfu'ed from
> > /net/trigati.east/export/build/amaguire/nwam1-build/archives/i386/nightly.2009-06-25
> > on 2009-06-26
> > Sun Microsystems Inc.   SunOS 5.11      snv_105 November 2008
> > nwamadm: Could not enable enm 'myenm1': Insufficient permissions for action
> > 
> > # Jun 30 14:48:13 earthscience nwamd[173204]: 13: door_switch: need
> > AUTOCONF_REFRESH_AUTH for refresh action
> > Jun 30 14:48:13 earthscience nwamd[173204]: 13: door_switch: need
> > AUTOCONF_WRITE_AUTH and AUTOCONF_REFRESH_AUTH for enable action
> > 
> > # nwamcfg 'select enm myenm1; list'
> > ENM:myenm1
> >         activation-mode manual
> >         start           "/var/tmp/start_myenm1"
> >         stop            "/var/tmp/stop_myenm1"
> >         enabled         true
> > 
> > 
> > Now, the 'enabled' is changed to 'true' somehow.
> > 
> > Here's the nwam.log:
> > 
> > Jun 30 15:52:55 earthscience nwamd[173204]: [ID 956038 daemon.debug] 2: 
> > signal
> > Alarm Clock caught
> > Jun 30 15:52:55 earthscience nwamd[173204]: [ID 727899 daemon.debug] 2:
> > enqueueing event 17 (TIMED_CHECK_CONDITIONS) for object (80fea48)
> > Jun 30 15:52:55 earthscience nwamd[173204]: [ID 892133 daemon.debug] 1:
> > dequeueing event of type 17 (TIMED_CHECK_CONDITIONS) for object
> > Jun 30 15:52:55 earthscience nwamd[173204]: [ID 831601 daemon.debug] 1:
> > nwamd_enm_check: myenm1 is disabled
> > Jun 30 15:52:55 earthscience nwamd[173204]: [ID 687599 daemon.info] 1:
> > nwamd_loc_check_conditions: winning loc is Automatic
> > Jun 30 15:52:55 earthscience nwamd[173204]: [ID 666328 daemon.debug] 1: 
> > delay
> > enqueueing event TIMED_CHECK_CONDITIONS for object (8188788)  for 120 sec
> > Jun 30 15:52:59 earthscience nwamd[173204]: [ID 388478 daemon.error] 3:
> > door_switch: need AUTOCONF_REFRESH_AUTH for refresh action
> > Jun 30 15:52:59 earthscience nwamd[173204]: [ID 646269 daemon.error] 3:
> > door_switch: need AUTOCONF_WRITE_AUTH and AUTOCONF_REFRESH_AUTH for enable
> > action
> 
> The reason this happens is that we need AUTOCONF_WRITE_AUTH to change
> the enabled value, but we need AUTOCONF_REFRESH_AUTH to apply the enable
> action.
> In practice users should ensure they have AUTOCONF_[READ|WRITE|REFRESH]_AUTH 
> so
> that they can both create and manipulate configuration.
> 

Sure, I know that, but what I mentioned is why the profile myenm1 got the
property 'enabled' to be 'true', it should be 'false' since the auth is not
right. 

> > # Jun 30 14:48:13 earthscience nwamd[173204]: 13: door_switch: need
> > AUTOCONF_REFRESH_AUTH for refresh action
> > Jun 30 14:48:13 earthscience nwamd[173204]: 13: door_switch: need
> > AUTOCONF_WRITE_AUTH and AUTOCONF_REFRESH_AUTH for enable action
> > 
> > # nwamcfg 'select enm myenm1; list'
> > ENM:myenm1
> >         activation-mode manual
> >         start           "/var/tmp/start_myenm1"
> >         stop            "/var/tmp/stop_myenm1"
> >         enabled         true
> > 
> > 
> > Now, the 'enabled' is changed to 'true' somehow.

Anyway, this is wrong, though the log of nwamd is right.


> nwamd is correctly enforcing auths here (it was broken before), so I don't
> think this counts as a bug.

-- 
Configure bugmail: http://defect.opensolaris.org/bz/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
You are the assignee for the bug.