This needs input from RBAC experts, particularly those working on the new RBAC tools and those familiar with the implementation of SMC.
-------- Original Message -------- Subject: please review: #14279 SUNWwbcor RBAC merge should not have added SMC-specific entries Date: Mon, 08 Feb 2010 06:59:36 -0500 From: Richard Lowe <richl...@richlowe.net> To: on-ips-dev at opensolaris.org CC: Darren Moffat <Darren.Moffat at Sun.COM>, David Comay <David.Comay at Sun.COM> Hey all, I need code review for: 14279 SUNWwbcor RBAC merge should not have added SMC-specific entries Webrev: v. on_ips : http://cr.opensolaris.org/~richlowe/onips_14279 v. onnv : http://cr.opensolaris.org/~richlowe/onips_14279_onnv It's probably easier to use the webrev against onnv, and treat it as entirely new addition, rather than use the actual webrev against on_ips. Notes: In code review previously, Darren quite sensibly requested that entries only of use in the Admin consolidation (he actually specified SMC, but I think the two statements are equivalent) not be merged into ON, prior practise, however, has been that we attempt to deliver exactly what Indiana itself delivers. So Darren's comments lead us to depart from this, which is why, David, I'm copying you on this, to make sure I don't stuff it up *again*... What I propose to do, and what this webrev does, is add only those entries meaningful for ON, matching, I think, Darren's desires. This leaves several things that Indiana delivers via the SUNWwbcor fragment it inserts into SUNWcs that SUNWcs will not itself deliver after on_ips integrates. I should note that in the vast majority of these cases, it's hard to see how they could function on Indiana even if the software using them was delivered, as many (most) of the profiles delivered in the SUNWwbcor prof_attr fragment refer to authorisations which are not themselves delivered. If these changes integrate, when ON starts delivering IPS packages natively (when on_ips integrates) entries from SUNWwbcor that are still desirable, but excluded here will need to be delivered from some other package. A list of these is appended to this message (edited copies of the SUNWwbcor files delivered in build 132). The ones which stand out are those relating to prodreg, and the Software Installation profile. To the best of my knowledge, on_ips is aiming to land *after* 2010.1H is released, and so this movement of stuff should not cut into any release stabilisation, nor distract from more release-critical efforts. If this scheme isn't acceptable to the Indiana folks (David, in this case), I think we'll need them to come to some agreement with Darren, and then tell me what it is. Specific notable changes in this webrev: - 'solaris.network.*' in the Network Security profile applies to some authorizations from ON, and its addition is retained. - The Primary Administrator profile entry in exec_attr is switched to the 'solaris' policy, per comments from Darren's review. This will not be merged by i.rbac, but instead will add an additional line to exec_attr. I have asked Darren if this was OK, and he agreed that it was, as it also keeps unnecessary merging complexity out of i.rbac. -- Rich (who hopes to have finally gotten this *right*...) Entries from SUNWwbcor fragments not carried into ON, and here removed from on_ips. prof_attr: Audit Control::::auths=solaris.admin.logsvc.purge,solaris.admin.logsvc.read Basic Solaris User::::auths=solaris.admin.usermgr.read,solaris.admin.logsvc.read,solaris.admin.fsmgr.read,solaris.admin.serialmgr.read,solaris.admin.diskmgr.read,solaris.admin.procmgr.user,solaris.compsys.read,solaris.admin.printer.read,solaris.admin.prodreg.read,solaris.admin.dcmgr.read,solaris.snmp.read,solaris.project.read,solaris.admin.patchmgr.read,,solaris.network.hosts.read Device Management::::auths=solaris.admin.serialmgr.* Device Security::::auths=solaris.admin.serialmgr.* File System Management::::auths=solaris.admin.fsmgr.*,solaris.admin.diskmgr.* File System Security::::auths=solaris.admin.fsmgr.*,solaris.admin.diskmgr.* Maintenance and Repair::::auths=solaris.admin.logsvc.write,solaris.admin.logsvc.read,solaris.compsys.write,solaris.compsys.read Process Management::::auths=solaris.admin.procmgr.* User Management::::auths=solaris.admin.usermgr.write,solaris.admin.usermgr.read,solaris.admin.usermgr.manage User Security::::auths=solaris.admin.usermgr.*,solaris.admin.privilege.write Printer Management::::auths=solaris.admin.printer.read,solaris.admin.printer.modify,solaris.admin.printer.delete Software Installation::::auths=solaris.admin.prodreg.read,solaris.admin.prodreg.modify,solaris.admin.prodreg.delete,solaris.admin.dcmgr.admin,solaris.admin.dcmgr.read,solaris.admin.patchmgr.* Network Management::::auths=solaris.admin.dcmgr.clients,solaris.admin.dcmgr.read,solaris.snmp.*,solaris.network.hosts.* Project Management:::Manage Solaris projects:auths=solaris.project.read,solaris.project.write;help=RtProjManagement.html exec_attr: Name Service Security:suser:cmd:::/usr/sadm/bin/smattrpop:uid=0;gid=sys
