The new RBAC tools do not rely on these old SMC authorizations, so the profile entries in SUNWwbcor that enumerate these authorizations are obsolete. Removing them (as specified in this email thread) is appropriate.
--Glenn

Darren J Moffat wrote:
> This needs input from RBAC experts, particularly those working on the
> new RBAC tools and those familiar with the implementation of SMC.
>
> -------- Original Message --------
> Subject: please review: #14279 SUNWwbcor RBAC merge should not have added SMC-specific entries
> Date: Mon, 08 Feb 2010 06:59:36 -0500
> From: Richard Lowe <richlowe at richlowe.net>
> To: on-ips-dev at opensolaris.org
> CC: Darren Moffat <Darren.Moffat at Sun.COM>, David Comay <David.Comay at Sun.COM>
>
> Hey all,
>
> I need code review for:
>
> 14279 SUNWwbcor RBAC merge should not have added SMC-specific entries
>
> Webrev:
>
> v. on_ips : http://cr.opensolaris.org/~richlowe/onips_14279
> v. onnv : http://cr.opensolaris.org/~richlowe/onips_14279_onnv
>
> It's probably easier to use the webrev against onnv, and treat it as an
> entirely new addition, rather than use the actual webrev against on_ips.
>
> Notes:
>
> In code review previously, Darren quite sensibly requested that entries
> only of use in the Admin consolidation (he actually specified SMC, but I
> think the two statements are equivalent) not be merged into ON. Prior
> practice, however, has been that we attempt to deliver exactly what
> Indiana itself delivers. So Darren's comments lead us to depart from
> this, which is why, David, I'm copying you on this, to make sure I don't
> stuff it up *again*...
>
> What I propose to do, and what this webrev does, is add only those
> entries meaningful for ON, matching, I think, Darren's desires. This
> leaves several things that Indiana delivers via the SUNWwbcor fragment
> it inserts into SUNWcs that SUNWcs will not itself deliver after on_ips
> integrates.
>
> I should note that in the vast majority of these cases, it's hard to see
> how they could function on Indiana even if the software using them was
> delivered, as many (most) of the profiles delivered in the SUNWwbcor
> prof_attr fragment refer to authorisations which are not themselves
> delivered.
>
> If these changes integrate, when ON starts delivering IPS packages
> natively (when on_ips integrates) entries from SUNWwbcor that are still
> desirable, but excluded here, will need to be delivered from some other
> package. A list of these is appended to this message (edited copies of
> the SUNWwbcor files delivered in build 132). The ones which stand out
> are those relating to prodreg, and the Software Installation profile.
>
> To the best of my knowledge, on_ips is aiming to land *after* 2010.1H is
> released, and so this movement of stuff should not cut into any release
> stabilisation, nor distract from more release-critical efforts.
>
> If this scheme isn't acceptable to the Indiana folks (David, in this
> case), I think we'll need them to come to some agreement with Darren,
> and then tell me what it is.
>
> Specific notable changes in this webrev:
>
> - 'solaris.network.*' in the Network Security profile applies to some
>   authorizations from ON, and its addition is retained.
>
> - The Primary Administrator profile entry in exec_attr is switched to
>   the 'solaris' policy, per comments from Darren's review. This will
>   not be merged by i.rbac, but instead will add an additional line to
>   exec_attr. I have asked Darren if this was OK, and he agreed that it
>   was, as it also keeps unnecessary merging complexity out of i.rbac.
>
> -- Rich (who hopes to have finally gotten this *right*...)
>
> Entries from SUNWwbcor fragments not carried into ON, and here removed
> from on_ips.
>
> prof_attr:
>
> Audit Control::::auths=solaris.admin.logsvc.purge,solaris.admin.logsvc.read
> Basic Solaris User::::auths=solaris.admin.usermgr.read,solaris.admin.logsvc.read,solaris.admin.fsmgr.read,solaris.admin.serialmgr.read,solaris.admin.diskmgr.read,solaris.admin.procmgr.user,solaris.compsys.read,solaris.admin.printer.read,solaris.admin.prodreg.read,solaris.admin.dcmgr.read,solaris.snmp.read,solaris.project.read,solaris.admin.patchmgr.read,,solaris.network.hosts.read
> Device Management::::auths=solaris.admin.serialmgr.*
> Device Security::::auths=solaris.admin.serialmgr.*
> File System Management::::auths=solaris.admin.fsmgr.*,solaris.admin.diskmgr.*
> File System Security::::auths=solaris.admin.fsmgr.*,solaris.admin.diskmgr.*
> Maintenance and Repair::::auths=solaris.admin.logsvc.write,solaris.admin.logsvc.read,solaris.compsys.write,solaris.compsys.read
> Process Management::::auths=solaris.admin.procmgr.*
> User Management::::auths=solaris.admin.usermgr.write,solaris.admin.usermgr.read,solaris.admin.usermgr.manage
> User Security::::auths=solaris.admin.usermgr.*,solaris.admin.privilege.write
> Printer Management::::auths=solaris.admin.printer.read,solaris.admin.printer.modify,solaris.admin.printer.delete
> Software Installation::::auths=solaris.admin.prodreg.read,solaris.admin.prodreg.modify,solaris.admin.prodreg.delete,solaris.admin.dcmgr.admin,solaris.admin.dcmgr.read,solaris.admin.patchmgr.*
> Network Management::::auths=solaris.admin.dcmgr.clients,solaris.admin.dcmgr.read,solaris.snmp.*,solaris.network.hosts.*
> Project Management:::Manage Solaris projects:auths=solaris.project.read,solaris.project.write;help=RtProjManagement.html
>
> exec_attr:
>
> Name Service Security:suser:cmd:::/usr/sadm/bin/smattrpop:uid=0;gid=sys

security-discuss mailing list
security-discuss at opensolaris.org
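Rich's observation that most of the SUNWwbcor profiles name authorizations that are never delivered can be checked mechanically rather than by eye. The following is an added example, not code from this thread or from ON: it parses prof_attr and auth_attr fragments in their colon-separated formats and reports, per profile, the auths that no delivered auth_attr entry satisfies (treating a wildcard like solaris.snmp.* as satisfied if any concrete auth matches it). The auth_attr sample is a constructed subset; the prof_attr entries are three copied from the list above, doubled comma included.

```python
import fnmatch

# Constructed auth_attr subset (not the real ON file). Fields: name:res1:res2:short_desc:long_desc:attr
AUTH_ATTR = """\
solaris.admin.usermgr.:::User Accounts::help=AuthUsermgrHeader.html
solaris.admin.usermgr.read:::Read Users::help=AuthUsermgrRead.html
solaris.network.hosts.read:::Read Hosts::help=AuthHostsRead.html
solaris.network.hosts.write:::Modify Hosts::help=AuthHostsWrite.html
solaris.project.read:::Read Projects::help=AuthProjRead.html
solaris.project.write:::Modify Projects::help=AuthProjWrite.html
"""
# Three entries copied from the SUNWwbcor fragment quoted above. Fields: profname:res1:res2:desc:attr
PROF_ATTR = """\
Basic Solaris User::::auths=solaris.admin.usermgr.read,solaris.admin.logsvc.read,,solaris.network.hosts.read
Network Management::::auths=solaris.admin.dcmgr.clients,solaris.admin.dcmgr.read,solaris.snmp.*,solaris.network.hosts.*
Project Management:::Manage Solaris projects:auths=solaris.project.read,solaris.project.write;help=RtProjManagement.html
"""

def _records(text, nfields):
    """Yield each non-blank, non-comment line split into its colon-separated fields."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            yield line.split(":", nfields - 1)

def parse_auth_attr(text):
    """Concrete authorization names; heading entries (name ends in '.') grant nothing and are skipped."""
    return {rec[0] for rec in _records(text, 6) if not rec[0].endswith(".")}

def parse_prof_attr(text):
    """Profile name -> auths listed in its attr field; empty items from ',,' are dropped."""
    profiles = {}
    for rec in _records(text, 5):
        attrs = dict(kv.split("=", 1) for kv in rec[4].split(";") if "=" in kv)
        profiles[rec[0]] = [a for a in attrs.get("auths", "").split(",") if a]
    return profiles

def undelivered(profiles, delivered):
    """Profile -> auths satisfied by no delivered entry (a wildcard such as
    solaris.snmp.* is satisfied if any concrete auth matches it)."""
    missing = {}
    for name, auths in profiles.items():
        dangling = [a for a in auths if not any(fnmatch.fnmatchcase(d, a) for d in delivered)]
        if dangling:
            missing[name] = dangling
    return missing

if __name__ == "__main__":
    for prof, auths in undelivered(parse_prof_attr(PROF_ATTR), parse_auth_attr(AUTH_ATTR)).items():
        print(f"{prof}: {', '.join(auths)}")
```

Pointed at a real image, the same two parsers can be fed /etc/security/prof_attr and /etc/security/auth_attr to list every profile whose grants are dead on delivery.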