PSARC 2012/139 installadm Execution Profiles
7108281 create RBAC execution profiles for installadm
--- a/usr/src/cmd/Makefile.cmd Tue Apr 24 11:32:55 2012 -0600
+++ b/usr/src/cmd/Makefile.cmd Tue Apr 24 11:31:32 2012 -0600
@@ -38,6 +38,7 @@
ROOTMANSYSSVC = $(ROOTMANSYS)/svc
ROOTMANSYSINS = $(ROOTMANSYS)/install
ROOTPROFATTR = $(ROOT)/etc/security/prof_attr.d
+ROOTAUTHATTR = $(ROOT)/etc/security/auth_attr.d
ROOTUSERATTR = $(ROOT)/etc/user_attr.d
ROOTUSRLIBINSTALLADM = $(ROOT)/usr/lib/installadm
ROOTUSRLIBINSTALL = $(ROOT)/usr/lib/install
@@ -59,6 +60,7 @@
ROOTEXECATTRFILES = $(EXECATTRFILES:exec_attr.%=$(ROOTEXECATTR)/%)
ROOTPROFATTRFILES = $(PROFATTRFILES:prof_attr.%=$(ROOTPROFATTR)/%)
ROOTUSERATTRFILES = $(USERATTRFILES:user_attr.%=$(ROOTUSERATTR)/%)
+ROOTAUTHATTRFILES = $(AUTHATTRFILES:auth_attr.%=$(ROOTAUTHATTR)/%)
# Basic linkage macro
LDLIBS.cmd = -L$(ROOTUSRLIB) -L$(ONLIBDIR) -L$(ONUSRLIBDIR)
--- a/usr/src/cmd/Makefile.targ Tue Apr 24 11:32:55 2012 -0600
+++ b/usr/src/cmd/Makefile.targ Tue Apr 24 11:31:32 2012 -0600
@@ -35,6 +35,12 @@
$(ROOTEXECATTR)/%: exec_attr.%
$(INS.rename)
+$(ROOTAUTHATTR):
+ $(INS.dir)
+
+$(ROOTAUTHATTR)/%: auth_attr.%
+ $(INS.rename)
+
$(ROOTLIBSVCMANIFEST)/%: %
$(INS.file)
--- a/usr/src/cmd/ai-webserver/common_profile.py Tue Apr 24 11:32:55 2012 -0600
+++ b/usr/src/cmd/ai-webserver/common_profile.py Tue Apr 24 11:31:32 2012 -0600
@@ -34,7 +34,7 @@
from string import Template
from osol_install.auto_install.installadm_common import _
-from solaris_install import Popen
+from solaris_install import Popen, SetUIDasEUID
# profiles stored here internally
INTERNAL_PROFILE_DIRECTORY = '/var/ai/profile'
@@ -363,8 +363,9 @@
# validate against DTD using svccfg apply -n
pargs = ['/usr/sbin/svccfg', 'apply', '-n', profname]
# invoke command, save stderr, do not throw exception on failure
- cmdpipe = Popen.check_call(pargs, stderr=Popen.STORE,
- check_result=Popen.ANY)
+ with SetUIDasEUID():
+ cmdpipe = Popen.check_call(pargs, stderr=Popen.STORE,
+ check_result=Popen.ANY)
os.unlink(profname)
if cmdpipe.returncode == 0: # success
return ''
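Review bot: The new `with SetUIDasEUID():` around the svccfg call carries no comment saying why the child must run with its real uid raised to the effective uid, and the helper's definition is not part of this diff. This is where the process stops relying on euid alone, so a short comment such as `# svccfg needs uid == euid; raise it for this call only` (exact reason to be confirmed by the author) would show that the scope is deliberately limited to the one call. The same applies to the other `SetUIDasEUID` call sites added in ai_smf_service.py, dhcp.py, image.py, installadm-convert.py, service.py and service_config.py. The enclosing function starts and ends outside the hunk.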
--- a/usr/src/cmd/ai-webserver/create_profile.py Tue Apr 24 11:32:55 2012 -0600
+++ b/usr/src/cmd/ai-webserver/create_profile.py Tue Apr 24 11:31:32 2012 -0600
@@ -40,6 +40,8 @@
from osol_install.auto_install.installadm_common import _
from osol_install.auto_install.service import AIService
+from solaris_install import check_auth_and_euid, PROFILE_AUTH, \
+ UnauthorizedUserError
# Modes of operation.
DO_CREATE = True
@@ -201,6 +203,12 @@
Effect: add profiles to database per command line
Raises SystemExit if condition cannot be handled
'''
+ # check for authorization and euid
+ try:
+ check_auth_and_euid(PROFILE_AUTH)
+ except UnauthorizedUserError as err:
+ raise SystemExit(err)
+
options = parse_options(DO_CREATE, cmd_options)
# get AI service image path and database name
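Review bot: The five-line try/except that turns `UnauthorizedUserError` into `SystemExit` is pasted unchanged here, again in the next hunk of this file, and in the entry points of delete_manifest.py, delete_profile.py, publish_manifest.py, validate_profile.py, create_client.py, create_service.py, delete_client.py, delete_service.py, installadm-convert.py, installadm.py, rename_service.py and set_service.py. A single wrapper placed next to `check_auth_and_euid` in solaris_install would keep the exit behaviour in one place and reduce each entry point to one call, for example `check_auth_or_exit(PROFILE_AUTH)` (the name is only a suggestion). With the copies as they stand, a later change to the denial handling, such as adding an audit log line, has to be repeated in every file.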
@@ -287,6 +295,11 @@
Effect: update existing profile
Raises SystemExit if condition cannot be handled
'''
+ # check for authorization and euid
+ try:
+ check_auth_and_euid(PROFILE_AUTH)
+ except UnauthorizedUserError as err:
+ raise SystemExit(err)
options = parse_options(DO_UPDATE, cmd_options)
--- a/usr/src/cmd/ai-webserver/delete_manifest.py Tue Apr 24 11:32:55 2012 -0600
+++ b/usr/src/cmd/ai-webserver/delete_manifest.py Tue Apr 24 11:31:32 2012 -0600
@@ -35,6 +35,8 @@
from osol_install.auto_install.installadm_common import _
from osol_install.auto_install.service import AIService
+from solaris_install import check_auth_and_euid, MANIFEST_AUTH, \
+ UnauthorizedUserError
def get_usage():
@@ -169,10 +171,11 @@
Delete a manifest from an install service.
'''
- # check that we are root
- if os.geteuid() != 0:
- raise SystemExit(_("Error: Root privileges are required for "
- "this command."))
+ # check for authorization and euid
+ try:
+ check_auth_and_euid(MANIFEST_AUTH)
+ except UnauthorizedUserError as err:
+ raise SystemExit(err)
options = parse_options(cmd_options)
--- a/usr/src/cmd/ai-webserver/delete_profile.py Tue Apr 24 11:32:55 2012 -0600
+++ b/usr/src/cmd/ai-webserver/delete_profile.py Tue Apr 24 11:31:32 2012 -0600
@@ -37,6 +37,8 @@
from osol_install.auto_install.installadm_common import _, \
validate_service_name
from osol_install.auto_install.service import AIService
+from solaris_install import check_auth_and_euid, PROFILE_AUTH, \
+ UnauthorizedUserError
def get_usage():
@@ -141,6 +143,12 @@
Arg: cmd_options - command line options
Effect: delete profiles per command line
'''
+ # check for authorization and euid
+ try:
+ check_auth_and_euid(PROFILE_AUTH)
+ except UnauthorizedUserError as err:
+ raise SystemExit(err)
+
options = parse_options(cmd_options)
# get AI service directory, database name
--- a/usr/src/cmd/ai-webserver/export.py Tue Apr 24 11:32:55 2012 -0600
+++ b/usr/src/cmd/ai-webserver/export.py Tue Apr 24 11:31:32 2012 -0600
@@ -24,7 +24,6 @@
'''
export - write out a manifest or profile
'''
-import errno
import gettext
import os
import shutil
@@ -36,8 +35,9 @@
from optparse import OptionParser
from osol_install.auto_install.service import AIService
-from osol_install.auto_install.installadm_common import _, \
- validate_service_name
+from osol_install.auto_install.installadm_common import _
+from solaris_install import check_auth_and_euid, MANIFEST_AUTH, PROFILE_AUTH, \
+ UnauthorizedUserError
SCREEN = "/dev/stdout"
@@ -84,6 +84,16 @@
if not len(options.mnames) and not len(options.pnames):
parser.error(_("A manifest or profile name is required."))
+ # based on the argument, check for authorization and euid
+ try:
+ if len(options.mnames):
+ check_auth_and_euid(MANIFEST_AUTH)
+
+ if len(options.pnames):
+ check_auth_and_euid(PROFILE_AUTH)
+ except UnauthorizedUserError as err:
+ raise SystemExit(err)
+
options.file_count = len(options.mnames) + len(options.pnames)
if not options.output_name:
--- a/usr/src/cmd/ai-webserver/publish_manifest.py Tue Apr 24 11:32:55 2012 -0600
+++ b/usr/src/cmd/ai-webserver/publish_manifest.py Tue Apr 24 11:31:32 2012 -0600
@@ -36,6 +36,8 @@
import osol_install.auto_install.service_config as config
from osol_install.auto_install.installadm_common import _
from osol_install.auto_install.service import AIService
+from solaris_install import check_auth_and_euid, MANIFEST_AUTH, \
+ UnauthorizedUserError
INFINITY = str(0xFFFFFFFFFFFFFFFF)
@@ -518,10 +520,11 @@
Publish a manifest, associating it with an install service.
'''
- # check that we are root
- if os.geteuid() != 0:
- raise SystemExit(_("Error:\tRoot privileges are required for "
- "this command."))
+ # check for authorization and euid
+ try:
+ check_auth_and_euid(MANIFEST_AUTH)
+ except UnauthorizedUserError as err:
+ raise SystemExit(err)
# load in all the options and file data. Validate proper manifests.
data = parse_options(DO_CREATE, cmd_options)
@@ -555,10 +558,11 @@
Update the contents of an existing manifest.
'''
- # check that we are root
- if os.geteuid() != 0:
- raise SystemExit(_("Error:\tRoot privileges are required for "
- "this command."))
+ # check for authorization and euid
+ try:
+ check_auth_and_euid(MANIFEST_AUTH)
+ except UnauthorizedUserError as err:
+ raise SystemExit(err)
# load in all the options and file data. Validate proper manifests.
data = parse_options(DO_UPDATE, cmd_options)
--- a/usr/src/cmd/ai-webserver/set_criteria.py Tue Apr 24 11:32:55 2012 -0600
+++ b/usr/src/cmd/ai-webserver/set_criteria.py Tue Apr 24 11:31:32 2012 -0600
@@ -39,8 +39,10 @@
from optparse import OptionParser
from osol_install.auto_install.installadm_common import _, \
- AI_SERVICE_DIR_PATH, validate_service_name
+ validate_service_name
from osol_install.auto_install.service import AIService
+from solaris_install import check_auth_and_euid, MANIFEST_AUTH, PROFILE_AUTH, \
+ UnauthorizedUserError
def get_usage():
@@ -95,6 +97,16 @@
if len(args):
parser.error(_("Unexpected argument(s): %s" % args))
+ # based on the argument, check for authorization and euid
+ try:
+ if options.manifest_name is not None:
+ check_auth_and_euid(MANIFEST_AUTH)
+
+ if options.profile_name:
+ check_auth_and_euid(PROFILE_AUTH)
+ except UnauthorizedUserError as err:
+ raise SystemExit(err)
+
# Check that we have the install service's name and
# an AI manifest name
if options.service_name is None:
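Review bot: When neither `options.manifest_name` nor `options.profile_name` is set, this block calls `check_auth_and_euid` zero times, and the next hunk deletes the unconditional `os.geteuid()` check from the caller. Whether a later validation in parse_options rejects that case before anything privileged runs is not visible in this hunk, so the authorization should not depend on it. Either reject the no-name case with `parser.error(...)` before this block, as export.py does ahead of its equivalent checks, or keep one unconditional check in the caller. The two conditions also differ (`is not None` for the manifest, truthiness for the profile); use the same test for both unless the difference is intended and commented.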
@@ -228,10 +240,6 @@
Modify the criteria associated with a manifest.
'''
- # check that we are root
- if os.geteuid() != 0:
- raise SystemExit(_("Error: Root privileges are required for "
- "this command."))
options = parse_options(cmd_options)
--- a/usr/src/cmd/ai-webserver/test/test_create_profile.py Tue Apr 24 11:32:55 2012 -0600
+++ b/usr/src/cmd/ai-webserver/test/test_create_profile.py Tue Apr 24 11:31:32 2012 -0600
@@ -213,6 +213,18 @@
return 1
+class MockSetUIDasEUID(object):
+ '''Class for mock SetUIDasEUID class '''
+
+ def __enter__(self):
+ ''' do nothing '''
+ pass
+
+ def __exit__(self, *exc_info):
+ ''' do nothing '''
+ pass
+
+
class ParseOptions(unittest.TestCase):
'''Tests for parse_options. Some tests correctly output usage msg'''
@@ -483,6 +495,12 @@
self.os_geteuid = os.geteuid
os.geteuid = MockEuid.geteuid
+ self.check_auth_and_euid = create_profile.check_auth_and_euid
+ create_profile.check_auth_and_euid = do_nothing
+
+ self.SetUIDasEUID = com.SetUIDasEUID
+ com.SetUIDasEUID = MockSetUIDasEUID
+
def tearDown(self):
'''unit test tear down'''
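Review bot: `create_profile.check_auth_and_euid` is replaced with `do_nothing` for every test in this class, and the test_export.py and test_set_criteria.py hunks do the same, so none of the visible tests exercises the denial path. Add a test that stubs `check_auth_and_euid` to raise `UnauthorizedUserError` and asserts that the entry point raises `SystemExit`; the ParseOptions tests already use `assertRaises(SystemExit, ...)`. Also, no hunk in this file defines `do_nothing`, whereas the other two test files each add their own copy, so confirm it already exists here. The setUp method starts above the hunk.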
@@ -493,6 +511,8 @@
svc.AIService = self.service_AIService
os.geteuid = self.os_geteuid
shutil.rmtree(self.tmp_dir)
+ create_profile.check_auth_and_euid = self.check_auth_and_euid
+ com.SetUIDasEUID = self.SetUIDasEUID
def test_profile(self):
''' test update profile'''
--- a/usr/src/cmd/ai-webserver/test/test_export.py Tue Apr 24 11:32:55 2012 -0600
+++ b/usr/src/cmd/ai-webserver/test/test_export.py Tue Apr 24 11:31:32 2012 -0600
@@ -19,7 +19,7 @@
#
# CDDL HEADER END
#
-# Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2012, Oracle and/or its affiliates. All rights reserved.
#
'''
@@ -38,6 +38,12 @@
gettext.install("ai-test")
+
+def do_nothing(*args, **kwargs):
+ '''does nothing'''
+ pass
+
+
class MockIsService(object):
'''Class for mock is_service '''
def __init__(self, *args, **kwargs):
@@ -46,6 +52,7 @@
def __call__(self, name):
return True
+
class MockVersion(object):
'''Class for mock version '''
def __init__(self, *args, **kwargs):
@@ -54,6 +61,7 @@
def __call__(self):
return service.AIService.EARLIEST_VERSION
+
class ParseOptions(unittest.TestCase):
'''Tests for parse_options. Some tests correctly output usage msg'''
@@ -63,6 +71,8 @@
config.is_service = MockIsService
self.svc_version = service.AIService.version
service.AIService.version = MockVersion()
+ self.check_auth_and_euid = export.check_auth_and_euid
+ export.check_auth_and_euid = do_nothing
def tearDown(self):
'''unit test tear down
@@ -71,6 +81,7 @@
'''
config.is_service = self.config_is_service
service.AIService.version = self.svc_version
+ export.check_auth_and_euid = self.check_auth_and_euid
def test_parse_no_options(self):
'''Ensure no options caught'''
--- a/usr/src/cmd/ai-webserver/test/test_set_criteria.py Tue Apr 24 11:32:55 2012 -0600
+++ b/usr/src/cmd/ai-webserver/test/test_set_criteria.py Tue Apr 24 11:31:32 2012 -0600
@@ -19,7 +19,7 @@
#
# CDDL HEADER END
#
-# Copyright (c) 2010, 2011, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2010, 2012, Oracle and/or its affiliates. All rights reserved.
#
'''
@@ -38,14 +38,21 @@
gettext.install("ai-test")
+
+def do_nothing(*args, **kwargs):
+ '''does nothing'''
+ pass
+
+
class MockDataBase(object):
'''Class for mock database '''
def __init__(self):
- self.queue = MockQueue()
+ self.queue = MockQueue()
def getQueue(self):
return self.queue
+
class MockQueue(object):
'''Class for mock database '''
def __init__(self):
@@ -54,6 +61,7 @@
def put(self, query):
return
+
class MockQuery(object):
'''Class for mock query '''
def __init__(self):
@@ -69,6 +77,7 @@
def getResponse(self):
return
+
class MockGetCriteria(object):
'''Class for mock getCriteria '''
def __init__(self):
@@ -83,6 +92,7 @@
else:
return self.crit_unstripped
+
class MockisRangeCriteria(object):
'''Class for mock isRangeCriteria '''
def __init__(self):
@@ -93,6 +103,7 @@
return True
return False
+
class MockgetManNames(object):
'''Class for mock getManNames '''
def __init__(self):
@@ -114,6 +125,7 @@
self.criteria = None
self.database = MockDataBase()
+
class SetCriteria(unittest.TestCase):
'''Tests for set_criteria'''
@@ -149,8 +161,8 @@
set_criteria.set_criteria(criteria, "myxml", self.files.database,
'manifests')
expect_query = "UPDATE manifests SET arch='i86pc',MINmem=NULL," + \
- "MAXmem='4096',MINipv4=NULL,MAXipv4=NULL,MINmac=NULL," +\
- "MAXmac=NULL WHERE name='myxml'"
+ "MAXmem='4096',MINipv4=NULL,MAXipv4=NULL," +\
+ "MINmac=NULL,MAXmac=NULL WHERE name='myxml'"
self.assertEquals(expect_query, self.mockquery.query)
def test_unbounded_max(self):
@@ -253,6 +265,15 @@
class ParseOptions(unittest.TestCase):
'''Tests for parse_options. Some tests correctly output usage msg'''
+ def setUp(self):
+ '''unit test set up'''
+ self.check_auth_and_euid = set_criteria.check_auth_and_euid
+ set_criteria.check_auth_and_euid = do_nothing
+
+ def tearDown(self):
+ '''unit test tear down '''
+ set_criteria.check_auth_and_euid = self.check_auth_and_euid
+
def test_parse_no_options(self):
'''Ensure no options caught'''
self.assertRaises(SystemExit, set_criteria.parse_options, [])
--- a/usr/src/cmd/ai-webserver/validate_profile.py Tue Apr 24 11:32:55 2012 -0600
+++ b/usr/src/cmd/ai-webserver/validate_profile.py Tue Apr 24 11:31:32 2012 -0600
@@ -27,8 +27,6 @@
import os.path
import sys
-import lxml.etree
-
import osol_install.auto_install.AI_database as AIdb
import osol_install.auto_install.data_files as df
@@ -37,6 +35,8 @@
from osol_install.auto_install.installadm_common import _, \
validate_service_name
from osol_install.auto_install.service import AIService
+from solaris_install import check_auth_and_euid, PROFILE_AUTH, \
+ UnauthorizedUserError
def get_usage():
@@ -126,6 +126,12 @@
Arg: cmd_options - command line options
Effect: validate per command line
'''
+ # check for authorization and euid
+ try:
+ check_auth_and_euid(PROFILE_AUTH)
+ except UnauthorizedUserError as err:
+ raise SystemExit(err)
+
options = parse_options(cmd_options)
isvalid = True
# get AI service directory, database name
--- a/usr/src/cmd/installadm/ai_smf_service.py Tue Apr 24 11:32:55 2012 -0600
+++ b/usr/src/cmd/installadm/ai_smf_service.py Tue Apr 24 11:31:32 2012 -0600
@@ -19,7 +19,7 @@
#
# CDDL HEADER END
#
-# Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2012, Oracle and/or its affiliates. All rights reserved.
#
'''
This file contains a thin wrapper around osol_install.libaiscf and
@@ -37,7 +37,7 @@
import osol_install.libaiscf as libaiscf
from osol_install.auto_install.installadm_common import _, cli_wrap as cw
-from solaris_install import Popen, CalledProcessError
+from solaris_install import Popen, CalledProcessError, SetUIDasEUID
_ = com._
@@ -216,10 +216,12 @@
setprop = [SVCCFG, '-s', TFTP_FMRI, 'setprop', 'inetd_start/exec', '=',
INET_START % com.BOOT_DIR]
- Popen.check_call(setprop)
- Popen.check_call([SVCADM, 'refresh', TFTP_FMRI])
-
- Popen.check_call([SVCADM, 'enable', TFTP_FMRI])
+ with SetUIDasEUID():
+ Popen.check_call(setprop)
+ Popen.check_call([SVCADM, 'refresh', TFTP_FMRI])
+
+ with SetUIDasEUID():
+ Popen.check_call([SVCADM, 'enable', TFTP_FMRI])
def enable_instance():
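Review bot: The two consecutive `with SetUIDasEUID():` blocks have no statement between them, so the uid is raised, restored and raised again for no visible reason. One block covering all three `Popen.check_call` calls would read more simply. If the split is meant to keep each privileged window short, a comment saying so would stop a later cleanup from merging them unknowingly. The enclosing function begins above the hunk.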
--- a/usr/src/cmd/installadm/create_client.py Tue Apr 24 11:32:55 2012 -0600
+++ b/usr/src/cmd/installadm/create_client.py Tue Apr 24 11:31:32 2012 -0600
@@ -26,7 +26,6 @@
'''
import gettext
import logging
-import os
import osol_install.auto_install.ai_smf_service as aismf
import osol_install.auto_install.client_control as clientctrl
@@ -38,7 +37,8 @@
from bootmgmt import BootmgmtError
from osol_install.auto_install.installadm_common import _, cli_wrap as cw
-from solaris_install import Popen
+from solaris_install import Popen, check_auth_and_euid, CLIENT_AUTH, \
+ UnauthorizedUserError
def get_usage():
@@ -167,10 +167,11 @@
def do_create_client(cmd_options=None):
'''Parse the user supplied arguments and create the specified client'''
- # check that we are root
- if os.geteuid() != 0:
- raise SystemExit(_("Error: Root privileges are required for "
- "this command."))
+ # check for authorization and euid
+ try:
+ check_auth_and_euid(CLIENT_AUTH)
+ except UnauthorizedUserError as err:
+ raise SystemExit(err)
# parse server options
options = parse_options(cmd_options)
--- a/usr/src/cmd/installadm/create_service.py Tue Apr 24 11:32:55 2012 -0600
+++ b/usr/src/cmd/installadm/create_service.py Tue Apr 24 11:31:32 2012 -0600
@@ -50,7 +50,8 @@
DEFAULT_ARCH, MountError, UnsupportedAliasError
from osol_install.auto_install.image import ImageError, InstalladmIsoImage, \
InstalladmPkgImage, is_iso
-from solaris_install import Popen, CalledProcessError
+from solaris_install import Popen, CalledProcessError, check_auth_and_euid, \
+ SERVICE_AUTH, UnauthorizedUserError
BASE_DEF_SVC_NAME = "solarisx"
@@ -664,10 +665,11 @@
def do_create_service(cmd_options=None):
''' Create either a base service or an alias '''
- # check that we are root
- if os.geteuid() != 0:
- raise SystemExit(_("Error: Root privileges are required for this "
- "command.\n"))
+ # check for authorization and euid
+ try:
+ check_auth_and_euid(SERVICE_AUTH)
+ except UnauthorizedUserError as err:
+ raise SystemExit(err)
logging.log(com.XDEBUG, '**** START do_create_service ****')
--- a/usr/src/cmd/installadm/delete_client.py Tue Apr 24 11:32:55 2012 -0600
+++ b/usr/src/cmd/installadm/delete_client.py Tue Apr 24 11:31:32 2012 -0600
@@ -25,7 +25,6 @@
'''
import gettext
import logging
-import os
import osol_install.auto_install.client_control as clientctrl
import osol_install.auto_install.installadm_common as com
@@ -34,6 +33,8 @@
from optparse import OptionParser
from osol_install.auto_install.installadm_common import _
+from solaris_install import check_auth_and_euid, CLIENT_AUTH, \
+ UnauthorizedUserError
def get_usage():
@@ -72,10 +73,11 @@
client.
'''
- # check that we are root
- if os.geteuid() != 0:
- raise SystemExit(_("Error: Root privileges are required for "
- "this command.\n"))
+ # check for authorization and euid
+ try:
+ check_auth_and_euid(CLIENT_AUTH)
+ except UnauthorizedUserError as err:
+ raise SystemExit(err)
options = parse_options(cmd_options)
clientid = '01' + str(options.mac)
--- a/usr/src/cmd/installadm/delete_service.py Tue Apr 24 11:32:55 2012 -0600
+++ b/usr/src/cmd/installadm/delete_service.py Tue Apr 24 11:31:32 2012 -0600
@@ -25,7 +25,6 @@
'''
import gettext
import logging
-import os
import sys
import osol_install.auto_install.client_control as clientctrl
@@ -37,6 +36,8 @@
from osol_install.auto_install.installadm_common import _, cli_wrap as cw
from osol_install.auto_install.service import AIService, DEFAULT_ARCH
+from solaris_install import check_auth_and_euid, SERVICE_AUTH, \
+ UnauthorizedUserError
def get_usage():
@@ -240,10 +241,11 @@
Entry point for delete_service
'''
- # check that we are root
- if os.geteuid() != 0:
- raise SystemExit(_("Error: Root privileges are required for this "
- "command.\n"))
+ # check for authorization and euid
+ try:
+ check_auth_and_euid(SERVICE_AUTH)
+ except UnauthorizedUserError as err:
+ raise SystemExit(err)
# parse server options
options = parse_options(cmd_options)
--- a/usr/src/cmd/installadm/dhcp.py Tue Apr 24 11:32:55 2012 -0600
+++ b/usr/src/cmd/installadm/dhcp.py Tue Apr 24 11:31:32 2012 -0600
@@ -39,7 +39,7 @@
from osol_install.auto_install.installadm_common import _, cli_wrap as cw, \
MACAddress
from osol_install.libaimdns import getifaddrs
-from solaris_install import Popen, CalledProcessError
+from solaris_install import Popen, CalledProcessError, SetUIDasEUID
VERSION = "0.1"
@@ -821,7 +821,8 @@
% action)
cmd = [SVCADM, action, DHCP_SERVER_IPV4_SVC]
- Popen.check_call(cmd, stderr=Popen.STORE)
+ with SetUIDasEUID():
+ Popen.check_call(cmd, stderr=Popen.STORE)
# Delay a second to allow for the change to propagate
time.sleep(1)
@@ -833,7 +834,8 @@
if action in SMF_ONLINE_ACTIONS:
for action in SMF_HARD_RESET_ACTIONS:
cmd = [SVCADM, action, DHCP_SERVER_IPV4_SVC]
- Popen.check_call(cmd, stderr=Popen.STORE)
+ with SetUIDasEUID():
+ Popen.check_call(cmd, stderr=Popen.STORE)
time.sleep(1)
if self._state == SMF_EXPECTED_STATE[action]:
return
--- a/usr/src/cmd/installadm/image.py Tue Apr 24 11:32:55 2012 -0600
+++ b/usr/src/cmd/installadm/image.py Tue Apr 24 11:31:32 2012 -0600
@@ -60,7 +60,7 @@
import osol_install.auto_install.installadm_common as com
from osol_install.auto_install.installadm_common import _, cli_wrap as cw
-from solaris_install import Popen, PKG5_API_VERSION
+from solaris_install import Popen, PKG5_API_VERSION, SetUIDasEUID
_FILE = '/usr/bin/file'
@@ -395,7 +395,8 @@
'''
cmd = [com.SETUP_IMAGE_SCRIPT, com.IMAGE_CREATE, iso, targetdir]
- Popen.check_call(cmd, stderr=Popen.STORE)
+ with SetUIDasEUID():
+ Popen.check_call(cmd, stderr=Popen.STORE)
iso_img = cls(targetdir)
iso_img.verify()
iso_img._prep_ai_webserver()
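Review bot: `iso` and `targetdir` are passed to `com.SETUP_IMAGE_SCRIPT` inside `SetUIDasEUID()`, and after this commit the caller only needs the service authorization rather than being root. If the helper raises the real uid to a privileged effective uid (its definition is not in this diff), both paths now come from a less-privileged user and reach a script running with full privilege. Confirm that they are validated before this call, which would be outside the hunk: for example, that `targetdir` resolves under the expected image area and is not a link the caller controls. A comment here naming the caller that performs that validation would make the trust boundary explicit.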
--- a/usr/src/cmd/installadm/installadm-convert.py Tue Apr 24 11:32:55 2012 -0600
+++ b/usr/src/cmd/installadm/installadm-convert.py Tue Apr 24 11:31:32 2012 -0600
@@ -50,7 +50,8 @@
from osol_install.auto_install.grub import AIGrubCfg as grubcfg
from osol_install.auto_install.installadm_common import _, cli_wrap as cw
from osol_install.auto_install.service import AIService
-from solaris_install import Popen, CalledProcessError
+from solaris_install import Popen, CalledProcessError, check_auth_and_euid, \
+ SERVICE_AUTH, SetUIDasEUID, UnauthorizedUserError
VERSION = _("%prog: version 1.0")
@@ -225,8 +226,9 @@
# first get a list of networks served
cmd = ["/usr/sbin/pntadm", "-L"]
try:
- pipe = Popen.check_call(cmd, stdout=Popen.STORE,
- stderr=Popen.DEVNULL)
+ with SetUIDasEUID():
+ pipe = Popen.check_call(cmd, stdout=Popen.STORE,
+ stderr=Popen.DEVNULL)
except CalledProcessError as err:
# return a DHCPError on failure
raise SUNDHCPData.DHCPError(err)
@@ -313,8 +315,9 @@
# get a list of all server macros
cmd = ["/usr/sbin/dhtadm", "-P"]
try:
- pipe = Popen.check_call(cmd, stdout=Popen.STORE,
- stderr=Popen.DEVNULL)
+ with SetUIDasEUID():
+ pipe = Popen.check_call(cmd, stdout=Popen.STORE,
+ stderr=Popen.DEVNULL)
except CalledProcessError as err:
raise SUNDHCPData.DHCPError(err)
@@ -365,8 +368,9 @@
systems = dict()
cmd = ["/usr/sbin/pntadm", "-P", net]
try:
- pipe = Popen.check_call(cmd, stdout=Popen.STORE,
- stderr=Popen.DEVNULL)
+ with SetUIDasEUID():
+ pipe = Popen.check_call(cmd, stdout=Popen.STORE,
+ stderr=Popen.DEVNULL)
except CalledProcessError as err:
raise SUNDHCPData.DHCPError(err)
@@ -654,9 +658,10 @@
'inetd_start/exec="%s"' % val]
try:
- Popen.check_call(cmd, stdout=Popen.STORE,
- stderr=Popen.STORE, logger='',
- stderr_loglevel=logging.DEBUG)
+ with SetUIDasEUID():
+ Popen.check_call(cmd, stdout=Popen.STORE,
+ stderr=Popen.STORE, logger='',
+ stderr_loglevel=logging.DEBUG)
except CalledProcessError:
sys.stderr.write(cw(_('%(path)s: warning: Unable to set the value of '
'key property inetd/start_exec for '
@@ -667,9 +672,10 @@
cmd = ['/usr/sbin/svcadm', 'refresh', 'tftp/udp6:default']
try:
- Popen.check_call(cmd, stdout=Popen.STORE,
- stderr=Popen.STORE, logger='',
- stderr_loglevel=logging.DEBUG)
+ with SetUIDasEUID():
+ Popen.check_call(cmd, stdout=Popen.STORE,
+ stderr=Popen.STORE, logger='',
+ stderr_loglevel=logging.DEBUG)
except CalledProcessError:
sys.stderr.write(cw(_('%s: warning: Unable to refresh the service: '
'tftp/udp6:default\nThis needs to be done '
@@ -692,9 +698,10 @@
cmd = ['/usr/sbin/svccfg', '-s', AI_SVC_FMRI, 'delprop', pg_name]
try:
- Popen.check_call(cmd, stdout=Popen.STORE,
- stderr=Popen.STORE, logger='',
- stderr_loglevel=logging.DEBUG)
+ with SetUIDasEUID():
+ Popen.check_call(cmd, stdout=Popen.STORE,
+ stderr=Popen.STORE, logger='',
+ stderr_loglevel=logging.DEBUG)
except CalledProcessError as err:
sys.stderr.write(cw(_('%(cmd)s failed with: %(error)s')
% {'cmd': cmd, 'error': err.popen.stderr}))
@@ -753,10 +760,11 @@
# unmount filesystem
try:
cmd = ["/usr/sbin/umount", boot_archive]
- Popen.check_call(cmd, stdout=Popen.STORE,
- stderr=Popen.STORE, logger='',
- stderr_loglevel=logging.DEBUG,
- check_result=Popen.SUCCESS)
+ with SetUIDasEUID():
+ Popen.check_call(cmd, stdout=Popen.STORE,
+ stderr=Popen.STORE, logger='',
+ stderr_loglevel=logging.DEBUG,
+ check_result=Popen.SUCCESS)
# if run_cmd errors out we should continue
except CalledProcessError as err:
@@ -1855,10 +1863,11 @@
(options, args) = parser.parse_args()
- # check for root
- if os.geteuid() != 0:
- raise SystemExit(_("Error: Root privileges are required for "
- "this command."))
+ # check for authorization and euid
+ try:
+ check_auth_and_euid(SERVICE_AUTH)
+ except UnauthorizedUserError as err:
+ raise SystemExit(err)
try:
inst = smf.AISCF(FMRI="system/install/server")
--- a/usr/src/cmd/installadm/installadm.py Tue Apr 24 11:32:55 2012 -0600
+++ b/usr/src/cmd/installadm/installadm.py Tue Apr 24 11:31:32 2012 -0600
@@ -19,13 +19,12 @@
#
# CDDL HEADER END
#
-# Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2012, Oracle and/or its affiliates. All rights reserved.
#
'''
installadm - administration of AI services, manifests, and clients
'''
import logging
-import os
import sys
import traceback
@@ -54,7 +53,8 @@
from osol_install.auto_install.image import ImageError
from osol_install.auto_install.service import AIService, MountError, \
VersionError, InvalidServiceError
-from solaris_install import Popen, CalledProcessError
+from solaris_install import Popen, CalledProcessError, check_auth_and_euid, \
+ SERVICE_AUTH, UnauthorizedUserError
DEFAULT_LOG_LEVEL = logging.WARN
@@ -95,16 +95,17 @@
'''
logging.log(XDEBUG, '**** START do_enable_service ****')
+ # check for authorization and euid
+ try:
+ check_auth_and_euid(SERVICE_AUTH)
+ except UnauthorizedUserError as err:
+ raise SystemExit(err)
+
usage = '\n' + get_enable_usage()
parser = OptionParser(usage=usage)
args = parser.parse_args(cmd_options)[1]
- # Check for privileges
- if os.geteuid() != 0:
- raise SystemExit(_("Error: Root privileges are required for "
- "this command."))
-
# Check for correct number of args
if len(args) != 1:
if len(args) == 0:
@@ -155,16 +156,17 @@
'''
logging.debug('**** START do_disable_service ****')
+ # check for authorization and euid
+ try:
+ check_auth_and_euid(SERVICE_AUTH)
+ except UnauthorizedUserError as err:
+ raise SystemExit(err)
+
usage = '\n' + get_disable_usage()
parser = OptionParser(usage=usage)
(options, args) = parser.parse_args(cmd_options)
- # Check for privileges
- if os.geteuid() != 0:
- raise SystemExit(_("Error: Root privileges are required for "
- "this command."))
-
# Check for correct number of args
if len(args) != 1:
if len(args) == 0:
--- a/usr/src/cmd/installadm/rename_service.py Tue Apr 24 11:32:55 2012 -0600
+++ b/usr/src/cmd/installadm/rename_service.py Tue Apr 24 11:31:32 2012 -0600
@@ -40,6 +40,8 @@
validate_service_name, cli_wrap as cw
from osol_install.auto_install.service import AIService, MountError, \
DEFAULT_ARCH
+from solaris_install import check_auth_and_euid, SERVICE_AUTH, \
+ UnauthorizedUserError
def get_usage():
@@ -89,10 +91,11 @@
of leaving the final product as close to functional as possible
'''
- # check that we are root
- if os.geteuid() != 0:
- raise SystemExit(_("Error: Root privileges are required for this "
- "command.\n"))
+ # check for authorization and euid
+ try:
+ check_auth_and_euid(SERVICE_AUTH)
+ except UnauthorizedUserError as err:
+ raise SystemExit(err)
(svcname, newsvcname) = parse_options(cmd_options)
--- a/usr/src/cmd/installadm/service.py Tue Apr 24 11:32:55 2012 -0600
+++ b/usr/src/cmd/installadm/service.py Tue Apr 24 11:31:32 2012 -0600
@@ -56,7 +56,8 @@
from osol_install.auto_install.grub import AIGrubCfg as grubcfg
from osol_install.auto_install.image import InstalladmImage, ImageError
from osol_install.auto_install.installadm_common import _, cli_wrap as cw
-from solaris_install import Popen, CalledProcessError, force_delete
+from solaris_install import Popen, CalledProcessError, force_delete, \
+ SetUIDasEUID
MOUNT = '/usr/sbin/mount'
UNMOUNT = '/usr/sbin/umount'
@@ -300,7 +301,8 @@
# the setup-service-script relies on sending information to
# stdout/stderr
logging.debug("Executing: %s", cmd)
- Popen.check_call(cmd)
+ with SetUIDasEUID():
+ Popen.check_call(cmd)
except CalledProcessError:
print >> sys.stderr, _("Failed to setup service directory for "
"service, %s\n" % name)
@@ -415,7 +417,8 @@
def _unregister(self):
cmd = [com.SETUP_SERVICE_SCRIPT, com.SERVICE_DISABLE, self.name]
- Popen.check_call(cmd, check_result=Popen.ANY)
+ with SetUIDasEUID():
+ Popen.check_call(cmd, check_result=Popen.ANY)
def delete(self):
'''Deletes this service, removing the image area, mountpoints,
@@ -683,9 +686,10 @@
self._prepare_target(to_mountpoint)
cmd = [MOUNT, '-F', 'lofs', from_path, to_mountpoint]
try:
- Popen.check_call(cmd, stdout=Popen.STORE, stderr=Popen.STORE,
- logger='', stderr_loglevel=logging.DEBUG,
- check_result=Popen.SUCCESS)
+ with SetUIDasEUID():
+ Popen.check_call(cmd, stdout=Popen.STORE, stderr=Popen.STORE,
+ logger='', stderr_loglevel=logging.DEBUG,
+ check_result=Popen.SUCCESS)
except CalledProcessError as err:
raise MountError(from_path, to_mountpoint, err.popen.stderr)
@@ -759,9 +763,11 @@
cmd = list(umount_cmd)
cmd.append(mountpoint)
try:
- Popen.check_call(cmd, stdout=Popen.STORE, stderr=Popen.STORE,
- logger='', stderr_loglevel=logging.DEBUG,
- check_result=Popen.SUCCESS)
+ with SetUIDasEUID():
+ Popen.check_call(cmd, stdout=Popen.STORE,
+ stderr=Popen.STORE, logger='',
+ stderr_loglevel=logging.DEBUG,
+ check_result=Popen.SUCCESS)
except CalledProcessError as err:
failures.append(UnmountError(mountpoint, err.popen.stderr))
@@ -1117,7 +1123,9 @@
modified_env['LC_CTYPE'] = lc_all
del modified_env['LC_ALL']
modified_env['LC_NUMERIC'] = 'C'
- Popen.check_call(cmd, env=modified_env)
+ with SetUIDasEUID():
+ Popen.check_call(cmd, env=modified_env)
+
self._setup_install_conf()
def _setup_install_conf(self):
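Review bot: `Popen.check_call(cmd, env=modified_env)` now runs inside `SetUIDasEUID()`, and the only adjustments to `modified_env` visible in the hunk are the `LC_*` entries. If `modified_env` starts as a copy of the invoking user's environment (its construction is above the hunk), every other variable that user set is handed to a child running with the raised uid. Build the child's environment from a short allowlist of the variables the command needs, or add a comment here stating why the inherited environment is trusted at this point.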
--- a/usr/src/cmd/installadm/service_config.py Tue Apr 24 11:32:55 2012 -0600
+++ b/usr/src/cmd/installadm/service_config.py Tue Apr 24 11:31:32 2012 -0600
@@ -37,7 +37,7 @@
import osol_install.auto_install.installadm_common as com
from osol_install.auto_install.installadm_common import _, cli_wrap as cw
-from solaris_install import CalledProcessError, Popen
+from solaris_install import CalledProcessError, Popen, SetUIDasEUID
# AI installation service property keys and values
@@ -529,7 +529,7 @@
# Confirm required keys are available and exit if not
verify_key_properties(svcname, props)
-
+
# Update status in service's properties
props[PROP_STATUS] = STATUS_ON
set_service_props(svcname, props)
@@ -542,7 +542,8 @@
props[PROP_TXT_RECORD]]
try:
logging.log(com.XDEBUG, "Executing: %s", cmd)
- Popen.check_call(cmd)
+ with SetUIDasEUID():
+ Popen.check_call(cmd)
except CalledProcessError:
# Revert status in service's properties
props = {PROP_STATUS: STATUS_OFF}
--- a/usr/src/cmd/installadm/set_service.py Tue Apr 24 11:32:55 2012 -0600
+++ b/usr/src/cmd/installadm/set_service.py Tue Apr 24 11:31:32 2012 -0600
@@ -39,6 +39,8 @@
from bootmgmt import BootmgmtError
from osol_install.auto_install.installadm_common import _, \
validate_service_name, cli_wrap as cw
+from solaris_install import check_auth_and_euid, SERVICE_AUTH, \
+ UnauthorizedUserError
SERVICE_PROPS = [config.PROP_DEFAULT_MANIFEST, 'aliasof', 'imagepath']
@@ -255,10 +257,11 @@
'''
Set a property of a service
'''
- # check that we are root
- if os.geteuid() != 0:
- raise SystemExit(_("Error: Root privileges are required for this "
- "command."))
+ # check for authorization and euid
+ try:
+ check_auth_and_euid(SERVICE_AUTH)
+ except UnauthorizedUserError as err:
+ raise SystemExit(err)
options = parse_options(cmd_options)
--- a/usr/src/cmd/rbac/Makefile Tue Apr 24 11:32:55 2012 -0600
+++ b/usr/src/cmd/rbac/Makefile Tue Apr 24 11:31:32 2012 -0600
@@ -19,26 +19,31 @@
# CDDL HEADER END
#
#
-# Copyright (c) 2009, 2011, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2009, 2012, Oracle and/or its affiliates. All rights reserved.
#
#
EXECATTRFILES = exec_attr.SUNWgui-install exec_attr.distribution-constructor \
- exec_attr.system%2Finstall%2Fmedia%2Finternal
+ exec_attr.system%2Finstall%2Fmedia%2Finternal \
+ exec_attr.install%2Finstalladm
-PROFATTRFILES = prof_attr.distribution-constructor
+PROFATTRFILES = prof_attr.distribution-constructor \
+ prof_attr.install%2Finstalladm
USERATTRFILES = user_attr.system%2Finstall%2Fauto-install \
user_attr.SUNWgui-install
+AUTHATTRFILES = auth_attr.install%2Finstalladm
+
include $(SRC)/cmd/Makefile.cmd
FILEMODE= 444
all:
-install: all $(ROOTEXECATTR) $(ROOTPROFATTR) $(ROOTUSERATTR) .WAIT \
- $(ROOTEXECATTRFILES) $(ROOTPROFATTRFILES) $(ROOTUSERATTRFILES)
+install: all $(ROOTEXECATTR) $(ROOTPROFATTR) $(ROOTUSERATTR) $(ROOTAUTHATTR) .WAIT \
+ $(ROOTEXECATTRFILES) $(ROOTPROFATTRFILES) $(ROOTUSERATTRFILES) \
+ $(ROOTAUTHATTRFILES)
install_h:
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/usr/src/cmd/rbac/auth_attr.install%2Finstalladm Tue Apr 24 11:31:32 2012 -0600
@@ -0,0 +1,27 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+#
+# Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
+#
+solaris.autoinstall.client:RO::Administer Automated Install Clients::
+solaris.autoinstall.manifest:RO::Administer Automated Install Manifests::
+solaris.autoinstall.profile:RO::Administer Automated Install System Configuration Profiles::
+solaris.autoinstall.service:RO::Administer Automated Install Services::
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/usr/src/cmd/rbac/exec_attr.install%2Finstalladm Tue Apr 24 11:31:32 2012 -0600
@@ -0,0 +1,26 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+#
+# Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
+#
+Install Manifest Management:solaris:cmd:RO::/usr/sbin/installadm:euid=0
+Install Profile Management:solaris:cmd:RO::/usr/sbin/installadm:euid=0
+Install Service Management:solaris:cmd:RO::/usr/sbin/installadm-convert:euid=0
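Review bot: All three entries grant `euid=0` on a whole binary, so exec_attr itself does not separate manifest, profile and service duties. A user holding only Install Manifest Management starts every `/usr/sbin/installadm` subcommand with effective uid 0. The separation therefore depends on each subcommand calling `check_auth_and_euid()` with its own authorization before doing any work, as set_service.py does with `SERVICE_AUTH` in this commit. A comment here such as `# euid=0 covers every subcommand; per-subcommand authorization is enforced in installadm via check_auth_and_euid()` would make that dependency visible. Whether `installadm-convert` performs an equivalent check is not visible in this part of the diff and is worth confirming.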
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/usr/src/cmd/rbac/prof_attr.install%2Finstalladm Tue Apr 24 11:31:32 2012 -0600
@@ -0,0 +1,41 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+#
+# Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
+#
+Install Manifest Management:RO::Install Manifest Administration:\
+auths=solaris.autoinstall.manifest
+
+Install Profile Management:RO::Install System Configuration Profile \
+Administration:auths=solaris.autoinstall.profile
+
+Install Client Management:RO::Install Client Administration:\
+profiles=Install Manifest Management,\
+Install Profile Management;\
+auths=solaris.autoinstall.client
+
+Install Service Management:RO::Install Service Administration:\
+profiles=Install Manifest Management,\
+Install Profile Management,\
+Install Client Management;\
+auths=solaris.autoinstall.service
+
+System Administrator:RO:::profiles=Install Service Management
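Review bot: The last entry extends the existing `System Administrator` profile rather than defining a new one, and nothing in the file says so. `Install Service Management` nests the client, manifest and profile profiles. As I read the prof_attr.d merge behaviour, every account that already holds System Administrator therefore gains all four `solaris.autoinstall.*` authorizations and the `euid=0` exec entries once this package is installed. A comment above the line, e.g. `# Adds installadm administration to the stock System Administrator profile`, together with a short note on the nesting order, would help whoever audits role assignments later.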
--- a/usr/src/lib/install_common/Makefile Tue Apr 24 11:32:55 2012 -0600
+++ b/usr/src/lib/install_common/Makefile Tue Apr 24 11:31:32 2012 -0600
@@ -20,9 +20,11 @@
#
#
-# Copyright (c) 2010, 2011, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2010, 2012, Oracle and/or its affiliates. All rights reserved.
#
+MSG_DOMAIN = solaris_install_common
+
include ../Makefile.lib
all:= TARGET= all
@@ -30,6 +32,8 @@
clobber:= TARGET= clobber
install:= TARGET= install
+ROOTMSGS= $(POFILE:%=$(ROOTUSRSHAREMSGS)/%)
+
SRCPYFILES = __init__.py.src
GENERATEDPYFILES = __init__.py
@@ -38,16 +42,20 @@
PYCMODS= $(PYMODS:%.py=%.pyc)
-CLOBBERFILES = $(GENERATEDPYFILES) $(PYCMODS)
+MSGFILES = $(PYMODS)
+
+CLOBBERFILES = $(GENERATEDPYFILES) $(PYCMODS) $(POFILE)
CLEANFILES = $(CLOBBERFILES)
-all: python
+all: python $(POFILE)
install: all .WAIT \
$(ROOTPYTHONVENDOR) \
$(ROOTPYTHONVENDORSOLINSTALL) \
$(ROOTPYTHONVENDORSOLINSTALLMODS) \
- $(ROOTPYTHONVENDORSOLINSTALLCMODS)
+ $(ROOTPYTHONVENDORSOLINSTALLCMODS) \
+ $(ROOTUSRSHAREMSGS) .WAIT \
+ $(ROOTMSGS)
install_h:
--- a/usr/src/lib/install_common/__init__.py.src Tue Apr 24 11:32:55 2012 -0600
+++ b/usr/src/lib/install_common/__init__.py.src Tue Apr 24 11:31:32 2012 -0600
@@ -37,6 +37,7 @@
import logging
import os
import platform
+import pwd
import re
import shutil
import sys
@@ -51,7 +52,8 @@
from solaris_install.logger import INSTALL_LOGGER_NAME
-_ = gettext.translation('AI', '/usr/share/locale', fallback=True).gettext
+_ = gettext.translation('solaris_install_common', '/usr/share/locale',
+ fallback=True).gettext
# Useful common directories and path pieces
@@ -81,6 +83,13 @@
DTD_PATH_RE = ".*\.dtd\.\d+$"
__dtd_path_regexp = re.compile(DTD_PATH_RE)
+# AUTHORIZATIONS
+PROFILE_AUTH = "solaris.autoinstall.profile"
+MANIFEST_AUTH = "solaris.autoinstall.manifest"
+CLIENT_AUTH = "solaris.autoinstall.client"
+SERVICE_AUTH = "solaris.autoinstall.service"
+AUTHS = "/usr/bin/auths"
+
class CalledProcessError(subprocess.CalledProcessError):
'''Expansion of subprocess.CalledProcessError that may optionally
@@ -102,6 +111,19 @@
return "Command '%s' generated error output" % self.cmd
+class UnauthorizedUserError(Exception):
+ '''Exception raised when the user does not have a specified
+ authorization.
+ '''
+ def __init__(self, auth=None):
+ self.value = _("Insufficient permissions to perform operation.\n"
+ "Authorization <%s> required to perform this "
+ "operation.") % auth
+
+ def __str__(self):
+ return self.value
+
+
class _LogBuffer(object):
'''Class that reads from a filehandle (given by fileno), buffers
the output and dumps to a logger on newlines
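Review bot: `UnauthorizedUserError.__init__` never calls the base initializer, so `err.args` stays empty and only `str(err)` carries the message. Code that logs `repr(err)` or `err.args` gets nothing useful. Adding `Exception.__init__(self, self.value)` at the end of `__init__` fixes that without changing `__str__`. The `auth=None` default also renders as `Authorization <None> required`, so either drop the default or document that callers must pass an authorization name.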
@@ -438,6 +460,21 @@
return None
+class SetUIDasEUID(object):
+ """ SetUIDasEUID - context manager for running section of code
+ with the uid set as the user's euid.
+ """
+ def __enter__(self):
+ ''' set the uid as euid '''
+ self.euid = os.geteuid()
+ self.ruid = os.getuid()
+ os.setuid(self.euid)
+
+ def __exit__(self, *exc_info):
+ ''' reset the uid and euid '''
+ os.setreuid(self.ruid, self.euid)
+
+
# Utility methods to generate paths given files
def system_temp_path(file=None):
''' Return System Temporary Directory, with file string appended'''
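Review bot: The docstring of `SetUIDasEUID` does not say that the uid change is process-wide and that `os.getuid()` returns the effective uid while the block is active. `check_auth_and_euid()` in this same file identifies the invoking user with `pwd.getpwuid(os.getuid())`. Run inside a `with SetUIDasEUID():` block, it would check the authorizations of the effective user (root under the new exec_attr entries) instead of the caller. I would extend the class docstring to state that authorization checks must run before entering the block, that the block should wrap only the child-process call, and that `__exit__` restores the real uid with `os.setreuid(self.ruid, self.euid)`. `__enter__` also returns nothing, so `with SetUIDasEUID() as ctx` binds `None`; `return self` would be the conventional form.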
@@ -498,3 +535,24 @@
else:
# x86 will always be GPT bootable due to GRUB2
return True
+
+
+def check_auth_and_euid(auth):
+ """
+ Checks whether the user has the specified authorization
+ and euid as 0.
+
+ Raises UnauthorizedUserError if euid is not 0 or user
+ doesn't have authorization.
+ """
+ # raise error if euid is not 0
+ if os.geteuid() != 0:
+ raise UnauthorizedUserError(auth)
+
+ user = pwd.getpwuid(os.getuid())[0]
+ cmd = [AUTHS, "check", "-u", user, auth]
+
+ try:
+ run(cmd)
+ except CalledProcessError as err:
+ raise UnauthorizedUserError(auth)
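Review bot: In `check_auth_and_euid`, `pwd.getpwuid(os.getuid())` raises `KeyError` when the real uid has no passwd entry. That escapes as a traceback instead of the `UnauthorizedUserError` that callers such as set_service.py catch. Guarding the lookup with `except KeyError: raise UnauthorizedUserError(auth)` keeps the check failing closed with the intended message. The `euid != 0` branch reports that the authorization is required even when the user holds it but started the command without the execution profile, so a distinct message for that case would be clearer. `as err` in the final handler is unused and can be dropped.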
--- a/usr/src/pkg/manifests/install-installadm.mf Tue Apr 24 11:32:55 2012 -0600
+++ b/usr/src/pkg/manifests/install-installadm.mf Tue Apr 24 11:31:32 2012 -0600
@@ -29,6 +29,14 @@
value="org.opensolaris.category.2008:System/Administration and Configuration"
set name=variant.arch value=$(ARCH)
set name=variant.opensolaris.zone value=global value=nonglobal
+dir path=etc group=sys
+dir path=etc/security group=sys
+dir path=etc/security/auth_attr.d group=sys
+file path=etc/security/auth_attr.d/install%2Finstalladm group=sys
+dir path=etc/security/exec_attr.d group=sys
+file path=etc/security/exec_attr.d/install%2Finstalladm group=sys
+dir path=etc/security/prof_attr.d group=sys
+file path=etc/security/prof_attr.d/install%2Finstalladm group=sys
dir path=lib
dir path=lib/svc
dir path=lib/svc/manifest group=sys
--- a/usr/src/pkg/manifests/install-message-files.mf Tue Apr 24 11:32:55 2012 -0600
+++ b/usr/src/pkg/manifests/install-message-files.mf Tue Apr 24 11:31:32 2012 -0600
@@ -20,7 +20,7 @@
#
#
-# Copyright (c) 2012 Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
#
<transform file path=usr/share/locale/C/(.*) -> set action.hash usr/share/locale/C/%<1>>
@@ -76,6 +76,7 @@
group=other
file path=usr/share/locale/C/LC_MESSAGES/solaris_install_autoinstall.po \
group=other
+file path=usr/share/locale/C/LC_MESSAGES/solaris_install_common.po group=other
file path=usr/share/locale/C/LC_MESSAGES/solaris_install_guiinstall.po \
group=other
file path=usr/share/locale/C/LC_MESSAGES/solaris_install_installadm.po \