Bug 1597 - webstack-ui screws permissions
Status: RESOLVED FIXED
Product: opensolaris
Component: software
Version: unspecified
Platform: ANY/Generic OpenSolaris
Importance: P1 critical
Target Milestone: ---
Assigned To: ludo
Keywords: sst-osp

Reported: 2008-04-25 09:21 UTC by Alexander Vlasov
Modified: 2008-04-29 00:21 UTC

Description Alexander Vlasov 2008-04-25 09:21:04 UTC
Steps to reproduce: 
Install Indiana RC2. Boot it, install webstackui. Run Applications->Developer
Tools->Web stack initialize. Try to run pfexec bash

Actual result: 
no privileges

Expected Results: 
superuser privileges

Additional info: 
System Administrator role has been removed from /etc/user_attrs during
initialization. User is not System Administrator anymore.

Build date and Platform: 
OpenSolaris RC2, Apr 23, 2008
Comment 1 ludo 2008-04-25 15:27:37 UTC
Fix implemented.
Testing it and will publish soon
Comment 2 ludo 2008-04-25 17:02:22 UTC
The workaround is to try to log in as root (su), edit
/etc/user_attr
and add to your user name entry the profile called "Primary Administrator" in
the list of profiles (no "" needed).

An ugly side effect is that, apparently, you cannot shut down via the Desktop
menu.
Comment 3 David Comay 2008-04-25 22:18:25 UTC
Um, I hope that running webstackui isn't going to change any of the system
files such as /etc/user_attr. :-)
Comment 4 ludo 2008-04-26 03:28:45 UTC
Running the initialize script of webstackui once (asking for root passwd, and
telling what will happen) does run the usermod -P command to add the apache22
and mysql5 admin profiles so that the user can start and stop the SMF services for
these runtimes.

The issue with usermod -P is that the -P param has to contain the list of
existing profiles + the 2 new ones for this user. The fix is to now loop via
the profiles command, parse, check if the 2 new profiles are there or not and
add them if not there, and then run the usermod command.

Is there a better way? Not sure why there is no command to add/remove 1 profile
at a time for a given user...
Comment 5 ludo 2008-04-26 04:30:56 UTC
Just testing more on a fresh install.
Does the profile 'Primary Administrator' allow all the actions that the
Apache22 or Mysql profiles could do? It seems to...
If this is true, I could just check if the user has the 'Primary Administrator'
profile, and if yes, not issue the usermod -P command anymore with
additional profiles, since these additional profiles are enabled via the
'Primary Administrator'.

David, let me know, and I'll adapt to this.
Comment 6 David Comay 2008-04-26 14:42:02 UTC
Yes, I suspect that the Primary Administrator profile allows everything that
the Apache and MySQL ones have (and then some, of course.)
Comment 7 ludo 2008-04-26 15:56:13 UTC
Thanks, David.
What is in the indiana dock now contains the fix for this.
If the user has the 'Primary Administrator' profile, no usermod is performed at
all since it is not necessary.
Otherwise, we perform it with the list of profiles + mysql + apache22 ones.
Comment 8 ludo 2008-04-28 00:59:47 UTC
In indiana dock. Not sure when it will show up in IPS, but the fix is delivered.
Comment 9 Vit Hrachovy 2008-04-29 00:21:54 UTC
keyword: sst-osp
Comment 10 ludo 2008-05-02 14:37:46 UTC
*** Bug 1767 has been marked as a duplicate of this bug. ***
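
The merge-before-usermod logic described in comments 4 and 7, sketched as an added example; it is not part of the original thread and is not webstack-ui's code. The profile names in NEW_PROFILES are placeholders (the thread does not give the exact names), the sample user_attr lines are constructed, and the script only prints the usermod command it would run.

```shell
#!/bin/sh
# Profiles the initializer wants to grant. These names are placeholders:
# the thread does not give the exact apache22/mysql5 profile names.
NEW_PROFILES="Apache22 Placeholder Profile,MySQL5 Placeholder Profile"

# Print the comma-separated profiles= value from one user_attr line
# (format: user:qualifier:res1:res2:key=value;key=value...).
current_profiles() {
    printf '%s\n' "$1" | awk -F: '{
        n = split($5, kv, ";")
        for (i = 1; i <= n; i++)
            if (kv[i] ~ /^profiles=/) { sub(/^profiles=/, "", kv[i]); print kv[i] }
    }'
}

# Merge two comma-separated lists: keep the existing order and append only
# entries that are not already present, so nothing the user had is dropped.
merge_profiles() {
    printf '%s,%s\n' "$1" "$2" | awk -F, '{
        out = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "" || seen[$i]++) continue
            out = (out == "" ? $i : out "," $i)
        }
        print out
    }'
}

# Print the usermod command for a user_attr line, or nothing when no change
# is needed. It only prints; it never modifies the system.
plan_usermod() {
    user=${1%%:*}
    have=$(current_profiles "$1")
    case ",$have," in
        *",Primary Administrator,"*) return 0 ;;  # superset profile, skip usermod
    esac
    want=$(merge_profiles "$have" "$NEW_PROFILES")
    [ "$want" = "$have" ] && return 0             # both profiles already granted
    printf 'usermod -P "%s" %s\n' "$want" "$user"
}

# Constructed sample user_attr lines (not taken from the bug report).
plan_usermod 'alice::::profiles=Primary Administrator;roles=root'
plan_usermod 'bob::::type=normal;profiles=Media Backup'
plan_usermod 'carol::::type=normal'
```

Passing only the two new profiles to usermod -P for the first sample line would replace its profile list and drop Primary Administrator, which is the privilege loss reported in this bug.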