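#!/bin/ksh93
# ALTRAN_PROLOG_BEGIN_TAG
# This is an automatically generated prolog.
#
# Copyright (C) Altran ACT S.A.S. 2019,2021. All rights reserved.
#
# ALTRAN_PROLOG_END_TAG
#
# @(#) 7d4c34b 43haes/lib/ksh93/hacmp/KLIB_HACMP_cluster_rbac_refresh.sh, 726, 2147A_aha726, Feb 05 2021 09:50 PM
#============================================================================
#
# Name: KLIB_HACMP_cluster_rbac_refresh
#
# Description: This is the function that is invoked by clmgr rbac_refresh.
#              It reads the "cl_rbac_cmds" file to obtain the list of
#              PowerHA commands and refreshes their RBAC settings by applying
#              the access authorization, innate privileges and inherit
#              privileges identified for each command.
#
#              Each non-comment line of cl_rbac_cmds is read as ':'-separated
#              fields (this is how the cut calls below consume it):
#                field 1: role keyword (ADMIN | OPERATOR | MONITOR | VIEW)
#                field 2: absolute path of the command
#                field 3: innate privileges (may be empty)
#                field 4: inherit privileges (may be empty)
#              NOTE(review): the role keyword is matched anywhere on the
#              line with "grep -w", not strictly in field 1 -- confirm the
#              file layout against cl_rbac_cmds itself.
#
# Globals:   HALIBROOT, CL, HA_BASE_PATH (read)
#            CLMGR_SET, CLMGR_MSGS, RC_ERROR, RC_SUCCESS (read, from the
#            sourced helpers)
# Inputs:
#     NA
# Outputs:
#     Warnings for commands whose fileset is missing (via cl_dspmsg).
#     Diagnostics via log_return_msg.
# Returns:
#     0 -- success
#     1 -- failure
#============================================================================

function KLIB_HACMP_cluster_rbac_refresh {
    . /usr/es/sbin/cluster/cspoc/cl_federatedsec_source
    fsec_init
    . "$HALIBROOT/log_entry" "$0()" "$CL"
    : version=@(#) 7d4c34b 43haes/lib/ksh93/hacmp/KLIB_HACMP_cluster_rbac_refresh.sh, 726, 2147A_aha726, Feb 05 2021 09:50 PM
    : INPUTS: $*

    # Declare and initialize variables.
    # FSECFUNCNAME is presumably read by run_on_allnode (sourced above) -- confirm.
    typeset FSECFUNCNAME="run_on_allnode"
    # File to fetch PowerHA SM commands to categorize roles
    typeset CMDS_FILE="${HA_BASE_PATH}/cspoc/cl_rbac_cmds"
    typeset LINE="" CMD_AUTH="" CMD_PATH="" CMD_PRIVS="" INHERIT_PRIVS=""
    typeset STD_ERR="" fileset="" hacmp_FILES="" X=""
    typeset -i live_update_supported=0

    # Privilege "PV_LIVE_UPDATE" is introduced to support live update feature of AIX.
    # On older AIX levels that lack it, the privilege must be stripped from every
    # inherit privilege list.  The answer does not change per command, so it is
    # determined once here instead of once per line of cl_rbac_cmds.
    if lspriv -v | grep -wq "PV_LIVE_UPDATE"; then
        live_update_supported=1
    fi

    # Reading POWERHASM commands file.
    # "-r" keeps backslashes in paths literal; the "|| [[ -n $LINE ]]" clause
    # still processes a final line that lacks a trailing newline.
    while read -r LINE || [[ -n $LINE ]]; do
        [[ $LINE == \#* ]] && continue

        # The role keyword decides which PowerHASM authorization is granted.
        # CMD_AUTH is reset on every line so that an entry without a keyword
        # cannot silently inherit the authorization of the previous entry.
        CMD_AUTH=""
        if print -r -- "$LINE" | grep -qw "ADMIN"; then
            CMD_AUTH="PowerHASM.admin"
        elif print -r -- "$LINE" | grep -qw "OPERATOR"; then
            CMD_AUTH="PowerHASM.op"
        elif print -r -- "$LINE" | grep -qw "MONITOR"; then
            CMD_AUTH="PowerHASM.mon"
        elif print -r -- "$LINE" | grep -qw "VIEW"; then
            CMD_AUTH="PowerHASM.view"
        fi
        [[ -z $CMD_AUTH ]] && ret_fail "Role not found for entry: $LINE" 1

        CMD_PATH=$(print -r -- "$LINE" | cut -f2 -d":")
        [[ -z $CMD_PATH ]] && ret_fail "Command not found." 1

        # Skipping the further process if command is listed in cl_rbac_cmds but it
        # is not found on the node in any path, as there may be a case
        # that the fileset is not installed.
        # In that case we will continue to enable RBAC for other commands instead of
        # exiting with an error.
        if [[ ! -s $CMD_PATH ]]; then
            # "grep -F" treats the path as a literal string, not a regex.
            fileset=$(lslpp -wc "$CMD_PATH" | grep -F -- "$CMD_PATH" | grep -v "#" | cut -d: -f2)
            if [[ -z $fileset ]]; then
                cl_dspmsg -s "$CLMGR_SET" "$CLMGR_MSGS" 1438 "\nWARNING: Failed to enable \"%1\$s\" for RBAC because fileset is not installed. Please run the operation after installing the missing fileset.\n\n" "$CMD_PATH"
            else
                cl_dspmsg -s "$CLMGR_SET" "$CLMGR_MSGS" 1439 "\nWARNING: Failed to enable \"%1\$s\" for RBAC because \"%2\$s\" is not properly installed. Please run the operation after installing the fileset properly.\n\n" "$CMD_PATH" "$fileset"
            fi
            continue
        fi

        # This can be made more secure with respect to privileges by running each command with all
        # the options. Get a unique list of all the privileges for a particular command.
        # Basically each command has to run for all code paths using "tracepriv" just like truss to
        # get complete list of privileges required to run a particular command.
        # Get innate and inherit privileges for each command in cl_rbac_cmds file
        CMD_PRIVS=$(print -r -- "$LINE" | cut -f3 -d":")
        INHERIT_PRIVS=$(print -r -- "$LINE" | cut -f4 -d":")

        # Remove PV_LIVE_UPDATE from the inherit privilege list on AIX levels where
        # the lvupdate feature is not supported.  The third substitution handles the
        # case where it is the only privilege in the list (no comma to strip).
        if (( live_update_supported == 0 )) && print -r -- "$INHERIT_PRIVS" | grep -wq "PV_LIVE_UPDATE"; then
            INHERIT_PRIVS=$(print -r -- "$INHERIT_PRIVS" | sed "s/,PV_LIVE_UPDATE//g;s/PV_LIVE_UPDATE,//g;s/^PV_LIVE_UPDATE\$//")
        fi

        # Set security attributes and innate privileges identified for the command.
        # Only stderr is captured ("2>&1 >/dev/null": duplicate stderr onto the
        # captured stdout first, then discard the original stdout), so a non-empty
        # STD_ERR reliably means setsecattr reported a failure.  Redirecting both
        # streams to /dev/null would leave STD_ERR always empty and mask failures.
        if [[ -z $CMD_PRIVS ]]; then
            STD_ERR=$(setsecattr -R LDAP -c accessauths="$CMD_AUTH" secflags=FSF_EPS "$CMD_PATH" 2>&1 >/dev/null)
        else
            STD_ERR=$(setsecattr -R LDAP -c accessauths="$CMD_AUTH" innateprivs="$CMD_PRIVS" secflags=FSF_EPS "$CMD_PATH" 2>&1 >/dev/null)
        fi
        if [[ -n $STD_ERR ]]; then
            log_return_msg "$RC_ERROR" "$0()" "$LINENO"
            return $?
        fi

        # Set inherit privileges identified for the command.
        if [[ -n $INHERIT_PRIVS ]]; then
            STD_ERR=$(setsecattr -R LDAP -c inheritprivs="$INHERIT_PRIVS" "$CMD_PATH" 2>&1 >/dev/null)
            if [[ -n $STD_ERR ]]; then
                log_return_msg "$RC_ERROR" "$0()" "$LINENO"
                return $?
            fi
        fi

        # Command "cl_mkvg" requires effective user ID as 0 in order to execute successfully.
        # Set euid to 0 for this utility.
        if print -r -- "$CMD_PATH" | grep -wq "cl_mkvg"; then
            STD_ERR=$(setsecattr -R LDAP -c euid=0 "$CMD_PATH" 2>&1 >/dev/null)
            if [[ -n $STD_ERR ]]; then
                log_return_msg "$RC_ERROR" "$0()" "$LINENO"
                return $?
            fi
        fi
    done < "$CMDS_FILE"

    # Changing file permission so that other users cannot access it unless they have required role.
    # "find -exec ... {} +" passes each path as a separate argument, so names with
    # whitespace are handled; it is also the POSIX form (xargs -i is non-standard).
    run_on_allnode "find /var/hacmp -type f -exec chmod o-rwx {} +" >/dev/null || ret_fail "chmod failed." $?

    # Setting read auths for all hacmp log files.
    # Paths are consumed one per line instead of word-splitting the list, so a
    # path containing whitespace is passed to setsecattr intact.
    hacmp_FILES=$(find /var/hacmp -type f) || ret_fail "finding other log files failed." $?
    while IFS= read -r X; do
        [[ -z $X ]] && continue
        STD_ERR=$(setsecattr -R LDAP -f readauths="PowerHASM.view" "$X" 2>&1 1>/dev/null)
        if [[ -n $STD_ERR ]]; then
            log_return_msg "$RC_ERROR" "$0()" "$LINENO"
            return $?
        fi
    done <<<"$hacmp_FILES"

    log_return_msg "$RC_SUCCESS" "$0()" "$LINENO"
    return $?
} #End of "KLIB_HACMP_cluster_rbac_refresh()"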