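#!/usr/bin/ksh93
# ALTRAN_PROLOG_BEGIN_TAG
# This is an automatically generated prolog.
#
# Copyright (C) Altran ACT S.A.S. 2019,2021. All rights reserved.
#
# ALTRAN_PROLOG_END_TAG
#
# @(#) 7d4c34b 43haes/usr/sbin/cluster/cspoc/utilities/cl_rbac_acl_conf.sh, 726, 2147A_aha726, Feb 05 2021 09:50 PM
#
# Name: cl_rbac_acl_conf
#
# Description:
#   Enables or disables the extended ACL permissions of the ldapha group on a
#   file or directory.  It is called while enabling or disabling the role based
#   access control (RBAC) configuration in PowerHA SystemMirror.  The files and
#   directories concerned, and the permission each one gets, are listed in
#   "cl_rbac_acl_perm_list"; the path and the permission are separated by ':'.
#
# Inputs:
#   file_name - File or directory whose extended ACL permission is enabled or
#               disabled
#   action    - "enable" grants the listed permission to the ldapha group;
#               any other value removes the ldapha group from the ACL
#
# Output:
#   NA
#
# Return:
#   NA (ret_fail is invoked on any mktemp/aclget/aclput failure)

# Source the federated security helpers (provides fsec_init and ret_fail).
. /usr/es/sbin/cluster/cspoc/cl_federatedsec_source
fsec_init

#################################################################
# Global variables
#################################################################
typeset file_name=$1
typeset action=$2
# Field counter; retained for the permit-rewriting logic further down.
typeset -i num_of_fields=0

export PATH="$(/usr/es/sbin/cluster/utilities/cl_get_path all)"
[[ "$VERBOSE_LOGGING" == "high" ]] && set -x

# The list of files or directories for which ACL permission is to be enabled
# or disabled is stored in file "cl_rbac_acl_perm_list".
typeset perms_list_file="/usr/es/sbin/cluster/cspoc/cl_rbac_acl_perm_list"

# Refuse to run without a target: aclget/aclput would otherwise be invoked on "".
[[ -n "$file_name" ]] || ret_fail "Usage: cl_rbac_acl_conf <file_name> <enable|disable>" 1

# Scratch files for the ACL text.  They are created with mktemp instead of
# under fixed names: this script runs with the privileges needed for aclput,
# and a predictable /tmp path could be pre-created or symlinked by another
# local user between the write and the aclput that reads it back.  The EXIT
# trap is installed first so the files are removed on every exit path,
# including a ret_fail after only some of them were created.
trap 'rm -f "$ACL_INFO" "$ACL_TMP" "$ACL_SAVE"' EXIT
ACL_SAVE=$(mktemp /tmp/acl_save.XXXXXX) || ret_fail "mktemp failed!" $?
ACL_INFO=$(mktemp /tmp/acl_info.XXXXXX) || ret_fail "mktemp failed!" $?
ACL_TMP=$(mktemp /tmp/acl_tmp.XXXXXX) || ret_fail "mktemp failed!" $?

# Fetch the ACL information of the input file and store it in file ACL_SAVE.
aclget -o "$ACL_SAVE" "$file_name" || ret_fail "aclget failed!" $?

# Fetch the permission identified for the file.  The path is compared as the
# whole first ':'-separated field rather than used as a grep pattern, so
# "/a/b" no longer also matches the entry for "/a/b/c" and regex
# metacharacters in the path are not interpreted.  Only the first match is
# used.
perms=$(LC_ALL=C awk -F: -v f="$file_name" '$1 == f { print $2; exit }' "$perms_list_file")
# Without a listed permission the enable path would write "permit  g:ldapha",
# which aclput cannot apply; fail early with a clear message instead.
if [[ $action == "enable" && -z "$perms" ]]; then
    ret_fail "no ACL permission listed for $file_name in $perms_list_file" 1
fi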
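if [[ $action == "enable" ]]; then
    # Grant the identified permission to the ldapha group.  aclget output for
    # an AIXC ACL looks like:
    #   * ACL_type AIXC
    #   attributes:
    #   base permissions
    #       owner(root): rwx
    #       group(system): r-x
    #       others: r-x
    #   extended permissions
    #       disabled
    if grep -qw "disabled" "$ACL_SAVE"; then
        # Extended permissions are switched off: turn them on; the permit
        # line for ldapha is appended below.
        sed 's/disabled/enabled/g' "$ACL_SAVE" > "$ACL_INFO"
    elif grep -qw "enabled" "$ACL_SAVE"; then
        # Extended permissions are already on.  The ldapha group may already be
        # present, possibly sharing a permit with other groups that carry a
        # different permission, e.g.
        #   permit rw- g:ldapha,g:group1
        # Drop ldapha from such lists and delete any permit that was for ldapha
        # alone, so the single permit appended below is the only one the group
        # holds:
        #   permit rw- g:group1
        #   permit rwx g:ldapha
        # The three expressions run in order on each line, so a line that just
        # lost "g:ldapha," or ",g:ldapha" is not also deleted.  (Previously the
        # field count came from `grep -q`, which prints nothing, so it was
        # always 0 and the multi-group branch was unreachable.)
        sed -e 's/g:ldapha,//g' -e 's/,g:ldapha//g' -e '/ldapha/d' "$ACL_SAVE" > "$ACL_INFO"
    else
        # Neither "disabled" nor "enabled" was found: add the section state
        # ourselves, then the permit.
        cat "$ACL_SAVE" > "$ACL_INFO"
        printf '\tenabled\n' >> "$ACL_INFO"
    fi
    # printf rather than echo: the leading tab is emitted regardless of echo's
    # escape handling and $perms is never parsed as an option.
    printf '\tpermit %s g:ldapha\n' "$perms" >> "$ACL_INFO"
    aclput -i "$ACL_INFO" "$file_name" || ret_fail "aclput failed" $?
else
    # Any other action disables the ACL configuration for the ldapha group on
    # the input file or directory.  Nothing to do if the group holds no permit.
    if grep -qw "permit.*ldapha" "$ACL_SAVE"; then
        # Remove ldapha from shared permits and delete permits that were for
        # ldapha alone.  Same expressions as the enable path, so a
        # "g:group1,g:ldapha" list keeps group1's permit instead of the whole
        # line being dropped.
        sed -e 's/g:ldapha,//g' -e 's/,g:ldapha//g' -e '/ldapha/d' "$ACL_SAVE" > "$ACL_INFO"
        if grep -qw "permit" "$ACL_INFO"; then
            # Other groups still hold permits: leave extended permissions on.
            aclput -i "$ACL_INFO" "$file_name" || ret_fail "aclput failed" $?
        else
            # ldapha was the only permit: switch extended permissions off.
            sed 's/enabled/disabled/g' "$ACL_INFO" > "$ACL_TMP"
            aclput -i "$ACL_TMP" "$file_name" || ret_fail "aclput failed" $?
        fi
    fi
fi

# Remove all the temporary files created.
rm -f "$ACL_INFO" "$ACL_TMP" "$ACL_SAVE"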