On Thu, Mar 22, 2007 at 02:24:15PM -0700, Michael Shapiro wrote:
> 2.4.1. export changes, introduction of export -a
>
> 'svccfg export' is modified to export the values of properties in
> SPGs as if they had no values, regardless of whether the user performing
> the operation has the required authorization. This prevents accidental
> exposure of sensitive data in XML documents used for interchange
> purposes.
>
> To provide the ability to export documents containing the values of
> sensitive properties, we introduce the '-a' option to the export
> subcommand. With this option, 'export' will export all properties in
> SPGs if the user has sufficient authorization to read them. Otherwise,
> upon encountering a property which cannot be read due to access
> controls, the command terminates and displays an appropriate error
> message.
It's been brought to my attention that the man page diffs for
svccfg(1M) that describe this functionality are incorrect in the case
materials. The only error is that the functionality described here
under export -a was incorrectly defined under a new exportall command.
The above description is the correct one and is unchanged, as is the
behaviour itself. I've attached the corrected svccfg.1m and diffs.
The rest of the materials are correct. The diffs should read as
follows:
--- svccfg.1m.orig Thu Mar 15 11:28:46 2007
+++ svccfg.1m Tue Mar 27 17:53:09 2007
@@ -183,6 +183,15 @@
properties such as service
state, and is suitable for a
relocatable repository backup.
+ If one or more property groups
+ contains sensitive information
+ (identified by the presence of
+ the read_authorization property
+ - see smf_security(5)), and
+ insufficient privileges exist
+ to read the values of the
+ persistent properties in those
+ groups, an error results.
@@ -211,7 +220,8 @@
- export service_FMRI [>file] The service description for the |
+ export [-a] service_FMRI [>file] |
+ The service description for the
specified service and its
instances is written to stan-
dard output or redirected to
@@ -220,7 +230,17 @@
perty set to true are omitted
in the belief that they were
created on behalf of another
- service. |
+ service. Without the -a option, |
+ property groups containing |
+ sensitive information |
+ (identified by the presence of |
+ the read_authorization property |
+ - see smf_security(5)) will be |
+ exported without their property |
+ values. When the -a option is |
+ given, an error results if |
+ there are insufficient |
+ privileges to read these values. |
Apologies for the error.
--
Keith M Wesolowski "Sir, we're surrounded!"
FishWorks "Excellent; we can attack in any direction!"
-------------- next part --------------
System Administration Commands svccfg(1M)
NAME
svccfg - import, export, and modify service configurations
SYNOPSIS
/usr/sbin/svccfg [-v] [-s FMRI]
/usr/sbin/svccfg [-v] [-s FMRI] subcommand [args]...
/usr/sbin/svccfg [-v] [-s FMRI] -f command-file
DESCRIPTION
The svccfg command manipulates data in the service confi-
guration repository. svccfg can be invoked interactively,
with an individual subcommand, or by specifying a command
file that contains a series of subcommands.
Changes made to an existing service in the repository typi-
cally do not take effect for that service until the next
time the service instance is refreshed. See the refresh sub-
command on the svcadm(1M) man page for more details.
OPTIONS
The following options are supported:
-f command-file Reads and executes svccfg subcommands from
command-file.
-s FMRI Selects the entity indicated by FMRI (a
fault management resource identifier)
before executing any subcommands.
-v Verbose.
SUBCOMMANDS
The following subcommands are supported:
SunOS 5.11 Last change: 8 Apr 2005 1
System Administration Commands svccfg(1M)
end Exits immediately.
exit
quit
set [-v|-V] Sets optional behavior. If no options
are specified, set displays the options
currently in effect.
-v Turns on verbose mode.
-V Turns off verbose mode.
repository repfile Uses repfile as a private repository. By
default, svccfg(1M) uses the system
repository.
Service profile subcommands
apply file If file is a service profile, then service
instances specified within the file are
enabled or disabled according to it. See
smf(5) for a description of service pro-
files. This command requires privileges to
modify the "general/enabled" property of
the service instances. See smf_security(5)
for the privileges required to modify pro-
perties. If file is not a service profile,
the subcommand fails.
extract [> file] Prints a service profile which represents
the enabled status of the service
instances in the repository to standard
output. The output may be redirected to a
file.
SunOS 5.11 Last change: 8 Apr 2005 2
System Administration Commands svccfg(1M)
Service manifest subcommands
import file If file is a service manifest,
then the services and instances
it specifies are imported into
the repository. According to
the file, dependencies may be
created in other services. See
smf(5) for a description of
service manifests. See
smf_security(5) for the
privileges required to create
and modify service configura-
tions.
For existing services and
instances, properties which
have not changed since the last
import snapshot was taken are
upgraded to those specified by
the manifest. Conflicts (pro-
perties which have been changed
both in the repository and the
manifest) are reported on the
standard error stream. svccfg
will never upgrade the
"general/enabled" and
"general/restarter" properties,
since they represent adminis-
trator preference.
archive Dumps a full XML service
description for all services,
instances, and their persistent
properties in the repository.
This does not include transient
properties such as service
state, and is suitable for a
relocatable repository backup.
If one or more property groups
contains sensitive information
(identified by the presence of
the read_authorization property
- see smf_security(5)), and
insufficient privileges exist
to read the values of the
persistent properties in those
groups, an error results.
validate file file is processed similarly to
import, but no changes are made
SunOS 5.11 Last change: 8 Apr 2005 3
System Administration Commands svccfg(1M)
to the repository. If any
errors are detected, svccfg(1M)
exits with a nonzero exit
status.
export [-a] service_FMRI [>file]
The service description for the
specified service and its
instances is written to stan-
dard output or redirected to
the given file. Dependencies
with a boolean "external" pro-
perty set to true are omitted
in the belief that they were
created on behalf of another
service. Without the -a option,
property groups containing
sensitive information
(identified by the presence of
the read_authorization property
- see smf_security(5)) will be
exported without their property
values. When the -a option is
given, an error results if
there are insufficient
privileges to read these values.
inventory file If file is determined to be a
service manifest, then the
FMRIs of the services and
instances the file describes
are printed. For each service,
the FMRIs of its instances are
displayed before the FMRI of
the service.
Entity selection, modification, and navigation subcommands
An "entity" refers to a scope, service, or service instance.
select {name | fmri} If the argument names a child of
the current selection, it becomes
the current selection. Otherwise,
the argument is interpreted as an
FMRI and the entity that the
argument specifies becomes the
current selection.
SunOS 5.11 Last change: 8 Apr 2005 4
System Administration Commands svccfg(1M)
unselect The parent of the current selec-
tion becomes the current selec-
tion.
list [pattern] The child entities of the current
selection whose names match the
glob pattern pattern are
displayed (see fnmatch(5)).
':properties' is also listed for
property-bearing entities, namely
services and service instances.
add name A new entity with the given name
is created as a child of the
current selection. See
smf_security(5) for the
privileges required to create
entities.
delete [-f] {name | fmri} The named child of the current
selection or the entity specified
by fmri is deleted. Attempts to
delete service instances in the
"online" or "degraded" state will
fail unless the -f flag is speci-
fied. If a service or service
instance has a "dependents" pro-
perty group of type "framework",
then for each of its properties
with type "astring" or "fmri", if
the property has a single value
which names a service or service
instance then the dependency pro-
perty group in the indicated ser-
vice or service instance with the
same name as the property will be
deleted. See smf_security(5) for
the privileges required to delete
service configurations.
SunOS 5.11 Last change: 8 Apr 2005 5
System Administration Commands svccfg(1M)
Property inspection and modification subcommands
listpg [pattern]
Displays the names, types, and flags of property groups
of the current selection. If an argument is given, it is
taken as a glob pattern and only property groups with
names which match the argument are listed.
addpg name type [flags]
Adds a property group with the given name and type to
the current selection. flags is a string of characters
which designates the flags with which to create the pro-
perty group. 'P' represents SCF_PG_FLAG_NONPERSISTENT
(see scf_service_add_pg(3SCF)). See smf_security(5) for
the privileges required to create property groups.
delpg name
Deletes the property group name of the current selec-
tion. See smf_security(5) for the privileges required to
delete property groups.
listprop [pattern]
Lists property groups and properties of the current
selection. For property groups, names, types, and flags
are listed. For properties, names (prepended by the pro-
perty group name and a slash (/)), types, and values are
listed. See scf_value_create(3SCF) for a list of avail-
able property types. If an argument is supplied it is
taken as a glob pattern and only property groups and
properties with names which match the argument are
listed.
SunOS 5.11 Last change: 8 Apr 2005 6
System Administration Commands svccfg(1M)
setprop pg/name = [type:] value
setprop pg/name = [type:] ([values ...])
Sets the name property of the pg property group of the
current selection to the given values of type type. See
scf_value_create(3SCF) for a list of available property
types. If the property already exists and the type
disagrees with the existing type on the property, the
subcommand fails. Values may be enclosed in double-
quotes. String values which contain double-quotes or
backslashes must be enclosed by double-quotes and the
contained double-quotes and backslashes must be quoted
by backslashes. If the named property does not exist, it
is created, as long as the type is specified. See
smf_security(5) for the privileges required to create or
modify properties.
delprop pg[/name]
Deletes the named property group or property of the
current selection. See smf_security(5) for the
privileges required to delete properties.
editprop
Comments of commands to reproduce the property groups
and properties of the current selection are placed in a
temporary file and the program named by the EDITOR
environment variable is invoked to edit it. Upon comple-
tion, the commands in the temporary file are executed.
The default editor is vi(1). See smf_security(5) for the
privileges required to create, modify, or delete proper-
ties.
addpropvalue pg/name [type:] value
Adds the given value to a property. If type is given and
the property exists, then if type does not agree with
the property's type, the subcommand fails. The values
SunOS 5.11 Last change: 8 Apr 2005 7
System Administration Commands svccfg(1M)
may be enclosed in double-quotes. String values contain-
ing double-quotes or backslashes must be enclosed by
double-quotes and the contained double-quotes and
backslashes must be quoted by backslashes. Nonexistent
properties are created, in which case the type specifier
must be present. See scf_value_create(3SCF) for a list
of available property types. See smf_security(5) for the
privileges required to modify properties.
delpropvalue pg/name globpattern
Deletes all values matching the given glob pattern in
the named property. Succeeds even if no values match.
See smf_security(5) for the privileges required to
modify properties.
setenv [-i | -s] [-m method_name] envvar value
Sets a method environment variable for a service or
instance by changing the "environment" property in the
method_name property group, if that property group has
type "method". If method_name is not specified and the
-i option is used, the "method_context" property group
is used, if an instance is currently selected. If the -s
option is used and a service is currently selected, its
"method_context" property group is used. If the -s
option is used and an instance is currently selected,
the "method_context" property group of its parent is
used. If neither the -i option nor the -s option is
used, the "start" property group is searched for in the
currently selected entity and, if an instance is
currently selected, its parent is also searched. If the
"inetd_start" property group is not located, it is
searched for in a similiar manner.
Once the property is located, all values which begin
with envvar followed by a "=" are removed, and the value
"envvar=value" is added. See smf_security(5) for the
privileges required to modify properties.
SunOS 5.11 Last change: 8 Apr 2005 8
System Administration Commands svccfg(1M)
unsetenv [-i | -s] [-m method_name] envvar value
Removes a method environment variable for a service or
instance by changing the "environment" property in the
method_name property group, if that property group has
type "method". If method_name is not specified and the
-i option is used, the "method_context" property group
is used, if an instance is currently selected. If the -s
option is used and a service is currently selected, its
"method_context" property group is used. If the -s
option is used and an instance is currently selected,
the "method_context" property group of its parent is
used. If neither the -i option nor the -s option is
used, the "start" property group is searched for in the
currently selected entity and, if an instance is
currently selected, its parent is also searched. If the
"inetd_start" property group is not located, it is
searched for in a similiar manner.
Once the property is located, all values which begin
with envvar followed by "=" are removed. See
smf_security(5) for the privileges required to modify
properties.
Snapshot navigation and selection subcommands
listsnap Displays snapshots available for the
currently selected instance.
selectsnap [name] Changes the current snapshot to the one
named by name. If no name is specified,
deselect the currently selected snapshot.
Snapshots are read-only.
revert [snapshot] Reverts the properties of the currently
selected instance and its service to
those recorded in the named snapshot. If
no argument is given, use the currently
SunOS 5.11 Last change: 8 Apr 2005 9
System Administration Commands svccfg(1M)
selected snapshot and deselect it on suc-
cess. The changed property values can be
made active via the refresh subcommand of
svcadm(1M). See smf_security(5) for the
privileges required to change properties.
All commands that accept FMRIs also accept abbreviated or
globbed patterns. Instances and services can be abbreviated
by specifying the instance name, or the trailing portion of
the service name. For example, given the FMRI:
svc:/network/smtp:sendmail
All the following are valid abbreviations:
sendmail
:sendmail
smtp
smtp:sendmail
network/smtp
While the following are invalid:
mail
network
network/smt
Abbreviated forms of FMRIs are unstable, and should not be
used in scripts or other permanent tools. If a pattern
matches more than one instance or service, an error message
is printed and no action is taken.
EXAMPLES
Example 1 Exporting a Service Description
SunOS 5.11 Last change: 8 Apr 2005 10
System Administration Commands svccfg(1M)
To export a service description on the local system:
$ svccfg export dumpadm >/tmp/dump.xml
Example 2 Deleting a Service Instance
To delete a service instance:
$ svccfg delete network/inetd-upgrade:default
Example 3 Importing a Service Description
To interactively import a service description into a private
repository:
$ svccfg
svc:> repository /tmp/repository
svc:> import /home/hjs/svc/box-factory.xml
svc:> end
Example 4 Modifying a Start Method
To modify LD_PRELOAD for a start method and enable the use
of libumem(3LIB) with debugging features active:
$ svccfg -s system/service setenv LD_PRELOAD libumem.so
$ svccfg -s system/service setenv UMEM_DEBUG default
ENVIRONMENTAL VARIABLES
EDITOR The command to run when the editprop subcommand is
used. The default editor is vi(1).
SunOS 5.11 Last change: 8 Apr 2005 11
System Administration Commands svccfg(1M)
EXIT STATUS
The following exit values are returned:
0 Successful execution.
1 One or more subcommands resulted in failure. Error mes-
sages are written to the standard error stream.
2 Invalid command line options were specified.
ATTRIBUTES
See attributes(5) for descriptions of the following attri-
butes:
____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | SUNWcsu |
|_____________________________|_____________________________|
| Interface Stability | See below. |
|_____________________________|_____________________________|
The interactive output is Unstable. The invocation and non-
interactive output are Evolving.
SEE ALSO
svcprop(1), svcs(1), svcadm(1M), svc.configd(1M),
libscf(3LIB), libumem(3LIB), scf_service_add_pg(3SCF),
scf_value_create(3SCF), contract(4), attributes(5),
fnmatch(5), smf(5), smf_method(5), smf_security(5)
SunOS 5.11 Last change: 8 Apr 2005 12
-------------- next part --------------
--- svccfg.1m.orig Thu Mar 15 11:28:46 2007
+++ svccfg.1m Tue Mar 27 17:53:09 2007
@@ -183,6 +183,15 @@
properties such as service
state, and is suitable for a
relocatable repository backup.
+ If one or more property groups
+ contains sensitive information
+ (identified by the presence of
+ the read_authorization property
+ - see smf_security(5)), and
+ insufficient privileges exist
+ to read the values of the
+ persistent properties in those
+ groups, an error results.
@@ -211,7 +220,8 @@
- export service_FMRI [>file] The service description for the
+ export [-a] service_FMRI [>file]
+ The service description for the
specified service and its
instances is written to stan-
dard output or redirected to
@@ -220,7 +230,17 @@
perty set to true are omitted
in the belief that they were
created on behalf of another
- service.
+ service. Without the -a option,
+ property groups containing
+ sensitive information
+ (identified by the presence of
+ the read_authorization property
+ - see smf_security(5)) will be
+ exported without their property
+ values. When the -a option is
+ given, an error results if
+ there are insufficient
+ privileges to read these values.
