works

.gitignore

@@ -0,0 +1,40 @@
+*.tgz*
+# Created by https://www.gitignore.io/api/ruby
+
+### Ruby ###
+*.gem
+*.rbc
+/.config
+/coverage/
+/InstalledFiles
+/pkg/
+/spec/reports/
+/spec/examples.txt
+/test/tmp/
+/test/version_tmp/
+/tmp/
+
+## Specific to RubyMotion:
+.dat*
+.repl_history
+build/
+
+## Documentation cache and generated files:
+/.yardoc/
+/_yardoc/
+/doc/
+/rdoc/
+
+## Environment normalisation:
+/.bundle/
+/vendor/bundle
+/lib/bundler/man/
+
+# for a library or gem, you might want to ignore these files since the code is
+# intended to run in multiple environments; otherwise, check them in:
+# Gemfile.lock
+# .ruby-version
+# .ruby-gemset
+
+# unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
+.rvmrc

.ruby-version

@@ -0,0 +1 @@
+2.3

Gemfile

@@ -0,0 +1,9 @@
+source 'http://rubygems.org'
+
+ruby '2.3.0'
+
+group :development do
+  gem 'guard'
+  gem 'guard-shell', '>= 0.6'
+  gem 'shlint'
+end

Makefile

@@ -0,0 +1,36 @@
+VERSION=0.0.1
+ARCHIVE=manray-$(VERSION).tgz
+CHECKSUM=$(ARCHIVE).md5
+
+all: $(CHECKSUM)
+
+$(CHECKSUM): $(ARCHIVE)
+	md5sum $(ARCHIVE) >$(CHECKSUM)
+
+$(ARCHIVE): clean-archive opt/custom/smf/*.xml opt/custom/smf/manray-load opt/custom/smf/manray-persist
+	tar cv opt | gzip -n >manray-$(VERSION).tgz
+
+lint: shfmt bashate shlint checkbashisms shellcheck
+
+shfmt:
+	stank . | xargs shfmt -w -i 4
+
+bashate:
+	stank . | xargs bashate
+
+shlint:
+	stank . | xargs shlint
+
+checkbashisms:
+	stank . | xargs checkbashisms -n -p
+
+shellcheck:
+	stank . | xargs shellcheck
+
+clean: clean-checksum clean-archive
+
+clean-checksum:
+	-rm *.md5
+
+clean-archive:
+	-rm *.tgz

README.md

@@ -0,0 +1,56 @@
+# manray: RBAC persistence for SmartOS global zones
+
+# EXAMPLE
+
+```console
+$ svcadm disable -s manray-persist
+
+$ passwd
+New password: vagrant
+Re-enter new password: vagrant
+
+$ svcadm enable -s manray-persist
+```
+
+# ABOUT
+
+manray enables modifiable, persistent UNIX user accounts and RBAC configuration for SmartOS global zones, by providing a pair of boot time services: `manray-load` and `manray-persist`, that assist administrators in loading and persisting custom account information.
+
+At boot, `manray-load` copies select configuration files from a `/usbkey` wallet to `/etc`, so that a user `patrick` may login, invoke RBAC privileges with `pfexec`, and so on. Once the `manray-load` service launches, `manray-persist` becomes enabled.
+
+While `manray-persist` is enabled, Patrick sees a read-only edition of `/etc` files. Administrators can disable `manray-persist`, which triggers writeable copies to be injected onto the system. Then, administrators can execute `passwd`, `usermod`, `groupadd`, and so on to modify UNIX user account and RBAC configuration. Finally, the administrator re-renables `manray-persist`, which backs up the configuration to `/usbkey`.
+
+Warning: Changes to UNIX accounts and RBAC configuration will be lost at next boot unless `manray-persist` is re-enabled beforehand.
+
+![Manray hands Patrick his Wallet](https://raw.githubusercontent.com/mcandre/manray/master/manray.png)
+
+# INSTALL
+
+```console
+$ curl -kLO https://github.com/mcandre/manray/releases/download/v0.0.1/manray-0.0.1.tgz
+$ tar xzvf manray-0.0.1.tgz -C /
+$ svccfg import /opt/custom/smf/manray-load.xml
+$ svccfg import /opt/custom/smf/manray-persist.xml
+```
+
+Warning: As SSL certificates are disregarded, the tarball should be verified against official release checksums with the `digest` utility.
+
+# RUNTIME REQUIREMENTS
+
+* SmartOS global zone
+
+# BUILDTIME REQUIREMENTS
+
+* make, e.g. [GNU make](https://www.gnu.org/software/make/)
+* tar, md5sum from coreutils, e.g., [GNU coreutils](https://www.gnu.org/software/coreutils/coreutils.html)
+* a build environment that preserves UNIX file permissions
+* [shfmt](https://github.com/mvdan/sh) (e.g. `go get mvdan.cc/sh/cmd/shfmt`)
+* [bashate](https://pypi.python.org/pypi/bashate/0.5.1)
+* [shlint](https://rubygems.org/gems/shlint)
+* [checkbashisms](https://sourceforge.net/projects/checkbaskisms/)
+* [ShellCheck](https://hackage.haskell.org/package/ShellCheck)
+* [stank](https://github.com/mcandre/stank) (e.g. `go get github.com/mcandre/stank/...`)
+
+# CREDITS
+
+* [vagrant-smartos-packager](https://github.com/vagrant-smartos/vagrant-smartos-packager) - provides a working example of how to setup a virtual machine for SmartOS global zones with persistent, modifiable UNIX accounts

opt/custom/smf/manray-load

@@ -0,0 +1,49 @@
+#!/usr/bin/bash
+
+usage() {
+    echo "Usage: $0 <start|stop>"
+    exit 1
+}
+
+PATRICK='/etc'
+WALLET='/usbkey'
+PERSISTENT_FILES=(/etc/passwd
+    /etc/group
+    /etc/shadow
+    /etc/user_attr
+    /etc/ouser_attr
+    /etc/security/policy.conf
+    /etc/security/auth_attr
+    /etc/security/exec_attr
+    /etc/security/prof_attr)
+
+if [ "$#" -ne 1 ]; then
+    usage
+fi
+
+COMMAND="$1"
+
+case "$COMMAND" in
+start)
+    bootparams | grep '^smartos=true' >/dev/null
+    if [ "$?" -eq 0 ]; then
+        for file in ${PERSISTENT_FILES[*]}; do
+            file_wallet="${WALLET}/$(basename file)"
+
+            if [ -e "$file_wallet" ]; then
+                touch "$file_wallet"
+            fi
+        done
+
+        # Workaround SmartOS misupdating /etc/user_attr at boot
+        if [ -e "${WALLET}/user_attr" ]; then
+            cp "${WALLET}/user_attr" "${PATRICK}/user_attr"
+        fi
+    fi
+    ;;
+stop) ;;
+
+*)
+    usage
+    ;;
+esac

opt/custom/smf/manray-load.xml

@@ -0,0 +1,28 @@
+<?xml version='1.0'?>
+<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
+<service_bundle type='manifest' name='export'>
+  <service name='site/manray-load' type='service' version='0'>
+    <create_default_instance enabled='true'/>
+    <single_instance/>
+    <dependency name='fs-local' grouping='require_all' restart_on='error' type='service'>
+      <service_fmri value='svc:/system/filesystem/local'/>
+    </dependency>
+    <dependency name='fs-root' grouping='require_all' restart_on='error' type='service'>
+      <service_fmri value='svc:/system/filesystem/root'/>
+    </dependency>
+    <method_context/>
+    <exec_method name='start' type='method' exec='/opt/custom/smf/manray-load start' timeout_seconds='60'/>
+    <exec_method name='stop' type='method' exec=':true' timeout_seconds='60'/>
+    <property_group name='startd' type='framework'>
+    <propval name='duration' type='astring' value='transient'/>
+    <propval name='ignore_error' type='astring' value='core,signal'/>
+    </property_group>
+    <property_group name='application' type='application'/>
+    <stability value='Evolving'/>
+    <template>
+      <common_name>
+        <loctext xml:lang='C'>Mount sensitive configuration files from /usbkey to /etc</loctext>
+      </common_name>
+    </template>
+  </service>
+</service_bundle>

opt/custom/smf/manray-persist

@@ -0,0 +1,75 @@
+#!/bin/bash
+
+usage() {
+    echo "Usage: $0 <start|stop>"
+    exit 1
+}
+
+PATRICK='/etc'
+WALLET='/usbkey'
+PERSISTENT_FILES=(/etc/passwd
+    /etc/group
+    /etc/shadow
+    /etc/user_attr
+    /etc/ouser_attr
+    /etc/security/policy.conf
+    /etc/security/auth_attr
+    /etc/security/exec_attr
+    /etc/security/prof_attr)
+
+# Synchronize configuration files bidirectionally between a persisted manray wallet and read-only loopbacks.
+#
+# Usage: seal_wallet
+seal_wallet() {
+    bootparams | grep '^smartos=true' >/dev/null
+    if [ "$?" -eq 0 ]; then
+        for file in ${PERSISTENT_FILES[*]}; do
+            file_wallet="${WALLET}/$(basename $file)"
+
+            mount -p | grep "$file" >/dev/null
+            if [ "$?" -ne 0 ]; then
+                if [[ "$file" -ot "$file_wallet" ]]; then
+                    cp "$file_wallet" "$file"
+                else
+                    cp "$file" "$file_wallet"
+                fi
+
+                touch "$file" "$file_wallet"
+                mount -F lofs "$file_wallet" "$file"
+            fi
+        done
+    fi
+}
+
+# Retract the persisted wallet for a transiently writeable edition of configuration files.
+# Warning: Change will be lost a the next boot unless the wallet is explicitly sealed beforehand.
+#
+# Usage: unseal_wallet
+unseal_wallet() {
+    for file in ${PERSISTENT_FILES[*]}; do
+        file_wallet="${WALLET}/$(basename $file)"
+
+        mount -p | grep "$file" >/dev/null
+        if [ "$?" -eq 0 ]; then
+            umount "$file" && touch "$file"
+        fi
+    done
+}
+
+if [ "$#" -ne 1 ]; then
+    usage
+fi
+
+COMMAND="$1"
+
+case "$COMMAND" in
+start)
+    seal_wallet
+    ;;
+stop)
+    unseal_wallet
+    ;;
+*)
+    usage
+    ;;
+esac

opt/custom/smf/manray-persist.xml

@@ -0,0 +1,28 @@
+<?xml version='1.0'?>
+<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
+<service_bundle type='manifest' name='export'>
+  <service name='site/manray-persist' type='service' version='0'>
+    <create_default_instance enabled='true'/>
+    <single_instance/>
+    <dependency name='filesystem' grouping='require_all' restart_on='error' type='service'>
+      <service_fmri value='svc:/system/filesystem/local'/>
+    </dependency>
+    <dependency name='userfiles' grouping='require_all' restart_on='error' type='service'>
+      <service_fmri value='svc:/site/manray-load'/>
+    </dependency>
+    <method_context/>
+    <exec_method name='start' type='method' exec='/opt/custom/smf/manray-persist start' timeout_seconds='60'/>
+    <exec_method name='stop' type='method' exec='/opt/custom/smf/manray-persist stop' timeout_seconds='60'/>
+    <property_group name='startd' type='framework'>
+      <propval name='duration' type='astring' value='transient'/>
+      <propval name='ignore_error' type='astring' value='core,signal'/>
+    </property_group>
+    <property_group name='application' type='application'/>
+    <stability value='Evolving'/>
+    <template>
+      <common_name>
+        <loctext xml:lang='C'>Bidirectionally synchronize sensitive configuration files between /usbkey and /etc</loctext>
+      </common_name>
+    </template>
+  </service>
+</service_bundle>