UNIX TOOLS

    The addition of DB support to RATS implies that a number of standard UNIX tools will no longer function. This is generally true for any tool that needs to modify the password, shadow, and group files. Tools that only look up information in these files should continue to work as usual if they are "well behaved", by which we mean that they use the standard get*() calls, which obey the nsswitch.conf rules. Applications which are "ill behaved" from this point of view are unlikely to work well now, and we are not very worried about supporting them.
    As far as we can tell, there are three main classes of applications which modify the standard UNIX flat files rather than only reading them. The first class comprises the standard Solaris account manipulation tools such as useradd, userdel, groupadd, groupdel and so on. We do not believe that anyone currently uses these tools on systems which would also run the RATS system with DB support enabled. Consequently, we do not intend to modify these tools, provide replacements, or generally worry about them any further. In the extreme case we will provide a complete (or as complete as possible) list of these applications, with the recommendation to disable them by changing their permissions.
    The second class of tools consists of those used by end users to modify various attributes of their accounts. Primary among these are chfn, passwd and chsh. In keeping with the trend of moving some of our services and applications to the Web, these tools will be redesigned as Web-based applications. We will perhaps also provide small replacements for the current CLI tools which will point the users to the appropriate web page. Since these are fairly simple tools, we will not go into the details of their implementation at this time, other than to state that we will use them as templates for behavior and functionality as closely as possible while ensuring that they remain reasonably secure with the move to the web.
    Finally, the third class contains those tools used by the system administrator for various daily needs. Chief among these is vipw. I always believed that there should be a group file equivalent, so we shall address that as well in this section. As far as we can tell, there are two major uses for this class of tools: small changes and large bulk changes. However, in the current model, both kinds of changes perform the same type of locking and manipulation of the appropriate files. These locks are relatively long lived compared with the operations performed by RATS. Since the purpose of the DB support is to eliminate or minimize lock contention, we plan to offer two different types of tools to replace the current ones. The first type of tool would be used for large changes to multiple users, which would require a large amount of system administrator work and during which no other changes are expected or desired. To do this we will provide a set of tools (perhaps even maintaining the vipw naming scheme) which would perform a DB lock, dump the contents to a file and run the system administrator's favorite editor on the resulting file. When all changes have been completed, the DB tables would be reloaded from the changed file, and the DB would be unlocked. Obviously, no other RATS process would be able to run during this time. However, for smaller changes, which may involve only one or two modifications to the records of only one or two users, RATS will provide a Web interface to the live DB data, which will involve no locks or disruption of service. Furthermore, this tool would provide quite a bit more functionality than described here, so a whole section of this design document is dedicated to it.
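
The bulk-change procedure described above (lock, dump, edit, reload, unlock), sketched as an added example that is not part of the RATS design or code. It assumes SQLite as a stand-in for the DB, a hypothetical `passwd` table with the seven standard fields, and hypothetical function names; it also validates the edited file before reloading, a step the text above does not specify.

```python
import os, sqlite3, subprocess, tempfile

COLS = "name, passwd, uid, gid, gecos, home, shell"  # assumed table layout

def parse_passwd(text):
    """Validate edited passwd-format text; raise ValueError on a bad record."""
    rows, seen = [], set()
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) != 7 or not f[0] or f[0] in seen:
            raise ValueError(f"line {n}: malformed or duplicate entry")
        if not (f[2].isdigit() and f[3].isdigit()):
            raise ValueError(f"line {n}: uid/gid must be numeric")
        seen.add(f[0])
        rows.append((f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6]))
    return rows

def run_editor(path):
    """Run the administrator's editor on the dump, as vipw does."""
    subprocess.run([os.environ.get("EDITOR", "vi"), path], check=True)

def bulk_edit(db_path, edit=run_editor):
    """Lock the DB, dump to a private file, edit, validate, reload, unlock."""
    db = sqlite3.connect(db_path, isolation_level=None)  # explicit transactions
    fd, tmp = tempfile.mkstemp(prefix="ratspw.")         # created with mode 0600
    try:
        with os.fdopen(fd, "w") as out:
            db.execute("BEGIN EXCLUSIVE")                # the long-lived DB lock
            for row in db.execute(f"SELECT {COLS} FROM passwd ORDER BY uid"):
                out.write(":".join(map(str, row)) + "\n")
        edit(tmp)
        with open(tmp) as src:
            rows = parse_passwd(src.read())              # reject before touching the table
        db.execute("DELETE FROM passwd")
        db.executemany("INSERT INTO passwd VALUES (?,?,?,?,?,?,?)", rows)
        db.execute("COMMIT")                             # reload done; lock released
        return len(rows)
    except Exception:
        if db.in_transaction:
            db.execute("ROLLBACK")                       # failed edit leaves the table as it was
        raise
    finally:
        os.unlink(tmp)                                   # the dump holds password hashes
        db.close()
```

Because the reload happens inside the same exclusive transaction that took the lock, an editor crash or a malformed record rolls back to the original table rather than leaving it half loaded.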