#!/bin/sh # # CDDL HEADER START # # The contents of this file are subject to the terms of the # Common Development and Distribution License (the "License"). # You may not use this file except in compliance with the License. # # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE # or http://www.opensolaris.org/os/licensing. # See the License for the specific language governing permissions # and limitations under the License. # # When distributing Covered Code, include this CDDL HEADER in each # file and include the License file at usr/src/OPENSOLARIS.LICENSE. # If applicable, add the following below this CDDL HEADER, with the # fields enclosed by brackets "[]" replaced with your own identifying # information: Portions Copyright [yyyy] [name of copyright owner] # # CDDL HEADER END # # # Copyright 2008 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # CLEANUP_FILE=/tmp/CLEANUP PAM_TMP=/tmp/pam_conf.$$ KERB_ENTRIES=$PAM_TMP/scr.$$ PPP_ENTRIES=$PAM_TMP/scp.$$ CRON_ENTRIES=$PAM_TMP/scc.$$ CUPS_ENTRIES=$PAM_TMP/scd.$$ mkdir $PAM_TMP || exit 1 PATH="/usr/bin:/usr/sbin:${PATH}" export PATH setup_kerb_changes() { # # No comments or blanks lines allowed in entries below # cat > ${KERB_ENTRIES} << EOF krlogin auth required pam_unix_cred.so.1 krlogin auth required pam_krb5.so.1 krsh auth required pam_unix_cred.so.1 krsh auth required pam_krb5.so.1 ktelnet auth required pam_unix_cred.so.1 ktelnet auth required pam_krb5.so.1 EOF } setup_ppp_changes() { # # No comments or blanks lines allowed in entries below # cat > ${PPP_ENTRIES} << EOF ppp auth requisite pam_authtok_get.so.1 ppp auth required pam_dhkeys.so.1 ppp auth required pam_unix_cred.so.1 ppp auth required pam_unix_auth.so.1 ppp auth required pam_dial_auth.so.1 EOF } setup_cron_changes(){ # # No comments or blanks lines allowed in entries below # cat > ${CRON_ENTRIES} << EOF cron account required pam_unix_account.so.1 EOF } setup_cups_changes(){ # # No comments or blanks lines allowed in entries below # cat > ${CUPS_ENTRIES} << EOF cups account required pam_unix_account.so.1 EOF } # Returns zero (success) if system is labeled (aka Trusted Extensions). # 1 otherwise. # is_system_labeled() { [ ! -x /bin/plabel ] && return 1 /bin/plabel > /dev/null 2>&1 return $? } # Add any entries for Trusted Extensions, during initial install. # This is dependent on whether TX is enabled. add_tx_entries() { is_system_labeled if [ $? = 0 ] ; then grep '^[ ]*other.*account.*pam_tsol_account' $dest \ > /dev/null 2>&1 if [ $? -ne 0 ] ; then # Append new entry cat >> $dest << EOF other account required pam_tsol_account.so.1 EOF echo "${dest} entry added for Trusted Extensions; \c" \ >> ${CLEANUP_FILE} fi fi } # setup_kerb_changes setup_ppp_changes setup_cron_changes setup_cups_changes while read src dest do if [ ! -f $dest ] ; then cp $src $dest # Dynamically add any entries for Trusted Extensions if it's enabled add_tx_entries else echo "${dest} default entries updated, \c" \ >> ${CLEANUP_FILE} echo "please examine/update customized entries" \ >> ${CLEANUP_FILE} # #Update pam.conf with relative pathname # if grep '/usr/lib/security/$ISA/pam_' $dest > /dev/null 2>&1; then sed 's,/usr/lib/security/$ISA/, ', \ $dest > /tmp/pamconf.$$ cp /tmp/pamconf.$$ $dest rm -f /tmp/pamconf.$$ fi if grep '/usr/lib/security/pam_' $dest > /dev/null 2>&1; then sed 's,/usr/lib/security/, ', \ $dest > /tmp/pamconf.$$ cp /tmp/pamconf.$$ $dest rm -f /tmp/pamconf.$$ fi # # Update pam.conf with entries for PAM modules pam_authtok_get, # pam_authtok_check, pam_authtok_store, pam_unix_auth, pam_unix_account, # pam_unix_cred, pam_unix_session, pam_dhkeys and pam_passwd_auth # echo "${dest} updating pam_unix with default PAM entries \c" \ >> ${CLEANUP_FILE} echo "please examine/update any new entries" \ >> ${CLEANUP_FILE} nawk '/^#/ { print; next } \ $4 ~ /pam_unix.so/ && $2 == "auth" { \ print $1 "\t" $2 " " "requisite\t\t" \ "pam_authtok_get.so.1"; \ print $1 "\t" $2 " " $3 "\t\t" \ "pam_dhkeys.so.1"; \ print $1 "\t" $2 " " $3 "\t\t" \ "pam_unix_cred.so.1"; \ print $1 "\t" $2 " " $3 "\t\t" \ "pam_unix_auth.so.1"; \ next \ } \ $4 ~ /pam_passwd_auth.so.1/ && $2 == "auth" { \ if ($1 == "passwd") \ passwd_seen = 1;\ }\ $4 ~ /pam_rhosts_auth/ && $1 == "rsh" && $3 == "required" { \ print $1 "\t" $2 " " "sufficient\t\t" $4; \ print $1 "\t" $2 " " "required\t\t" "pam_unix_cred.so.1"; \ next \ }\ $4 ~ /pam_unix_cred/ && $3 == "required" { \ cred_seen = 1;\ print; \ next \ }\ $4 ~ /pam_unix_auth/ && $1 == "rsh" && $3 == "required" { \ if (cred_seen == 0) { \ print $1 "\t" $2 " " "required\t\t" \ "pam_unix_cred.so.1"; \ } \ next \ } \ $4 ~ /pam_unix_auth/ && $3 == "required" { \ if (cred_seen == 0) { \ print $1 "\t" $2 " " "required\t\t" \ "pam_unix_cred.so.1"; \ } \ print ; \ next \ }\ END { if (passwd_seen == 0) { \ print "passwd" "\t" "auth required\t\t" \ "pam_passwd_auth.so.1"; \ } \ } \ $4 ~ /pam_unix.so/ && $2 == "account" { \ print $1 "\t" $2 " " $3 "\t\t" \ "pam_unix_account.so.1"; \ next \ } \ $4 ~ /pam_unix.so/ && $2 == "session" { \ print $1 "\t" $2 " " $3 "\t\t" \ "pam_unix_session.so.1"; \ next \ } \ $4 ~ /pam_unix.so/ && $2 == "password" { \ print $1 "\t" $2 " " $3 "\t\t" \ "pam_dhkeys.so.1"; \ print $1 "\t" $2 " " "requisite\t\t" \ "pam_authtok_get.so.1"; \ print $1 "\t" $2 " " "requisite\t\t" \ "pam_authtok_check.so.1"; \ print $1 "\t" $2 " " $3 "\t\t" \ "pam_authtok_store.so.1"; \ next \ } \ { print }' $dest > /tmp/pamconf.$$ cp /tmp/pamconf.$$ $dest rm -f /tmp/pamconf.$$ # #update pam.conf with entries for roles # grep 'pam_roles.so' $dest > /dev/null 2>&1 if [ $? = 1 ] ; then echo "${dest} updating default entries for roles, \c" \ >> ${CLEANUP_FILE} echo "please examine/update any new entries" \ >> ${CLEANUP_FILE} nawk '/^#/ { print; next } \ $4 ~ /pam_role_auth/ { next } \ $2 == "account" && $4 ~ /pam_unix/ { \ print $1 "\t" $2 " requisite\t\t" \ "pam_roles.so.1"; \ print; \ next \ } \ { print }' $dest > /tmp/pamconf.$$ cp /tmp/pamconf.$$ $dest rm -f /tmp/pamconf.$$ fi # #update pam.conf with entries for projects # grep 'pam_projects.so' $dest > /dev/null 2>&1 if [ $? = 0 ] ; then echo "${dest} removing pam_project.so" >> ${CLEANUP_FILE} grep -v pam_projects.so $dest > /tmp/pamconf.$$ cp /tmp/pamconf.$$ $dest rm -f /tmp/pamconf.$$ fi # # update pam.conf to append PPP entries if not already present # (note: default list above already has role added, so we # must do this after the upgrade above has run.) # rm -f /tmp/pamconf.$$ while read e1 e2 e3 e4 e5 do # See if the entry already exists grep \ "^[# ]*$e1[ ][ ]*$e2[ ][ ]*$e3[ ][ ]*$e4" \ $dest >/dev/null 2>&1 if [ $? = 1 ] ; then # Doesn't exist, enter into pam.conf echo "$e1\t$e2 $e3\t\t$e4 $e5" >> /tmp/pamconf.$$ fi done < ${PPP_ENTRIES} # Append PPP lines if any were not present already. if [ -f /tmp/pamconf.$$ ] ; then cat /tmp/pamconf.$$ >> $dest echo "${dest} updating entries for PPP; \c" \ >> ${CLEANUP_FILE} echo "please examine/update any new entries" \ >> ${CLEANUP_FILE} rm -f /tmp/pamconf.$$ fi # # update pam.conf to append cron entries if not already present # (note: the kerberos default list above already has the cron entried added.) # rm -f /tmp/pamconf.$$ while read e1 e2 e3 e4 e5 do # See if the entry already exists grep \ "^[# ]*$e1[ ][ ]*$e2[ ][ ]*$e3[ ][ ]*$e4" \ $dest >/dev/null 2>&1 if [ $? = 1 ] ; then # Doesn't exist, enter into pam.conf echo "$e1\t$e2 $e3\t\t$e4 $e5" >> /tmp/pamconf.$$ fi done < ${CRON_ENTRIES} # Append cron lines if any were not present already. if [ -f /tmp/pamconf.$$ ] ; then cat /tmp/pamconf.$$ >> $dest echo "${dest} updating entries for cron, \c" \ >> ${CLEANUP_FILE} echo "please examine/update any new entries" \ >> ${CLEANUP_FILE} rm -f /tmp/pamconf.$$ fi # # update pam.conf to append cups entries if not already present # rm -f /tmp/pamconf.$$ while read e1 e2 e3 e4 e5 do # See if the entry already exists grep \ "^[# ]*$e1[ ][ ]*$e2[ ][ ]*$e3[ ][ ]*$e4" \ $dest >/dev/null 2>&1 if [ $? = 1 ] ; then # Doesn't exist, enter into pam.conf echo "$e1\t$e2 $e3\t\t$e4 $e5" >> /tmp/pamconf.$$ fi done < ${CUPS_ENTRIES} # Append cups lines if any were not present already. if [ -f /tmp/pamconf.$$ ] ; then cat /tmp/pamconf.$$ >> $dest echo "${dest} updating entries for cups, \c" \ >> ${CLEANUP_FILE} echo "please examine/update any new entries" \ >> ${CLEANUP_FILE} rm -f /tmp/pamconf.$$ fi # # update pam.conf to remove the rlogin entry that uses pam_krb5.so.1 # rm -f /tmp/pamconf.$$ sed -e "/^[# ]*rlogin.*pam_krb5.so.1/d" \ $dest > /tmp/pamconf.$$ if [ $? -ne 0 ]; then echo "Couldn't edit /tmp/pamconf.$$, rlogin lines have not been \ updated to remove pam_krb5.so.1." \ >> ${CLEANUP_FILE} else cp /tmp/pamconf.$$ $dest fi # # update pam.conf to remove obsolete flags used with pam_krb5.so.1 # rm -f /tmp/pamconf.$$ sed -e "s/\(pam_krb5.so.1.*\)acceptor/\1/g" \ -e "s/\(pam_krb5.so.1.*\)use_first_pass/\1/g" \ -e "s/\(pam_krb5.so.1.*\)try_first_pass/\1/g" \ -e "s/\(pam_krb5.so.1.*\)use_xfn_pass/\1/g" \ -e "s/\(pam_krb5.so.1.*\)try_xfn_pass/\1/g" \ $dest > /tmp/pamconf.$$ if [ $? -ne 0 ]; then echo "Couldn't edit /tmp/pamconf.$$ to remove obsolete flags: \ acceptor, use_first_pass, try_first_pass, use_xfn_pass, try_xfn_pass." \ >> ${CLEANUP_FILE} else cp /tmp/pamconf.$$ $dest fi # # update pam.conf to remove the unnecessary unix_auth entries for the # kerberized services. # rm -f /tmp/pamconf.$$ sed -e "/^[# ]*krlogin[ ]*auth[ ]*.*[ ]*pam_unix_auth.so.1/d" \ -e "/^[# ]*krsh[ ]*auth[ ]*.*[ ]*pam_unix_auth.so.1/d" \ -e "/^[# ]*ktelnet[ ]*auth[ ]*.*[ ]*pam_unix_auth.so.1/d" \ -e "s/^\([# ]*krlogin[ ]*auth[ ]*\)binding/\1required/" \ -e "s/^\([# ]*krsh[ ]*auth[ ]*\)binding/\1required/" \ -e "s/^\([# ]*ktelnet[ ]*auth[ ]*\)binding/\1required/" \ $dest > /tmp/pamconf.$$ if [ $? -ne 0 ]; then echo "Couldn't edit /tmp/pamconf.$$, krlogin, krsh, ktelnet may \ still have pam_unix_auth in their stacks." \ >> ${CLEANUP_FILE} else cp /tmp/pamconf.$$ $dest fi # # update pam.conf to append kerberos entries if not already present # rm -f /tmp/pamconf.$$ cat ${KERB_ENTRIES} | (while read e1 e2 e3 e4 e5 do # See if the entry already exists grep \ "^[# ]*$e1[ ][ ]*$e2[ ][ ]*$e3[ ][ ]*$e4" \ $dest >/dev/null 2>&1 if [ $? = 1 ] ; then # Check if service name is 'dtlogin' and it is # mentioned explicitly, then add kerberos 'dtlogin' if [ $e1 = "dtlogin" ]; then if grep "^[# ]*$e1[ ][ ]*$e2[ ]" \ $dest >/dev/null 2>&1; then echo "$e1\t$e2 $e3\t\t$e4 $e5" >> /tmp/pamconf.$$ fi else # Doesn't exist, enter into pam.conf echo "$e1\t$e2 $e3\t\t$e4 $e5" >> \ /tmp/pamconf.$$ fi else # Does exist. To maintain proper stacking order: remove it # and append it to the bottom of the conf file. grep "^[# ]*$e1[ ][ ]*$e2[ ][ ]*$e3[ ][ ]*$e4" \ $dest >> /tmp/pamconf.$$ 2>/dev/null sed -e "/^[# ]*$e1[ ][ ]*$e2[ ][ ]*$e3[ ][ ]*$e4/d" \ $dest > /tmp/pamconf2.$$ mv /tmp/pamconf2.$$ $dest fi done) # Append kerberos lines if any were not present already. if [ -f /tmp/pamconf.$$ ] ; then cat /tmp/pamconf.$$ >> $dest echo "${dest} updating entries to add kerberos, \c" \ >> ${CLEANUP_FILE} echo "please examine/update any new entries" \ >> ${CLEANUP_FILE} rm -f /tmp/pamconf.$$ fi # # notify pam_ldap users to manually intervene and examine/update their pam.conf # due to the change in pam_ldap functionalty. # grep '^[^#].*pam_ldap.so' $dest > /dev/null 2>&1 if [ $? = 0 ] ; then echo "${dest} please examine/update the pam_ldap configuration \c" \ >> ${CLEANUP_FILE} echo "because its functionality has changed, \c" \ >> ${CLEANUP_FILE} echo "refer to pam_ldap(5) documentation for more information" \ >> ${CLEANUP_FILE} fi fi done # rm -rf $PAM_TMP exit 0