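#!/bin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
#ident	"%Z%%M% %I% %E% SMI"
#
# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
#
# Install/merge script for policy.conf(4).
#
# Reads "src dest" path pairs on stdin, one pair per line (the calling
# convention of a pkgadd class action script; the caller is not visible
# here).  If $dest does not exist it is simply copied from $src.  If it
# exists it is merged in place:
#
#   - the copyright/ident header is taken from $src;
#   - the body of $dest is kept, with commented-out AUTHS_GRANTED and
#     PROFS_GRANTED lines activated, PROFS_GRANTED=Default replaced, and
#     trailing spaces stripped;
#   - PROFS_GRANTED and CONSOLE_USER lines are inserted if absent;
#   - crypt(3c), privileges(5) and LOCK_AFTER_RETRIES stanzas are appended
#     if absent.
#
# Every addition an administrator should review is logged to $CLEANUP_FILE.
#
# Environment:  CLEANUP_FILE - path of the post-install notes file.  It is
#               only appended to; it must be set by the caller, otherwise
#               the ">>" redirections fail.
#
# Written for the Solaris Bourne shell: no "!" negation, no [[ ]], no
# arrays.  All path expansions are double-quoted so a path containing
# whitespace or glob characters is handled as a single argument.
#

PATH="/usr/bin:/usr/sbin:${PATH}"
export PATH

# Replacement lines written into an existing policy.conf.
ag="AUTHS_GRANTED=solaris.device.cdrw"
pg="PROFS_GRANTED=Basic Solaris User"
wo="CONSOLE_USER=Console User"

# NOTE: "read" without -r so the script still runs on shells that lack it;
# a backslash in a path would therefore be interpreted.  Extra fields on a
# line end up in $dest.
while read src dest
do
	if [ ! -f "$dest" ] ; then
		# Fresh install: no merge needed.  A cp failure is not
		# checked, matching the original best-effort behaviour.
		cp "$src" "$dest"
		continue
	fi

	#
	# Scratch file next to $dest (same filesystem), named by PID.
	# policy.conf lives in a root-owned directory, so the predictable
	# name is not exposed to other users; do not reuse this pattern
	# for world-writable locations.
	#
	tmp="$dest.$$"

	#
	# Header (everything before the first non-comment line) comes
	# from the new file ...
	#
	sed -n -e '/^[^#]/q;p' < "$src" > "$tmp"

	#
	# ... the rest comes from the existing file, with AUTHS_GRANTED /
	# PROFS_GRANTED updated and trailing spaces stripped.
	#
	sed -n \
	    -e "s/^#AUTHS_GRANTED=$/$ag/" \
	    -e "s/^#PROFS_GRANTED=$/$pg/" \
	    -e "s/^PROFS_GRANTED=Default/$pg/" \
	    -e "s/ *$//" \
	    -e '/^[^#]/,$p' < "$dest" >> "$tmp"

	#
	# No PROFS_GRANTED line at all (or grep could not read $dest):
	# insert the default right after AUTHS_GRANTED.  The result is
	# bounced through $dest and back into $tmp so that the
	# CONSOLE_USER step below always starts from $tmp.
	#
	grep 'PROFS_GRANTED=' "$dest" > /dev/null 2>&1
	if [ $? != 0 ] ; then
		sed < "$tmp" > "$dest" -e "/^AUTHS_GRANTED=/a\\
$pg"
		cat "$dest" > "$tmp"
	fi

	#
	# Insert CONSOLE_USER after PROFS_GRANTED if it is missing; either
	# way the merged content ends up in $dest.
	#
	if grep 'CONSOLE_USER=' "$dest" > /dev/null 2>&1
	then
		cat "$tmp" > "$dest"
	else
		sed < "$tmp" > "$dest" -e "/^PROFS_GRANTED=/a\\
$wo"
		echo "${dest} updating entries for CONSOLE_USER," \
		    "see policy.conf(4) for details." \
		    >> "${CLEANUP_FILE}"
	fi
	rm -f "$tmp"

	#
	# The stanzas below are appended only when grep exits 1 (pattern
	# genuinely absent).  Exit 2 (e.g. unreadable file) deliberately
	# appends nothing.
	#

	grep 'CRYPT_' "$dest" > /dev/null 2>&1
	if [ $? = 1 ] ; then
		echo "${dest} updating entries for crypt(3c)," \
		    "see policy.conf(4) for details." \
		    >> "${CLEANUP_FILE}"
		cat >> "$dest" <<EOM
# crypt(3c) Algorithms Configuration
#
# CRYPT_ALGORITHMS_ALLOW specifies the algorithms that are allowed to
# be used for new passwords. This is enforced only in crypt_gensalt(3c).
#
CRYPT_ALGORITHMS_ALLOW=1,2a,md5

# To deprecate use of the traditional unix algorithm, uncomment below
# and change CRYPT_DEFAULT= to another algorithm. For example,
# CRYPT_DEFAULT=1 for BSD/Linux MD5.
#
#CRYPT_ALGORITHMS_DEPRECATE=__unix__

# The Solaris default is the traditional UNIX algorithm. This is not
# listed in crypt.conf(4) since it is internal to libc. The reserved
# name __unix__ is used to refer to it.
#
CRYPT_DEFAULT=__unix__
EOM
	fi

	grep PRIV_ "$dest" > /dev/null 2>&1
	if [ $? = 1 ] ; then
		echo "${dest} updating entries for privileges(5)," \
		    "see policy.conf(4) for details." \
		    >> "${CLEANUP_FILE}"
		cat >> "$dest" <<EOM
#
# These settings determine the default privileges users have. If not set,
# the default privileges are taken from the inherited set.
# There are two different settings; PRIV_DEFAULT determines the default
# set on login; PRIV_LIMIT defines the Limit set on login.
# Individual users can have privileges assigned or taken away through
# user_attr. Privileges can also be assigned to profiles in which case
# the users with those profiles can use those privileges through pfexec(1m).
# For maximum future compatibility, the specifications should
# always include "basic" or "all"; privileges should then be removed using
# the negation. E.g., PRIV_LIMIT=all,!sys_linkdir takes away only the
# sys_linkdir privilege, regardless of future additional privileges.
# Similarly, PRIV_DEFAULT=basic,!file_link_any takes away only the
# file_link_any privilege from the basic privilege set; only that notation
# is immune from a future addition of currently unprivileged operations to
# the basic privilege set.
# NOTE: removing privileges from the the Limit set requires EXTREME care
# as any set-uid root program may suddenly fail because it lacks certain
# privilege(s).
#
#PRIV_DEFAULT=basic
#PRIV_LIMIT=all
EOM
	fi

	grep 'LOCK_AFTER_RETRIES' "$dest" > /dev/null 2>&1
	if [ $? = 1 ] ; then
		echo "${dest} updating entry for LOCK_AFTER_RETRIES," \
		    "see pam_unix_auth(5) for details." \
		    >> "${CLEANUP_FILE}"
		cat >> "$dest" <<EOM
#
# LOCK_AFTER_RETRIES specifies the default account locking policy for local
# user accounts (passwd(4)/shadow(4)). The default may be overridden by
# a user's user_attr(4) "lock_after_retries" value.
# YES enables local account locking, NO disables local account locking.
# The default value is NO.
#
#LOCK_AFTER_RETRIES=NO
EOM
	fi
done

exit 0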