OpenSolaris_b135/pkgdefs/common_files/i.policyconf

#!/bin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
#ident	"%Z%%M%	%I%	%E% SMI"
#
# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#

PATH="/usr/bin:/usr/sbin:${PATH}"
export PATH

while read src dest
do
	if [ ! -f $dest ] ; then
		cp $src $dest
	else
		#
		# Copy copyright and ident from new file ($src);
		# update the AUTHS_GRANTED and PROFS_GRANTED field.
		# Add the latter if it does not exist.
		# Strip trailing spaces.
		#
		ag="AUTHS_GRANTED=solaris.device.cdrw"
		pg="PROFS_GRANTED=Basic Solaris User"
		wo="CONSOLE_USER=Console User"
		sed -n -e '/^[^#]/q;p' < $src > $dest.$$
		sed -n \
		    -e "s/^#AUTHS_GRANTED=$/$ag/" \
		    -e "s/^#PROFS_GRANTED=$/$pg/" \
		    -e "s/^PROFS_GRANTED=Default/$pg/" \
		    -e "s/  *$//" \
		    -e '/^[^#]/,$p' < $dest >> $dest.$$

		grep 'PROFS_GRANTED=' $dest > /dev/null 2>&1
		if [ $? != 0 ] ; then
			sed < $dest.$$ > $dest -e "/^AUTHS_GRANTED=/a\\
$pg"
			cat $dest > $dest.$$
		fi

		if grep 'CONSOLE_USER=' $dest > /dev/null 2>&1
		then
			cat $dest.$$ > $dest
		else
			sed < $dest.$$ > $dest -e "/^PROFS_GRANTED=/a\\
$wo"
			echo "${dest} updating entries for CONSOLE_USER," \
			     "see policy.conf(4) for details." \
			    >> ${CLEANUP_FILE}
		fi

		rm -f $dest.$$

		grep 'CRYPT_' $dest > /dev/null 2>&1
		if [ $? = 1 ] ; then
			echo "${dest} updating entries for crypt(3c)," \
			     "see policy.conf(4) for details." \
			    >> ${CLEANUP_FILE}
cat >> $dest <<EOM

# crypt(3c) Algorithms Configuration
#
# CRYPT_ALGORITHMS_ALLOW specifies the algorithms that are allowed to
# be used for new passwords.  This is enforced only in crypt_gensalt(3c).
#
CRYPT_ALGORITHMS_ALLOW=1,2a,md5

# To deprecate use of the traditional unix algorithm, uncomment below
# and change CRYPT_DEFAULT= to another algorithm.  For example,
# CRYPT_DEFAULT=1 for BSD/Linux MD5.
#
#CRYPT_ALGORITHMS_DEPRECATE=__unix__

# The Solaris default is the traditional UNIX algorithm.  This is not
# listed in crypt.conf(4) since it is internal to libc.  The reserved
# name __unix__ is used to refer to it.
#
CRYPT_DEFAULT=__unix__
EOM
		fi
		grep PRIV_ $dest >/dev/null 2>&1
		if [ $? = 1 ]; then
			echo "${dest} updating entries for privileges(5)," \
			     "see policy.conf(4) for details." \
			    >> ${CLEANUP_FILE}
cat >> $dest <<EOM
#
# These settings determine the default privileges users have.  If not set,
# the default privileges are taken from the inherited set.
# There are two different settings; PRIV_DEFAULT determines the default
# set on login; PRIV_LIMIT defines the Limit set on login.
# Individual users can have privileges assigned or taken away through
# user_attr.  Privileges can also be assigned to profiles in which case
# the users with those profiles can use those privileges through pfexec(1m).
# For maximum future compatibility, the specifications should
# always include "basic" or "all"; privileges should then be removed using
# the negation.  E.g., PRIV_LIMIT=all,!sys_linkdir takes away only the
# sys_linkdir privilege, regardless of future additional privileges.
# Similarly, PRIV_DEFAULT=basic,!file_link_any takes away only the
# file_link_any privilege from the basic privilege set; only that notation
# is immune from a future addition of currently unprivileged operations to
# the basic privilege set.
# NOTE: removing privileges from the the Limit set requires EXTREME care
# as any set-uid root program may suddenly fail because it lacks certain
# privilege(s).
#
#PRIV_DEFAULT=basic
#PRIV_LIMIT=all
EOM
		fi
		grep 'LOCK_AFTER_RETRIES' $dest > /dev/null 2>&1
		if [ $? = 1 ] ; then
			echo "${dest} updating entry for LOCK_AFTER_RETRIES," \
			    "see pam_unix_auth(5) for details." \
			    >> ${CLEANUP_FILE}
cat >> $dest <<EOM
#
# LOCK_AFTER_RETRIES specifies the default account locking policy for local
# user accounts (passwd(4)/shadow(4)).  The default may be overridden by
# a user's user_attr(4) "lock_after_retries" value.
# YES enables local account locking, NO disables local account locking.
# The default value is NO.
#
#LOCK_AFTER_RETRIES=NO
EOM
		fi
	fi
done

exit 0