#!/bin/sh # # CDDL HEADER START # # The contents of this file are subject to the terms of the # Common Development and Distribution License (the "License"). # You may not use this file except in compliance with the License. # # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE # or http://www.opensolaris.org/os/licensing. # See the License for the specific language governing permissions # and limitations under the License. # # When distributing Covered Code, include this CDDL HEADER in each # file and include the License file at usr/src/OPENSOLARIS.LICENSE. # If applicable, add the following below this CDDL HEADER, with the # fields enclosed by brackets "[]" replaced with your own identifying # information: Portions Copyright [yyyy] [name of copyright owner] # # CDDL HEADER END # # Copyright 2010 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # CLEANUP_FILE=/tmp/CLEANUP PATH="/usr/bin:/usr/sbin:${PATH}" export PATH # # PASSREQ is enforced. We need to warn upgraders about the fact that # they might be locked out if they don't have a root password or # change PASSREQ # NOPASSWARN="Detected password-less accounts while PASSREQ=YES." NOPASSWARN="${NOPASSWARN} Please examine ${BASEDIR}/etc/default/login before" NOPASSWARN="${NOPASSWARN} rebooting." if grep -i '^PASSREQ=YES' ${BASEDIR}/etc/default/login >/dev/null 2>&1 ; then warn_nopass=1 else warn_nopass=0 fi while read src dest do if [ ! -f $dest ] ; then cp $src $dest else # # 2.6 & earlier versions had an smtp entry; remove it. # # Some accounts used to be shipped with "NP" they are now # shipped as "*LK*" since they shouldn't be able to run # cron jobs or login. sed ' /^smtp:/d; /^nobody:/s/:NP:/:*LK*:/; /^nobody4:/s/:NP:/:*LK*:/; /^noaccess/s/:NP:/:*LK*:/;' $dest > /tmp/d.$$ cp /tmp/d.$$ $dest rm -f /tmp/d.$$ # # Add the 'nobody' user from 4.x so that people don't # assign it to a regular user and confuse themselves # NOBODY4_LINE="nobody4:*LK*:6445::::::" if grep "^nobody4:" $dest >/dev/null 2>&1 >/dev/null; then : else printf '/^noaccess:*LK*\na\n%s\n.\nw\nq\n' \ "$NOBODY4_LINE" | ed -s $dest > /dev/null fi # # Add the 'smmsp' user for sendmail 8.12 # SMMSP_LINE="smmsp:NP:6445::::::" if grep "$SMMSP_LINE" $dest >/dev/null 2>&1 >/dev/null; then : else printf '/^nobody4:*LK*\na\n%s\n.\nw\nq\n' \ "$SMMSP_LINE" | ed -s $dest > /dev/null fi # # Add the 'gdm' reserved user if it doesn't exist. # GDM_LINE="gdm:*LK*:::::::" if grep "^gdm:" $dest >/dev/null 2>&1 >/dev/null; then : else printf '/^listen:\*LK\*\na\n%s\n.\nw\nq\n' \ "$GDM_LINE" | ed -s $dest > /dev/null fi # # Add the 'webservd' reserved user if it doesn't exist. # WEBSERVD_LINE="webservd:*LK*:::::::" if grep "^webservd:" $dest >/dev/null 2>&1 >/dev/null; then : else printf '/^gdm:\*LK\*\na\n%s\n.\nw\nq\n' \ "$WEBSERVD_LINE" | ed -s $dest > /dev/null fi # # Add the 'postgres' reserved user if it doesn't exist. # POSTGRES_LINE="postgres:NP:::::::" if grep "^postgres:" $dest >/dev/null 2>&1 >/dev/null; then : else printf '/^webservd:\*LK\*\na\n%s\n.\nw\nq\n' \ "$POSTGRES_LINE" | ed -s $dest > /dev/null fi # # Add the 'mysql' reserved user if it doesn't exist. # MYSQL_LINE="mysql:NP:::::::" if grep "^mysql:" $dest >/dev/null 2>&1 >/dev/null; then : else printf '/^postgres:\*LK\*\na\n%s\n.\nw\nq\n' \ "$MYSQL_LINE" | ed -s $dest > /dev/null fi # # Add the 'svctag' reserved user if it doesn't exist. # SVCTAG_LINE="svctag:*LK*:6445::::::" if grep "^svctag:" $dest >/dev/null 2>&1 >/dev/null; then : else printf '/^postgres:NP\na\n%s\n.\nw\nq\n' \ "$SVCTAG_LINE" | ed -s $dest > /dev/null fi # # Add the 'unknown' reserved user if it doesn't exist. # UNKNOWN_LINE="unknown:*LK*:::::::" if grep "^unknown:" $dest >/dev/null 2>&1 >/dev/null; then : else printf '/^svctag:*LK*\na\n%s\n.\nw\nq\n' \ "$UNKNOWN_LINE" | ed -s $dest > /dev/null fi # # Add the 'dladm' reserved user if it doesn't exist. # DLADM_LINE="dladm:*LK*:::::::" if grep "^dladm:" $dest >/dev/null 2>&1 >/dev/null; then : else printf '/^nuucp:NP\na\n%s\n.\nw\nq\n' \ "$DLADM_LINE" | ed -s $dest > /dev/null fi # # Add the 'xvm' reserved user if it doesn't exist. # XVM_LINE="xvm:*LK*:::::::" if grep "^xvm:" $dest >/dev/null 2>&1 >/dev/null; then : else printf '/^gdm:\*LK\*\na\n%s\n.\nw\nq\n' \ "$XVM_LINE" | ed -s $dest > /dev/null fi # # Add the 'zfssnap' reserved user if it doesn't exist. # ZFSSNAP_LINE="zfssnap:NP:::::::" if grep "^zfssnap:" $dest 2>&1 > /dev/null; then : else printf '/^gdm:\*LK\*\na\n%s\n.\nw\nq\n' \ "$ZFSSNAP_LINE" | ed -s $dest > /dev/null fi # # Add the 'upnp' reserved user if it doesn't exist. # UPNP_LINE="upnp:NP:::::::" if grep "^upnp:" $dest 2>&1 > /dev/null; then : else printf '/^zfssnap:\*LK\*\na\n%s\n.\nw\nq\n' \ "$UPNP_LINE" | ed -s $dest > /dev/null fi # # Add the 'openldap' reserved user if it doesn't exist. # OPENLDAP_LINE="openldap:*LK*:::::::" if grep "^openldap:" $dest >/dev/null 2>&1 >/dev/null; then : else printf '/^mysql:NP\na\n%s\n.\nw\nq\n' \ "$OPENLDAP_LINE" | ed -s $dest > /dev/null fi # # Add the 'netadm' reserved user if it doesn't exist. # NETADM_LINE="netadm:*LK*:::::::" if grep "^netadm:" $dest 2>&1 >/dev/null; then : else printf '/^dladm:\*LK\*\na\n%s\n.\nw\nq\n' \ "$NETADM_LINE" | ed -s $dest > /dev/null fi # # Add the 'netcfg' reserved user if it doesn't exist. # NETCFG_LINE="netcfg:*LK*:::::::" if grep "^netcfg:" $dest 2>&1 >/dev/null; then : else printf '/^netadm:\*LK\*\na\n%s\n.\nw\nq\n' \ "$NETCFG_LINE" | ed -s $dest > /dev/null fi # # Warn the user if an empty password is found and # PASSREQ is set to yes. # if [ $warn_nopass -eq 1 ]; then if grep '^[^:]*::' $dest > /dev/null 2>&1 ; then echo "${dest} $NOPASSWARN" >> ${CLEANUP_FILE} warn_nopass=0; fi fi fi done exit 0