i.policyconf revision 499fd60129a966ad9d9e752e65f591c3a6a1c697
#!/bin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
#ident "%Z%%M% %I% %E% SMI"
#
# Copyright 2008 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
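PATH="/usr/bin:/usr/sbin:${PATH}"
export PATH

#
# Reads "src dest" pairs from stdin.  A $dest that does not exist yet is
# copied from $src unchanged; an existing $dest is merged in place so that
# the settings already in it survive while missing keys are added.  A
# notice for every addition the administrator should review is appended
# to the file named by $CLEANUP_FILE, which the caller must set.
#

#
# Values merged into an existing policy.conf.  None of them contains a
# '/', so they can be used directly as replacement text in the sed(1)
# expressions below.
#
ag="AUTHS_GRANTED=solaris.device.cdrw"
pg="PROFS_GRANTED=Basic Solaris User"
wo="CONSOLE_USER=Console User"

#
# Scratch copy used while rewriting $dest (set per iteration).  It is
# removed on normal exit and on HUP/INT/TERM so that an interrupted merge
# does not leave a half-written $dest.$$ beside the real file.
#
tmp=""
cleanup() {
	if [ -n "$tmp" ] ; then
		rm -f "$tmp"
	fi
}
trap cleanup 0 1 2 15

while read src dest
do
	if [ ! -f "$dest" ] ; then
		cp "$src" "$dest"
	else
		#
		# Copy copyright and ident from new file ($src);
		# update the AUTHS_GRANTED and PROFS_GRANTED field.
		# Add the latter if it does not exist.
		# Strip trailing spaces.
		#
		tmp="$dest.$$"
		#
		# Leading comment block (every line before the first
		# non-comment line; that line itself is not printed) comes
		# from the new file ...
		#
		sed -n -e '/^[^#]/q;p' < "$src" > "$tmp"
		#
		# ... and the settings, from the first non-comment line to
		# the end, come from the existing file, with commented-out
		# or "Default" grants replaced and trailing spaces removed.
		#
		sed -n \
		    -e "s/^#AUTHS_GRANTED=$/$ag/" \
		    -e "s/^#PROFS_GRANTED=$/$pg/" \
		    -e "s/^PROFS_GRANTED=Default/$pg/" \
		    -e "s/ *$//" \
		    -e '/^[^#]/,$p' < "$dest" >> "$tmp"
		#
		# If the existing file had no PROFS_GRANTED line at all,
		# insert one after AUTHS_GRANTED.  The result is written to
		# $dest and copied back so the next step always reads $tmp.
		#
		grep 'PROFS_GRANTED=' "$dest" > /dev/null 2>&1
		if [ $? != 0 ] ; then
			sed < "$tmp" > "$dest" -e "/^AUTHS_GRANTED=/a\\
$pg"
			cat "$dest" > "$tmp"
		fi
		#
		# $dest is still the pre-merge file here unless the
		# PROFS_GRANTED insertion above rewrote it.
		#
		if grep 'CONSOLE_USER=' "$dest" > /dev/null 2>&1
		then
			cat "$tmp" > "$dest"
		else
			sed < "$tmp" > "$dest" -e "/^PROFS_GRANTED=/a\\
$wo"
			echo "${dest} updating entries for CONSOLE_USER," \
			    "see policy.conf(4) for details." \
			    >> "${CLEANUP_FILE}"
		fi
		rm -f "$tmp"
		tmp=""
		#
		# The remaining blocks are appended only when grep reports
		# "no match" (status 1); a grep failure (status 2) leaves
		# $dest untouched, as it always did.
		#
		grep 'CRYPT_' "$dest" > /dev/null 2>&1
		if [ $? = 1 ] ; then
			echo "${dest} updating entries for crypt(3c)," \
			    "see policy.conf(4) for details." \
			    >> "${CLEANUP_FILE}"
			cat >> "$dest" <<EOM
# crypt(3c) Algorithms Configuration
#
# CRYPT_ALGORITHMS_ALLOW specifies the algorithms that are allowed to
# be used for new passwords. This is enforced only in crypt_gensalt(3c).
#
CRYPT_ALGORITHMS_ALLOW=1,2a,md5
# To deprecate use of the traditional unix algorithm, uncomment below
# and change CRYPT_DEFAULT= to another algorithm. For example,
# CRYPT_DEFAULT=1 for BSD/Linux MD5.
#
#CRYPT_ALGORITHMS_DEPRECATE=__unix__
# The Solaris default is the traditional UNIX algorithm. This is not
# listed in crypt.conf(4) since it is internal to libc. The reserved
# name __unix__ is used to refer to it.
#
CRYPT_DEFAULT=__unix__
EOM
		fi
		grep PRIV_ "$dest" > /dev/null 2>&1
		if [ $? = 1 ] ; then
			echo "${dest} updating entries for privileges(5)," \
			    "see policy.conf(4) for details." \
			    >> "${CLEANUP_FILE}"
			cat >> "$dest" <<EOM
#
# These settings determine the default privileges users have. If not set,
# the default privileges are taken from the inherited set.
# There are two different settings; PRIV_DEFAULT determines the default
# set on login; PRIV_LIMIT defines the Limit set on login.
# Individual users can have privileges assigned or taken away through
# user_attr. Privileges can also be assigned to profiles in which case
# the users with those profiles can use those privileges through pfexec(1m).
# For maximum future compatibility, the specifications should
# always include "basic" or "all"; privileges should then be removed using
# the negation. E.g., PRIV_LIMIT=all,!sys_linkdir takes away only the
# sys_linkdir privilege, regardless of future additional privileges.
# Similarly, PRIV_DEFAULT=basic,!file_link_any takes away only the
# file_link_any privilege from the basic privilege set; only that notation
# is immune from a future addition of currently unprivileged operations to
# the basic privilege set.
# NOTE: removing privileges from the the Limit set requires EXTREME care
# as any set-uid root program may suddenly fail because it lacks certain
# privilege(s).
#
#PRIV_DEFAULT=basic
#PRIV_LIMIT=all
EOM
		fi
		grep 'LOCK_AFTER_RETRIES' "$dest" > /dev/null 2>&1
		if [ $? = 1 ] ; then
			echo "${dest} updating entry for LOCK_AFTER_RETRIES," \
			    "see pam_unix_auth(5) for details." \
			    >> "${CLEANUP_FILE}"
			cat >> "$dest" <<EOM
#
# LOCK_AFTER_RETRIES specifies the default account locking policy for local
# user accounts (passwd(4)/shadow(4)). The default may be overridden by
# a user's user_attr(4) "lock_after_retries" value.
# YES enables local account locking, NO disables local account locking.
# The default value is NO.
#
#LOCK_AFTER_RETRIES=NO
EOM
		fi
	fi
done
exit 0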