246N/A#!/bin/sh
246N/A#
246N/A# CDDL HEADER START
246N/A#
246N/A# The contents of this file are subject to the terms of the
246N/A# Common Development and Distribution License (the "License").
246N/A# You may not use this file except in compliance with the License.
246N/A#
246N/A# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
246N/A# or http://www.opensolaris.org/os/licensing.
246N/A# See the License for the specific language governing permissions
246N/A# and limitations under the License.
246N/A#
246N/A# When distributing Covered Code, include this CDDL HEADER in each
246N/A# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
246N/A# If applicable, add the following below this CDDL HEADER, with the
246N/A# fields enclosed by brackets "[]" replaced with your own identifying
246N/A# information: Portions Copyright [yyyy] [name of copyright owner]
246N/A#
246N/A# CDDL HEADER END
3996N/A#
246N/A#
246N/A#ident "%Z%%M% %I% %E% SMI"
246N/A#
246N/A# Copyright 2008 Sun Microsystems, Inc. All rights reserved.
1424N/A# Use is subject to license terms.
618N/A#
246N/A
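PATH="/usr/bin:/usr/sbin:${PATH}"
export PATH

#
# Class action script for /etc/security/policy.conf.  The packaging
# tools feed "src dest" pairs on stdin; CLEANUP_FILE is expected to be
# set by the packaging environment and collects notes shown to the
# administrator after installation.
#
# The shebang is /bin/sh (Bourne), so this stays free of $(...), '!',
# arrays and grep -q.
#

#
# has_entry PATTERN FILE
#   Exit status is grep's: 0 if PATTERN matches a line of FILE (comments
#   included), 1 if nothing matches, 2 if FILE could not be read.  Output
#   is discarded by redirection because /usr/bin/grep has no -q option.
#
has_entry() {
	grep "$1" "$2" > /dev/null 2>&1
}

#
# note_update WORDS...
#   Record an administrator-visible note in CLEANUP_FILE.
#
note_update() {
	echo "$@" >> "${CLEANUP_FILE}"
}

#
# append_missing FILE PATTERN WORDS...
#   If no line of FILE matches PATTERN, log WORDS via note_update and
#   append the text supplied on stdin to FILE.  Only a clean "no match"
#   (status 1) triggers the append; an unreadable FILE (status 2) is left
#   untouched.  When nothing is appended the here-document on stdin is
#   simply not read.
#
append_missing() {
	am_file="$1"
	am_pattern="$2"
	shift 2
	has_entry "$am_pattern" "$am_file"
	if [ $? = 1 ] ; then
		note_update "$@"
		cat >> "$am_file"
	fi
}

while read src dest
do
	if [ ! -f "$dest" ] ; then
		# Fresh install: nothing local to preserve.
		cp "$src" "$dest"
	else
		#
		# Upgrade: take the copyright/ident header from the new file
		# ($src) and the live settings from the installed file ($dest).
		# Commented-out or "Default" AUTHS_GRANTED / PROFS_GRANTED lines
		# are replaced by the shipped defaults; an administrator's
		# uncommented values are kept as they are.  Trailing spaces are
		# stripped.
		#
		ag="AUTHS_GRANTED=solaris.device.cdrw"
		pg="PROFS_GRANTED=Basic Solaris User"
		wo="CONSOLE_USER=Console User"
		tmp="$dest.$$"

		# The scratch copy lives next to $dest rather than in /tmp;
		# remove it if the script is interrupted part way.
		trap 'rm -f "$tmp"' 0

		# Header: everything up to the first non-comment line of $src.
		sed -n -e '/^[^#]/q;p' < "$src" > "$tmp"

		# Body: from the first non-comment line of $dest to its end.
		# The s commands run before the range test, so a commented
		# "#AUTHS_GRANTED=" in the header is rewritten to a live entry
		# and that line itself opens the range -- keep this -e order.
		sed -n \
		    -e "s/^#AUTHS_GRANTED=$/$ag/" \
		    -e "s/^#PROFS_GRANTED=$/$pg/" \
		    -e "s/^PROFS_GRANTED=Default/$pg/" \
		    -e "s/ *$//" \
		    -e '/^[^#]/,$p' < "$dest" >> "$tmp"

		# No PROFS_GRANTED line of any kind: insert the default right
		# after AUTHS_GRANTED.  The appended text must start at column 0.
		has_entry 'PROFS_GRANTED=' "$dest"
		if [ $? != 0 ] ; then
			sed < "$tmp" > "$dest" -e "/^AUTHS_GRANTED=/a\\
$pg"
			cat "$dest" > "$tmp"
		fi

		if has_entry 'CONSOLE_USER=' "$dest"
		then
			cat "$tmp" > "$dest"
		else
			sed < "$tmp" > "$dest" -e "/^PROFS_GRANTED=/a\\
$wo"
			note_update "${dest} updating entries for CONSOLE_USER," \
			    "see policy.conf(4) for details."
		fi

		rm -f "$tmp"
		trap 0

		# Sections introduced by later releases are appended only when
		# the installed file has no trace of them.  The delimiters are
		# quoted so the here-document text is written literally.
		append_missing "$dest" 'CRYPT_' \
		    "${dest} updating entries for crypt(3c)," \
		    "see policy.conf(4) for details." <<'EOM'
# crypt(3c) Algorithms Configuration
#
# CRYPT_ALGORITHMS_ALLOW specifies the algorithms that are allowed to
# be used for new passwords. This is enforced only in crypt_gensalt(3c).
#
CRYPT_ALGORITHMS_ALLOW=1,2a,md5
# To deprecate use of the traditional unix algorithm, uncomment below
# and change CRYPT_DEFAULT= to another algorithm. For example,
# CRYPT_DEFAULT=1 for BSD/Linux MD5.
#
#CRYPT_ALGORITHMS_DEPRECATE=__unix__
# The Solaris default is the traditional UNIX algorithm. This is not
# listed in crypt.conf(4) since it is internal to libc. The reserved
# name __unix__ is used to refer to it.
#
CRYPT_DEFAULT=__unix__
EOM

		append_missing "$dest" 'PRIV_' \
		    "${dest} updating entries for privileges(5)," \
		    "see policy.conf(4) for details." <<'EOM'
#
# These settings determine the default privileges users have. If not set,
# the default privileges are taken from the inherited set.
# There are two different settings; PRIV_DEFAULT determines the default
# set on login; PRIV_LIMIT defines the Limit set on login.
# Individual users can have privileges assigned or taken away through
# user_attr. Privileges can also be assigned to profiles in which case
# the users with those profiles can use those privileges through pfexec(1m).
# For maximum future compatibility, the specifications should
# always include "basic" or "all"; privileges should then be removed using
# the negation. E.g., PRIV_LIMIT=all,!sys_linkdir takes away only the
# sys_linkdir privilege, regardless of future additional privileges.
# Similarly, PRIV_DEFAULT=basic,!file_link_any takes away only the
# file_link_any privilege from the basic privilege set; only that notation
# is immune from a future addition of currently unprivileged operations to
# the basic privilege set.
# NOTE: removing privileges from the the Limit set requires EXTREME care
# as any set-uid root program may suddenly fail because it lacks certain
# privilege(s).
#
#PRIV_DEFAULT=basic
#PRIV_LIMIT=all
EOM

		append_missing "$dest" 'LOCK_AFTER_RETRIES' \
		    "${dest} updating entry for LOCK_AFTER_RETRIES," \
		    "see pam_unix_auth(5) for details." <<'EOM'
#
# LOCK_AFTER_RETRIES specifies the default account locking policy for local
# user accounts (passwd(4)/shadow(4)). The default may be overridden by
# a user's user_attr(4) "lock_after_retries" value.
# YES enables local account locking, NO disables local account locking.
# The default value is NO.
#
#LOCK_AFTER_RETRIES=NO
EOM
	fi
done
exit 0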