pkgdefs/common_files/i.policyconf

	i.policyconf revision 7c478bd95313f5f23a4c958a745db2134aa03244


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
#!/bin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License, Version 1.0 only
# (the "License").  You may not use this file except in compliance
# with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
#ident	"%Z%%M%	%I%	%E% SMI"
#
# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#

PATH="/usr/bin:/usr/sbin:${PATH}"
export PATH

while read src dest
do
	if [ ! -f $dest ] ; then
		cp $src $dest
	else
		#
		# Copy copyright and ident from new file ($src);
		# update the AUTHS_GRANTED and PROFS_GRANTED field.
		# Add the latter if it does not exist.
		# Strip trailing spaces.
		#
		ag="AUTHS_GRANTED=solaris.device.cdrw"
		pg="PROFS_GRANTED=Basic Solaris User"
		sed -n -e '/^[^#]/q;p' < $src > $dest.$$
		sed -n \
		    -e "s/^#AUTHS_GRANTED=$/$ag/" \
		    -e "s/^#PROFS_GRANTED=$/$pg/" \
		    -e "s/^PROFS_GRANTED=Default/$pg/" \
		    -e "s/  *$//" \
		    -e '/^[^#]/,$p' < $dest >> $dest.$$

		if grep 'PROFS_GRANTED=' $dest > /dev/null 2>&1
		then
			cat $dest.$$ > $dest
		else
			sed < $dest.$$ > $dest -e "/^AUTHS_GRANTED=/a\\
$pg"
		fi
		rm -f $dest.$$

		grep 'CRYPT_' $dest > /dev/null 2>&1
		if [ $? = 1 ] ; then
			echo "${dest} updating entries for crypt(3c)," \
			     "see policy.conf(4) for details." \
			    >> ${CLEANUP_FILE}
cat >> $dest <<EOM

# crypt(3c) Algorithms Configuration
#
# CRYPT_ALGORITHMS_ALLOW specifies the algorithms that are allowed to
# be used for new passwords.  This is enforced only in crypt_gensalt(3c).
#
CRYPT_ALGORITHMS_ALLOW=1,2a,md5

# To deprecate use of the traditional unix algorithm, uncomment below
# and change CRYPT_DEFAULT= to another algorithm.  For example,
# CRYPT_DEFAULT=1 for BSD/Linux MD5.
#
#CRYPT_ALGORITHMS_DEPRECATE=__unix__

# The Solaris default is the traditional UNIX algorithm.  This is not
# listed in crypt.conf(4) since it is internal to libc.  The reserved
# name __unix__ is used to refer to it.
#
CRYPT_DEFAULT=__unix__
EOM
		fi
		grep PRIV_ $dest >/dev/null 2>&1
		if [ $? = 1 ]; then
			echo "${dest} updating entries for privileges(5)," \
			     "see policy.conf(4) for details." \
			    >> ${CLEANUP_FILE}
cat >> $dest <<EOM
#
# These settings determine the default privileges users have.  If not set,
# the default privileges are taken from the inherited set.
# There are two different settings; PRIV_DEFAULT determines the default
# set on login; PRIV_LIMIT defines the Limit set on login.
# Individual users can have privileges assigned or taken away through
# user_attr.  Privileges can also be assigned to profiles in which case
# the users with those profiles can use those privileges through pfexec(1m).
# For maximum future compatibility, the specifications should
# always include "basic" or "all"; privileges should then be removed using
# the negation.  E.g., PRIV_LIMIT=all,!sys_linkdir takes away only the
# sys_linkdir privilege, regardless of future additional privileges.
# Similarly, PRIV_DEFAULT=basic,!file_link_any takes away only the
# file_link_any privilege from the basic privilege set; only that notation
# is immune from a future addition of currently unprivileged operations to
# the basic privilege set.
# NOTE: removing privileges from the the Limit set requires EXTREME care
# as any set-uid root program may suddenly fail because it lacks certain
# privilege(s).
#
#PRIV_DEFAULT=basic
#PRIV_LIMIT=all
EOM
		fi
		grep 'LOCK_AFTER_RETRIES' $dest > /dev/null 2>&1
		if [ $? = 1 ] ; then
			echo "${dest} updating entry for LOCK_AFTER_RETRIES," \
			    "see pam_unix_auth(5) for details." \
			    >> ${CLEANUP_FILE}
cat >> $dest <<EOM
#
# LOCK_AFTER_RETRIES specifies the default account locking policy for local
# user accounts (passwd(4)/shadow(4)).  The default may be overridden by
# a user's user_attr(4) "lock_after_retries" value.
# YES enables local account locking, NO disables local account locking.
# The default value is NO.
#
#LOCK_AFTER_RETRIES=NO
EOM
		fi
	fi
done

exit 0