i.shadow revision 57c407852ad197a758d9fc3212bd9484cacf2a69
#!/bin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
# Copyright 2008 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
CLEANUP_FILE=/tmp/CLEANUP
PATH="/usr/bin:/usr/sbin:${PATH}"
export PATH
#
# PASSREQ is enforced. We need to warn upgraders about the fact that
# they might be locked out if they don't have a root password or
# change PASSREQ
#
NOPASSWARN="Detected password-less accounts while PASSREQ=YES."
NOPASSWARN="${NOPASSWARN} Please examine ${BASEDIR}/etc/default/login before"
NOPASSWARN="${NOPASSWARN} rebooting."
if grep -i '^PASSREQ=YES' ${BASEDIR}/etc/default/login >/dev/null 2>&1 ; then
warn_nopass=1
else
warn_nopass=0
fi
while read src dest
do
if [ ! -f $dest ] ; then
cp $src $dest
else
#
# 2.6 & earlier versions had an smtp entry; remove it.
#
# Some accounts used to be shipped with "NP" they are now
# shipped as "*LK*" since they shouldn't be able to run
# cron jobs or login.
sed ' /^smtp:/d;
/^nobody:/s/:NP:/:*LK*:/;
/^nobody4:/s/:NP:/:*LK*:/;
/^noaccess/s/:NP:/:*LK*:/;' $dest > /tmp/d.$$
cp /tmp/d.$$ $dest
rm -f /tmp/d.$$
#
# Add the 'nobody' user from 4.x so that people don't
# assign it to a regular user and confuse themselves
#
NOBODY4_LINE="nobody4:*LK*:6445::::::"
if grep "^nobody4:" $dest 2>&1 >/dev/null; then
:
else
printf '/^noaccess:*LK*\na\n%s\n.\nw\nq\n' \
"$NOBODY4_LINE" | ed -s $dest > /dev/null
fi
#
# Add the 'smmsp' user for sendmail 8.12
#
SMMSP_LINE="smmsp:NP:6445::::::"
if grep "$SMMSP_LINE" $dest 2>&1 >/dev/null; then
:
else
printf '/^nobody4:*LK*\na\n%s\n.\nw\nq\n' \
"$SMMSP_LINE" | ed -s $dest > /dev/null
fi
#
# Add the 'gdm' reserved user if it doesn't exist.
#
GDM_LINE="gdm:*LK*:::::::"
if grep "^gdm:" $dest 2>&1 >/dev/null; then
:
else
printf '/^listen:\*LK\*\na\n%s\n.\nw\nq\n' \
"$GDM_LINE" | ed -s $dest > /dev/null
fi
#
# Add the 'webservd' reserved user if it doesn't exist.
#
WEBSERVD_LINE="webservd:*LK*:::::::"
if grep "^webservd:" $dest 2>&1 >/dev/null; then
:
else
printf '/^gdm:\*LK\*\na\n%s\n.\nw\nq\n' \
"$WEBSERVD_LINE" | ed -s $dest > /dev/null
fi
#
# Add the 'postgres' reserved user if it doesn't exist.
#
POSTGRES_LINE="postgres:NP:::::::"
if grep "^postgres:" $dest 2>&1 >/dev/null; then
:
else
printf '/^webservd:\*LK\*\na\n%s\n.\nw\nq\n' \
"$POSTGRES_LINE" | ed -s $dest > /dev/null
fi
#
# Add the 'mysql' reserved user if it doesn't exist.
#
MYSQL_LINE="mysql:NP:::::::"
if grep "^mysql:" $dest 2>&1 >/dev/null; then
:
else
printf '/^postgres:\*LK\*\na\n%s\n.\nw\nq\n' \
"$MYSQL_LINE" | ed -s $dest > /dev/null
fi
#
# Add the 'svctag' reserved user if it doesn't exist.
#
SVCTAG_LINE="svctag:*LK*:6445::::::"
if grep "^svctag:" $dest 2>&1 >/dev/null; then
:
else
printf '/^postgres:NP\na\n%s\n.\nw\nq\n' \
"$SVCTAG_LINE" | ed -s $dest > /dev/null
fi
#
# Add the 'dladm' reserved user if it doesn't exist.
#
DLADM_LINE="dladm:*LK*:::::::"
if grep "^dladm:" $dest 2>&1 >/dev/null; then
:
else
printf '/^nuucp:NP\na\n%s\n.\nw\nq\n' \
"$DLADM_LINE" | ed -s $dest > /dev/null
fi
#
# Add the 'xvm' reserved user if it doesn't exist.
#
XVM_LINE="xvm:*LK*:::::::"
if grep "^xvm:" $dest 2>&1 >/dev/null; then
:
else
printf '/^gdm:\*LK\*\na\n%s\n.\nw\nq\n' \
"$XVM_LINE" | ed -s $dest > /dev/null
fi
#
# Add the 'zfssnap' reserved user if it doesn't exist.
#
ZFSSNAP_LINE="zfssnap:NP:::::::"
if grep "^zfssnap:" $dest 2>&1 > /dev/null; then
:
else
printf '/^gdm:\*LK\*\na\n%s\n.\nw\nq\n' \
"$ZFSSNAP_LINE" | ed -s $dest > /dev/null
fi
#
# Add the 'openldap' reserved user if it doesn't exist.
#
OPENLDAP_LINE="openldap:*LK*:::::::"
if grep "^openldap:" $dest 2>&1 >/dev/null; then
:
else
printf '/^mysql:NP\na\n%s\n.\nw\nq\n' \
"$OPENLDAP_LINE" | ed -s $dest > /dev/null
fi
#
# Warn the user if an empty password is found and
# PASSREQ is set to yes.
#
if [ $warn_nopass -eq 1 ]; then
if grep '^[^:]*::' $dest > /dev/null 2>&1 ; then
echo "${dest} $NOPASSWARN" >> ${CLEANUP_FILE}
warn_nopass=0;
fi
fi
fi
done
exit 0