#!/bin/sh
##
## pamtool -- OpenPKG PAM Auxiliary Tool
## Copyright (c) 2000-2007 OpenPKG Foundation e.V.
## Copyright (c) 2000-2007 Ralf S. Engelschall
##
## Permission to use, copy, modify, and distribute this software for
## any purpose with or without fee is hereby granted, provided that
## the above copyright notice and this permission notice appear in all
## copies.
##
## THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
## WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
## MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
## IN NO EVENT SHALL THE AUTHORS AND COPYRIGHT HOLDERS AND THEIR
## CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
## SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
## LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
## USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
## ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
## OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
## OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
## SUCH DAMAGE.
##

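# program name, version and date
progname="pamtool"
progvers="0.9.0"
progdate="11-Mar-2002"

# the OpenPKG instance information (substituted at build time)
l_prefix="@l_prefix@"
l_platform="@l_platform@"

# default parameters
verbose=no
help=no          # "yes", "no", or an error message for an unknown option
add=no
remove=no
smart=no
name=""          # PAM service name (--name=NAME), mandatory
id=""            # rpmtool config entry id (--id=ID), defaults to "$l_prefix:$name"

# iterate over argument line
# (the option value is cut off with sed rather than ${opt#*=} to stay
# runnable under pre-POSIX Bourne shells, which the rest of the script
# also caters for)
while [ $# -gt 0 ]; do
    opt=$1
    case $opt in
        -*=*) arg=`echo "$opt" | sed 's/^[-_a-zA-Z0-9]*=//'` ;;
        *) arg='' ;;
    esac
    case $opt in
        -v|--verbose ) verbose=yes ;;
        -h|--help    ) help=yes ;;
        -a|--add     ) add=yes ;;
        -r|--remove  ) remove=yes ;;
        -s|--smart   ) smart=yes ;;
        --name=*     ) name=$arg ;;
        --id=*       ) id=$arg ;;
        -* ) help="Invalid option \`$opt'"; break ;;
        *  ) break ;;
    esac
    shift
done

# usage and error handling for the option scan
usage="$progname --add|--remove --name=NAME [--smart] [--id=ID]"
if [ ".$help" = .yes ]; then
    echo "$usage"
    exit 0
elif [ ".$help" != .no ]; then
    # an unknown option leaves its message in $help; previously only the
    # literal "yes" was checked, so unknown options were silently ignored
    echo "$progname:ERROR: $help" 1>&2
    echo "$usage" 1>&2
    exit 1
fi
if [ $# -gt 0 ]; then
    # a stray non-option word (e.g. "--name foo" instead of "--name=foo")
    # used to be dropped silently
    echo "$progname:ERROR: unexpected argument \`$1'" 1>&2
    echo "$usage" 1>&2
    exit 1
fi
if [ ".$add" = .no -a ".$remove" = .no ]; then
    echo "$progname:ERROR: either option -a/--add or -r/--remove have to be specified" 1>&2
    exit 1
fi
if [ ".$add" = .yes -a ".$remove" = .yes ]; then
    echo "$progname:ERROR: option -a/--add and -r/--remove cannot be specified in parallel" 1>&2
    exit 1
fi
if [ ".$name" = . ]; then
    echo "$progname:ERROR: option --name has to be specified" 1>&2
    exit 1
fi
# The service name ends up as a file name below the PAM configuration
# directory ("$pam_cfgloc/$name") and as the first whitespace separated
# field of a combined pam.conf, and it is spliced into a sed command.
# Restrict it to a single plain path component so that "../", "/", blanks
# and sed metacharacters cannot redirect or corrupt the edit.
case $name in
    . | .. | *[!A-Za-z0-9_.+@-]* )
        echo "$progname:ERROR: invalid PAM service name \`$name'" 1>&2
        exit 1
        ;;
esac
if [ ".$id" = . ]; then
    id="$l_prefix:$name"
fi
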
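# find a reasonable temporary location: honour $TMPDIR, then $TEMPDIR,
# and fall back to /tmp
if [ ".$TMPDIR" != . ]; then
    tmpdir="$TMPDIR"
elif [ ".$TEMPDIR" != . ]; then
    tmpdir="$TEMPDIR"
else
    tmpdir="/tmp"
fi

# Create a private (mode 0700) scratch directory and keep the work file
# inside it instead of writing to the predictable "$tmpdir/pamtool.$$.tmp".
# This tool edits the PAM configuration and therefore typically runs as
# root; a predictable name in a world-writable directory is open to
# symlink attacks. mktemp(1) is preferred; where it is missing, mkdir(2)
# is still atomic, so a pre-existing file or symlink at the fallback
# path makes us fail instead of following it (a denial of service at
# worst, never a write to an attacker-chosen path).
tmpbase=`mktemp -d "$tmpdir/pamtool.XXXXXX" 2>/dev/null`
if [ ".$tmpbase" = . ]; then
    tmpbase="$tmpdir/pamtool.$$"
    (umask 077 && mkdir "$tmpbase") || {
        echo "$progname:ERROR: unable to create temporary directory $tmpbase" 1>&2
        exit 1
    }
fi
# remove the scratch directory on every exit path, including the
# "|| exit $?" error exits further down, which used to leak the file
trap 'rm -rf "$tmpbase"' 0
tmpfile="$tmpbase/pamtool.tmp"
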
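# determine PAM information from OpenPKG configuration
if [ ! -f "$l_prefix/etc/rc" ]; then
    # (the prefix used to read "$progname:$ERROR:" with $ERROR undefined,
    # which printed as "pamtool::")
    echo "$progname:ERROR: OpenPKG run-command facility not found under $l_prefix" 1>&2
    exit 1
fi
openpkg="$l_prefix/bin/openpkg"
if [ ! -x "$openpkg" ]; then
    # the rc queries below go through the openpkg frontend; without it
    # they fail and leave every pam_* variable empty, after which the
    # script would silently do nothing and still exit 0
    echo "$progname:ERROR: OpenPKG frontend not found under $l_prefix/bin/" 1>&2
    exit 1
fi
# pam_cfgloc is either a combined pam.conf file or a pam.d directory,
# pam_modpfx is prepended to every module name in the generated entries.
# NOTE(review): pam_enable is queried but not consulted anywhere below;
# an empty pam_cfgloc makes the add/remove step a silent no-op, which may
# be the intended "PAM disabled" behaviour -- confirm before changing.
pam_enable=`"$openpkg" rc --query pam_enable`
pam_cfgloc=`"$openpkg" rc --query pam_cfgloc`
pam_modpfx=`"$openpkg" rc --query pam_modpfx`
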
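# locate the OpenPKG rpmtool, which performs the actual configuration
# file editing ("rpmtool config -a/-r -i ID FILE")
rpmtool="$l_prefix/lib/openpkg/rpmtool"
if [ ! -x "$rpmtool" ]; then
    # (the message used to point to $l_prefix/sbin/, which is not where
    # the check looks, and carried the undefined "$ERROR" variable)
    echo "$progname:ERROR: OpenPKG rpmtool not found under $l_prefix/lib/openpkg/" 1>&2
    exit 1
fi
# $rpmtool_config is a command line fragment and is intentionally
# expanded unquoted where it is used
rpmtool_config="$rpmtool config"
if [ ".$smart" = .yes ]; then
    # pass the "smart" flag through; its semantics are rpmtool's
    rpmtool_config="$rpmtool_config -s"
fi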
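# emit the platform specific PAM stack for the service on stdout, one
# "type control module [arguments]" line per entry (module names are
# prefixed with $pam_modpfx)
pam_entries () {
    case "$l_platform" in
        *-freebsd* )
            echo "auth sufficient ${pam_modpfx}pam_opie.so no_warn no_fake_prompts"
            echo "auth requisite ${pam_modpfx}pam_opieaccess.so no_warn allow_local"
            echo "auth required ${pam_modpfx}pam_unix.so try_first_pass"
            echo "account required ${pam_modpfx}pam_unix.so"
            echo "password required ${pam_modpfx}pam_permit.so"
            echo "session required ${pam_modpfx}pam_permit.so"
            ;;
        *-linux* )
            echo "auth required ${pam_modpfx}pam_unix_auth.so shadow nodelay"
            echo "auth required ${pam_modpfx}pam_nologin.so"
            echo "account required ${pam_modpfx}pam_unix_acct.so"
            echo "password required ${pam_modpfx}pam_unix_passwd.so shadow nullok use_authtok"
            echo "session required ${pam_modpfx}pam_unix_session.so"
            echo "session required ${pam_modpfx}pam_limits.so"
            ;;
        *-sunos* )
            echo "auth required ${pam_modpfx}pam_unix.so try_first_pass"
            echo "account required ${pam_modpfx}pam_unix.so"
            echo "password required ${pam_modpfx}pam_unix.so"
            echo "session required ${pam_modpfx}pam_unix.so"
            ;;
        *-aix* )
            echo "auth required ${pam_modpfx}pam_aix try_first_pass"
            echo "account required ${pam_modpfx}pam_aix"
            echo "password required ${pam_modpfx}pam_aix"
            echo "session required ${pam_modpfx}pam_aix"
            ;;
        * )
            echo "auth required ${pam_modpfx}pam_unix.so try_first_pass"
            echo "account required ${pam_modpfx}pam_unix.so"
            echo "password required ${pam_modpfx}pam_unix.so"
            echo "session required ${pam_modpfx}pam_unix.so"
            ;;
    esac
}

# perform the operation; $pam_cfgloc is either a combined configuration
# file (pam.conf style, entries prefixed with the service name) or a
# directory holding one file per service (pam.d style)
if [ ".$add" = .yes ]; then
    #
    # add a PAM entry
    #
    if [ -f "$pam_cfgloc" ]; then
        # Prefix every entry with the service name. This is done with a
        # read/printf loop rather than sed -e "s;^;$name ;" so that a name
        # containing sed metacharacters (";", "&", "\") cannot alter the
        # substitution.
        pam_entries | while IFS= read -r line; do
            printf '%s %s\n' "$name" "$line"
        done >"$tmpfile" || exit $?
        if [ ".$verbose" = .yes ]; then
            echo "++ adding entry to $pam_cfgloc"
        fi
        $rpmtool_config -a -i "$id" "$pam_cfgloc" <"$tmpfile" || exit $?
    elif [ -d "$pam_cfgloc" ]; then
        pam_entries >"$tmpfile" || exit $?
        if [ ".$verbose" = .yes ]; then
            echo "++ adding entry to $pam_cfgloc/$name"
        fi
        $rpmtool_config -a -i "$id" "$pam_cfgloc/$name" <"$tmpfile" || exit $?
    else
        # neither a file nor a directory: this used to succeed silently;
        # keep the exit status (it may be a deliberate "PAM disabled"
        # no-op) but make the situation visible
        echo "$progname:WARNING: no PAM configuration found at \`$pam_cfgloc', nothing to do" 1>&2
    fi

elif [ ".$remove" = .yes ]; then
    #
    # remove a PAM entry
    #
    if [ -f "$pam_cfgloc" ]; then
        if [ ".$verbose" = .yes ]; then
            echo "++ removing entry from $pam_cfgloc"
        fi
        $rpmtool_config -r -i "$id" "$pam_cfgloc" || exit $?
    elif [ -d "$pam_cfgloc" ]; then
        if [ ".$verbose" = .yes ]; then
            echo "++ removing entry from $pam_cfgloc/$name"
        fi
        $rpmtool_config -r -i "$id" "$pam_cfgloc/$name" || exit $?
        # drop the per-service file once nothing is left in it
        if [ ! -s "$pam_cfgloc/$name" ]; then
            rm -f "$pam_cfgloc/$name" >/dev/null 2>&1 || true
        fi
    else
        echo "$progname:WARNING: no PAM configuration found at \`$pam_cfgloc', nothing to do" 1>&2
    fi
fi

# cleanup
rm -f "$tmpfile"
exit 0
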