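# This is a 'e' type class action delivery script (simplified) based off:
#
# @(#)i.script 1.16 07/07/02 SMI
#
# @(#)simplified_i.e_script.DEFLT 1.1 08/01/18
#
# Simplified merge version. Lookup i_casfcs() function for instructions.
#
# Copyright 2008 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.

# placeholder for pkg i.CAS: BEGIN

#
# i_casfcs - merged class action script for pam.conf (from i.pamconf).
#
# Input:   "src dest" pairs on stdin, one pair per line.
# Action:  if dest does not exist, src is copied to it (plus the Trusted
#          Extensions account entry when /bin/plabel reports a labeled
#          system).  Otherwise dest is edited in place through a series of
#          grep/sed/nawk passes, each writing to a scratch file that is then
#          copied over dest.
# Output:  notes for the administrator are appended to ${CLEANUP_FILE}.
# Returns: 1 if the private scratch directory cannot be created, else 0.
#
# Security: every scratch file lives inside ${PAM_TMP}.  That directory is
# created with mkdir, which fails if the path already exists, so content that
# ends up in pam.conf is never staged through a predictable file name placed
# directly in /tmp.
#
i_casfcs() {
### drop the package's CAS here and replace its 'exit 0' with 'return 0'
### do so with care though to make sure there are no one time actions outside
### the while loop to be merged at the bottom of this script instead
#!/bin/sh
#
#ident "@(#)i.pamconf 1.27 08/02/04 SMI"
#
# Copyright 2008 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#

# NOTE(review): fixed file name in /tmp that is appended to with shell
# redirection, which follows a symbolic link planted at that path.  Left
# unchanged because the name looks like an installer convention that other
# tooling reads -- confirm, and prefer an installer-provided location if one
# exists.
CLEANUP_FILE=/tmp/CLEANUP
PAM_TMP=/tmp/pam_conf.$$
KERB_ENTRIES=$PAM_TMP/scr.$$
PPP_ENTRIES=$PAM_TMP/scp.$$
CRON_ENTRIES=$PAM_TMP/scc.$$
# Scratch copies of pam.conf are staged inside the private directory instead
# of /tmp/pamconf.$$ and /tmp/pamconf2.$$.
PAM_SCRATCH=$PAM_TMP/pamconf.$$
PAM_SCRATCH2=$PAM_TMP/pamconf2.$$

# mkdir is atomic and refuses an existing path (including a symbolic link);
# mode 700 keeps other users out regardless of the caller's umask.
mkdir -m 700 "$PAM_TMP" || return 1

PATH="/usr/bin:/usr/sbin:${PATH}"
export PATH

# Write the default kerberos service entries to ${KERB_ENTRIES}.
setup_kerb_changes() {
#
# No comments or blanks lines allowed in entries below
#
cat > "${KERB_ENTRIES}" << EOF
krlogin auth required pam_unix_cred.so.1
krlogin auth required pam_krb5.so.1
krsh auth required pam_unix_cred.so.1
krsh auth required pam_krb5.so.1
ktelnet auth required pam_unix_cred.so.1
ktelnet auth required pam_krb5.so.1
EOF
}

# Write the default PPP service entries to ${PPP_ENTRIES}.
setup_ppp_changes() {
#
# No comments or blanks lines allowed in entries below
#
cat > "${PPP_ENTRIES}" << EOF
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
EOF
}

# Write the default cron service entry to ${CRON_ENTRIES}.
setup_cron_changes() {
#
# No comments or blanks lines allowed in entries below
#
cat > "${CRON_ENTRIES}" << EOF
cron account required pam_unix_account.so.1
EOF
}

# Returns zero (success) if system is labeled (aka Trusted Extensions).
# 1 otherwise.
#
is_system_labeled() {
    [ ! -x /bin/plabel ] && return 1
    /bin/plabel > /dev/null 2>&1
    return $?
}

# Add any entries for Trusted Extensions, during initial install.
# This is dependent on whether TX is enabled.
add_tx_entries() {
    is_system_labeled
    if [ $? = 0 ] ; then
        grep '^[ ]*other.*account.*pam_tsol_account' "$dest" \
            > /dev/null 2>&1
        if [ $? -ne 0 ] ; then
            # Append new entry
            cat >> "$dest" << EOF
other account required pam_tsol_account.so.1
EOF
            echo "${dest} entry added for Trusted Extensions; \c" \
                >> ${CLEANUP_FILE}
        fi
    fi
}

#
setup_kerb_changes
setup_ppp_changes
setup_cron_changes

while read src dest
do
    if [ ! -f "$dest" ] ; then
        cp "$src" "$dest"
        # Dynamically add any entries for Trusted Extensions if it's enabled
        add_tx_entries
    else
        echo "${dest} default entries updated, \c" \
            >> ${CLEANUP_FILE}
        echo "please examine/update customized entries" \
            >> ${CLEANUP_FILE}
        #
        # Update pam.conf with relative pathname
        #
        if grep '/usr/lib/security/$ISA/pam_' "$dest" > /dev/null 2>&1; then
            sed 's,/usr/lib/security/$ISA/, ', \
                "$dest" > "$PAM_SCRATCH"
            cp "$PAM_SCRATCH" "$dest"
            rm -f "$PAM_SCRATCH"
        fi
        if grep '/usr/lib/security/pam_' "$dest" > /dev/null 2>&1; then
            sed 's,/usr/lib/security/, ', \
                "$dest" > "$PAM_SCRATCH"
            cp "$PAM_SCRATCH" "$dest"
            rm -f "$PAM_SCRATCH"
        fi
        #
        # Update pam.conf with entries for PAM modules pam_authtok_get,
        # pam_authtok_check, pam_authtok_store, pam_unix_auth, pam_unix_account,
        # pam_unix_cred, pam_unix_session, pam_dhkeys and pam_passwd_auth
        #
        echo "${dest} updating pam_unix with default PAM entries \c" \
            >> ${CLEANUP_FILE}
        echo "please examine/update any new entries" \
            >> ${CLEANUP_FILE}
        # Comment lines pass through untouched; each pam_unix.so line is
        # expanded into its replacement modules; a passwd auth line for
        # pam_passwd_auth is appended at END if none was seen.
        nawk '/^#/ { print; next } \
        $4 ~ /pam_unix.so/ && $2 == "auth" { \
            print $1 "\t" $2 " " "requisite\t\t" \
                "pam_authtok_get.so.1"; \
            print $1 "\t" $2 " " $3 "\t\t" \
                "pam_dhkeys.so.1"; \
            print $1 "\t" $2 " " $3 "\t\t" \
                "pam_unix_cred.so.1"; \
            print $1 "\t" $2 " " $3 "\t\t" \
                "pam_unix_auth.so.1"; \
            next \
        } \
        $4 ~ /pam_passwd_auth.so.1/ && $2 == "auth" { \
            if ($1 == "passwd") \
                passwd_seen = 1;\
        }\
        $4 ~ /pam_rhosts_auth/ && $1 == "rsh" && $3 == "required" { \
            print $1 "\t" $2 " " "sufficient\t\t" $4; \
            print $1 "\t" $2 " " "required\t\t" "pam_unix_cred.so.1"; \
            next \
        }\
        $4 ~ /pam_unix_cred/ && $3 == "required" { \
            cred_seen = 1;\
            print; \
            next \
        }\
        $4 ~ /pam_unix_auth/ && $1 == "rsh" && $3 == "required" { \
            if (cred_seen == 0) { \
                print $1 "\t" $2 " " "required\t\t" \
                    "pam_unix_cred.so.1"; \
            } \
            next \
        } \
        $4 ~ /pam_unix_auth/ && $3 == "required" { \
            if (cred_seen == 0) { \
                print $1 "\t" $2 " " "required\t\t" \
                    "pam_unix_cred.so.1"; \
            } \
            print ; \
            next \
        }\
        END { if (passwd_seen == 0) { \
            print "passwd" "\t" "auth required\t\t" \
                "pam_passwd_auth.so.1"; \
            } \
        } \
        $4 ~ /pam_unix.so/ && $2 == "account" { \
            print $1 "\t" $2 " " $3 "\t\t" \
                "pam_unix_account.so.1"; \
            next \
        } \
        $4 ~ /pam_unix.so/ && $2 == "session" { \
            print $1 "\t" $2 " " $3 "\t\t" \
                "pam_unix_session.so.1"; \
            next \
        } \
        $4 ~ /pam_unix.so/ && $2 == "password" { \
            print $1 "\t" $2 " " $3 "\t\t" \
                "pam_dhkeys.so.1"; \
            print $1 "\t" $2 " " "requisite\t\t" \
                "pam_authtok_get.so.1"; \
            print $1 "\t" $2 " " "requisite\t\t" \
                "pam_authtok_check.so.1"; \
            print $1 "\t" $2 " " $3 "\t\t" \
                "pam_authtok_store.so.1"; \
            next \
        } \
        { print }' "$dest" > "$PAM_SCRATCH"
        cp "$PAM_SCRATCH" "$dest"
        rm -f "$PAM_SCRATCH"
        #
        # update pam.conf with entries for roles
        #
        grep 'pam_roles.so' "$dest" > /dev/null 2>&1
        if [ $? = 1 ] ; then
            echo "${dest} updating default entries for roles, \c" \
                >> ${CLEANUP_FILE}
            echo "please examine/update any new entries" \
                >> ${CLEANUP_FILE}
            nawk '/^#/ { print; next } \
            $4 ~ /pam_role_auth/ { next } \
            $2 == "account" && $4 ~ /pam_unix/ { \
                print $1 "\t" $2 " requisite\t\t" \
                    "pam_roles.so.1"; \
                print; \
                next \
            } \
            { print }' "$dest" > "$PAM_SCRATCH"
            cp "$PAM_SCRATCH" "$dest"
            rm -f "$PAM_SCRATCH"
        fi
        #
        # update pam.conf with entries for projects
        #
        grep 'pam_projects.so' "$dest" > /dev/null 2>&1
        if [ $? = 0 ] ; then
            echo "${dest} removing pam_project.so" >> ${CLEANUP_FILE}
            grep -v pam_projects.so "$dest" > "$PAM_SCRATCH"
            cp "$PAM_SCRATCH" "$dest"
            rm -f "$PAM_SCRATCH"
        fi
        #
        # update pam.conf to append PPP entries if not already present
        # (note: default list above already has role added, so we
        # must do this after the upgrade above has run.)
        #
        # NOTE(review): as shown, the bracket expressions in the patterns
        # below contain only a space, while new entries are written with a
        # tab after the service name.  If the class is meant to be
        # space+tab, confirm it; otherwise a second run will not recognise
        # the entries appended by the first.
        #
        rm -f "$PAM_SCRATCH"
        while read e1 e2 e3 e4 e5
        do
            # See if the entry already exists
            grep \
                "^[# ]*$e1[ ][ ]*$e2[ ][ ]*$e3[ ][ ]*$e4" \
                "$dest" >/dev/null 2>&1
            if [ $? = 1 ] ; then
                # Doesn't exist, enter into pam.conf
                echo "$e1\t$e2 $e3\t\t$e4 $e5" >> "$PAM_SCRATCH"
            fi
        done < "${PPP_ENTRIES}"
        # Append PPP lines if any were not present already.
        if [ -f "$PAM_SCRATCH" ] ; then
            cat "$PAM_SCRATCH" >> "$dest"
            echo "${dest} updating entries for PPP; \c" \
                >> ${CLEANUP_FILE}
            echo "please examine/update any new entries" \
                >> ${CLEANUP_FILE}
            rm -f "$PAM_SCRATCH"
        fi
        #
        # update pam.conf to append cron entries if not already present
        # (note: the kerberos default list above already has the cron
        # entries added.)
        #
        rm -f "$PAM_SCRATCH"
        while read e1 e2 e3 e4 e5
        do
            # See if the entry already exists
            grep \
                "^[# ]*$e1[ ][ ]*$e2[ ][ ]*$e3[ ][ ]*$e4" \
                "$dest" >/dev/null 2>&1
            if [ $? = 1 ] ; then
                # Doesn't exist, enter into pam.conf
                echo "$e1\t$e2 $e3\t\t$e4 $e5" >> "$PAM_SCRATCH"
            fi
        done < "${CRON_ENTRIES}"
        # Append cron lines if any were not present already.
        if [ -f "$PAM_SCRATCH" ] ; then
            cat "$PAM_SCRATCH" >> "$dest"
            echo "${dest} updating entries for cron, \c" \
                >> ${CLEANUP_FILE}
            echo "please examine/update any new entries" \
                >> ${CLEANUP_FILE}
            rm -f "$PAM_SCRATCH"
        fi
        #
        # update pam.conf to remove the rlogin entry that uses pam_krb5.so.1
        #
        rm -f "$PAM_SCRATCH"
        sed -e "/^[# ]*rlogin.*pam_krb5.so.1/d" \
            "$dest" > "$PAM_SCRATCH"
        if [ $? -ne 0 ]; then
            echo "Couldn't edit ${PAM_SCRATCH}, rlogin lines have not been \
updated to remove pam_krb5.so.1." \
                >> ${CLEANUP_FILE}
        else
            cp "$PAM_SCRATCH" "$dest"
        fi
        #
        # update pam.conf to remove obsolete flags used with pam_krb5.so.1
        #
        rm -f "$PAM_SCRATCH"
        sed -e "s/\(pam_krb5.so.1.*\)acceptor/\1/g" \
            -e "s/\(pam_krb5.so.1.*\)use_first_pass/\1/g" \
            -e "s/\(pam_krb5.so.1.*\)try_first_pass/\1/g" \
            -e "s/\(pam_krb5.so.1.*\)use_xfn_pass/\1/g" \
            -e "s/\(pam_krb5.so.1.*\)try_xfn_pass/\1/g" \
            "$dest" > "$PAM_SCRATCH"
        if [ $? -ne 0 ]; then
            echo "Couldn't edit ${PAM_SCRATCH} to remove obsolete flags: \
acceptor, use_first_pass, try_first_pass, use_xfn_pass, try_xfn_pass." \
                >> ${CLEANUP_FILE}
        else
            cp "$PAM_SCRATCH" "$dest"
        fi
        #
        # update pam.conf to remove the unnecessary unix_auth entries for the
        # kerberized services.
        #
        rm -f "$PAM_SCRATCH"
        sed -e "/^[# ]*krlogin[ ]*auth[ ]*.*[ ]*pam_unix_auth.so.1/d" \
            -e "/^[# ]*krsh[ ]*auth[ ]*.*[ ]*pam_unix_auth.so.1/d" \
            -e "/^[# ]*ktelnet[ ]*auth[ ]*.*[ ]*pam_unix_auth.so.1/d" \
            -e "s/^\([# ]*krlogin[ ]*auth[ ]*\)binding/\1required/" \
            -e "s/^\([# ]*krsh[ ]*auth[ ]*\)binding/\1required/" \
            -e "s/^\([# ]*ktelnet[ ]*auth[ ]*\)binding/\1required/" \
            "$dest" > "$PAM_SCRATCH"
        if [ $? -ne 0 ]; then
            echo "Couldn't edit ${PAM_SCRATCH}, krlogin, krsh, ktelnet may \
still have pam_unix_auth in their stacks." \
                >> ${CLEANUP_FILE}
        else
            cp "$PAM_SCRATCH" "$dest"
        fi
        #
        # update pam.conf to append kerberos entries if not already present
        #
        rm -f "$PAM_SCRATCH"
        cat "${KERB_ENTRIES}" |
        (while read e1 e2 e3 e4 e5
        do
            # See if the entry already exists
            grep \
                "^[# ]*$e1[ ][ ]*$e2[ ][ ]*$e3[ ][ ]*$e4" \
                "$dest" >/dev/null 2>&1
            if [ $? = 1 ] ; then
                # Check if service name is 'dtlogin' and it is
                # mentioned explicitly, then add kerberos 'dtlogin'
                if [ "$e1" = "dtlogin" ]; then
                    if grep "^[# ]*$e1[ ][ ]*$e2[ ]" \
                        "$dest" >/dev/null 2>&1; then
                        echo "$e1\t$e2 $e3\t\t$e4 $e5" >> "$PAM_SCRATCH"
                    fi
                else
                    # Doesn't exist, enter into pam.conf
                    echo "$e1\t$e2 $e3\t\t$e4 $e5" >> \
                        "$PAM_SCRATCH"
                fi
            else
                # Does exist. To maintain proper stacking order: remove it
                # and append it to the bottom of the conf file.
                grep "^[# ]*$e1[ ][ ]*$e2[ ][ ]*$e3[ ][ ]*$e4" \
                    "$dest" >> "$PAM_SCRATCH" 2>/dev/null
                sed -e "/^[# ]*$e1[ ][ ]*$e2[ ][ ]*$e3[ ][ ]*$e4/d" \
                    "$dest" > "$PAM_SCRATCH2"
                # cp rather than mv, like every other step above: the
                # existing pam.conf is rewritten in place instead of being
                # replaced by the scratch file.
                cp "$PAM_SCRATCH2" "$dest"
                rm -f "$PAM_SCRATCH2"
            fi
        done)
        # Append kerberos lines if any were not present already.
        if [ -f "$PAM_SCRATCH" ] ; then
            cat "$PAM_SCRATCH" >> "$dest"
            echo "${dest} updating entries to add kerberos, \c" \
                >> ${CLEANUP_FILE}
            echo "please examine/update any new entries" \
                >> ${CLEANUP_FILE}
            rm -f "$PAM_SCRATCH"
        fi
        #
        # notify pam_ldap users to manually intervene and examine/update their
        # pam.conf due to the change in pam_ldap functionality.
        #
        grep '^[^#].*pam_ldap.so' "$dest" > /dev/null 2>&1
        if [ $? = 0 ] ; then
            echo "${dest} please examine/update the pam_ldap configuration \c" \
                >> ${CLEANUP_FILE}
            echo "because its functionality has changed, \c" \
                >> ${CLEANUP_FILE}
            echo "refer to pam_ldap(5) documentation for more information" \
                >> ${CLEANUP_FILE}
        fi
        #
    fi
done
#
# Removes the entry lists and any scratch copy still present.
rm -rf "$PAM_TMP"
return 0
}
# placeholder for pkg i.CAS: END

# "e" backout magic definitions BEGIN
DIFF="/usr/bin/diff"
OLD_PATCH_SEPARATOR="___Old_File_Diff_Separator_aBcDeFgHiJkLmN___OjK___5924894_6548915___"
# "e" backout magic definitions END

PATH=/usr/sadm/bin:$PATH

# Absolute paths for the tools used by the patch logic below.
ECHO="/usr/bin/echo"
SED="/usr/bin/sed"
PKGPROTO="/usr/bin/pkgproto"
EXPR="/usr/bin/expr" # used by dirname
MKDIR="/usr/bin/mkdir"
CP="/usr/bin/cp"
RM="/usr/bin/rm"
MV="/usr/bin/mv"
KSH="/usr/bin/ksh"
DIRNAME="/usr/bin/dirname"
BASENAME="/usr/bin/basename"
PATCH_COMMON_LIB="/usr/lib/patch/patch_common_lib"
SAFEMODE_FAILED="Exiting! Patch deferred activation failed"

recovery="no"
Pn=$$
procIdCtr=0

# Commands whose shared-library dependencies are looked up with ldd below.
CMDS_USED="$KSH $ECHO $SED $PKGPROTO $EXPR $MKDIR $CP $RM $MV"
LIBS_USED=""

# An install root of "/" is normalised to the empty string so that later
# tests can use -z to mean "installing onto the running system".
if [ "$PKG_INSTALL_ROOT" = "/" ]; then
    PKG_INSTALL_ROOT=""
fi

# Check to see if this is a patch installation retry.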
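#
# Main body of the 'e' class patch script.
#
# Reads "src dst" pairs on stdin.  For each pair it optionally saves the
# current dst into the backout build area (unless PATCH_NO_UNDO is "true"),
# runs the merged class action function i_casfcs on the pair, and then stores
# a context diff of the original against the result for the undo package.
#
# NOTE(review): the build area defaults to a predictable name under
# $PKG_INSTALL_ROOT/var/tmp and is populated with mkdir -p; whether that
# location is protected from other users is not visible here -- confirm.
#
if [ "$INTERRUPTION" = "yes" ]; then
    if [ -d "$PKG_INSTALL_ROOT/var/tmp/$SUNW_PATCHID.$PKGINST" ] || [ -d "$PATCH_BUILD_DIR/$SUNW_PATCHID.$PKGINST" ]; then
        recovery="yes"
    fi
fi

if [ -n "$PATCH_BUILD_DIR" -a -d "$PATCH_BUILD_DIR" ]; then
    BUILD_DIR="$PATCH_BUILD_DIR/$SUNW_PATCHID.$PKGINST"
else
    BUILD_DIR="$PKG_INSTALL_ROOT/var/tmp/$SUNW_PATCHID.$PKGINST"
fi

FILE_DIR=$BUILD_DIR/files
RELOC_DIR=$FILE_DIR/reloc
ROOT_DIR=$FILE_DIR/root
BO_Deletes=$FILE_DIR/deletes
PROGNAME=`basename $0`

if [ "$PATCH_PROGRESSIVE" = "true" ]; then
    PATCH_NO_UNDO="true"
fi

# Since this is generic, figure out the class.
# (The class is the script name with its first two characters removed.)
Class=`echo $PROGNAME | nawk ' { print substr($0, 3) }'`

if [ "$SAFEMODE_INSTALL" = "true" -a "$Class" = "none" ] ; then
    if [ ! -s "$PATCH_COMMON_LIB" ]; then
        puttext "$SAFEMODE_FAILED"
        exit 1
    fi
    . $PATCH_COMMON_LIB
    InitSafemode || {
        # Quoted so the message reaches puttext as one argument, as in the
        # call above.
        puttext "$SAFEMODE_FAILED"
        exit 1
    }
fi

# Since this is an update, $BASEDIR is guaranteed to be correct
BD=${BASEDIR:-/}

cd $BD

#
# First, figure out the dynamic libraries that can trip us up.
#
# NOTE(review): the nawk program below uses 'continue' outside a loop;
# presumably this nawk treats it like 'next' -- confirm before running it
# under a different awk.
#
if [ -z "$PKG_INSTALL_ROOT" ]; then
    if [ -x /usr/bin/ldd ]; then
        LIB_LIST=`/usr/bin/ldd $CMDS_USED | sort -u | nawk '
            $1 ~ /\// { continue; }
            { printf "%s ", $3 } '`
    else
        LIB_LIST="/usr/lib/libc.so.1 /usr/lib/libdl.so.1 /usr/lib/libw.so.1 /usr/lib/libintl.so.1 /usr/lib/libgen.so.1 /usr/lib/libadm.so.1 /usr/lib/libelf.so.1"
    fi
fi

#
# Now read the list of files in this class to be replaced. If the file
# is already in place, then this is a change and we need to copy it
# over to the build directory if undo is allowed. If it's a new entry
# (No $dst), then it goes in the deletes file for the backout package.
#
LD_LIB_DIR=$PKG_INSTALL_ROOT/var/tmp/LDLIB.$$
# Set to "yes" only after this script itself has created $LD_LIB_DIR.
LD_LIB_CREATED="no"

procIdCtr=0

while read src dst; do
    if [ -z "$PKG_INSTALL_ROOT" ]; then
        Chk_Path=$dst
        for library in $LIB_LIST; do
            if [ "$Chk_Path" = "$library" ]; then
                # The directory becomes LD_LIBRARY_PATH for every
                # command run afterwards, so it must be one this
                # script created.  mkdir fails on an existing path;
                # a directory already sitting at this predictable
                # name is therefore refused rather than trusted.
                if [ "$LD_LIB_CREATED" != "yes" ]; then
                    $MKDIR -m 700 "$LD_LIB_DIR" || {
                        $ECHO "Cannot create private library directory $LD_LIB_DIR" >&2
                        exit 1
                    }
                    LD_LIB_CREATED="yes"
                fi
                $CP $dst $LD_LIB_DIR

                LD_LIBRARY_PATH=$LD_LIB_DIR
                export LD_LIBRARY_PATH
            fi
        done
    fi

    if [ "$PATCH_PROGRESSIVE" = "true" ]; then
        # If this is being used in an old-style patch, insert
        # the old-style script commands here.

        #XXXOld_CommandsXXX#

        echo >/dev/null # dummy
    fi

    if [ "${PATCH_NO_UNDO}" != "true" ]; then
        #
        # Here we construct the path to the appropriate source
        # tree for the build. First we try to strip BASEDIR. If
        # there's no BASEDIR in the path, we presume that it is
        # absolute and construct the target as an absolute path
        # by stripping PKG_INSTALL_ROOT. FS_Path is the path to
        # the file on the file system (for deletion purposes).
        # Build_Path is the path to the object in the build
        # environment.
        #
        # The following rootPath variable accounts for a BASEDIR
        # that is used as a regular variable within the path and
        # not as a variable that a path needs to be relocated to.
        rootPath=`$ECHO $src | $SED s@"$INST_DATADIR/$PKGINST"@@ | \
            nawk -F/ '{print $2}'`
        if [ "$rootPath" = "root" ]; then
            FS_Path=$dst
        elif [ "$BD" = "/" ]; then
            FS_Path=`$ECHO $dst | $SED s@"$BD"@@`
        else
            FS_Path=`$ECHO $dst | $SED "s|^$BD/||"`
        fi

        # If it's an absolute path the attempt to strip the
        # BASEDIR will have failed.
        if [ "$dst" = "$FS_Path" ]; then
            if [ -z "$PKG_INSTALL_ROOT" ]; then
                FS_Path=$dst
                Build_Path="$ROOT_DIR$dst"
            else
                Build_Path="$ROOT_DIR"`echo $dst | \
                    $SED "s|$PKG_INSTALL_ROOT||"`
                FS_Path=`echo $dst | \
                    $SED "s|$PKG_INSTALL_ROOT||"`
            fi
        else
            Build_Path="$RELOC_DIR/$FS_Path"
        fi

        if [ -f "$dst" ]; then # If this is replacing something
            cd $FILE_DIR
            #
            # Construct the prototype file entry. We replace
            # the pointer to the filesystem object with the
            # build directory object.
            #
            $PKGPROTO -c $Class $dst=$FS_Path | \
                $SED -e "s|^f |e |" \
                -e "s|=$dst|=$Build_Path|" >> \
                $BUILD_DIR/prototype

            # Now copy over the file
            if [ "$recovery" = "no" ]; then
                DirName=`dirname $Build_Path`
                $MKDIR -p $DirName
                $CP -p $dst $Build_Path
            else
                # If this file is already in the build area skip it
                # (the continue also skips the i_casfcs call below
                # for this pair).
                if [ -f "$Build_Path" ]; then
                    cd $BD
                    continue
                else
                    DirName=`dirname $Build_Path`
                    if [ ! -d "$DirName" ]; then
                        $MKDIR -p $DirName
                    fi
                    $CP -p $dst $Build_Path
                fi
            fi

            cd $BD
        else # It's brand new
            $ECHO $FS_Path >> $BO_Deletes
        fi
    fi

    # If special processing is required for each src/dst pair,
    # add that here.
    #
    #XXXSpecial_CommandsXXX#
    #

    # "e" backout magic prepare BEGIN
    DST_EXIST="false"
    if [ "${PATCH_NO_UNDO}" != "true" ]; then
        if [ -f "${dst}" ] ; then
            DST_EXIST="true"
        else
            DST_EXIST="false"
        fi
        if [ "${DST_EXIST}" = "true" ] ; then
            #Save original file
            $MKDIR -p "`dirname $Build_Path`"
            $CP "${dst}" "$Build_Path.orig"
            $CP "${dst}" "$Build_Path.old_and_patch"
        fi
    fi
    # "e" backout magic prepare END

    #call merged script
    # NOTE(review): the status of i_casfcs is not checked, so a failure
    # inside it does not stop or fail the patch -- confirm this is the
    # intended best-effort behaviour.
    echo $src $dst | i_casfcs

    procIdCtr=`expr $procIdCtr + 1`

    # "e" backout magic store BEGIN
    if [ "${DST_EXIST}" = "true" ] ; then
        echo "${OLD_PATCH_SEPARATOR}" >> "$Build_Path.old_and_patch"
        $DIFF -C 3 "$Build_Path.orig" "$dst" >> "$Build_Path.old_and_patch"
        # A non-zero diff status is taken to mean the merge changed the file.
        if [ "$?" -ne 0 ] ; then
            #Create a repository for original file and diff in the undo package
            $ECHO "e $Class $FS_Path.old_and_patch=$Build_Path.old_and_patch" >>$BUILD_DIR/prototype
            #Make sure this file does not remain on the system after the backout
            $ECHO "$FS_Path.old_and_patch" >>"$BO_Deletes"
        fi
    fi
    # "e" backout magic store END
done

# If additional operations are required for this package, place
# those package-specific commands here.

#XXXSpecial_CommandsXXX#

#
# Release the dynamic libraries
#
# Only a directory this script created is removed.
if [ "$LD_LIB_CREATED" = "yes" ]; then
    $RM -fr "$LD_LIB_DIR"
fi

exit 0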