#!/bin/sh
#
#ident	"@(#)i.policyconf	1.7	08/05/19 SMI"
#
# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#

PATH="/usr/bin:/usr/sbin:${PATH}"
export PATH

while read src dest
do
	if [ ! -f $dest ] ; then
		cp $src $dest
	else
		#
		# Copy copyright and ident from new file ($src);
		# update the AUTHS_GRANTED and PROFS_GRANTED field.
		# Add the latter if it does not exist.
		# Strip trailing spaces.
		#
		ag="AUTHS_GRANTED=solaris.device.cdrw"
		pg="PROFS_GRANTED=Basic Solaris User"
		sed -n -e '/^[^#]/q;p' < $src > $dest.$$
		sed -n \
		    -e "s/^#AUTHS_GRANTED=$/$ag/" \
		    -e "s/^#PROFS_GRANTED=$/$pg/" \
		    -e "s/^PROFS_GRANTED=Default/$pg/" \
		    -e "s/  *$//" \
		    -e '/^[^#]/,$p' < $dest >> $dest.$$

		if grep 'PROFS_GRANTED=' $dest > /dev/null 2>&1
		then
			cat $dest.$$ > $dest
		else
			sed < $dest.$$ > $dest -e "/^AUTHS_GRANTED=/a\\
$pg"
		fi
		rm -f $dest.$$

		grep 'CRYPT_' $dest > /dev/null 2>&1
		if [ $? = 1 ] ; then
			echo "${dest} updating entries for crypt(3c)," \
			     "see policy.conf(4) for details." \
			    >> ${CLEANUP_FILE}
cat >> $dest <<EOM

# crypt(3c) Algorithms Configuration
#
# CRYPT_ALGORITHMS_ALLOW specifies the algorithms that are allowed to
# be used for new passwords.  This is enforced only in crypt_gensalt(3c).
#
CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6

# To deprecate use of the traditional unix algorithm, uncomment below
# and change CRYPT_DEFAULT= to another algorithm.  For example,
# CRYPT_DEFAULT=1 for BSD/Linux MD5.
#
#CRYPT_ALGORITHMS_DEPRECATE=__unix__

# The Solaris default is the traditional UNIX algorithm.  This is not
# listed in crypt.conf(4) since it is internal to libc.  The reserved
# name __unix__ is used to refer to it.
#
CRYPT_DEFAULT=__unix__
EOM
		fi
		grep PRIV_ $dest >/dev/null 2>&1
		if [ $? = 1 ]; then
			echo "${dest} updating entries for privileges(5)," \
			     "see policy.conf(4) for details." \
			    >> ${CLEANUP_FILE}
cat >> $dest <<EOM
#
# These settings determine the default privileges users have.  If not set,
# the default privileges are taken from the inherited set.
# There are two different settings; PRIV_DEFAULT determines the default
# set on login; PRIV_LIMIT defines the Limit set on login.
# Individual users can have privileges assigned or taken away through
# user_attr.  Privileges can also be assigned to profiles in which case
# the users with those profiles can use those privileges through pfexec(1m).
# For maximum future compatibility, the specifications should
# always include "basic" or "all"; privileges should then be removed using
# the negation.  E.g., PRIV_LIMIT=all,!sys_linkdir takes away only the
# sys_linkdir privilege, regardless of future additional privileges.
# Similarly, PRIV_DEFAULT=basic,!file_link_any takes away only the
# file_link_any privilege from the basic privilege set; only that notation
# is immune from a future addition of currently unprivileged operations to
# the basic privilege set.
# NOTE: removing privileges from the the Limit set requires EXTREME care
# as any set-uid root program may suddenly fail because it lacks certain
# privilege(s).
#
#PRIV_DEFAULT=basic
#PRIV_LIMIT=all
EOM
		fi
		grep 'LOCK_AFTER_RETRIES' $dest > /dev/null 2>&1
		if [ $? = 1 ] ; then
			echo "${dest} updating entry for LOCK_AFTER_RETRIES," \
			    "see pam_unix_auth(5) for details." \
			    >> ${CLEANUP_FILE}
cat >> $dest <<EOM
#
# LOCK_AFTER_RETRIES specifies the default account locking policy for local
# user accounts (passwd(4)/shadow(4)).  The default may be overridden by
# a user's user_attr(4) "lock_after_retries" value.
# YES enables local account locking, NO disables local account locking.
# The default value is NO.
#
#LOCK_AFTER_RETRIES=NO
EOM
		fi
	fi
done

exit 0