#!/usr/bin/ksh
# IBM_PROLOG_BEGIN_TAG 
# This is an automatically generated prolog. 
#  
# bos72L src/bos/usr/sbin/C2admin/rmC2admin.sh 1.8.1.1 
#  
# Licensed Materials - Property of IBM 
#  
# Restricted Materials of IBM 
#  
# COPYRIGHT International Business Machines Corp. 1998,2018 
# All Rights Reserved 
#  
# US Government Users Restricted Rights - Use, duplication or 
# disclosure restricted by GSA ADP Schedule Contract with IBM Corp. 
#  
# IBM_PROLOG_END_TAG 
# @(#)81	1.8.1.1  src/bos/usr/sbin/C2admin/rmC2admin.sh, cmdsadm, bos72L, l2018_12A5 3/19/18 07:18:16
#
# rmC2admin
#
# Remove the configuration files for a C2 system host
#
# Usage:
#   rmC2admin [ -m ]
#

# Restrictive default permissions for anything this script creates, and a
# PATH limited to system directories (cleared before it is set so nothing
# inherited from the caller's environment is kept).
umask 027
unset PATH
PATH=/usr/bin:/etc:/usr/sbin:/sbin:/usr/ucb
export PATH

# Signals are ignored so a partly-removed configuration is not left behind
# (the user is warned later that an interruption may still do that).
trap '' INT HUP TERM QUIT EXIT

###
# This array exists in mkC2admin and rmC2admin.
# It should be changed in both places.
#
# /etc/security/audit/objects MUST be the first entry.
###

# One record per shared file, 7 fields each, flattened into SHARED:
#
#   opt    1 = optional: handled only when /etc/security/files.config marks
#              the file shared (find_opt_file); 0 = always handled
#   orig   private path the file is restored to
#   targ   name of the shared copy under /etc/data.shared
#   owner  ownership applied to the restored file
#   group  group applied to the restored file
#   mode   permissions applied to the restored file
#   tcb    fileset name; when non-empty the restored file is re-registered
#          with tcbck in restore_sysck_cfg, empty = not TCB-tracked
#
# rm_shared_files and restore_sysck_cfg both step through this list 7
# entries at a time, so every record must have exactly 7 fields.
#opt? orig file            targ file   owner   group     mode TCB fileset?
set -A SHARED \
 0 "/etc/security/audit/objects"    "objects"    "root" "audit"   0640  "" \
 0 "/etc/security/.ids"    ".ids"      "root" "security" 0600 "" \
 0 "/etc/security/environ" "environ"   "root" "security" 0640 "" \
 0 "/etc/group"            "etc.group" "root" "security" 0644 bos.rte.security \
 0 "/etc/passwd"          "etc.passwd" "root" "security" 0644 bos.rte.security \
 0 "/etc/security/group"   "group"     "root" "security" 0640 bos.rte.security \
 0 "/etc/hosts"            "hosts"     "root" "system"   0644 "" \
 0 "/etc/security/limits"  "limits"    "root" "security" 0640 "" \
 0 "/etc/security/passwd"  "passwd"    "root" "security" 0600 bos.rte.security \
 0 "/etc/security/user"    "user"      "root" "security" 0640 bos.rte.security \
 0 "/etc/security/services" "services" "root" "security" 0640 "" \
 0 "/etc/security/priv"    "priv"      "root" "security" 0640 "" \
 0 "/etc/security/acl"     "acl"       "root" "security" 0640 "" \
 0 "/etc/security/audit/bincmds"    "bincmds"    "root" "audit"   0640  "" \
 0 "/etc/security/audit/config"     "config"     "root" "audit"   0640  "" \
 0 "/etc/security/audit/events"     "events"     "root" "audit"   0640  "" \
 0 "/etc/security/audit/streamcmds" "streamcmds" "root" "audit"   0640  "" \
 1 "/etc/security/.profile"         ".profile"   "root" "security" 0660  ""

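function find_opt_file {
	# Usage:
	#   find_opt_file file
	#
	# Looks "file" up in /etc/security/files.config, read here as a
	# '|'-separated table: field 2 is the file path, field 1 is a flag
	# (optionally blank/tab padded) whose value y or Y marks the file as
	# shared.  Lines starting with '#' are comments.  Only the first row
	# whose path matches is consulted.
	#
	# Returns 0 if file is marked shared,
	# returns 1 otherwise: no argument, no matching row, flag not y/Y,
	# or files.config missing/unreadable (awk's own non-zero status is
	# folded into 1 so the documented contract holds).

	[[ -z $1 ]] && return 1

	# The argument is quoted and passed through -v; note that awk -v
	# interprets backslash escapes in the value (the paths in SHARED
	# contain none).
	awk -F'|' -v file="$1" '
		BEGIN{rc=1}
		/^#/ {next}
		$2 == file {
			if (match($1, /^[ 	]*[yY][ 	]*$/))
				rc=0
			exit
		}
		END{exit rc}' /etc/security/files.config 2>/dev/null || return 1

	return 0
}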

function rm_shared_files {
	# Walk the SHARED table one 7-field record at a time and turn every
	# shared file back into a private copy: drop the symlink that pointed
	# at /etc/data.shared, copy the shared content into place, then apply
	# the recorded owner, group and mode.
	#
	# Returns 0 when every record was processed, 1 on the first failing
	# rm/cp/chown/chmod.

	typeset -i idx=0 nfields=${#SHARED[*]}
	typeset opt orig targ owner group mode tcb

	while (( idx < nfields )) ; do
		opt=${SHARED[idx]}     orig=${SHARED[idx+1]}  targ=${SHARED[idx+2]}
		owner=${SHARED[idx+3]} group=${SHARED[idx+4]} mode=${SHARED[idx+5]}
		tcb=${SHARED[idx+6]}
		idx=$(( idx + 7 ))

		# Optional entries are skipped unless files.config marks them shared.
		if (( opt == 1 )) && ! find_opt_file "$orig" ; then
			continue
		fi

		if [[ -L $orig ]] ; then
			rm -f "$orig" || return 1
			# Point the audit object rules back at the private path.
			# /etc/security/audit/objects is the first SHARED record, so
			# presumably this edit is meant to land in its already
			# restored private copy.  ex's exit status is not checked.
			ex - /etc/security/audit/objects <<EOF
g?/etc/data.shared/$targ?s??$orig?
w!
q
EOF
		fi
		# The copy is made whether or not $orig was a symlink, so an
		# existing regular file at $orig is overwritten by the shared copy.
		cp -p "/etc/data.shared/$targ" "$orig" || return 1
		chown "$owner"."$group" "$orig" || return 1
		chmod "$mode" "$orig" || return 1
	done

	return 0
}

function restore_sysck_cfg {
	# Walk the SHARED table one 7-field record at a time and, for every
	# record that names a TCB fileset, re-register the restored private
	# file with tcbck and drop the shared copy from the TCB database.
	#
	# Returns 0 when every record was processed, 1 on the first failing
	# tcbck -d/-a on the private file.

	typeset -i idx=0 nfields=${#SHARED[*]}
	typeset opt orig targ owner group mode tcb

	while (( idx < nfields )) ; do
		opt=${SHARED[idx]}     orig=${SHARED[idx+1]}  targ=${SHARED[idx+2]}
		owner=${SHARED[idx+3]} group=${SHARED[idx+4]} mode=${SHARED[idx+5]}
		tcb=${SHARED[idx+6]}
		idx=$(( idx + 7 ))

		# Optional entries are skipped unless files.config marks them shared.
		if (( opt == 1 )) && ! find_opt_file "$orig" ; then
			continue
		fi

		# Only entries that carry a fileset name are TCB-tracked.
		[[ -n $tcb ]] || continue

		tcbck -d "$orig" || return 1
		tcbck -a "$orig" \
			owner="$owner" \
			group="$group" \
			mode="TCB,$mode" \
			type=FILE \
			class="apply,inventory,$tcb" || return 1
		# Removal of the shared copy's entry is not checked; presumably
		# best-effort (it may already be gone) — confirm before tightening.
		tcbck -d "/etc/data.shared/$targ"
	done

	return 0
}

###############################################


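# Option state, set by -m below; initialised so the later tests do not
# depend on an unset variable evaluating to 0.
mflg=0

# check if properly configured.  The arms below treat isC2host -i as:
#   0 = C2 installed and initialised, 1 = installed but not initialised,
#   2 = not installed, anything else = error.
isC2host -i 2>/dev/null
case $? in
	0)
		# check if currently in C2 mode
		[[ ! -d /etc/data.shared ]] && {
			dspmsg C2.cat 3 "%s: This system was not configured to operate in C2 mode.\n" "${0##*/}" >&2
			exit 1
		}
		;;
	1)
		# C2 installed but not initialized
		dspmsg C2.cat 3 "%s: This system was not configured to operate in C2 mode.\n" "${0##*/}" >&2
		exit 1
		;;
	2)
		# C2 not installed
		dspmsg C2.cat 2 "%s: This system was not installed using the C2 option.\n" "${0##*/}" >&2
		exit 1
		;;
	*)
		dspmsg C2.cat 10 "%s: An error occurred removing the C2 distributed system information.\n" "${0##*/}" >&2
		exit 2
		;;
esac

# -m is the only option, matching the usage message.  The option string
# used to be "a:m", but -a was never handled beyond the usage error, so it
# still ends in exit 4; getopts now reports it as an illegal option.
while getopts m var
do
	case $var in
	m)	mflg=1;;
	*)	dspmsg C2.cat 9 "Usage: rmC2admin [ -m ]\n" >&2
		exit 4
		;;
	esac
done

shift $(( OPTIND - 1 ))

[[ $mflg -eq 1 ]] && {
	# "loopback" is hard-coded in mkC2admin
	if ! fgrep -q "loopback" /etc/security/admin_host 2>/dev/null
	then
		dspmsg C2.cat 16 "%s: This machine was not configured as a C2 administrative host.\n" "${0##*/}" >&2
		exit 3
	fi
}

# A current directory anywhere below the mount point keeps it busy just as
# the mount point itself does, so refuse the whole subtree, not only the
# exact path.
[[ $PWD = /etc/data.shared || $PWD = /etc/data.shared/* ]] && {
	dspmsg C2.cat 15 "%s: Cannot unmount %s.  Ensure that it is not your current directory.\n" "${0##*/}" /etc/data.shared >&2
	exit 2
}

dspmsg C2.cat  14 "%s: The system may be left in an inconsistent state if this script is interrupted.\n" "${0##*/}"

# The admin-host marker is removed first; if a later step fails the script
# exits 2 with the marker already gone (the warning above covers this).
rm -f /etc/security/admin_host
rm_shared_files || {
	dspmsg C2.cat 10 "%s: An error occurred removing the C2 distributed system information.\n" "${0##*/}" >&2
	exit 2
}
restore_sysck_cfg || {
	dspmsg C2.cat 10 "%s: An error occurred removing the C2 distributed system information.\n" "${0##*/}" >&2
	exit 2
}
# NOTE(review): the umount/rmfs status is not checked, so if the unmount
# fails the rm -rf below runs against the still-mounted shared filesystem.
# Presumably best-effort so a re-run after a partial removal can still
# clean up — confirm before tightening.
umount -f /etc/data.shared >/dev/null
rmfs -r /etc/data.shared >/dev/null
rm -rf /etc/data.shared >/dev/null

[[ $mflg -eq 1 ]] && {
	# remove /etc/data.master filesystem
	# and the hd10sec logical volume.
	# All four steps are best-effort: their status is not checked.
	exportfs -uv /etc/data.master >/dev/null
	umount -f /etc/data.master >/dev/null
	rmnfsexp -d /etc/data.master -B >/dev/null
	rmfs -r /etc/data.master >/dev/null
}

# remove entries from /etc/inittab; the chain stops at the first failure
# and the test below reports it.
rmitab isC2host >/dev/null &&
	rmitab rcC2 >/dev/null &&
	rmitab rcdacinet >/dev/null

[[ $? -ne 0 ]] && {
	dspmsg C2.cat 10 "%s: An error occurred removing the C2 distributed system information.\n" "${0##*/}" >&2
	exit 2
}

dspmsg -s 1 C2.cat 11 "%s: The system must be rebooted for this change to take effect.\n" "${0##*/}"

exit 0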