#!/usr/bin/ksh
# IBM_PROLOG_BEGIN_TAG 
# This is an automatically generated prolog. 
#  
# bos72L src/bos/usr/sbin/C2admin/mkCCadmin.sh 1.2.1.1 
#  
# Licensed Materials - Property of IBM 
#  
# Restricted Materials of IBM 
#  
# COPYRIGHT International Business Machines Corp. 2002,2018 
# All Rights Reserved 
#  
# US Government Users Restricted Rights - Use, duplication or 
# disclosure restricted by GSA ADP Schedule Contract with IBM Corp. 
#  
# IBM_PROLOG_END_TAG 
# @(#)94	1.2.1.1  src/bos/usr/sbin/C2admin/mkCCadmin.sh, cmdsadm, bos72L, l2018_12A5 3/19/18 06:33:34
#
# mkCCadmin
#
# Initialize the security directories for use in a CC system
# configuration.
#
# Usage:
#   mkCCadmin { [ -m ] | [ -a address ] hostname }
#

umask 027
unset PATH
export PATH=/usr/bin:/etc:/usr/sbin:/sbin:/usr/ucb

# ignore signals to prevent inconsistent state
trap "" INT HUP TERM QUIT EXIT

###
# This array exists in mkCCadmin and rmCCadmin.
# It should be changed in both places.
#
# /etc/security/audit/objects MUST be the first entry.
###

#opt? orig file            targ file   owner   group     mode TCB fileset?
set -A SHARED \
 0 "/etc/security/audit/objects"    "objects"    "root" "audit"   0640  "" \
 0 "/etc/security/.ids"    ".ids"      "root" "security" 0600 "" \
 0 "/etc/security/environ" "environ"   "root" "security" 0640 "" \
 0 "/etc/group"            "etc.group" "root" "security" 0644 bos.rte.security \
 0 "/etc/passwd"          "etc.passwd" "root" "security" 0644 bos.rte.security \
 0 "/etc/security/group"   "group"     "root" "security" 0640 bos.rte.security \
 0 "/etc/hosts"            "hosts"     "root" "system"   0644 "" \
 0 "/etc/security/limits"  "limits"    "root" "security" 0640 "" \
 0 "/etc/security/passwd"  "passwd"    "root" "security" 0600 bos.rte.security \
 0 "/etc/security/user"    "user"      "root" "security" 0640 bos.rte.security \
 0 "/etc/security/services" "services" "root" "security" 0640 "" \
 0 "/etc/security/priv"    "priv"      "root" "security" 0640 "" \
 0 "/etc/security/acl"     "acl"       "root" "security" 0640 "" \
 0 "/etc/security/audit/bincmds"    "bincmds"    "root" "audit"   0640  "" \
 0 "/etc/security/audit/config"     "config"     "root" "audit"   0640  "" \
 0 "/etc/security/audit/events"     "events"     "root" "audit"   0640  "" \
 0 "/etc/security/audit/streamcmds" "streamcmds" "root" "audit"   0640  "" \
 1 "/etc/security/.profile"         ".profile"   "root" "security" 0660  ""

function find_opt_file {
	# Usage:
	# find_opt_file file
	# returns 0 if file is shared
	# returns 1 otherwise.

	[[ -z $1 ]] && return 1

	awk -F\| -vfile=$1 '
		BEGIN{rc=1}
		/^#/ || /^[ 	]*$/ {next}
		$2 == file {
			if (match($1, /^[ 	]*[yY][ 	]*$/))
				rc=0
			exit
		}
		END{exit rc}' /etc/security/files.config 2>/dev/null

	return $?
}

function copy_shared_files {
	# Usage:
	# copy_shared_files dir

	typeset -i i=0;
	typeset -r d=${1?}
	typeset opt orig targ owner group mode tcb

	while [[ $i -lt ${#SHARED[*]} ]] ; do

		opt=${SHARED[$i]}    ; i=$i+1
		orig=${SHARED[$i]}   ; i=$i+1
		targ=${SHARED[$i]}   ; i=$i+1
		owner=${SHARED[$i]}  ; i=$i+1
		group=${SHARED[$i]}  ; i=$i+1
		mode=${SHARED[$i]}   ; i=$i+1
		tcb=${SHARED[$i]}    ; i=$i+1

		[[ $opt -eq 1 ]] && {
			find_opt_file $orig || continue
		}

		cp $orig $d/$targ || return 1
		chown "$owner"."$group" $d/$targ || return 1
		chmod "$mode" $d/$targ || return 1

	done

	return 0;
}

function link_shared_files {
	# Usage:
	# link_shared_files dir

	typeset -i i=0;
	typeset -r d=${1?}
	typeset opt orig targ owner group mode tcb

	while [[ $i -lt ${#SHARED[*]} ]] ; do

		opt=${SHARED[$i]}    ; i=$i+1
		orig=${SHARED[$i]}   ; i=$i+1
		targ=${SHARED[$i]}   ; i=$i+1
		owner=${SHARED[$i]}  ; i=$i+1
		group=${SHARED[$i]}  ; i=$i+1
		mode=${SHARED[$i]}   ; i=$i+1
		tcb=${SHARED[$i]}    ; i=$i+1

		[[ $opt -eq 1 ]] && {
			find_opt_file $orig || continue
		}

		ln -sf $d/$targ $orig || return 1
		ex - /etc/security/audit/objects <<EOF
g?$orig?s??$d/$targ?
w!
q
EOF
	done

	return 0;
}

function update_sysck_cfg {
	typeset -r d=${1?}
	typeset -i i=0;
	typeset opt orig targ owner group mode tcb

	while [[ $i -lt ${#SHARED[*]} ]] ; do

		opt=${SHARED[$i]}    ; i=$i+1
		orig=${SHARED[$i]}   ; i=$i+1
		targ=${SHARED[$i]}   ; i=$i+1
		owner=${SHARED[$i]}  ; i=$i+1
		group=${SHARED[$i]}  ; i=$i+1
		mode=${SHARED[$i]}   ; i=$i+1
		tcb=${SHARED[$i]}    ; i=$i+1

		[[ $opt -eq 1 ]] && {
			find_opt_file $orig || continue
		}

		[[ ! -z $tcb ]] && {
			tcbck -d $orig || return 1

			tcbck -a $orig \
				owner=root \
				group=system \
				mode=TCB,777 \
				type=SYMLINK \
				target=$d/$targ \
				class=apply,inventory,$tcb || return 1

			tcbck -a $d/$targ \
				owner=$owner \
				group=$group \
				mode=$mode \
				class=apply,inventory,$tcb
		}

	done

	return 0;
}

function create_data_dir {
	# Usage:
	# create_data_dir dir
	typeset -r dir=${1?}

	[[ ! -d $dir ]] && {
		mkdir $dir || return 1
	}
	chown root.security $dir || return 1
	chmod 755 $dir || return 1

	return 0;
}

###############################################

isCChost -i 2>/dev/null
case $? in
	0):
		# check if currently in CC mode
		[[ -d /etc/data.shared ]] && {
			dspmsg CC.cat 7 "%s: This system is already configured to operate in CC mode.\n" ${0##*/} >&2
			exit 3
		}
		;;
	1):
		# CC installed but not initialized
		;;
	2):
		# check if CC is installed
	   dspmsg CC.cat 2 "%s: This system was not installed using the CC option.\n" ${0##*/} >&2
		exit 1
		;;
	*):
	   dspmsg CC.cat 6 "%s: An error occured while initializing the administrative host.\n" ${0##*/} >&2
		exit 2
		;;
esac

while getopts a:m var
do
	case $var in
	a)	address="$OPTARG";;
	m)	mflg=1;
		hostname=loopback;;
	*)	dspmsg CC.cat 8 "Usage: mkCCadmin { [ -m ] | [ -a address ] hostname }" >&2
		exit 2
		;;
	esac
done

shift $(( $OPTIND - 1 ))

dspmsg CC.cat  14 "%s: The system may be left in an inconsistent state if this script is interrupted.\n" ${0##*/}

[[ -z $mflg ]] && hostname=$1

# verify the supplied hostname
if ! host "$hostname" >/dev/null 2>&1
then
	if [[ -z $address ]]
	then
	   dspmsg CC.cat 5 "%s: Administrative host \"%s\" is unknown.\n" ${0##*/} "$hostname" >&2
		exit 2
	else
		# add to /etc/hosts
		hostent -a $address -h $hostname >/dev/null || {
			dspmsg CC.cat 6 "%s: An error occured while initializing the administrative host.\n" ${0##*/} >&2
			exit 2;
		}
	fi
fi

# update admin_host file
echo "$hostname" > /etc/security/admin_host || {
	dspmsg CC.cat 6 "%s: An error occured while initializing the administrative host.\n" ${0##*/} >&2
	exit 3;
}

# create /etc/data.shared
create_data_dir /etc/data.shared || {
	dspmsg CC.cat 6 "%s: An error occured while initializing the administrative host.\n" ${0##*/} >&2
	exit 2;
}
[[ ! -f /etc/security/.ids ]] && touch /etc/security/.ids
copy_shared_files /etc/data.shared &&
link_shared_files /etc/data.shared
[[ $? -ne 0 ]] && {
	dspmsg CC.cat 6 "%s: An error occured while initializing the administrative host.\n" ${0##*/} >&2
	exit 2;
}
update_sysck_cfg /etc/data.shared || {
	dspmsg CC.cat 6 "%s: An error occured while initializing the administrative host.\n" ${0##*/} >&2
	exit 2;
}

# if mflg=1, create /etc/data.master
[[ ! -z $mflg ]] && {
	# create /dev/hd10sec
	mklv -y'hd10sec' -tjfs2 rootvg 2 >/dev/null || {
		dspmsg CC.cat 6 "%s: An error occured while initializing the administrative host.\n" ${0##*/} >&2
		exit 2;
	}
	locale yesstr | awk -F: '{print $1}' | read y
	locale nostr  | awk -F: '{print $1}' | read n
	crfs -v jfs2 -d'hd10sec' -m'/etc/data.master' -A$y -p'rw' -t$n >/dev/null || {
		dspmsg CC.cat 6 "%s: An error occured while initializing the administrative host.\n" ${0##*/} >&2
		exit 2;
	}

	create_data_dir /etc/data.master || {
		dspmsg CC.cat 6 "%s: An error occured while initializing the administrative host.\n" ${0##*/} >&2
		exit 2;
	}
	mount /etc/data.master >/dev/null || {
		dspmsg CC.cat 6 "%s: An error occured while initializing the administrative host.\n" ${0##*/} >&2
		exit 2;
	}
	chown root.security /etc/data.master
	chmod 755 /etc/data.master
	copy_shared_files /etc/data.master || {
		dspmsg CC.cat 6 "%s: An error occured while initializing the administrative host.\n" ${0##*/} >&2
		exit 2;
	}
	mknfsexp -d /etc/data.master -t rw -a 0 -B >/dev/null || {
		dspmsg CC.cat 6 "%s: An error occured while initializing the administrative host.\n" ${0##*/} >&2
		exit 2;
	}
}

# mount /etc/data.shared
mknfsmnt -f /etc/data.shared -d /etc/data.master -h $hostname -k tcp -n -I -a -t rw -w bg -Y -Z -X -H >/dev/null || {
	dspmsg CC.cat 6 "%s: An error occured while initializing the administrative host.\n" ${0##*/} >&2
	exit 2;
}

# add items to /etc/inittab
mkitab -i rc "isCChost:2:wait:/usr/sbin/isCChost -s >/dev/console 2>&1" && 
	mkitab -i rcnfs "rcCC:2:wait:/etc/rc.CC >/dev/console 2>&1" && 
	mkitab -i rcCC "rcdacinet:2:wait:/etc/rc.dacinet >/dev/console 2>&1"

[[ $? -ne 0 ]] && {
	dspmsg CC.cat 6 "%s: An error occured while initializing the administrative host.\n" ${0##*/} >&2
	exit 2;
}

dspmsg -s 1 CC.cat 11 "%s: The system must be rebooted for this change to take effect.\n" ${0##*/}

exit 0;