#! /bin/sh
#
# Copyright (c) 1993, 2012, Oracle and/or its affiliates. All rights reserved.
#
# ident	"@(#)bsmunconv.sh	1.28	12/02/16 SMI"
#

PROG=bsmunconv
TEXTDOMAIN="SUNW_OST_OSCMD"
export TEXTDOMAIN

# Perform required permission checks, depending on value of LOCAL_ROOT
# (whether we are converting the active OS or just alternative boot
# environments).
permission()
{
cd /usr/lib
ZONE=`/sbin/zonename`
if [ ! "$ZONE" = "global" -a "$LOCAL_ROOT" = "true" ]
then
	form=`gettext "%s: ERROR: you must be in the global zone to run this script."`
	printf "${form}\n" $PROG
	exit 1
fi

WHO=`id | cut -f1 -d" "`
if [ ! "$WHO" = "uid=0(root)" ]
then
	form=`gettext "%s: ERROR: you must be super-user to run this script."`
	printf "${form}\n" $PROG
	exit 1
fi

set -- `/usr/bin/who -r`
RUNLEVEL="$3"
if [ "$RUNLEVEL" -ne "S" -a "$LOCAL_ROOT" = "true" ]
then
	form=`gettext "%s: ERROR: this script should be run at run level S."`
	printf "${form}\n" $PROG
	form=`gettext "Are you sure you want to continue? [y/n]"`
	echo "$form \c"
	read RESP
	case $RESP in
		`gettext "n"`*|`gettext "N"`* ) exit 1 ;;
	esac
fi

RESP="x"
while [ "$RESP" != `gettext "y"` -a "$RESP" != `gettext "n"` ]
do
gettext "This script is used to disable the Basic Security Module (BSM).\n"
form=`gettext "Shall we continue the reversion to a non-BSM system now? [y/n]"`
echo "$form \c"
read RESP
done

if [ "$RESP" = `gettext "n"` ]
then
	form=`gettext "%s: INFO: aborted, due to user request."`
	printf "${form}\n" $PROG
	exit 2
fi
}

bsmunconvert()
{
# Turn off device allocation. This is not currently done for alternate
# boot environments.
if [ -z "$ROOT" -o "$ROOT" = "/" ]
then
	/usr/sbin/devfsadm -d
fi

# disable auditd service on next boot
cat >> ${ROOT}/var/svc/profile/upgrade <<SVC_UPGRADE
/usr/sbin/svcadm disable system/auditd 
SVC_UPGRADE

# restore volume manager startup on next boot using the
# previous state saved by bsmconv.sh
state="enable"
if [ -f ${ROOT}/etc/security/spool/vold.state ]; then 
	prev_state=`cat ${ROOT}/etc/security/spool/vold.state`
	if [ ${prev_state} != "online" ]; then
		state="disable"
	fi
fi
cat >> ${ROOT}/var/svc/profile/upgrade <<SVC_UPGRADE
svcadm ${state} svc:/system/filesystem/volfs:default
SVC_UPGRADE

# Turn off auditing in the loadable module

if [ -f ${ROOT}/etc/system ]
then
	form=`gettext "%s: INFO: removing c2audit:audit_load from %s/etc/system."`
	printf "${form}\n" $PROG $ROOT
	grep -v "c2audit:audit_load" ${ROOT}/etc/system > /etc/security/etc.system.$$
	mv /etc/security/etc.system.$$ ${ROOT}/etc/system
else
	form=`gettext "%s: ERROR: can't find %s/etc/system."`
	printf "${form}\n" $PROG $ROOT
	form=`gettext "%s: ERROR: audit module may not be disabled."`
	printf "${form}\n" $PROG
fi

# If we are currently converting the active host (${ROOT}="/") we will
# need to ensure that cron is not running. cron should not be running
# at run-level S, but it may have been started by hand.

if [ -z "$ROOT" -o "$ROOT" = "/" ]
then
	/usr/bin/pgrep -u root -f /usr/sbin/cron > /dev/null
	if [ $? -eq 0 ]; then
		form=`gettext "%s: INFO: stopping the cron daemon."`
		printf "${form}\n" $PROG

		/usr/sbin/svcadm disable -t system/cron
	fi
fi

rm -f ${ROOT}/var/spool/cron/atjobs/*.au
rm -f ${ROOT}/var/spool/cron/crontabs/*.au

}

# main

if [ $# -eq 0 ]
then

	# converting local root, perform all permission checks
	LOCAL_ROOT=true
	permission

	# begin conversion
	ROOT=
	bsmunconvert
	echo
	gettext "The Basic Security Module has been disabled.\n"
	gettext "Reboot this system now to come up without BSM.\n"
else

	# determine if local root is being converted ("/" passed on
	# command line), if so, full permission check required
	LOCAL_ROOT=false
	for ROOT in $@
	do
		if [ "$ROOT" = "/" ]
		then
			LOCAL_ROOT=true
		fi
	done

	# perform required permission checks (depending on value of
	# LOCAL_ROOT)
	permission

	for ROOT in $@
	do
		bsmunconvert $ROOT
	done

	echo
	gettext "The Basic Security Module has been disabled.\n"
	gettext "Reboot each system that was disabled to come up without BSM.\n"
fi

exit 0

