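#!/bin/sh
# /sbin/pamconfig - Adds appropriate entries to /etc/pam.conf
# Unless otherwise specified, takes defaults for each service type
# from the appropriate "DEFAULT" (case-sensitive) entry in /etc/pam.conf.
# Only adds entries if *no* entries for the service type exist yet.
# When asked to remove a service type, it only removes it if all
# the service types are set to the current default. Otherwise they
# are preserved.
# FIXME: removing not implemented.
#
# Each --*list value is a shell-quoted string of "control module options"
# triples (see usage below). The lists are later split with eval, i.e.
# interpreted as shell code, so only pass lists you assembled yourself.

#######################################
# Print an optional diagnostic plus the usage text to stderr and exit 1.
# Arguments: $1 - optional message explaining why usage is being shown
# Returns:   never (exits 1)
#######################################
usage () {
  if [ -n "$1" ] ; then
    printf '%s\n' "$1" 1>&2
  fi
  # Quoted delimiter: the text is printed literally, nothing is expanded.
  cat 1>&2 <<'EOF'
usage: /sbin/pamconfig --add|--remove --service=
include:
--authlist= --acctlist= --password= --sesslist=
module lists are lists of triples of requirement, module name, options,
done like this (for the most common case of an empty options list):
--authlist='sufficient /lib/security/pam_rhosts_auth.so "" required /lib/security/pam_unix_auth.so ""'
To leave out a type, uses "none", like this: --sesslist=none
EOF
  exit 1
}

# Option values, initialised so "unset" and "empty" never differ below.
action=
service=
authlist=
acctlist=
password=
sesslist=

# Loop on the argument count rather than on "$1 is non-empty" so an empty
# argument is reported instead of silently ending the parse.
while [ $# -gt 0 ] ; do
  case "$1" in
    --add)        action=add ;;
    --remove)     action=remove ;;
    # ${1#prefix} strips the option name without word-splitting the value
    # (the former echo|sed pipeline mangled whitespace and backslashes).
    # The patterns require the "=", so "--servicefoo" is an error.
    --service=*)  service=${1#--service=} ;;
    --authlist=*) authlist=${1#--authlist=} ;;
    --acctlist=*) acctlist=${1#--acctlist=} ;;
    --password=*) password=${1#--password=} ;;
    --sesslist=*) sesslist=${1#--sesslist=} ;;
    *)            usage "unknown argument: $1" ;;
  esac
  shift
done

if [ -z "$action" ] ; then
  usage "Need to specify --add or --remove"
fi
if [ -z "$service" ] ; then
  usage "Need to specify --service="
fi
# The service name becomes the first field of every pam.conf line written:
# whitespace would split that field and '#' would comment out the rest.
case "$service" in
  *[[:space:]]*|*'#'*) usage "Service name must not contain whitespace or '#'" ;;
esac

# the $5 thing is a hack so that everything works for now with a
# single argument. We need something which works better in the
# future; this will at least allow us to keep the calling convention
# compatible as we upgrade this script to handle multiple arguments
# later.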
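#######################################
# Print the DEFAULT triple list for one service type from /etc/pam.conf,
# in the quoted "control module options" form the --*list options take.
# Only the first word of the options field ($5) is kept (the hack noted
# above).
# Arguments: $1 - pam service type: auth, account, password or session
# Outputs:   one triple per matching DEFAULT line on stdout; nothing when
#            no such line exists
#######################################
default_list () {
  # Compare fields instead of grepping '^DEFAULT[ ]+type[ ]+': this also
  # matches tab-separated lines (common in pam.conf) and cannot be
  # confused by regex metacharacters.
  awk -v ptype="$1" \
    '$1 == "DEFAULT" && $2 == ptype { print $3 " " $4 " \"" $5 "\"" }' \
    /etc/pam.conf
}

# Any type not given on the command line falls back to the DEFAULT entry.
if [ -z "$authlist" ] ; then
  authlist=$(default_list auth)
fi
if [ -z "$acctlist" ] ; then
  acctlist=$(default_list account)
fi
if [ -z "$password" ] ; then
  password=$(default_list password)
fi
if [ -z "$sesslist" ] ; then
  sesslist=$(default_list session)
fi

#######################################
# Print the pam.conf lines for one service type of $service.
# Globals:   service (read)
# Arguments: $1 - service type (auth, account, password, session)
#            $2 - quoted triple list; "none" or an empty list yields nothing
# Outputs:   one "service type control module options" line per triple
#######################################
emit_entries () {
  ptype=$1
  # The list is a shell-quoted string (see usage), so eval is the only way
  # to split it into words. It is interpreted as shell code: never feed it
  # anything but the caller's own arguments or /etc/pam.conf DEFAULT lines.
  # $2 stays unquoted so a multi-line list (several DEFAULT lines) is
  # joined into one "set" command instead of running its later lines as
  # commands. "--" keeps a leading "-" from being read as a set option,
  # and an empty list clears the parameters instead of dumping every
  # shell variable (which a bare "set" does). Inside a function "set"
  # only changes the function's own positional parameters.
  eval set -- $2
  # Stop at an empty module name. A trailing triple that lacks its options
  # word is written with empty options; shifting only what is left avoids
  # the "can't shift that many" error that aborts some /bin/sh mid-write.
  while [ -n "$2" ] ; do
    printf '%s %s %s %s %s\n' "$service" "$ptype" "$1" "$2" "$3"
    if [ $# -ge 3 ] ; then
      shift 3
    else
      shift $#
    fi
  done
}

if [ "$action" = add ] ; then
  # service has already been added; don't configure it
  # because that could damage a user's system!
  # Exact first-field comparison rather than egrep "^$service[ ]+": a name
  # with regex metacharacters can no longer match the wrong line, and a
  # tab-separated existing entry is no longer overlooked.
  if awk -v svc="$service" '$1 == svc { found = 1 } END { exit !found }' \
      /etc/pam.conf 2>/dev/null ; then
    exit 0
  fi
  # Assemble the whole stanza first and append it with one write so an
  # interrupted run cannot leave a half-written service behind.
  stanza=$(
    printf '# %s authorization\n' "$service"
    emit_entries auth "$authlist"
    emit_entries account "$acctlist"
    emit_entries password "$password"
    emit_entries session "$sesslist"
  )
  # $(...) strips the final newline; restore it plus the blank separator
  # line each stanza ends with.
  if ! printf '%s\n\n' "$stanza" >> /etc/pam.conf ; then
    printf 'pamconfig: cannot write to /etc/pam.conf\n' 1>&2
    exit 1
  fi
else
  # action must be remove
  # this is a stub until I write it; it won't hurt anything to
  # leave things in for now...
  :
fi
exit 0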