#!/usr/bin/perl -w

#----------------------------------------------------------------------
# copyright (C) 1999-2003 Mitel Networks Corporation
# 
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
# 		
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# 		
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
# 
# Technical support for this program is available from Mitel Networks 
# Please visit our web site www.mitel.com/sme/ for details.
#----------------------------------------------------------------------
package esmith;

use strict;
use Errno;
use esmith::util;
use esmith::ConfigDB;

# A read-only handle is all this script needs: it only consults the
# "ldap" record to decide which account-management tools to run.
my $conf = esmith::ConfigDB->open_ro
    or die "Could not open Config DB";

# 'enabled' selects the LDAP tooling (/usr/sbin/cpu) for the accounts
# below; any other value, or a missing property, means the plain
# shadow-suite tools are used.
my $ldap_record = $conf->get('ldap');
my $ldapauth    = $ldap_record->prop('Authentication') || 'disabled';

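# Create group "shared" if not already present.  Under LDAP
# authentication the group is managed through cpu, otherwise groupadd
# creates it directly as a system group (-r).
unless (getgrnam("shared"))
{
    my @groupadd = $ldapauth eq 'enabled'
        ? qw(/usr/sbin/cpu groupadd shared)
        : qw(/usr/sbin/groupadd -r shared);

    # List-form system() execs the tool directly (no shell).  A failure
    # is reported rather than silently ignored; later steps add accounts
    # to this group and would otherwise fail without explanation.
    system(@groupadd) == 0
        or warn "Failed to create group shared (status $?)\n";
}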

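# Create other required groups and users, each only if still missing.
# Each entry is [ exists-check, @command ].  The ids are fixed on the
# command line; -r marks a system account, -f makes groupadd succeed if
# the group already exists and -o permits a duplicate gid.
my @required_accounts = (
    [ sub { getgrnam("slocate") },
      qw(/usr/sbin/groupadd -g 21 -r -f slocate) ],
    [ sub { getpwnam("ntp") },
      qw(/usr/sbin/useradd -u 38 -s /sbin/nologin -d /etc/ntp ntp) ],
    [ sub { getgrnam("apache") },
      qw(/usr/sbin/groupadd -g 102 -r -o -f apache) ],
);

for my $entry (@required_accounts)
{
    my ($exists, @cmd) = @$entry;
    next if $exists->();

    # Report a failed create instead of silently carrying on; the
    # script itself keeps going as before.
    system(@cmd) == 0
        or warn "Failed to run '@cmd' (status $?)\n";
}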

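#--------------------------------------------------
# Create user "admin" if not already present.  Under LDAP authentication
# the account is created through cpu and root-group membership is added
# separately with gpasswd (root is not in LDAP); otherwise useradd does
# both.  Every command is run with list-form system(), so no shell is
# involved and arguments are passed verbatim.
#--------------------------------------------------
if ( !getpwnam("admin") )
{
    my @useradd = $ldapauth eq 'enabled'
        ? ('/usr/sbin/cpu', 'useradd', '-f', 'e-smith', '-E', 'administrator',
           '-d', '/home/e-smith', '-G', 'shared', '-M',
           '-s', '/sbin/e-smith/console', 'admin')
        : ('/usr/sbin/useradd', '-c', 'e-smith administrator',
           '-d', '/home/e-smith', '-G', 'root,shared', '-M',
           '-s', '/sbin/e-smith/console', 'admin');

    # Report a failed create; the remaining steps still run as before.
    system(@useradd) == 0
        or warn "Failed to create user admin (status $?)\n";

    if ($ldapauth eq 'enabled')
    {
        system(qw(/usr/bin/gpasswd -a admin root)) == 0
            or warn "Failed to add admin to group root (status $?)\n";
    }
}
else
{
    #--------------------------------------------------
    # admin account already exists.  Re-apply the shell and home
    # directory, and make sure admin is in "shared" and "www" (plus
    # "root" unless LDAP is in use) without disturbing any other group
    # memberships.  Start from the current supplementary group list; the
    # command is a constant string, so the shell redirection is fine.
    #--------------------------------------------------
    my $groups = `/usr/bin/id -G -n admin 2>/dev/null`;
    if ($? != 0)
    {
        die "Failed to get supplementary group list for admin.\n";
    }
    chomp ($groups);

    # split ' ' also discards leading whitespace, so no empty group name
    # can reach usermod.
    my @groupList = split (' ', $groups);

    #--------------------------------------------------
    # Drop the groups managed here (and admin's own group), then add them
    # back so each is listed exactly once.  "apache" is dropped as well:
    # it is the alias of the www group.
    #--------------------------------------------------
    @groupList = grep { !/^(?:admin|root|shared|www|apache)$/ } @groupList;

    push @groupList, 'shared', 'www';

    # Only push root if not using ldap (root not in ldap)
    push @groupList, 'root' if ($ldapauth ne 'enabled');

    #--------------------------------------------------
    # Run usermod to update the group list for admin.  The joined list is
    # passed as one argument, never interpolated into a shell command.
    #--------------------------------------------------
    $groups = join (',', sort (@groupList));
    my @usermod = $ldapauth eq 'enabled'
        ? ('/usr/sbin/cpu', 'usermod', '-f', 'e-smith', '-E', 'administrator',
           '-d', '/home/e-smith', '-G', $groups,
           '-s', '/sbin/e-smith/console', 'admin')
        : ('/usr/sbin/usermod', '-c', 'e-smith administrator',
           '-d', '/home/e-smith', '-G', $groups,
           '-s', '/sbin/e-smith/console', 'admin');
    if (system(@usermod) != 0)
    {
        die "Failed to change shell and modify supplementary group list for admin.\n";
    }

    if ($ldapauth eq 'enabled')
    {
        system(qw(/usr/bin/gpasswd -a admin root)) == 0
            or warn "Failed to add admin to group root (status $?)\n";
    }
}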

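#--------------------------------------------------
# Create user "public" if not already present.  Run directly (no
# shell); a failure is reported instead of being silently discarded.
#--------------------------------------------------

unless (getpwnam("public"))
{
    my @useradd = ('/usr/sbin/useradd', '-c', 'e-smith guest',
                   '-d', '/home/e-smith', '-G', 'shared', '-M',
                   '-s', '/bin/false', 'public');
    system(@useradd) == 0
        or warn "Failed to create user public (status $?)\n";
}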

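#--------------------------------------------------
# Create user "www" if not already present; otherwise re-apply its
# comment, home directory, shell and supplementary group list.  Under
# LDAP authentication the account is managed through cpu.  All commands
# use list-form system(), so nothing is interpolated into a shell.
#--------------------------------------------------

if ( !getpwnam("www") )
{
    my @useradd = (
        ($ldapauth eq 'enabled'
            ? ('/usr/sbin/cpu', 'useradd')
            : ('/usr/sbin/useradd')),
        '-c', 'e-smith web server', '-d', '/home/e-smith',
        '-G', 'shared', '-M', '-s', '/bin/false', 'www',
    );

    # Report a failed create; the remaining steps still run as before.
    system(@useradd) == 0
        or warn "Failed to create user www (status $?)\n";
}
else
{
    #--------------------------------------------------
    # www account already exists.  Make sure it is in group "shared"
    # without disturbing any other group memberships.  Start from the
    # current supplementary group list; the command is a constant
    # string, so the shell redirection is fine.
    #--------------------------------------------------
    my $groups = `/usr/bin/id -G -n www 2>/dev/null`;
    if ($? != 0)
    {
        die "Failed to get supplementary group list for www.\n";
    }
    chomp ($groups);

    # split ' ' also discards leading whitespace, so no empty group name
    # can reach usermod.
    my @groupList = split (' ', $groups);

    #--------------------------------------------------
    # Drop www's own group (and its apache alias) plus "shared", then add
    # "shared" back so it is listed exactly once.
    #--------------------------------------------------
    @groupList = grep { !/^(?:www|apache|shared)$/ } @groupList;

    push @groupList, 'shared';

    #--------------------------------------------------
    # Run usermod to update the group list for www.  The joined list is
    # passed as one argument, never interpolated into a shell command.
    #--------------------------------------------------
    $groups = join (',', sort (@groupList));
    my @usermod = (
        ($ldapauth eq 'enabled'
            ? ('/usr/sbin/cpu', 'usermod')
            : ('/usr/sbin/usermod')),
        '-c', 'e-smith web server', '-d', '/home/e-smith',
        '-G', $groups, '-s', '/bin/false', 'www',
    );
    if (system(@usermod) != 0)
    {
        die "Failed to modify supplementary group list for www.\n";
    }
}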

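# Now that www exists, change uid/gid of user and group apache so they
# become an alias of the www account (-o permits the duplicate id).
# Account tools are run in list form, so no shell is involved.
if ( !getpwnam("apache") )
{
    die "Error creating apache user or group" unless (
        system(qw(/usr/sbin/groupadd -g 102 -o apache)) == 0 &&
        system('/usr/sbin/useradd', '-u', '102', '-g', '102', '-o',
               '-c', 'Apache', '-d', '/var/www', '-M',
               '-s', '/bin/nologin', 'apache') == 0
    );
}
else
{
    # Constant command, no interpolation.  If id itself fails, $id is
    # empty and the ids are re-applied below, which is harmless.
    my $id = `/usr/bin/id -u apache`;
    chomp($id);
    if ( $id ne '102')
    {
        die "Error changing apache uid or gid" unless (
            system(qw(/usr/sbin/groupmod -g 102 -o apache)) == 0 &&
            system(qw(/usr/sbin/usermod -u 102 -g 102 -o apache)) == 0
        );

        # Files owned by the old ids are re-owned from the package
        # database.  Constant command string, so the shell redirection
        # is fine.
        warn "failed to fix permissions for apache" unless (
            system("/bin/rpm --setugids httpd mod_auth_tkt mod_ssl php 2> /dev/null") == 0
        );
    }
}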

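# Delete unwanted user accounts.  userdel is exec'd directly; a failure
# is reported but does not abort the rest of the script.
for my $user (qw(halt shutdown sync))
{
    next unless getpwnam($user);
    system('/usr/sbin/userdel', $user) == 0
        or warn "Failed to delete user $user (status $?)\n";
}


exit (0);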
