#!/bin/bash
#-------------------------------------------------------------------------------
# Script to set up the basic infrastructure required to allow the use of
# FTP "guest" users by the HMC.  This script ensures the following:
# . The FTP guest-root directory exists and has proper ownership and permissions.
# . /etc subdirectory of the guest-root directory exists and has proper
#   ownership and permissions.
# . The FTP-only shell does NOT exist.
# . The FTP-only shell is listed in /etc/shells.
# . The FTP guest users group is defined in /etc/group
# . The HMC manager login is a member of the FTP guest users group
#
# This script must be run during HMC startup, before any incoming FTP
# requests from SEs or other HMCs are to be handled.  It must be run
# in a shell with root authority.
#
# Many of the directory and file names used in this script are known to
# HMC code.  Thus, a change here may require HMC code changes, too.
# For example, actzManageFTPGuestUsers.h contains many of the same
# configuration values.
#
# Syntax:
#    ftpsetup [hmc_mgr_login_id]
#
# Module History:
#     09/27/01  L. Brocious      Initial version
#     03/19/02  L. Brocious      Add /usr/sbin to PATH, for groupmod and usermod
#     03/21/02  L. Brocious      Add optional parameter of HMC manager logon, and
#                                add that user to FTP guest users group, not the
#                                current user.
# -01 09/26/03  K. Schroeder     Add code to make sure the FTP server is running.
# -02 09/22/04  K. Schroeder     Add code to allow hmcmanager FTP access.
#-------------------------------------------------------------------------------

# -01 start
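#######################################
# Make sure the FTP server is running, and (on a bringup system) that the
# HMC manager user is allowed real-user FTP access.
# Arguments: $1 - HMC manager login id (added as 'realuser' in /etc/ftpaccess)
# Outputs:   progress messages on stdout, failures on stderr
# Returns:   status of the last command executed
#######################################
checkFtpServer() {
   local service="ftp"
   local cfgfile="/etc/xinetd.d/wu-ftpd"
   local tmpcfg=""
   local hmcuser="$1"   #-02

   # netstat -tl lists listening TCP sockets.  This is a loose check: any
   # line containing the service name counts as "running".
   if netstat -tlv | grep -q -- "$service"; then
      echo "The $service service is running."
   else
      echo "The $service service is NOT running."
      # Flip 'disable = yes' to 'disable = no' in the xinetd config.  The
      # rewrite goes through a private mktemp file instead of the fixed
      # /tmp/wu-ftpd: this runs as root, and a predictable /tmp name lets any
      # local user pre-create it (or a symlink) and redirect the write.
      tmpcfg=$(mktemp) || tmpcfg=""
      if [ -z "$tmpcfg" ]; then
         echo "mktemp failed; $cfgfile not updated, $service left disabled." >&2
      elif sed -e '/^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes[[:space:]]*$/!n' -e 's/yes/no/1' "$cfgfile" > "$tmpcfg"; then
         cp "$tmpcfg" "$cfgfile"   # cp, not mv: keeps $cfgfile's owner and mode
         rm -f -- "$tmpcfg"
         echo "$cfgfile updated to enable the $service service."
         /etc/init.d/xinetd restart
      else
         rm -f -- "$tmpcfg"
         echo "Failed to rewrite $cfgfile; $service left disabled." >&2
      fi
   fi
   #-02 start
   if [ -e "/console/bringup.tgz" ]; then
      # -w (whole word) so 'realuser hmcmanager' does not also accept
      # 'realuser hmcmanager2'; -F because $hmcuser is data, not a pattern.
      # A missing /etc/ftpaccess simply counts as "not present".
      if ! grep -qwF -- "realuser $hmcuser" /etc/ftpaccess 2>/dev/null; then
         echo "Adding realuser statement to /etc/ftpaccess for user $hmcuser."
         printf 'realuser %s\n' "$hmcuser" >> /etc/ftpaccess
         /etc/init.d/xinetd restart
      else
         echo "realuser statement for user $hmcuser already exists in /etc/ftpaccess."
      fi
      echo "Adding firewall rule to allow bringup FTP access."
      # NOTE(review): the all-zero address/mask arguments appear to admit any
      # source to tcp/21 — confirm this is intended beyond the bringup window.
      /console/native/runAsRoot/editFirewallChainByDest.sh -I 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 tcp 21
   fi
   #-02 end
}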
# -01 end

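hmclogin=${1:-"hmcmanager"}  # If no HMC login id specified, use default

# Be sure the HMC manager userid exists.  'id' consults NSS (not only
# /etc/passwd) and matches the exact login name; the previous unanchored sed
# over /etc/passwd also matched any login that merely contained "$hmclogin:".
if ! id -u "$hmclogin" >/dev/null 2>&1; then
   echo "The user $hmclogin does not exist."
   exit 0   # exit status kept at 0 as before; HMC startup may depend on it — TODO confirm
fi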

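# Add directory containing groupmod and usermod to PATH.
PATH=$PATH:/usr/sbin
export PATH

# The names below are known to HMC code (see header); they are never
# reassigned in this script, so they are marked readonly.

# Name of FTP guest-root directory.
readonly guestroot='/console/ftp'

# Name of the /etc subdirectory of the FTP guest root directory.
readonly guestrootetc="$guestroot/etc"

# Name of non-existent shell.  This shell is specified for FTP guest users so
# that they are prevented from using login and telnet to access the system.
# This shell must not exist, but it must be listed in /etc/shells.
readonly guestshell='/etc/ftponly'

# Name of group for FTP guest users.  All FTP guest users will have this as
# their primary (and only) group in /etc/group.
readonly guestgroup='hmcftpguest'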

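# Create the FTP guest root directory if it doesn't exist.
# NOTE(review): -d, chown and chmod all follow symlinks, so if $guestroot were
# a symlink the ownership/mode would land on its target — confirm acceptable.
if [ ! -d "$guestroot" ]; then
   echo "Creating FTP guest root directory: $guestroot"
   mkdir -p "$guestroot"
fi
# Set ownership and permissions: root-owned, traversable by everyone.
chown root:root "$guestroot"
chmod 755 "$guestroot"

# Create the FTP guest root /etc directory if it doesn't exist.
if [ ! -d "$guestrootetc" ]; then
   echo "Creating FTP guest root /etc directory: $guestrootetc"
   mkdir "$guestrootetc"
fi
# Set ownership and permissions: root-owned, no access for "other".
chown root:root "$guestrootetc"
chmod 750 "$guestrootetc"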

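# Be sure that the FTP guest shell does not exist.  If it does, rename it
# (rather than delete it) so what was there can still be inspected.
if [ -f "$guestshell" ]; then
   guestshellhide="$guestshell.hide"
   echo "$guestshell exists; renaming it to $guestshellhide"
   mv -- "$guestshell" "$guestshellhide"
fi

# Be sure that the FTP guest shell is listed in /etc/shells.  Match the whole
# line (-x) as a fixed string (-F): the old unanchored grep also accepted a
# line such as /etc/ftponly2 or a commented-out entry as "present".
if [ -f /etc/shells ]; then
   if ! grep -qxF -- "$guestshell" /etc/shells; then
      echo "$guestshell is not in /etc/shells; adding it now."
      printf '%s\n' "$guestshell" >> /etc/shells
   fi
else
   echo "/etc/shells does not exist; creating it now."
   printf '%s\n' "$guestshell" > /etc/shells
fi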

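# Add the FTP guest users group if it is not already defined.  getent asks
# every NSS source, so a group that exists outside /etc/group is found too.
if ! getent group "$guestgroup" >/dev/null; then
   echo "Creating FTP guest user group: $guestgroup"
   groupadd "$guestgroup" || echo "Unable to create group $guestgroup." >&2
fi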

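# Determine whether the HMC manager login is already a member of the FTP
# guest users group.  'id -Gn' prints the user's group names separated by
# blanks; this replaces the old parsing of 'groups' output by character
# offset, which silently broke whenever that output format differed.
found=0                     # Assume user not in the group
# shellcheck disable=SC2046 -- word-splitting on blanks is the point here
for group in $(id -Gn "$hmclogin"); do
   if [ "$group" = "$guestgroup" ]; then
      found=1
      break
   fi
done

# If the hmc user is not in the FTP guest users group, add it now.  usermod -G
# replaces the whole supplementary group list, so the existing groups are
# passed along (comma-separated) together with the new one.  If no existing
# groups could be read, only the guest group is passed, avoiding a leading ','.
if [ "$found" -eq 0 ]; then
   grouplist=$(id -Gn "$hmclogin" | tr ' ' ',')
   echo "Adding user $hmclogin to the $guestgroup group."
   usermod -G "${grouplist:+$grouplist,}$guestgroup" "$hmclogin"
fi

# -01 make sure FTP server is running
checkFtpServer "$hmclogin"   #-02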
