#! /bin/sh

# This script performs the processing that follows an upgrade on the HMC.
# It runs right after the upgrade data has been restored during boot.
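# Run every additional post-upgrade hook found in the hook directory.
#
# Arguments: $1 - optional hook directory; defaults to
#                 /opt/hsc/data/post_upgr, which is what the script uses.
#
# Each regular, executable *.post_upgr file is executed directly, in glob
# order. The exit status of a hook is not checked, so one failing hook
# does not stop the ones after it.
#
# The path is quoted and executed as a single command. The earlier
# "[ -x $i ]" / eval "$i" form let the shell split and re-parse the file
# name, so a name containing whitespace or shell metacharacters was not
# run as the file it names.
#
# NOTE(review): hooks run with this script's privileges. Keep the hook
# directory and every file in it writable by root only; anything that can
# create a *.post_upgr file there gets code execution at the next upgrade.
runaddtlpostupgr()
{
  _hookdir=${1:-/opt/hsc/data/post_upgr}

  [ -d "$_hookdir" ] || return 0

  for _hook in "$_hookdir"/*.post_upgr
  do
    # An unmatched glob stays literal; the tests below filter it out.
    if [ -f "$_hook" ] && [ -x "$_hook" ]; then
      "$_hook"
    fi
  done
}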

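# Deal with old and new style /etc/pam.d config file formats (320-330 MCPv5).
# The sshd and ipauth PAM files are replaced unconditionally with the
# new-format templates (<name>_pam.d) that sit next to them.
#
# isKrbCfg records whether the old sshd PAM file referenced pam_krb5.so
# (0 = it did). It is captured before the file is overwritten.
/bin/grep -q pam_krb5.so /etc/pam.d/sshd
isKrbCfg=$?

# NOTE(review): mode 664 with group ccfw lets every member of that group
# rewrite the PAM stack for these services, i.e. change how logins are
# authenticated. Presumably the management application needs this to
# toggle Kerberos/LDAP -- confirm, and keep ccfw membership minimal.
for pamsvc in sshd ipauth
do
  # On a failed copy the old-format file stays in place; say so explicitly
  # instead of relying on cp's own message alone.
  /bin/cp "/etc/pam.d/${pamsvc}_pam.d" "/etc/pam.d/${pamsvc}" ||
    echo "post-upgrade: /etc/pam.d/${pamsvc} was not replaced by its template" >&2
  /bin/chmod 664 "/etc/pam.d/${pamsvc}"
  # owner:group is the POSIX form; "owner.group" is a deprecated extension
  # that is ambiguous when a user name contains a dot.
  /bin/chown root:ccfw "/etc/pam.d/${pamsvc}"
done

# Install the 330-level session configuration, keeping the template's
# mode, ownership and timestamps (-p).
/bin/cp -p /opt/hsc/data/HmcSessionConfig.330 /opt/hsc/data/HmcSessionConfig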

# Not needed: the PAM file should have Kerberos/LDAP enabled at all times.
#if [ $isKrbCfg -eq 0 ]; then
#	/opt/hsc/bin/PAMKerberos enable
#fi

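# Convert old-style UserLicense if enabled and it exists.
#
# The presence of .prompt_for_agreement marks the old-style license as
# enabled. The first UserLicense.html found (top level, otherwise the first
# sub-directory that has one) is copied to WelcomeFile.txt and handed to
# chusrtca; the old HTML file is then removed.
#
# Paths are quoted and the sub-directories are globbed directly, so a
# directory name containing whitespace is no longer split into several
# words (the earlier `echo dir/*` loop did that).
license_dir=/opt/hsc/data/user_license
welcome_file=$license_dir/WelcomeFile.txt

if [ -f "$license_dir/.prompt_for_agreement" ]; then
   # Clean up old dot file.
   /bin/rm -f "$license_dir/.prompt_for_agreement"
   if [ -f "$license_dir/UserLicense.html" ]; then
      /bin/cp "$license_dir/UserLicense.html" "$welcome_file" >/dev/null 2>&1
      /opt/hsc/bin/chusrtca -o a -f "$welcome_file" >/dev/null 2>&1
      /bin/rm -f "$license_dir/UserLicense.html"
      # Do not remove WelcomeFile.txt:
      # the administrator may need to perform further work on the file.
   else
      for locale in "$license_dir"/*
      do
         if [ -f "$locale/UserLicense.html" ]; then
            /bin/cp "$locale/UserLicense.html" "$welcome_file" >/dev/null 2>&1
            /opt/hsc/bin/chusrtca -o a -f "$welcome_file" >/dev/null 2>&1
            /bin/rm -f "$locale/UserLicense.html"
            # rmdir only succeeds when the locale directory is now empty.
            /bin/rmdir "$locale" >/dev/null 2>&1
            # Do not remove WelcomeFile.txt:
            # the administrator may need to perform further work on the file.
            break
         fi
      done
   fi
fi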

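# Enable sshd GSSAPI and PermitUserEnvironment.
#
# Each expression only un-comments a line that is still at its
# commented-out default; lines an administrator already changed are left
# alone.
#
# The edit goes through a private mktemp file and is copied back only when
# sed succeeded and produced output. The earlier version used fixed names
# under /tmp (predictable names written by a privileged script can be
# pre-created or symlinked by a local user) and redirected the last sed
# straight into sshd_config, which truncates the file even when sed fails.
# Writing back with cat keeps the existing owner and mode of sshd_config
# instead of replacing it with a file created under the current umask.
#
# NOTE(review): PermitUserEnvironment yes lets users set environment
# variables for their sessions (sshd_config(5) warns this may allow
# bypassing access restrictions, e.g. through LD_PRELOAD), and the name
# GSSAPIEnableMITMAttack indicates it relaxes a man-in-the-middle
# protection. Confirm both are still required and document why.
sshd_cfg=/etc/ssh/sshd_config

if sshd_tmp=$(mktemp /tmp/sshd_config.XXXXXX); then
  if /usr/bin/sed \
       -e 's/^#GSSAPIAuthentication no/GSSAPIAuthentication yes/' \
       -e 's/^#GSSAPICleanupCredentials yes/GSSAPICleanupCredentials yes/' \
       -e 's/^#GSSAPIEnableMITMAttack no/GSSAPIEnableMITMAttack yes/' \
       -e 's/^#PermitUserEnvironment no/PermitUserEnvironment yes/' \
       "$sshd_cfg" >"$sshd_tmp" && [ -s "$sshd_tmp" ]; then
    cat "$sshd_tmp" >"$sshd_cfg"
  else
    echo "post-upgrade: $sshd_cfg left unchanged (edit failed)" >&2
  fi
  /bin/rm -f "$sshd_tmp"
else
  echo "post-upgrade: $sshd_cfg left unchanged (no temporary file)" >&2
fi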

# Keep mdns turned off: append "mdns off" to /etc/host.conf unless a line
# starting with it is already present (a missing file is created by the
# append).
grep -q "^mdns off" /etc/host.conf || echo "mdns off" >> /etc/host.conf

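# Remove all WebSM related files.

# Per-user preference and script files. The home directories are globbed
# directly and quoted, so a directory name containing whitespace is not
# split into several words.
for user in /home/*
do
  rm -f "$user/WebSM.pref" "$user/websm.script"
done
rm -f /var/websm/config*
rm -rf /var/websm/security
rm -f /usr/websm/codebase/SMpubkr.zip

# Force the CIM socket provider: drop every existing SocketProvider line
# and append the required one.
#
# The new content is staged in a private mktemp file rather than a fixed
# name under /tmp, which a local user could pre-create or symlink before
# this privileged script writes to it. Writing back with cat keeps the
# owner and mode of an existing cim.properties; a missing file is created
# with just the SocketProvider line, as before.
#
# NOTE(review): the provider name suggests a plain (non-TLS) socket --
# confirm the CIM listener is not reachable from untrusted networks.
cim_props=/opt/hsc/data/cim.properties

if cim_tmp=$(mktemp /tmp/cim.properties.XXXXXX); then
  # grep exits non-zero when no other line remains or the file is
  # missing; the SocketProvider line is written in either case.
  grep -v "^SocketProvider" "$cim_props" >"$cim_tmp"
  echo "SocketProvider=org.snia.wbemcmd.xml.PlainSocketProvider" >>"$cim_tmp"
  cat "$cim_tmp" >"$cim_props"
  rm -f "$cim_tmp"
else
  echo "post-upgrade: $cim_props left unchanged (no temporary file)" >&2
fi

# Remove file used by websm client download
rm -f /usr/local/etc/httpd/*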

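# Now make sure permissions are set correctly.

# owner:group is the POSIX form; the "owner.group" dot form is a
# deprecated extension that is ambiguous when a name contains a dot.
#
# NOTE(review): this is a recursive, privileged chown over a tree that is
# presumably writable by ccfw. Confirm the installed chown does not follow
# symbolic links found inside the tree, otherwise a link planted there
# would hand ownership of its target to ccfw.
chown -R ccfw:ccfw /var/hsc/profiles

# Password hashes: readable by the owner only.
chmod 400 /etc/shadow
chown root:ntp /etc/ntp.conf

# -G replaces the supplementary group list of ccfw with exactly these
# groups. Errors are discarded, so a failed change goes unnoticed.
# NOTE(review): membership in the root group gives ccfw every permission
# granted to that group on the system -- confirm it is still required.
/usr/sbin/usermod -G ccfw,root,hmc ccfw >/dev/null 2>&1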

# Upgrade access control from the previous version when the upgrole
# helper is installed. Its stderr is discarded; only a non-zero exit
# status is reported, and the script carries on either way.
if [ -f /opt/hsc/sbin/upgrole ] && ! /opt/hsc/sbin/upgrole 2>/dev/null; then
   echo "Upgrade of access control from previous version has failed."
   echo "You will need to manually configure your access control."
fi
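# Make sure the "Keyboard" driver is replaced with "kbd" and the "i810"
# driver is replaced with "vesa" in XF86Config.
#
# Only a quoted name at the end of a line is rewritten, and the file is
# touched only when at least one such line exists. Both substitutions run
# in one sed pass; they cannot affect each other because a line ends with
# at most one of the two names.
#
# The result is staged in a private mktemp file instead of the fixed
# /tmp/_new_xf86_config_, which a local user could pre-create or symlink
# before this privileged script writes to it. Writing back with cat keeps
# the owner and mode of XF86Config.
xf86_cfg=/etc/X11/XF86Config

if grep -q -e '"Keyboard"$' -e '"i810"$' "$xf86_cfg"; then
  if xf86_tmp=$(mktemp /tmp/XF86Config.XXXXXX); then
    # Copy back only when sed succeeded and actually produced output.
    if sed -e 's/"Keyboard"$/"kbd"/' \
           -e 's/"i810"$/"vesa"/' \
           "$xf86_cfg" >"$xf86_tmp" && [ -s "$xf86_tmp" ]; then
      cat "$xf86_tmp" >"$xf86_cfg"
    fi
    rm -f "$xf86_tmp"
  else
    echo "post-upgrade: $xf86_cfg left unchanged (no temporary file)" >&2
  fi
fi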

# Run any additional postupgr
# (the executable *.post_upgr hooks handled by runaddtlpostupgr).
runaddtlpostupgr
# The script always reports success: no earlier step changes the exit
# status, so failures are visible only through the messages they print.
exit 0
