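#!/bin/bash -p

# Copyright (c) 2012 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# Called as root before Keystone ticket promotion to ensure a suitable
# environment for Keystone installation. Ultimately, these features should be
# integrated directly into the Keystone installation.
#
# If the two branding paths are given, then the branding information is also
# copied and the permissions on the system branding file are set to be owned by
# root, but readable by anyone.
#
# Note that this script will be invoked with the real user ID set to the
# user's ID, but the effective user ID set to 0 (root). bash -p is used on
# the first line to prevent bash from setting the effective user ID to the
# real user ID (dropping root privileges).
#
# Usage: ${0} [USER_BRAND SYSTEM_BRAND]
#
# Exit status:
#   0  success
#   2  wrong number of arguments (must be zero or two)
#   3  USER_BRAND is empty, not absolute, or not an existing regular file
#   4  SYSTEM_BRAND is empty or not absolute
#   Any other non-zero status comes from a failed command: set -e aborts the
#   script, and because command output is discarded there is no message.
#
# TODO(mark): Remove this script when able. See http://b/2285921 and
# http://b/2289908.

set -e

# This script runs as root, so be paranoid about things like ${PATH}.
export PATH="/usr/bin:/usr/sbin:/bin:/sbin"

# The file-creation mask is inherited from the invoking process, just like
# ${PATH}. Pin it so that nothing mkdir or cp creates below is group- or
# world-writable, even before the explicit chown/chmod calls run.
umask 022

# Output the pid to stdout before doing anything else. See
# base/mac/authorization_util.h.
echo "${$}"

# Accept either no arguments or exactly the two branding paths.
if [ ${#} -ne 0 ] && [ ${#} -ne 2 ] ; then
  echo "usage: ${0} [USER_BRAND SYSTEM_BRAND]" >& 2
  exit 2
fi

if [ ${#} -eq 2 ] ; then
  USER_BRAND="${1}"
  SYSTEM_BRAND="${2}"

  # NOTE(review): both paths are supplied by the caller and are used here with
  # effective UID 0. The checks below only require absolute paths; [ -f ] and
  # cp both follow symbolic links, and SYSTEM_BRAND is not restricted to any
  # particular directory. The invoking code should pass only fixed, trusted
  # locations - confirm against the caller.

  # Make sure that USER_BRAND is an absolute path and that it exists.
  if [ -z "${USER_BRAND}" ] || \
     [ "${USER_BRAND:0:1}" != "/" ] || \
     [ ! -f "${USER_BRAND}" ] ; then
    echo "${0}: must provide an absolute path naming an existing user file" >& 2
    exit 3
  fi

  # Make sure that SYSTEM_BRAND is an absolute path.
  if [ -z "${SYSTEM_BRAND}" ] || [ "${SYSTEM_BRAND:0:1}" != "/" ] ; then
    echo "${0}: must provide an absolute path naming a system file" >& 2
    exit 4
  fi

  # Make sure the directory for the system brand file exists.
  SYSTEM_BRAND_DIR=$(dirname "${SYSTEM_BRAND}")
  if [ ! -e "${SYSTEM_BRAND_DIR}" ] ; then
    mkdir -p "${SYSTEM_BRAND_DIR}"
    # Permissions on this directory will be fixed up at the end of this script.
    # (That fix-up only touches /Library/Google and its GoogleSoftwareUpdate
    # subtree; the umask set above covers a directory created anywhere else.)
  fi

  # Copy the brand file. Output is discarded, but a failure still aborts the
  # script through set -e.
  cp "${USER_BRAND}" "${SYSTEM_BRAND}" >& /dev/null

  # Ensure the right ownership and permissions: owned by root, readable by
  # anyone, writable only by the owner.
  chown "root:wheel" "${SYSTEM_BRAND}" >& /dev/null
  chmod "a+r,u+w,go-w" "${SYSTEM_BRAND}" >& /dev/null

fi

OWNER_GROUP="root:admin"
CHMOD_MODE="a+rX,u+w,go-w"

LIB_GOOG="/Library/Google"
if [ -d "${LIB_GOOG}" ] ; then
  # Just work with the directory. Don't do anything recursively here, so as
  # to leave other things in /Library/Google alone.
  chown -h "${OWNER_GROUP}" "${LIB_GOOG}" >& /dev/null
  chmod -h "${CHMOD_MODE}" "${LIB_GOOG}" >& /dev/null

  LIB_GOOG_GSU="${LIB_GOOG}/GoogleSoftwareUpdate"
  if [ -d "${LIB_GOOG_GSU}" ] ; then
    # -h makes chown change a symbolic link itself rather than its target.
    chown -Rh "${OWNER_GROUP}" "${LIB_GOOG_GSU}" >& /dev/null
    chmod -R "${CHMOD_MODE}" "${LIB_GOOG_GSU}" >& /dev/null

    # On the Mac, or at least on HFS+, symbolic link permissions are
    # significant, but chmod -R and -h can't be used together. Do another
    # pass to fix the permissions on any symbolic links.
    find "${LIB_GOOG_GSU}" -type l -exec chmod -h "${CHMOD_MODE}" {} + >& \
        /dev/null

    # TODO(mark): If GoogleSoftwareUpdate.bundle is missing, dump TicketStore
    # too?
  fi
fi

exit 0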