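#!/bin/bash -p

# Copyright (c) 2009 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# Called as root before Keystone ticket promotion to ensure a suitable
# environment for Keystone installation.  Ultimately, these features should be
# integrated directly into the Keystone installation.
#
# If the two branding paths are given, then the branding information is also
# copied and the permissions on the system branding file are set to be owned by
# root, but readable by anyone.
#
# Note that this script will be invoked with the real user ID set to the
# user's ID, but the effective user ID set to 0 (root).  bash -p is used on
# the first line to prevent bash from setting the effective user ID to the
# real user ID (dropping root privileges).
#
# Usage: keystone preflight [USER_BRAND SYSTEM_BRAND]
# Exit status:
#   0  success
#   2  wrong number of arguments
#   3  USER_BRAND is empty, not absolute, or not an existing regular file
#   4  SYSTEM_BRAND is empty or not absolute
#   other non-zero: a command failed and set -e aborted the script
#
# TODO(mark): Remove this script when able.  See http://b/2285921 and
# http://b/2289908.

set -e

# This script runs as root, so be paranoid about things like ${PATH}.
export PATH="/usr/bin:/usr/sbin:/bin:/sbin"

# For the same reason, don't inherit the caller's umask.  mkdir -p and cp
# below create filesystem objects as root; with a permissive inherited umask
# they would be group- or world-writable until the chmod calls run, and any
# directory created outside the paths fixed up at the end would stay that way.
umask 022

# Output the pid to stdout before doing anything else.  See
# chrome/browser/cocoa/authorization_util.h.
echo "${$}"

# Exactly zero or exactly two arguments are accepted.
if [ ${#} -ne 0 ] && [ ${#} -ne 2 ] ; then
  echo "usage: ${0} [USER_BRAND SYSTEM_BRAND]" >& 2
  exit 2
fi

if [ ${#} -eq 2 ] ; then
  USER_BRAND="${1}"
  SYSTEM_BRAND="${2}"

  # NOTE(review): both paths come from the caller and are used with root
  # privileges.  The checks below only validate their shape: absolute, and
  # for USER_BRAND a regular file at the time of the test ([ -f ] follows
  # symbolic links).  They do not restrict where SYSTEM_BRAND points, and the
  # filesystem can change between the checks and the cp.  The caller is
  # responsible for passing only trusted, fixed locations.

  # Make sure that USER_BRAND is an absolute path and that it exists.
  if [ -z "${USER_BRAND}" ] || \
     [ "${USER_BRAND:0:1}" != "/" ] || \
     [ ! -f "${USER_BRAND}" ] ; then
    echo "${0}: must provide an absolute path naming an existing user file" >& 2
    exit 3
  fi

  # Make sure that SYSTEM_BRAND is an absolute path.
  if [ -z "${SYSTEM_BRAND}" ] || [ "${SYSTEM_BRAND:0:1}" != "/" ] ; then
    echo "${0}: must provide an absolute path naming a system file" >& 2
    exit 4
  fi

  # Make sure the directory for the system brand file exists.
  SYSTEM_BRAND_DIR=$(dirname "${SYSTEM_BRAND}")
  if [ ! -e "${SYSTEM_BRAND_DIR}" ] ; then
    mkdir -p "${SYSTEM_BRAND_DIR}"
    # Permissions on this directory will be fixed up at the end of this script.
    # That only holds when the directory is /Library/Google itself or lies
    # under /Library/Google/GoogleSoftwareUpdate; anywhere else it keeps the
    # mode given by the umask set above.
  fi

  # Copy the brand file.  Output is discarded, but because of set -e a failed
  # copy still aborts the script with cp's exit status.
  cp "${USER_BRAND}" "${SYSTEM_BRAND}" >& /dev/null

  # Ensure the right ownership and permissions: owned by root, readable by
  # everyone, writable by the owner only.
  chown "root:wheel" "${SYSTEM_BRAND}" >& /dev/null
  chmod "a+r,u+w,go-w" "${SYSTEM_BRAND}" >& /dev/null

fi

OWNER_GROUP="root:admin"
CHMOD_MODE="a+rX,u+w,go-w"

LIB_GOOG="/Library/Google"
if [ -d "${LIB_GOOG}" ] ; then
  # Just work with the directory.  Don't do anything recursively here, so as
  # to leave other things in /Library/Google alone.  -h makes chown and chmod
  # act on /Library/Google itself if it is a symbolic link.
  chown -h "${OWNER_GROUP}" "${LIB_GOOG}" >& /dev/null
  chmod -h "${CHMOD_MODE}" "${LIB_GOOG}" >& /dev/null

  LIB_GOOG_GSU="${LIB_GOOG}/GoogleSoftwareUpdate"
  if [ -d "${LIB_GOOG_GSU}" ] ; then
    chown -Rh "${OWNER_GROUP}" "${LIB_GOOG_GSU}" >& /dev/null
    chmod -R "${CHMOD_MODE}" "${LIB_GOOG_GSU}" >& /dev/null

    # On the Mac, or at least on HFS+, symbolic link permissions are
    # significant, but chmod -R and -h can't be used together.  Do another
    # pass to fix the permissions on any symbolic links.
    find "${LIB_GOOG_GSU}" -type l -exec chmod -h "${CHMOD_MODE}" {} + >& \
        /dev/null

    # TODO(mark): If GoogleSoftwareUpdate.bundle is missing, dump TicketStore
    # too?
  fi
fi

exit 0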