#!/bin/sh
#
# Create a lower-privileged user/group for dhcpy6d so the daemon does not run as root.
# Adapted from http://www.debian.org/doc/manuals/securing-debian-howto/ch9.en.html#s-bpp-lower-privs
#

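set -e

case "$1" in
    configure)

    # Sane defaults; each may be overridden from the environment.
    SERVER_HOME="${SERVER_HOME:-/var/lib/dhcpy6d}"
    SERVER_USER="${SERVER_USER:-dhcpy6d}"
    SERVER_NAME="${SERVER_NAME:-DHCPv6 server dhcpy6d}"
    SERVER_GROUP="${SERVER_GROUP:-dhcpy6d}"

    # Files the daemon must be able to write as the unprivileged user.
    # The database lives under SERVER_HOME rather than a hard-coded path so
    # an overridden SERVER_HOME is honoured consistently.
    LOGFILE=/var/log/dhcpy6d.log
    VOLATILE_DB="$SERVER_HOME/volatile.sqlite"
    DEFAULT_FILE=/etc/default/dhcpy6d

    # create user to avoid running server as root
    # 1. create group if not existing
    #    (exact-name lookup: getent exits non-zero when the key is unknown)
    if ! getent group "$SERVER_GROUP" >/dev/null; then
      printf 'Adding group %s..' "$SERVER_GROUP"
      # Not masked with "|| true": every later step needs this group, and a
      # hidden failure would only resurface as a confusing chown error.
      addgroup --quiet --system "$SERVER_GROUP"
      echo "..done"
    fi
    # 2. create homedir if not existing
    test -d "$SERVER_HOME" || mkdir "$SERVER_HOME"
    # 3. create user if not existing
    if ! getent passwd "$SERVER_USER" >/dev/null; then
     printf 'Adding system user %s..' "$SERVER_USER"
     adduser --quiet \
             --system \
             --ingroup "$SERVER_GROUP" \
             --no-create-home \
             --home "$SERVER_HOME" \
             --gecos "$SERVER_NAME" \
             --disabled-password \
             "$SERVER_USER"
     echo "..done"
    fi
    # 4. adjust file and directory permissions
    #    0770/0660: owner and group only, no world access to leases or the
    #    generated DUID.
    chown -R "$SERVER_USER:$SERVER_GROUP" "$SERVER_HOME"
    chmod -R 0770 "$SERVER_HOME"
    [ -e "$LOGFILE" ] || touch "$LOGFILE"
    # Seed the runtime database from the packaged copy on first install only;
    # an existing database is never overwritten.
    [ -e "$VOLATILE_DB" ] || cp /usr/share/dhcpy6d/volatile.sqlite "$VOLATILE_DB"
    chown "$SERVER_USER:$SERVER_GROUP" "$LOGFILE" "$VOLATILE_DB"
    chmod 0660 "$LOGFILE" "$VOLATILE_DB"
    # 5. add DUID entry to /etc/default/dhcpy6d if not yet existing
    #    The new default file is assembled in a temp file and handed to ucf so
    #    local edits are merged. An existing uncommented DUID line is kept;
    #    otherwise a fresh LLT DUID is generated.
    TMPFILE=$(mktemp)
    # ucf copies the temp file; remove it on every exit path.
    trap 'rm -f -- "$TMPFILE"' EXIT
    cat /usr/share/dhcpy6d/default/dhcpy6d  > "$TMPFILE"
    echo                                   >> "$TMPFILE"
    echo "# LLT DUID generated by Debian"  >> "$TMPFILE"
    # Both tests anchor on "^DUID=": a commented-out "#DUID=" line must
    # neither count as present nor leave the copying grep with no match,
    # which would abort the whole postinst under set -e.
    if [ -e "$DEFAULT_FILE" ] && grep -q "^DUID=" "$DEFAULT_FILE"; then
        grep "^DUID=" "$DEFAULT_FILE"           >> "$TMPFILE"
    else
        echo "DUID=$(dhcpy6d --generate-duid)"  >> "$TMPFILE"
    fi
    ucf "$TMPFILE" "$DEFAULT_FILE"
    ucfr dhcpy6d "$DEFAULT_FILE"
    ;;
esac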

#DEBHELPER#
