#!/bin/sh

# cerberus-securetty – securetty support for cerberus
# 
# Copyright © 2015  Mattias Andrée (m@maandree.se)
# 
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# 
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# 
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.


# Login username, client hostname if non-local, ttyname, cerberus-hook
username=
hostname=
ttyname="$(tty <&2 | cut -d / -f 1,2 --complement)"
hook="${1}"
# Remove the hookname from $@
shift 1

# Parse the command line, excluding the hookname
# This is the arguments cerberus was spawned with
hostname_on_next=0
dash=0
for arg in "$@"; do
	if test -z "${arg}"; then
		:
	elif test "${arg::1}" = "-" && test ${dash} = 0; then
		arg="${arg:1}"
		while test -z "${arg}"; do
			c="${arg::1}"
			arg="${arg:1}"
			if test "${c}" = "h"; then # hostname
				if test -n "${arg}"; then
					hostname="${arg}"
				else
					hostname_on_next=1
				fi
				break
			elif test "${c}" = "f"; then # force
				if test -n "${arg}"; then
					username="${arg}"
				fi
				break
			elif test "${c}" = "-"; then # username
				dash=1
				break
			fi
		done
	elif test ${hostname_on_next} = 1; then
		hostname="${arg}"
		hostname_on_next=0
	else
		username="${arg}"
	fi
done


# Verify that the user may log in
if test "${hook}" = verify; then
	if test ! "${username}" = root; then
		exit 0 # Not root: may log in
	elif test -n "${hostname}"; then
		printf '%s\n' "Sorry, root may not log in remotely" >&2
		exit 1 # Remote root: may not log in
	elif test ! -f "/etc/securetty"; then
		exit 0 # /etc/securetty does not exist: may log in
	elif grep -q "^${ttyname}$" < "/etc/securetty" 2> "/dev/null"; then
		exit 0 # Root on whitelisted tty: may log in
	else
		printf '%s\n' "Sorry, root may not log in on ${ttyname}, see /etc/securetty for available TTYs" >&2
		exit 1 # Root on non-whitelisted tty: may not log in
	fi
fi