#!/bin/bash

ENABLED=yes
[[ ${ENABLED} == "yes" ]] || exit 0
DEBUGMODE=no

SELF_NAME="42-access-suid-sgid"

# Work on the live system when the ublinux tree exists, otherwise relative to
# the current directory (ROOTFS=.).
unset ROOTFS
[[ -d /usr/lib/ublinux ]] || ROOTFS=.

# The shared function library and the defaults file are required. A missing
# file, or one whose sourcing returns non-zero, ends the script quietly with
# status 0 (a no-op outside ublinux, not an error). Their stderr is discarded.
for SOURCE in "${ROOTFS}/usr/lib/ublinux/functions" "${ROOTFS}/usr/lib/ublinux/default"; do
    if [[ -f ${SOURCE} ]]; then
        . "${SOURCE}" 2>/dev/null || exit 0
    else
        exit 0
    fi
done
debug_mode "$0" "$@"

# Optional site configuration. SYSCONF is presumably provided by the defaults
# file sourced above; ACCESS_ALLOWED_SUID / ACCESS_ALLOWED_SGID are presumably
# set in 'security' — confirm against those files.
SYSCONF="${ROOTFS}/${SYSCONF}"
for SOURCE in "${SYSCONF}/config" "${SYSCONF}/security"; do
    [[ -f ${SOURCE} ]] && . "${SOURCE}" 2>/dev/null
done

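exec_access_allowed_suid(){
## Strip the SUID bit from every regular file under the configured paths, except
## the names listed in ACCESS_ALLOWED_SUID.
## ACCESS_ALLOWED_SUID is an associative array:
##   key   - a directory to scan, or 0 for the default set
##           (usr/bin, usr/local/bin, usr/local/sbin, home under ROOTFS)
##   value - allowed basenames separated by whitespace, ',' or ';'; an empty
##           value means "no exceptions" and every SUID file under that key is
##           stripped (previously an empty value produced a bare '! -name' and
##           made find fail, so nothing was stripped there).
## Matching is by basename only (find -name), so an allowed name is kept
## wherever it occurs under the scanned roots, including user-writable ones.
## Arguments: none. Returns the status of the last find run (0 if nothing is
## configured).
    local key value name
    local -a roots args names
    (( ${#ACCESS_ALLOWED_SUID[@]} )) || return 0
    for key in "${!ACCESS_ALLOWED_SUID[@]}"; do
        value=${ACCESS_ALLOWED_SUID[${key}]}
        if [[ ${key} == 0 ]]; then
            roots=("${ROOTFS}/usr/bin" "${ROOTFS}/usr/local/bin" "${ROOTFS}/usr/local/sbin" "${ROOTFS}/home")
        else
            roots=("${key}")
        fi
        # Split the allow-list on whitespace, ',' and ';' without going through
        # tr (whose unquoted '[[:space:]]' argument was also a glob).
        IFS=$' \t\n,;' read -r -a names <<< "${value}"
        args=()
        for name in "${names[@]}"; do
            # Passed as argv words, so names are never re-split or globbed.
            [[ -n ${name} ]] && args+=( ! -name "${name}" )
        done
        find "${roots[@]}" -type f -perm /u=s "${args[@]}" -exec chmod --quiet u-s {} +
    done
}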
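exec_access_allowed_sgid(){
## Strip the SGID bit from every regular file under the configured paths, except
## the names listed in ACCESS_ALLOWED_SGID.
## ACCESS_ALLOWED_SGID is an associative array:
##   key   - a directory to scan, or 0 for the default set
##           (usr/bin, usr/local/bin, usr/local/sbin, home under ROOTFS)
##   value - allowed basenames separated by whitespace, ',' or ';'; an empty
##           value means "no exceptions" and every SGID file under that key is
##           stripped (previously an empty value produced a bare '! -name' and
##           made find fail, so nothing was stripped there).
## Matching is by basename only (find -name), so an allowed name is kept
## wherever it occurs under the scanned roots, including user-writable ones.
## Arguments: none. Returns the status of the last find run (0 if nothing is
## configured).
    local key value name
    local -a roots args names
    (( ${#ACCESS_ALLOWED_SGID[@]} )) || return 0
    for key in "${!ACCESS_ALLOWED_SGID[@]}"; do
        value=${ACCESS_ALLOWED_SGID[${key}]}
        if [[ ${key} == 0 ]]; then
            roots=("${ROOTFS}/usr/bin" "${ROOTFS}/usr/local/bin" "${ROOTFS}/usr/local/sbin" "${ROOTFS}/home")
        else
            roots=("${key}")
        fi
        # Split the allow-list on whitespace, ',' and ';' without going through
        # tr (whose unquoted '[[:space:]]' argument was also a glob).
        IFS=$' \t\n,;' read -r -a names <<< "${value}"
        args=()
        for name in "${names[@]}"; do
            # Passed as argv words, so names are never re-split or globbed.
            [[ -n ${name} ]] && args+=( ! -name "${name}" )
        done
        find "${roots[@]}" -type f -perm /g=s "${args[@]}" -exec chmod --quiet g-s {} +
    done
}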

################
##### MAIN #####
################

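# Can be sourced from any script (then nothing below runs) or executed
# directly: with no arguments every exec_* function is run in turn; with
# arguments, each argument naming a function starts a call and the following
# non-function arguments are passed to it verbatim.

    if [[ ${0##*/} == "${SELF_NAME}" && -z "$*" ]]; then
        while read -r FUNCTION; do
            "${FUNCTION##* }"
        done < <(declare -F | grep "declare -f exec_")
    elif [[ ${0##*/} == "${SELF_NAME}" ]]; then
        # Calls are built as argv arrays instead of being joined into a string
        # and eval'ed, so an argument is never interpreted as shell syntax and
        # a leading non-function word is rejected instead of executed.
        CALL=()
        for ARG in "$@"; do
            if declare -F -- "${ARG}" >/dev/null 2>&1; then
                (( ${#CALL[@]} )) && "${CALL[@]}"
                CALL=("${ARG}")
            elif (( ${#CALL[@]} )); then
                CALL+=("${ARG}")
            else
                printf '%s: unknown function %s\n' "${0##*/}" "${ARG}" >&2
                exit 2
            fi
        done
        (( ${#CALL[@]} )) && "${CALL[@]}"
    fi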
