#!/bin/bash

#########################################

. /usr/lib/common-criteria/scripts/libcc

#########################################
# screenrc

# System-wide screen configuration file that this script rewrites further down.
# Its absence is taken to mean that screen is not installed, in which case
# nothing is changed and the script ends with status 0.
CFG="/etc/screenrc"
if [ ! -f "$CFG" ]; then
	cc_echo "screen not installed - skipping configuration changes"
	cc_exit 0
fi

# Template block that is appended to $CFG (/etc/screenrc).
#
# The text is single-quoted: nothing in it is expanded by this script, so
# "$SHELL" is stored literally and is left for screen to resolve.
# The "CC Configuration START" / "CC configuration END" lines are the markers
# the update step matches to remove a block written by an earlier run; keep
# their spelling and capitalisation exactly as they are.
#
# Settings carried by the block:
#   idle 600 lockscreen  - lock the session after 600 seconds of inactivity
#   autodetach off       - per the embedded text, screen terminates on SIGHUP
#                          instead of detaching, so it ends with the logout
#   shell -$SHELL        - start each window as a login shell
#
# This file only sets the system-wide default. Per the /etc/profile template
# in this script, a per-user ~/.screenrc is still loaded unless screen is
# started with "-c /dev/null", so the idle value here is not enforced against
# a user who overrides it.
SCRADDON='
#
## CC Configuration START
#
# Prevent startup license message
startup_message off
#
# No auditible bell
vbell on
#
# The following line configures the inactivity threshold before activating
# the screen saver. To enforce the screen saver, the screen command needs
# to be executed, such as from /etc/profile - see
# /etc/profile for an example on how to automatically start screen
#
# You MAY change that setting to any value
#
idle 600 lockscreen
#
# The following setting is optional and causes screen to terminate if it
# receives a SIGHUP. This ensures that screen is terminated upon each
# logout.
#
autodetach off
#
# Start every shell as a login shell to ensure that the user files of
# ~/.bash* are invoked. As screen is invoked with exec in /etc/profile,
# the shells cannot complete their initialization.
shell -$SHELL
#
## CC configuration END
'

#########################################
# shells

# Login scripts that receive the CC blocks: Bourne-style shells and csh.
PROFILE=/etc/profile
CSHLOGIN=/etc/csh.login
# Template block written at the very top of $PROFILE, ahead of the existing
# content. Single-quoted, so ${TERM...} is stored literally and evaluated by
# the login shell, not by this script.
#
# Effect of the embedded code: when stdin is a terminal and TERM, with any
# ".suffix" stripped, is not "screen", signals 1 2 3 15 (HUP INT QUIT TERM)
# are ignored so that the rest of /etc/profile cannot be interrupted before
# the screen wrapper at its end has run.
#
# NOTE(review): the test contains "%%". If this text is handed to printf as
# the format argument, "%%" is emitted as a single "%"; pass it as data
# (printf '%s') if the deployed line must read ${TERM%%.*}.
ADDONINIT='
## CC Configuration START
# 
# This trap prevents the interruption of the execution of /etc/profile.
# To prevent interruption of /etc/profile is particularly important for
# ensuring that the screen saver is started (see the last lines of this
# file).
#
if [ -t 0 -a "${TERM%%.*}" != "screen" ] ; then
	trap "" 1 2 3 15
fi
#
## CC configuration END
'

# csh counterpart of the block placed at the top of /etc/profile; it is
# written at the very top of $CSHLOGIN, ahead of the existing content.
# Single-quoted, so the backticks around tty are stored literally and run by
# csh at login, not by this script.
#
# Effect of the embedded code: for a login shell whose tty is writable,
# "onintr -" makes csh ignore interrupts, so /etc/csh.login cannot be
# interrupted before the screen wrapper at its end has run.
CSHADDONINIT='
## CC Configuration START
# 
# This trap prevents the interruption of the execution of /etc/csh.login.
# To prevent interruption of /etc/csh.login is particularly important for
# ensuring that the screen saver is started (see the last lines of this
# file).
#
if ($?loginsh && -w "`tty`") then
	onintr -
endif
#
## CC configuration END
'

# Template block appended to the end of $PROFILE. Single-quoted, so $HOME,
# $SCREENEXEC, $0 and ${TERM...} are stored literally and evaluated by the
# login shell, not by this script.
#
# Effect of the embedded code, for a login on a terminal that is not already
# inside screen and whose $0 does not match /sbin/conf*:
#   - SCREENDIR is set to ~/.screen and LOCKPRG to /usr/bin/vlock
#   - signals 1 2 3 15 exec screen at once, so interrupting the 10 second
#     banner wait does not leave the user in a shell outside screen
#   - after the wait the login shell is replaced by screen (exec)
#
# Points to check when reviewing the resulting configuration:
#   - The default SCREENEXEC="screen" loads ~/.screenrc, so a user can set a
#     different idle threshold; the "-c /dev/null" form that prevents this is
#     shipped commented out.
#   - The wrapper is skipped purely on the value of TERM, which is an
#     environment variable. NOTE(review): confirm that the evaluated
#     configuration does not depend on this test for logins where TERM is
#     supplied by the remote side.
#   - The sh test accepts only "screen" and "screen.<suffix>", whereas the
#     csh template in this script matches any TERM beginning with "screen".
#     NOTE(review): confirm the difference is intended.
#   - The test contains "%%". If this text is handed to printf as the format
#     argument, "%%" is emitted as a single "%"; pass it as data
#     (printf '%s') if the deployed line must read ${TERM%%.*}.
ADDON='
#
## CC Configuration START
# 
# Enable the following lines to enforce a screen saver for every
# user after a given period of inactivity. The configuration of the
# inactivity threshold is done in /etc/screenrc by modifying the
# value in the line:
#
#	idle XXX lockscreen
#
# where XXX is the threshold value in seconds
#
# You MAY disable the screen functionality completely by commenting the
# following out if the functionality of locking the screen is not desired.
# If you disable screen here, make sure you also remove the trap command
# at the beginning of this file.
#
# Note: waiting for 10 seconds allows the user to read the banner information
#
# if you want to prevent users to set their own threshold value, you
# have to append the option "-c /dev/null" to the following call
# which prevents the loading of ~/.screenrc
SCREENEXEC="screen"
# SCREENEXEC="screen -c /dev/null"
#
# The pipe directories for the screen operation must reside in the home
# directories due to:
# - screen is not SGID, preventing the use of a common directory
# Note, that directory is automatically created by screen if it does not exist
#
# The locking application is vlock which is SUID root to perform authentication
# of the user password. The screen-builtin authentication mechanism does not
# work.
#
export SCREENDIR=$HOME/.screen
if [ -t 0 -a "${TERM%%.*}" != "screen" ] ; then
	case $0 in
		/sbin/conf*)
        ;;
        *)
		trap "exec $SCREENEXEC" 1 2 3 15
		echo -n "Starting session in 10 seconds"
		LOCKPRG="/usr/bin/vlock"
		export LOCKPRG
		sleep 10
		exec $SCREENEXEC
	;;
	esac
fi
#
## CC configuration END
'

# Template block appended to the end of $CSHLOGIN; csh counterpart of the
# /etc/profile wrapper. Single-quoted, so $HOME, $TERM and the backticks
# around tty are stored literally and evaluated by csh at login.
#
# Effect of the embedded code, for a login shell with a writable tty:
#   - SCREENDIR is set to ~/.screen (unconditionally, before the test)
#   - interrupts are ignored ("onintr -")
#   - if TERM begins with "screen" nothing more happens; otherwise the banner
#     wait runs, LOCKPRG is set to /usr/bin/vlock and the shell is replaced
#     by screen (exec)
#
# Points to check when reviewing the resulting configuration:
#   - "exec screen" is hard-coded here; restricting users to the system-wide
#     idle threshold means editing that line to add "-c /dev/null", as the
#     embedded comment says. As shipped, ~/.screenrc is loaded.
#   - The wrapper is skipped purely on the value of TERM, which is an
#     environment variable. NOTE(review): confirm that the evaluated
#     configuration does not depend on this test for logins where TERM is
#     supplied by the remote side.
CSHADDON='
#
## CC Configuration START
#
# Enable the following lines to enforce a screen saver for every
# user after a given period of inactivity. The configuration of the
# inactivity threshold is done in /etc/screenrc by modifying the
# value in the line:
#
#	idle XXX lockscreen
#
# where XXX is the threshold value in seconds
#
# You MAY disable the screen functionality completely by commenting the
# following out if the functionality of locking the screen is not desired.
# If you disable screen here, make sure you also remove the onintr command
# at the beginning of this file.
#
# The pipe directories for the screen operation must reside in the home
# directories due to:
# - screen is not SGID, preventing the use of a common directory
# Note, that directory is automatically created by screen if it does not exist
setenv SCREENDIR $HOME/.screen
#
# Note: waiting for 10 seconds allows the user to read the banner information
#
# The locking application is vlock which is SUID root to perform authentication
# of the user password. The screen-builtin authentication mechanism does not
# work.
#
if ($?loginsh && -w "`tty`") then
	onintr -
	switch ("$TERM")
	case screen*:
		breaksw
	default:
		echo -n "Starting session in 10 seconds"
		sleep 10
		setenv LOCKPRG /usr/bin/vlock

		# if you want to prevent users to set their own threshold value, you
		# have to append the option "-c /dev/null" to the following call
		# which prevents the loading of ~/.screenrc
        	exec screen
		breaksw
	endsw
endif
#
## CC configuration END
'

#############################################
# actual work

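# Rebuild /etc/screenrc, /etc/profile and /etc/csh.login: each file is copied
# to a work file with any CC block from an earlier run removed, the current
# CC block(s) are added, and the work file is handed to cc_replace.
#
# Work files are created next to their targets and named with this shell's
# PID. They are removed once, on exit. A signal ends the script (which then
# runs the exit trap) instead of only deleting the work files and carrying
# on, because carrying on would rebuild a work file that holds nothing but
# the CC block and install it over the target.
trap 'cc_exec_log rm -f "$CFG.$$" "$PROFILE.$$" "$CSHLOGIN.$$"' 0
trap 'exit 1' 1 2 3 15

# Print file $1 without any existing CC block.
# Perl's range operator drops every line from a "CC Configuration START"
# marker through the next "CC configuration END" marker; a START marker with
# no matching END drops everything up to the end of the file.
# A missing file is treated as empty so that the target is created holding
# only the CC block(s).
strip_cc_block() {
	[ -f "$1" ] || return 0
	perl -ne 'print unless /CC Configuration START/../CC configuration END/' < "$1"
}

# Stop before cc_replace when the work file for target $1 could not be built,
# so a failed perl run or a failed write never replaces a login script with a
# truncated copy.
# NOTE(review): cc_exit comes from libcc and is assumed to end the script with
# the given status; the plain exit is a fallback in case it returns.
abort_unchanged() {
	cc_echo "could not build new $1 - file left unchanged"
	cc_exit 1
	exit 1
}

# The templates are passed to printf as data, not as the format string, so
# the "%%" in ${TERM%%.*} and any backslash reach the target file exactly as
# written in the template.
#
# NOTE(review): the work files are created under this process's umask, and
# what cc_replace does with owner, mode and security context is not visible
# here. Confirm the installed files stay root-owned and not group/world
# writable. Its exit status is not checked, matching earlier behaviour.

{
	strip_cc_block "$CFG" &&
	printf '%s\n' "$SCRADDON"
} > "$CFG.$$" || abort_unchanged "$CFG"
cc_replace "$CFG.$$" "$CFG"
cc_echo "$CFG brought into CC evaluated configuration"

# /etc/profile: init block first, existing content, wrapper block last.
{
	printf '%s\n' "$ADDONINIT" &&
	strip_cc_block "$PROFILE" &&
	printf '%s\n' "$ADDON"
} > "$PROFILE.$$" || abort_unchanged "$PROFILE"
cc_replace "$PROFILE.$$" "$PROFILE"
cc_echo "$PROFILE brought into CC evaluated configuration"

# /etc/csh.login: same layout as /etc/profile.
{
	printf '%s\n' "$CSHADDONINIT" &&
	strip_cc_block "$CSHLOGIN" &&
	printf '%s\n' "$CSHADDON"
} > "$CSHLOGIN.$$" || abort_unchanged "$CSHLOGIN"
cc_replace "$CSHLOGIN.$$" "$CSHLOGIN"
cc_echo "$CSHLOGIN brought into CC evaluated configuration"

cc_exit 0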
