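#!/usr/bin/perl
# by Rafal Wijata http://www.wijata.com
#
# Interactive configurator for the erup module: asks which features to
# compile in and writes the answers to erup_conf.h as #define/#undef lines.

use strict;
use warnings;

my $outfile = "erup_conf.h";

# Defaults: every feature stays off unless the user answers y or Y.
my $erup_setid = 0;
my $erup_setgroups = 0;
my $erup_chroot = 0;
my $erup_quota = 0;
my $erup_check_path = 0;
my $erup_check_path_strict = 0;
my $erup_check_symlink = 0;

my $key;    # most recent answer read from STDIN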


print << "EOF";
This script lets you configure the erup module.

NOTE: If the kernel is already configured with erup support,
      this configuration has no effect.
EOF



print << "EOF";

Erup can allow regular users (not root) to successfully call the
set*id() syscalls. This means you can remove all setuid/setgid flags
from your executables and instead instruct the kernel to allow some
users to switch uid to another user.
EOF
print("Compile in set*id support [yY/any]? ");
# chomp strips only a trailing newline, so an answer that arrives without
# one (e.g. piped input) is not truncated; EOF is treated as an empty answer.
chomp($key = <STDIN> // "");
$erup_setid = 1 if ($key eq "Y" or $key eq "y");



print << "EOF";

Erup can allow regular users (not root) to successfully call the
setgroups() syscall.
EOF
print("Compile in setgroups support [yY/any]? ");
chomp($key = <STDIN> // "");
$erup_setgroups = 1 if ($key eq "Y" or $key eq "y");



print << "EOF";

Erup can allow regular users to successfully call the chroot() syscall.
This means that a program which, for security reasons, works in a chroot
jail may be started as a regular user instead of root.
EOF
print("Compile in chroot support [yY/any]? ");
chomp($key = <STDIN> // "");
$erup_chroot = 1 if ($key eq "Y" or $key eq "y");



# The path check is only meaningful when chroot support is compiled in.
if ($erup_chroot) {
print << "EOF";

Erup can allow users to chroot to any directory, or only to the
directories specified when the privilege was granted.
If you want erup to check whether a user tries to chroot to a directory
other than those he is allowed, answer Yes. Otherwise answer No, which
results in increased speed.
EOF
    print("Should erup check for path on chroot calls [yY/any]? ");
    chomp($key = <STDIN> // "");
    $erup_check_path = 1 if ($key eq "Y" or $key eq "y");
}



# Strict-mode and symlink checks refine the path check, so they are only
# offered when the path check itself is enabled.
if ($erup_check_path) {
print << "EOF";

When a user wants to chroot to a directory, erup checks only whether he is
allowed to chroot to one of its parent directories. As a result, if a user
is allowed to chroot to /usr, he is also allowed to chroot to any directory
inside /usr (e.g. /usr/local/bin).
If you want erup to allow chroot only to the allowed directory itself (so
the user can chroot only to /usr in the example above), answer Yes here.
Otherwise answer No.
EOF
    print("Should erup check for path on chroot calls in strict mode [yY/any]? ");
    chomp($key = <STDIN> // "");
    $erup_check_path_strict = 1 if ($key eq "Y" or $key eq "y");

print << "EOF";

If erup is configured to check the path without strict mode, the user may
create, inside an allowed directory, a symlink pointing outside of it, and
then chroot to it. If you want to make this impossible, answer Yes here.
Otherwise answer No, which results in increased speed.
EOF
    print("Should erup check for symlinks in path on chroot calls [yY/any]? ");
    chomp($key = <STDIN> // "");
    $erup_check_symlink = 1 if ($key eq "Y" or $key eq "y");
}



print << "EOF";

Erup can allow regular users to successfully call the quotactl() syscall.
Normally a user can only read his own limits and usage.
With this support a user can read quotas for others. If allowed, he may
also set those values for others, except root.
EOF
print("Compile in quotactl support [yY/any]? ");
chomp($key = <STDIN> // "");
$erup_quota = 1 if ($key eq "Y" or $key eq "y");


print("Saving $outfile\n");
# Write one #define/#undef line per feature. Three-argument open with a
# lexical filehandle keeps the file name from being parsed as an open mode.
open(my $fh, '>', $outfile) || die("can't create $outfile: $!\n");
print {$fh} ($erup_setid ? "#define" : "#undef") . "\tERUP_SETID\n";
print {$fh} ($erup_setgroups ? "#define" : "#undef") . "\tERUP_SETGROUPS\n";
print {$fh} ($erup_chroot ? "#define" : "#undef") . "\tERUP_CHROOT\n";
print {$fh} ($erup_check_path ? "#define" : "#undef") . "\tERUP_CHECK_PATH\n";
print {$fh} ($erup_check_path_strict ? "#define" : "#undef") . "\tERUP_CHECK_PATH_STRICT\n";
print {$fh} ($erup_check_symlink ? "#define" : "#undef") . "\tERUP_CHECK_SYMLINK\n";
print {$fh} ($erup_quota ? "#define" : "#undef") . "\tERUP_QUOTA\n";
# Make the build fail if nothing was selected. ERUP_SETGROUPS is not
# counted here: selecting only setgroups still emits the #error.
unless ($erup_setid || $erup_chroot || $erup_quota) {
    print {$fh} "#error \"No option selected. You don't need ERUP or reconfigure it.\"\n";
}
close($fh) || die("can't close $outfile: $!\n");

print("All done OK\n");
