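#!/bin/bash
#
# 42-access-suid-sgid: clear the SUID/SGID bits from every regular file under
# the configured directories except the names that are explicitly allowed, so
# that only the allowed binaries can change the privileges of the processes
# they spawn.
#
# Configuration (sourced from ${SYSCONF}/config and ${SYSCONF}/security):
#   ACCESS_ALLOWED_SUID / ACCESS_ALLOWED_SGID
#     Arrays whose keys are the directories to scan (several directories may
#     be given in one key, separated by spaces) and whose values are the file
#     names that keep their bit, separated by whitespace, ',' or ';'.
#     The key 0 selects the default directory set (see _strip_special_bit).
#
# Usage:
#   42-access-suid-sgid                  run every exec_* function
#   42-access-suid-sgid FUNC [ARG...]    run only the named function(s)
#   . 42-access-suid-sgid                load the functions, run nothing

ENABLED=yes
[[ ${ENABLED} == "yes" ]] || exit 0
# DEBUGMODE and SELF_NAME are presumably read by the sourced library
# (debug_mode below) — nothing in this file uses them directly.
DEBUGMODE=no
SELF_NAME="42-access-suid-sgid"

# Outside an installed system (no /usr/lib/ublinux) work relative to the
# current directory so the script can be exercised from a source tree.
unset ROOTFS
[[ -d /usr/lib/ublinux ]] || ROOTFS=.

# The shared library and defaults are mandatory: without them there is
# nothing sensible to do, so leave quietly.
SOURCE=${ROOTFS}/usr/lib/ublinux/functions
[[ -f ${SOURCE} ]] && . "${SOURCE}" 2>/dev/null || exit 0
SOURCE=${ROOTFS}/usr/lib/ublinux/default
[[ -f ${SOURCE} ]] && . "${SOURCE}" 2>/dev/null || exit 0

# debug_mode and SYSCONF are provided by the files sourced above.
debug_mode "$0" "$@"
SYSCONF="${ROOTFS}${SYSCONF}"

# Site configuration is optional; a missing file is not an error.
SOURCE=${SYSCONF}/config
[[ -f ${SOURCE} ]] && . "${SOURCE}" 2>/dev/null
SOURCE=${SYSCONF}/security
[[ -f ${SOURCE} ]] && . "${SOURCE}" 2>/dev/null

#######################################
# Clear one special-permission bit from every regular file below a set of
# directories, keeping the files whose name is on an allow-list.
# Globals:   ROOTFS (read)
# Arguments: $1 - bit to clear: "u" (SUID) or "g" (SGID)
#            $2 - space-separated directories to scan; "0" selects the
#                 defaults (usr/bin, usr/local/bin, usr/local/sbin, home)
#            $3 - allowed file names separated by whitespace, ',' or ';'
# Returns:   0 when there is nothing to scan, otherwise the status of find
#######################################
_strip_special_bit() {
  local bit=$1
  local dirs=$2
  local allowed=$3
  local -a search_paths=() names=() find_args=()
  local name

  [[ ${dirs} == 0 ]] && dirs="${ROOTFS}/usr/bin ${ROOTFS}/usr/local/bin ${ROOTFS}/usr/local/sbin ${ROOTFS}/home"
  read -r -a search_paths <<< "${dirs}"
  (( ${#search_paths[@]} > 0 )) || return 0

  # Split the allow-list on whitespace, ',' and ';' (the IFS prefix applies
  # to this read only).  Empty fields from adjacent separators are dropped.
  IFS=$' \t\n,;' read -r -a names <<< "${allowed}"
  for name in "${names[@]}"; do
    [[ -n ${name} ]] && find_args+=(! -name "${name}")
  done

  # -name compares the basename only, so an allowed name keeps its bit in
  # every scanned directory, not just the one it was listed under.
  # Arguments are passed as arrays so names with spaces or globs cannot be
  # re-split or expanded by the shell.
  find "${search_paths[@]}" -type f -perm "/${bit}=s" "${find_args[@]}" \
    -exec chmod --quiet "${bit}-s" {} +
}

#######################################
# Clear the SUID bit from every regular file under the directories keyed in
# ACCESS_ALLOWED_SUID, except the names listed as that key's value.
# Globals:   ACCESS_ALLOWED_SUID (read), ROOTFS (read)
# Returns:   0 when the array is empty, otherwise the status of the last scan
#######################################
exec_access_allowed_suid() {
  local dirs
  # ${ARR[*]} joins every value into one word, so this is true only when at
  # least one value is non-empty (an unquoted ${ARR[@]} breaks inside [[ ]]).
  [[ -n ${ACCESS_ALLOWED_SUID[*]} ]] || return 0
  for dirs in "${!ACCESS_ALLOWED_SUID[@]}"; do
    _strip_special_bit u "${dirs}" "${ACCESS_ALLOWED_SUID[${dirs}]}"
  done
}

#######################################
# Clear the SGID bit from every regular file under the directories keyed in
# ACCESS_ALLOWED_SGID, except the names listed as that key's value.
# Globals:   ACCESS_ALLOWED_SGID (read), ROOTFS (read)
# Returns:   0 when the array is empty, otherwise the status of the last scan
#######################################
exec_access_allowed_sgid() {
  local dirs
  [[ -n ${ACCESS_ALLOWED_SGID[*]} ]] || return 0
  for dirs in "${!ACCESS_ALLOWED_SGID[@]}"; do
    _strip_special_bit g "${dirs}" "${ACCESS_ALLOWED_SGID[${dirs}]}"
  done
}

################
##### MAIN #####
################

# When this file is sourced as a function library, stop here: 'return'
# succeeds only inside a sourced file, so a direct run fails it and continues.
return 0 2>/dev/null && return 0

if (( $# == 0 )); then
  # No arguments: run every exec_* function without arguments.
  # declare -F prints "declare -f NAME"; the third field is the name.
  while read -r _ _ fn; do
    "${fn}"
  done < <(declare -F | grep "declare -f exec_")
else
  # Arguments form "FUNCTION [ARG...]" groups: each word naming a defined
  # function starts a new call and the words that follow are its arguments.
  # Calls are executed directly from an array (no eval), so argument text is
  # never re-parsed as shell code.  Words before the first function name have
  # no call to belong to and are reported and skipped.
  declare -a call=()
  for arg in "$@"; do
    [[ -n ${arg} ]] || continue
    if declare -f -- "${arg}" &>/dev/null; then
      (( ${#call[@]} == 0 )) || "${call[@]}"
      call=("${arg}")
    elif (( ${#call[@]} > 0 )); then
      call+=("${arg}")
    else
      printf '%s: ignoring "%s": not a function\n' "${SELF_NAME}" "${arg}" >&2
    fi
  done
  (( ${#call[@]} == 0 )) || "${call[@]}"
fi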