#!/bin/bash
# 
# This script is used for Administration of RSBAC general user attributes
#
#
# Refuse to run under any other shell: bash sets $BASH, and the rest of this
# script relies on bash features.
if [ -z "$BASH" ]; then
  echo "This menu requires bash" >&2
  exit 1
fi

# -h: remember (hash) the location of commands as they are looked up.
# +o posix: switch POSIX mode off.
set -h
set +o posix

# Attribute names, whitespace separated; the line break is part of the value.
ATTRIBUTES="security_level mac_role fc_role sim_role ms_role ff_role
auth_role pm_role pseudo rc_def_role min_caps max_caps"

# System-wide settings file
RSBACCONF=/etc/rsbac.conf

# Load the settings: system-wide file first, per-user file second, so values
# from ~/.rsbacrc override the system-wide ones.
# Both files are sourced, i.e. executed as shell code with the privileges of
# whoever runs this menu - they must only be writable by trusted accounts.
if [ -f $RSBACCONF ]; then
  . $RSBACCONF
fi
if [ -f ~/.rsbacrc ]; then
  . ~/.rsbacrc
fi

# Default module list when neither the environment nor the settings set one
: "${RSBACMOD:=GEN MAC FC SIM PM MS FF RC AUTH ACL CAP JAIL}"

# Export one SHOW_<module>=yes flag per listed module; $RSBACMOD is split on
# whitespace on purpose.
for i in $RSBACMOD; do
  export SHOW_$i=yes
done

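# The dir for tmp files
if test -z "$TMPDIR" ; then TMPDIR=/tmp ; fi

# Create a scratch file with an unpredictable name in directory $1 and print
# its path. Returns non-zero (printing nothing, -q keeps mktemp silent) when
# the file cannot be created.
_rsbac_mktemp () {
  mktemp -q "$1/rsbac_dialog.XXXXXX"
}

# Two scratch files are needed. There is deliberately no fallback to a name
# built from the process id: such a name can be guessed, the directory is
# usually world-writable, and this script later writes shell code into
# $TMPFILE and sources it (". $TMPFILE"). Removing a pre-existing file and
# re-creating it by redirection is not atomic, so a file or symlink planted
# under the guessed name could redirect the write or supply the code that
# gets sourced. If mktemp fails, stop instead.
if ! TMPFILE=$(_rsbac_mktemp "$TMPDIR")
then
  echo "$0: cannot create a temporary file in $TMPDIR" >&2
  exit 1
fi
if ! TMPFILETWO=$(_rsbac_mktemp "$TMPDIR")
then
  echo "$0: cannot create a temporary file in $TMPDIR" >&2
  rm -f -- "$TMPFILE"
  exit 1
fi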

# set this to rsbac bin dir, if not in path (trailing / is mandatory!)
#
#if test -z "$RSBACPATH" ; then RSBACPATH=./ ; fi

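# set this to initial dir on script startup
LASTDIR='.'

# Which dialog tool to use - dialog or kdialog or xdialog...
# $DIALOG may come from the environment or from the settings files sourced
# above; when it is empty, the "dialog" binary in $RSBACPATH is used (or the
# one found through $PATH when $RSBACPATH is empty). Whatever it names is
# executed for every menu, so both variables must come from a trusted source.
# $DIALOG is run unquoted throughout the script, so a value made of several
# words is split into command and arguments.
if test -z "$DIALOG"
then DIALOG=${RSBACPATH}dialog
fi

# Probe the tool once. Both failure paths leave with status 1; a bare "exit"
# here would hand back the status of the preceding echo, i.e. success.
if ! $DIALOG --clear
then
  echo "$DIALOG menu program required!" >&2
  exit 1
fi
# The menus below need the --help-button option; look for it in the help text.
if ! $DIALOG --help 2>&1 | grep -q "help-button"
then
  echo "Newer dialog menu version >= 0.9a-20020309a with '--help-button' option" >&2
  echo "required, please use dialog from admin tools contrib dir or set" >&2
  echo "\$DIALOG to another dialog program, e.g. with rsbac_settings_menu!" >&2
  exit 1
fi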

# Screen size: LINES and COLUMNS should be exported (e.g. in /etc/profile);
# assume a 25x80 screen when they are empty or unset.
: "${LINES:=25}"
: "${COLUMNS:=80}"
export LINES COLUMNS

# Integer sizes derived from the screen size: BL / BC are passed to the
# dialog boxes as height and width, MAXLINES as the number of list rows.
declare -i BL=$(( LINES - 4 ))
declare -i BC=$(( COLUMNS - 4 ))
declare -i MAXLINES=$(( LINES - 10 ))
# Print the number of list rows to use: $1, capped at $MAXLINES.
gl () {
  local shown=$1
  if [ $1 -gt $MAXLINES ]; then
    shown=$MAXLINES
  fi
  echo $shown
}

# Keep a BACKTITLE that was already set (environment or settings files).
: "${BACKTITLE:=RSBAC Administration Tools v1.2.1}"
# Window title: invoking user and host name, captured once at startup.
TITLE="$(whoami)@$(hostname): RSBAC User Administration"
ERRTITLE="RSBAC User Administration - ERROR"


# Show the help text for menu entry $1 in the language selected by
# $RSBACLANG: DE -> German, RU -> Russian, anything else -> English.
show_help () {
  local helper=show_help_english
  case "$RSBACLANG" in
    DE) helper=show_help_german ;;
    RU) helper=show_help_russian ;;
  esac
  "$helper" "$1"
}

# Write the English help text for menu entry $1 to $TMPFILE and show it in a
# $DIALOG text box. For entries that stand for an attribute, the text is
# followed by an empty line and the output of "attr_get_user -A <attribute>".
# Globals read: RSBACPATH, TMPFILE, DIALOG, HELPTITLE, BACKTITLE, BL, BC.
# NOTE(review): $HELPTITLE is not assigned anywhere above this function;
# presumably it is set later or by the settings files - confirm.
show_help_english () {
  # Attribute whose attr_get_user description is appended; empty for none.
  local attr=''
  {
    echo "$1"
    echo ""
    case "$1" in
      User:)
        printf '%s\n' "Enter the user name or id."
        ;;
      Userlist:)
        printf '%s\n' "Choose user from list."
        ;;
      'MAC Security Level:')
        printf '%s\n' "MAC model security level for this user."
        attr=security_level
        ;;
      'MAC Categories:')
        printf '%s\n' "MAC model categories for this user."
        attr=mac_categories
        ;;
      'MAC Role:')
        printf '%s\n' "MAC model system role for this user."
        attr=mac_role
        ;;
      'FC Role:')
        printf '%s\n' "FC model system role for this user."
        attr=fc_role
        ;;
      'SIM Role:')
        printf '%s\n' "SIM model system role for this user."
        attr=sim_role
        ;;
      'MS Role:')
        printf '%s\n' "MS model system role for this user."
        attr=ms_role
        ;;
      'FF Role:')
        printf '%s\n' "FF model system role for this user."
        attr=ff_role
        ;;
      'AUTH Role:')
        printf '%s\n' "AUTH model system role for this user."
        attr=auth_role
        ;;
      'PM Role:')
        printf '%s\n' "PM model system role for this user."
        attr=pm_role
        ;;
      'PM Task Set:')
        printf '%s\n' \
          "PM model set ID of allowed tasks for this user. This value is only an" \
          "index into the PM task_set data structures and thus read-only."
        attr=pm_task_set
        ;;
      'Pseudo:')
        printf '%s\n' \
          "Logging pseudonym for this user. If this value is not 0, it will be used" \
          "as pseudonym instead of the user id for all request and set_attr logging" \
          "messages."
        attr=pseudo
        ;;
      'RC Default Role:')
        printf '%s\n' "RC model default role for this user."
        attr=rc_def_role
        ;;
      'CAP Min Caps:')
        printf '%s\n' \
          "Specify a set of Linux capabilities, which will always be set, when a" \
          "process changes to this user, or when this user executes a program." \
          "The Max Caps set for the user is ignored, but the Max Caps set of the" \
          "executed program will be applied." \
          "Useful to start privileged (root) programs as normal user."
        attr=min_caps
        ;;
      'CAP Max Caps:')
        printf '%s\n' \
          "Specify the maximum set of Linux capabilities, which can be set, when a" \
          "process changes to this user, or when this user executes a program." \
          "Useful to limit the privileges of a user running setuid root programs," \
          "e.g. the passwd command."
        attr=max_caps
        ;;
      'CAP Role:')
        printf '%s\n' "CAP model system role for this user."
        attr=cap_role
        ;;
      'Log User Based:')
        printf '%s\n' \
          "Specify the request types, which should always be logged, when" \
          "this user runs a program."
        attr=log_user_based
        ;;
      'ACL Menu:')
        printf '%s\n' "Go to ACL menu."
        ;;
      'Reset Attributes:')
        printf '%s\n' \
          "Call attr_rm_user to get the attribute object for this user object" \
          "removed. As result, all attribute values will be reset to their" \
          "default values. Use with care!"
        ;;
      Quit)
        printf '%s\n' "Quit this menu."
        ;;
      *)
        echo "No help for $1 available!"
        ;;
    esac
    # Attribute entries end with a blank line and the tool's -A output.
    if [ -n "$attr" ]; then
      echo ""
      ${RSBACPATH}attr_get_user -A $attr
    fi
  } > $TMPFILE
  $DIALOG --title "$HELPTITLE" --backtitle "$BACKTITLE" \
          --textbox $TMPFILE $BL $BC
}

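# Write the German help text for menu entry $1 to $TMPFILE and show it in a
# $DIALOG text box. For entries that stand for an attribute, the text is
# followed by an empty line and the output of "attr_get_user -A <attribute>".
# Globals read: RSBACPATH, TMPFILE, DIALOG, HELPTITLE, BACKTITLE, BL, BC.
#
# The German texts had lost their umlauts and sharp s (e.g. "Whle", "fr",
# "Men"); they are restored here as UTF-8. The 'RC Default Role:' entry named
# the PM model although it describes the RC default role; it now says RC.
# NOTE(review): $HELPTITLE is not assigned anywhere above this function;
# presumably it is set later or by the settings files - confirm.
show_help_german () {
  # Attribute whose attr_get_user description is appended; empty for none.
  local attr=''
  {
    echo "$1"
    echo ""
    case "$1" in
      User:)
        echo "Benutzernamen oder ID eingeben."
        ;;
      Userlist:)
        echo "Wähle Benutzer aus einer Liste."
        ;;
      'MAC Security Level:')
        echo "MAC-Modell-Security Level für diesen Benutzer."
        attr=security_level
        ;;
      'MAC Categories:')
        echo "MAC-Modell-Kategorien dieses Benutzers."
        attr=mac_categories
        ;;
      'MAC Role:')
        echo "MAC-Modell-Systemrolle dieses Benutzers."
        attr=mac_role
        ;;
      'FC Role:')
        echo "FC-Modell-Systemrolle dieses Benutzers."
        attr=fc_role
        ;;
      'SIM Role:')
        echo "SIM-Modell-Systemrolle dieses Benutzers."
        attr=sim_role
        ;;
      'MS Role:')
        echo "MS-Modell-Systemrolle dieses Benutzers."
        attr=ms_role
        ;;
      'FF Role:')
        echo "FF-Modell-Systemrolle dieses Benutzers."
        attr=ff_role
        ;;
      'AUTH Role:')
        echo "AUTH-Modell-Systemrolle dieses Benutzers."
        attr=auth_role
        ;;
      'PM Role:')
        echo "PM-Modell-Systemrolle dieses Benutzers."
        attr=pm_role
        ;;
      'PM Task Set:')
        echo "PM-Modell-Mengen-ID der erlaubten Aufgaben dieses Benutzers."
        echo "Dieser Wert wird als interner Index verwendet und ist deshalb"
        echo "nur lesbar."
        attr=pm_task_set
        ;;
      'Pseudo:')
        echo "Logging-Pseudonym dieses Benutzers. Ist der Wert nicht 0, wird er"
        echo "im Protokoll als Pseudonym anstelle des Benutzernamens verwendet."
        attr=pseudo
        ;;
      'RC Default Role:')
        # Was "PM-Modell-Standardrolle": wrong model name for this entry.
        echo "RC-Modell-Standardrolle dieses Benutzers."
        attr=rc_def_role
        ;;
      'CAP Min Caps:')
        echo "Wähle eine Menge Linux capabilities, die immer gesetzt werden,"
        echo "wenn ein Prozeß in diese Benutzer-ID wechselt oder wenn dieser"
        echo "Benutzer ein Programm startet."
        echo "Die maximale Menge des Benutzer wird ignoriert, aber die maximale"
        echo "Menge des ausgeführten Programmes wird durchgesetzt."
        echo "Sinnvoll, um privilegierte (root-)Programme als normaler Benutzer"
        echo "ausführen zu können."
        attr=min_caps
        ;;
      'CAP Max Caps:')
        echo "Wähle die maximale Menge von Linux Capabilities, die ein durch"
        echo "diesen Benutzer ausgeführtes Programm haben darf."
        echo "Sinnvoll, um z.B. die Privilegien zu beschränken, die ein Benutzer"
        echo "durch Ausführung eines setuid-Programmes wie passwd bekommt."
        attr=max_caps
        ;;
      'CAP Role:')
        echo "CAP-Modell-Systemrolle dieses Benutzers."
        attr=cap_role
        ;;
      'Log User Based:')
        echo "Auswahl der Anfragetypen, die für diesen Benutzer immer protokolliert"
        echo "werden sollen."
        attr=log_user_based
        ;;
      'ACL Menu:')
        echo "Gehe zum ACL-Menü."
        ;;
      'Reset Attributes:')
        echo "Rufe attr_rm_user auf, um die Attribut-Objekte für diesen Benutzer"
        echo "zu entfernen. Als Ergebnis werden alle Attribute auf ihre"
        echo "Standardwerte zurückgesetzt. Mit Vorsicht verwenden!"
        ;;
      Quit)
        echo "Beende dieses Menü."
        ;;
      *)
        echo "Keine Hilfe für $1 verfügbar!"
        ;;
    esac
    # Attribute entries end with a blank line and the tool's -A output.
    if [ -n "$attr" ]; then
      echo ""
      "${RSBACPATH}attr_get_user" -A "$attr"
    fi
  } > "$TMPFILE"
  $DIALOG --title "$HELPTITLE" \
          --backtitle "$BACKTITLE" \
          --textbox "$TMPFILE" $BL $BC
}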

# Help for RSBACLANG=RU. No Russian translation exists: every text of this
# variant is the English one, so the English implementation is used instead
# of a second copy of it. It writes the help text for menu entry $1 to
# $TMPFILE and shows it in a $DIALOG text box.
show_help_russian () {
  show_help_english "$1"
}

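# Load the attribute values of user $1 into the global variables shown by
# the main menu. Does nothing when $1 is empty.
# Globals read:    RSBACPATH, SHOW_MAC, SHOW_PM, SHOW_FC, SHOW_SIM, SHOW_MS,
#                  SHOW_FF, SHOW_AUTH, SHOW_CAP, SHOW_GEN, SHOW_RC
# Globals written: SECLEVEL MACCAT MACROLE PMROLE PMTASKSET FCROLE SIMROLE
#                  MSROLE FFROLE AUTHROLE MINCAPS MAXCAPS CAPROLE PSEUDO
#                  LOGUSER RCDEFROLE (only those of enabled models)
# Arguments: $1 - user name or id as accepted by attr_get_user
# The user argument is quoted so it reaches attr_get_user as one word and is
# not subject to word splitting or pathname expansion.
get_attributes () {
  [ -n "$1" ] || return 0

  if [ "$SHOW_MAC" = "yes" ]; then
    SECLEVEL=$("${RSBACPATH}attr_get_user" "$1" security_level)
    MACCAT=$("${RSBACPATH}attr_get_user" "$1" mac_categories)
    MACROLE=$("${RSBACPATH}attr_get_user" "$1" mac_role)
  fi
  if [ "$SHOW_PM" = "yes" ]; then
    PMROLE=$("${RSBACPATH}attr_get_user" "$1" pm_role)
    PMTASKSET=$("${RSBACPATH}attr_get_user" "$1" pm_task_set)
  fi
  if [ "$SHOW_FC" = "yes" ]; then
    FCROLE=$("${RSBACPATH}attr_get_user" "$1" fc_role)
  fi
  if [ "$SHOW_SIM" = "yes" ]; then
    SIMROLE=$("${RSBACPATH}attr_get_user" "$1" sim_role)
  fi
  if [ "$SHOW_MS" = "yes" ]; then
    MSROLE=$("${RSBACPATH}attr_get_user" "$1" ms_role)
  fi
  if [ "$SHOW_FF" = "yes" ]; then
    FFROLE=$("${RSBACPATH}attr_get_user" "$1" ff_role)
  fi
  if [ "$SHOW_AUTH" = "yes" ]; then
    AUTHROLE=$("${RSBACPATH}attr_get_user" "$1" auth_role)
  fi
  if [ "$SHOW_CAP" = "yes" ]; then
    MINCAPS=$("${RSBACPATH}attr_get_user" "$1" min_caps)
    MAXCAPS=$("${RSBACPATH}attr_get_user" "$1" max_caps)
    CAPROLE=$("${RSBACPATH}attr_get_user" "$1" cap_role)
  fi
  if [ "$SHOW_GEN" = "yes" ]; then
    PSEUDO=$("${RSBACPATH}attr_get_user" "$1" pseudo)
    LOGUSER=$("${RSBACPATH}attr_get_user" "$1" log_user_based)
  fi
  # The main menu shows "RC Default Role:" when SHOW_RC is set, but the value
  # used to be fetched under SHOW_GEN only, leaving the entry empty with RC
  # enabled and GEN disabled. Fetch it when either flag is set.
  if [ "$SHOW_RC" = "yes" ] || [ "$SHOW_GEN" = "yes" ]; then
    RCDEFROLE=$("${RSBACPATH}attr_get_user" "$1" rc_def_role)
  fi
}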

# Print "on" when $1 and $2 are the same string, "off" otherwise. Used to
# preselect the entry of a radio list that matches the current value.
onoff () {
  local state=off
  if [[ "$1" == "$2" ]]; then
    state=on
  fi
  echo "$state"
}

# Print "on" when $1 is exactly "1", "off" for anything else (including no
# argument at all).
onoffb () {
  local state=off
  if [[ "$1" == "1" ]]; then
    state=on
  fi
  echo "$state"
}

# Print the display name of a numeric attribute value.
# Arguments: $1 - value kind: seclevel, sysrole or pmrole
#            $2 - numeric value
# Prints nothing when the kind or the value is not known.
get_value_name () {
  local label=''
  case "$1:$2" in
    seclevel:0)   label='unclassified' ;;
    seclevel:1)   label='confidential' ;;
    seclevel:2)   label='secret' ;;
    seclevel:3)   label='top secret' ;;
    seclevel:252) label='max. level' ;;
    sysrole:0)    label='General User' ;;
    sysrole:1)    label='Security Officer' ;;
    sysrole:2)    label='Administrator' ;;
    pmrole:0)     label='General User' ;;
    pmrole:1)     label='Security Officer' ;;
    pmrole:2)     label='Data Protection Officer' ;;
    pmrole:3)     label='TP-Manager' ;;
    pmrole:4)     label='System-Administrator' ;;
  esac
  if [ -n "$label" ]; then
    echo "$label"
  fi
}

# Print the full name attr_get_user reports for user $1, or a single blank
# when no user is selected. Note that the "no user" check looks at the global
# $USERID, not at $1. The tool's output is expanded unquoted, so runs of
# whitespace in it collapse to single blanks.
full_name () {
  if [ -z "$USERID" ]; then
    echo " "
    return
  fi
  echo $(${RSBACPATH}attr_get_user $1 full_name)
}

# Print the numeric id attr_get_user reports for user $1 (attribute
# user_nr), or a single blank when no user is selected. The "no user" check
# looks at the global $USERID, not at $1.
get_uid () {
  if [ -z "$USERID" ]; then
    echo " "
    return
  fi
  echo $(${RSBACPATH}attr_get_user $1 user_nr)
}

# Print the name of RC role $1 as reported by rc_get_item. Prints a single
# blank when no user is selected ($USERID empty) or no role is given, and
# "(unknown)" when rc_get_item fails.
role_name () {
  if [ -z "$USERID" ] || [ -z "$1" ]; then
    echo " "
    return
  fi
  ${RSBACPATH}rc_get_item ROLE $1 name || echo "(unknown)"
}

# Room left for the category string in a main menu line: box width minus 38.
declare -i MAXCATLEN=$(( BC - 38 ))

# Print $1 when at least 64 columns are available for it, "(too long)"
# otherwise (presumably because the category string has 64 digits - confirm).
cat_print () {
  if [ $MAXCATLEN -ge 64 ]; then
    echo $1
    return
  fi
  echo "(too long)"
}

# Print one checklist row "<nr> <state> <state>" per category number given
# as argument, where <state> is on/off according to what attr_get_user
# reports for that category of user $USERID.
# Globals written: i, TMP (as before; harmless when run in $(...)).
gen_cat_list () {
  local state
  for i in $*; do
    TMP=$(${RSBACPATH}attr_get_user $USERID mac_categories $i)
    # Tag and status column carry the same on/off value.
    state=$(onoffb $TMP)
    echo $i $state $state
  done
}

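# Print one checklist row "<request> on on" or "<request> off off" per known
# request type, "on" meaning the request is in $USERID's log_user_based set.
# Globals read:    RSBACPATH, USERID
# Globals written: REQUESTS (list of all request names, fetched once with
#                  "attr_get_file_dir -n"), SETREQUESTS (the user's set)
#
# The membership test matches whole names only (grep -F -w). A plain
# substring match reports a request as set whenever its name is contained in
# the name of another request that is set; the checklist would then preselect
# it and write it into the user's logging configuration on confirmation.
gen_request_list () {
  local i
  if [ -z "$REQUESTS" ]; then
    REQUESTS=$("${RSBACPATH}attr_get_file_dir" -n)
  fi
  SETREQUESTS=$("${RSBACPATH}attr_get_user" -p "$USERID" log_user_based)
  for i in $REQUESTS; do
    if printf '%s\n' "$SETREQUESTS" | grep -Fqw -- "$i"; then
      echo "$i on on"
    else
      echo "$i off off"
    fi
  done
}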

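# Print one checklist row "<cap> on on" or "<cap> off off" per known Linux
# capability, "on" meaning the capability is in $USERID's min_caps set.
# Globals read:    RSBACPATH, USERID
# Globals written: CAPS (list of all capability names, fetched once with
#                  "attr_get_file_dir -c"), SETCAPS (the user's set)
#
# The membership test matches whole names only (grep -F -w). A plain
# substring match reports a capability as set whenever its name is contained
# in the name of another capability that is set; the checklist would then
# preselect it and grant it to the user on confirmation.
gen_min_caps_list () {
  local i
  if [ -z "$CAPS" ]; then
    CAPS=$("${RSBACPATH}attr_get_file_dir" -c)
  fi
  SETCAPS=$("${RSBACPATH}attr_get_user" -p "$USERID" min_caps)
  for i in $CAPS; do
    if printf '%s\n' "$SETCAPS" | grep -Fqw -- "$i"; then
      echo "$i on on"
    else
      echo "$i off off"
    fi
  done
}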

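# Print one checklist row "<cap> on on" or "<cap> off off" per known Linux
# capability, "on" meaning the capability is in $USERID's max_caps set.
# Globals read:    RSBACPATH, USERID
# Globals written: CAPS (list of all capability names, fetched once with
#                  "attr_get_file_dir -c"), SETCAPS (the user's set)
#
# The membership test matches whole names only (grep -F -w). A plain
# substring match reports a capability as set whenever its name is contained
# in the name of another capability that is set; the checklist would then
# preselect it and widen the user's maximum set on confirmation.
gen_max_caps_list () {
  local i
  if [ -z "$CAPS" ]; then
    CAPS=$("${RSBACPATH}attr_get_file_dir" -c)
  fi
  SETCAPS=$("${RSBACPATH}attr_get_user" -p "$USERID" max_caps)
  for i in $CAPS; do
    if printf '%s\n' "$SETCAPS" | grep -Fqw -- "$i"; then
      echo "$i on on"
    else
      echo "$i off off"
    fi
  done
}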

# When a log file is configured, append an empty line and a start marker
# (script name and current date) to it. The path comes from $RSBACLOGFILE,
# i.e. from the environment or the sourced settings files.
if [ -n "$RSBACLOGFILE" ]; then
  printf '\n# %s start %s\n' "$0" "$(date)" >>"$RSBACLOGFILE"
fi

# A user may be preselected with the first command line argument. The value
# is taken over as given, without checking it, and is handed on unquoted, so
# it undergoes word splitting and pathname expansion.
if [ -n "$1" ]; then
  USERID=$1
  get_attributes $USERID
fi

  # Generate the source of the shell function user_menu into $TMPFILE, one
  # menu entry per enabled model (SHOW_<model>=yes), then source that file to
  # define the function.
  #
  # Quoting decides when a value is expanded:
  #  - lines echoed in single quotes are written literally, so their
  #    variables and backquoted calls are evaluated each time user_menu runs;
  #  - the one double-quoted line expands $DIALOG and $TITLE now and writes
  #    their values into the generated code.
  # NOTE(review): because of the second point, a double quote, dollar sign or
  # backquote inside $DIALOG or $TITLE (the latter holds the output of whoami
  # and hostname) is read as shell syntax when the file is sourced. The file
  # being sourced is also why $TMPFILE must be a private, unpredictable path.
  {
    echo 'user_menu ()'
    echo '  {'    
    # Expanded at generation time (see note above).
    echo "    $DIALOG --title \"$TITLE\" \\"
    echo '       --backtitle "$BACKTITLE" \'
    echo '       --help-button --default-item "$CHOICE" \'
    echo '       --menu "Main User Menu" $BL $BC `gl 24` \'
    echo '              "Userlist:" "Choose user from list" \'
    echo '               "-------------------" " " \'
    echo '              "User:" "$USERID / `get_uid $USERID` / `full_name $USERID`" \'
    # Model-specific entries, only for the models that are switched on.
    if test "$SHOW_MAC" = "yes"
    then
      echo '              "MAC Security Level:" "$SECLEVEL / `get_value_name seclevel $SECLEVEL`" \'
      echo '              "MAC Categories:" "`cat_print $MACCAT`" \'
      echo '              "MAC Role:" "$MACROLE / `get_value_name sysrole $MACROLE`" \'
    fi
    if test "$SHOW_FC" = "yes"
    then
      echo '              "FC Role:" "$FCROLE / `get_value_name sysrole $FCROLE`" \'
    fi
    if test "$SHOW_SIM" = "yes"
    then
      echo '              "SIM Role:" "$SIMROLE / `get_value_name sysrole $SIMROLE`" \'
    fi
    if test "$SHOW_PM" = "yes"
    then
      echo '              "PM Role:" "$PMROLE / `get_value_name pmrole $PMROLE`" \'
      echo '              "PM Task Set:" "$PMTASKSET (read-only)" \'
    fi
    if test "$SHOW_MS" = "yes"
    then
      echo '              "MS Role:" "$MSROLE / `get_value_name sysrole $MSROLE`" \'
    fi
    if test "$SHOW_FF" = "yes"
    then
      echo '              "FF Role:" "$FFROLE / `get_value_name sysrole $FFROLE`" \'
    fi
    if test "$SHOW_RC" = "yes"
    then
      echo '              "RC Default Role:" "$RCDEFROLE / `role_name $RCDEFROLE`" \'
    fi
    if test "$SHOW_AUTH" = "yes"
    then
      echo '              "AUTH Role:" "$AUTHROLE / `get_value_name sysrole $AUTHROLE`" \'
    fi
    if test "$SHOW_CAP" = "yes"
    then
      echo '              "CAP Min Caps:" "$MINCAPS" \'
      echo '              "CAP Max Caps:" "$MAXCAPS" \'
      echo '              "CAP Role:" "$CAPROLE / `get_value_name sysrole $CAPROLE`" \'
    fi
    if test "$SHOW_GEN" = "yes"
    then
      echo '              "Pseudo:" "$PSEUDO" \'
      echo '              "Log User Based:" "$LOGUSER" \'
    fi
    # Fixed entries closing the menu; the last one has no line continuation.
    echo '              "----------------" " " \'
    echo '              "ACL Menu:" "Go to ACL menu" \'
    echo '              "----------------" " " \'
    echo '              "Reset Attributes:" "Reset all values to default values" \'
    echo '              "Quit" ""'
    echo '  }'
  } > $TMPFILE

# Define user_menu by executing the generated file in the current shell.
. $TMPFILE

#cp $TMPFILE /tmp/menu

while true
  do
    if ! user_menu 2>$TMPFILE
     then rm $TMPFILE ; exit
    fi


  CHOICE="`cat $TMPFILE`"
  case "$CHOICE" in
    HELP*)
        show_help "${CHOICE:5}"
        CHOICE="${CHOICE:5}"
      ;;
    User:)
        if $DIALOG --title "$TITLE" \
                  --backtitle "$BACKTITLE" \
                  --inputbox "Username/ID" $BL $BC $USERID \
           2>$TMPFILE
        then TMP=`cat $TMPFILE`
             if $RSBACPATH""attr_get_user $TMP user_name >$TMPFILE
             then USERID=`cat $TMPFILE`
                  get_attributes $USERID
             else \
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "User: Unknown user $TMP!" 5 $BC
             fi
        fi
      ;;

    Userlist:)
        if $DIALOG --title "$TITLE" \
                  --backtitle "$BACKTITLE" \
                  --default-item "$USERID" \
                  --menu "Username/ID" $BL $BC $MAXLINES \
                         `${RSBACPATH}attr_get_user -bl` \
           2>$TMPFILE
        then TMP=`cat $TMPFILE`
             if $RSBACPATH""attr_get_user $TMP user_name >$TMPFILE
             then USERID=`cat $TMPFILE`
                  get_attributes $USERID
             else \
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "User: Unknown user $TMP!" 5 $BC
             fi
        fi
      ;;
    'MAC Security Level:')
        if test "$USERID" != ""
        then \
          if $DIALOG --title "$TITLE" \
                    --backtitle "$BACKTITLE" \
                    --radiolist "Choose Security Level for $USERID" $BL $BC 5 \
                                0 unclassified `onoff 0 $SECLEVEL` \
                                1 confidential `onoff 1 $SECLEVEL` \
                                2 secret `onoff 2 $SECLEVEL` \
                                3 "top secret" `onoff 3 $SECLEVEL` \
                                252 "max. level" `onoff 252 $SECLEVEL` \
             2>$TMPFILE
          then TMP=`cat $TMPFILE`
               if $RSBACPATH""attr_set_user $USERID security_level $TMP &>$TMPFILE
               then
                 SECLEVEL=$TMP
                 if test -n "$RSBACLOGFILE"
                 then
                   echo $RSBACPATH""attr_set_user $USERID security_level $TMP >>"$RSBACLOGFILE"
                 fi
               else
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "`head -n 1 $TMPFILE`" $BL $BC
               fi
          fi
        else
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "Security Level: No user specified!" 5 $BC
        fi
      ;;

    'MAC Categories:')
        if test "$USERID" != ""
        then \
          ALLCATNR=`$RSBACPATH""attr_get_file_dir list_category_nr`
          if $DIALOG --title "MAC Categories for user $USERID" \
                    --backtitle "$BACKTITLE" \
                    --checklist "Bits: $MACCAT" $BL $BC $MAXLINES \
                    `gen_cat_list $ALLCATNR` \
             2>$TMPFILE
          then TMP=`cat $TMPFILE|tr -d '"'`
               for i in $ALLCATNR
               do
                 if $RSBACPATH""attr_set_user $USERID mac_categories $i 0 &>$TMPFILE
                 then
                   if test -n "$RSBACLOGFILE"
                   then
                     echo $RSBACPATH""attr_set_user $USERID mac_categories $i 0 >>"$RSBACLOGFILE"
                   fi
                 else 
                   $DIALOG --title "$ERRTITLE" \
                          --backtitle "$BACKTITLE" \
                          --msgbox "`head -n 1 $TMPFILE`" $BL $BC
                   continue
                 fi
               done
               for i in $TMP
               do
                 if $RSBACPATH""attr_set_user $USERID mac_categories $i 1 &>$TMPFILE
                 then
                   if test -n "$RSBACLOGFILE"
                   then
                     echo $RSBACPATH""attr_set_user $USERID mac_categories $i 1 >>"$RSBACLOGFILE"
                   fi
                 else
                   $DIALOG --title "$ERRTITLE" \
                          --backtitle "$BACKTITLE" \
                          --msgbox "`head -n 1 $TMPFILE`" $BL $BC
                   continue
                 fi
               done
               MACCAT=`$RSBACPATH""attr_get_user $USERID mac_categories`
          fi
        else
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "MAC Categories: No user specified!" 5 $BC
        fi
      ;;

    'MAC Role:')
        if test "$USERID" != ""
        then \
          if $DIALOG --title "$TITLE" \
                    --backtitle "$BACKTITLE" \
                    --radiolist "Choose MAC Role for $USERID" $BL $BC 3 \
                                0 "General User" `onoff 0 $MACROLE` \
                                1 "Security Officer" `onoff 1 $MACROLE` \
                                2 "Administrator" `onoff 2 $MACROLE` \
             2>$TMPFILE
          then TMP=`cat $TMPFILE`
               if $RSBACPATH""attr_set_user $USERID mac_role $TMP &>$TMPFILE
               then
                 MACROLE=$TMP
                 if test -n "$RSBACLOGFILE"
                 then
                   echo $RSBACPATH""attr_set_user $USERID mac_role $TMP >>"$RSBACLOGFILE"
                 fi
               else
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "`head -n 1 $TMPFILE`" $BL $BC
               fi
          fi
        else
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "MAC Role: No user specified!" 5 $BC
        fi
      ;;

    'FC Role:')
        if test "$USERID" != ""
        then \
          if $DIALOG --title "$TITLE" \
                    --backtitle "$BACKTITLE" \
                    --radiolist "Choose FC Role for $USERID" $BL $BC 3 \
                                0 "General User" `onoff 0 $FCROLE` \
                                1 "Security Officer" `onoff 1 $FCROLE` \
                                2 "Administrator" `onoff 2 $FCROLE` \
             2>$TMPFILE
          then TMP=`cat $TMPFILE`
               if $RSBACPATH""attr_set_user $USERID fc_role $TMP &>$TMPFILE
               then
                 FCROLE=$TMP
                 if test -n "$RSBACLOGFILE"
                 then
                   echo $RSBACPATH""attr_set_user $USERID fc_role $TMP >>"$RSBACLOGFILE"
                 fi
               else
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "`head -n 1 $TMPFILE`" $BL $BC
               fi
          fi
        else
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "FC Role: No user specified!" 5 $BC
        fi
      ;;

    'SIM Role:')
        if test "$USERID" != ""
        then \
          if $DIALOG --title "$TITLE" \
                    --backtitle "$BACKTITLE" \
                    --radiolist "Choose SIM Role for $USERID" $BL $BC 3 \
                                0 "General User" `onoff 0 $SIMROLE` \
                                1 "Security Officer" `onoff 1 $SIMROLE` \
                                2 "Administrator" `onoff 2 $SIMROLE` \
             2>$TMPFILE
          then TMP=`cat $TMPFILE`
               if $RSBACPATH""attr_set_user $USERID sim_role $TMP &>$TMPFILE
               then
                 SIMROLE=$TMP
                 if test -n "$RSBACLOGFILE"
                 then
                   echo $RSBACPATH""attr_set_user $USERID sim_role $TMP >>"$RSBACLOGFILE"
                 fi
               else
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "`head -n 1 $TMPFILE`" $BL $BC
               fi
          fi
        else
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "SIM Role: No user specified!" 5 $BC
        fi
      ;;

    'MS Role:')
        if test "$USERID" != ""
        then \
          if $DIALOG --title "$TITLE" \
                    --backtitle "$BACKTITLE" \
                    --radiolist "Choose MS Role for $USERID" $BL $BC 3 \
                                0 "General User" `onoff 0 $MSROLE` \
                                1 "Security Officer" `onoff 1 $MSROLE` \
                                2 "Administrator" `onoff 2 $MSROLE` \
             2>$TMPFILE
          then TMP=`cat $TMPFILE`
               if $RSBACPATH""attr_set_user $USERID ms_role $TMP &>$TMPFILE
               then
                 MSROLE=$TMP
                 if test -n "$RSBACLOGFILE"
                 then
                   echo $RSBACPATH""attr_set_user $USERID ms_role $TMP >>"$RSBACLOGFILE"
                 fi
               else
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "`head -n 1 $TMPFILE`" $BL $BC
               fi
          fi
        else
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "MS Role: No user specified!" 5 $BC
        fi
      ;;

    'FF Role:')
        if test "$USERID" != ""
        then \
          if $DIALOG --title "$TITLE" \
                    --backtitle "$BACKTITLE" \
                    --radiolist "Choose FF Role for $USERID" $BL $BC 3 \
                                0 "General User" `onoff 0 $FFROLE` \
                                1 "Security Officer" `onoff 1 $FFROLE` \
                                2 "Administrator" `onoff 2 $FFROLE` \
             2>$TMPFILE
          then TMP=`cat $TMPFILE`
               if $RSBACPATH""attr_set_user $USERID ff_role $TMP &>$TMPFILE
               then
                 FFROLE=$TMP
                 if test -n "$RSBACLOGFILE"
                 then
                   echo $RSBACPATH""attr_set_user $USERID ff_role $TMP >>"$RSBACLOGFILE"
                 fi
               else
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "`head -n 1 $TMPFILE`" $BL $BC
               fi
          fi
        else
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "FF Role: No user specified!" 5 $BC
        fi
      ;;

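    'AUTH Role:')
        # Set the auth_role attribute of the selected user from a radiolist
        # (0 = General User, 1 = Security Officer, 2 = Administrator).
        if test -n "$USERID"
        then
          # The chosen tag arrives on dialog's stderr and lands in TMPFILE.
          # $(onoff ...) stays unquoted: it must yield one status word per
          # radiolist entry (onoff is defined elsewhere in this script).
          if $DIALOG --title "$TITLE" \
                    --backtitle "$BACKTITLE" \
                    --radiolist "Choose AUTH Role for $USERID" $BL $BC 3 \
                                0 "General User" $(onoff 0 $AUTHROLE) \
                                1 "Security Officer" $(onoff 1 $AUTHROLE) \
                                2 "Administrator" $(onoff 2 $AUTHROLE) \
             2>"$TMPFILE"
          then
            TMP=$(cat "$TMPFILE")
            # Quoting keeps the target user and the new value as single
            # arguments; unquoted they would be split and glob-expanded
            # before reaching the attribute tool.
            if "${RSBACPATH}attr_set_user" "$USERID" auth_role "$TMP" &>"$TMPFILE"
            then
              AUTHROLE=$TMP
              # Successful changes only are recorded in the log file.
              if test -n "$RSBACLOGFILE"
              then
                printf '%s\n' "${RSBACPATH}attr_set_user $USERID auth_role $TMP" >>"$RSBACLOGFILE"
              fi
            else
              # First line of the tool's combined output is the error text.
              $DIALOG --title "$ERRTITLE" \
                     --backtitle "$BACKTITLE" \
                     --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
            fi
          fi
        else
          $DIALOG --title "$ERRTITLE" \
                 --backtitle "$BACKTITLE" \
                 --msgbox "AUTH Role: No user specified!" 5 $BC
        fi
      ;;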

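    'PM Role:')
        # Set the pm_role attribute of the selected user from a five-entry
        # radiolist (tags 0 to 4, labelled below).
        if test -n "$USERID"
        then
          # dialog's stderr carries the chosen tag and is saved in TMPFILE.
          # $(onoff ...) is deliberately unquoted so it contributes exactly
          # one status word per entry (onoff is defined elsewhere).
          if $DIALOG --title "$TITLE" \
                    --backtitle "$BACKTITLE" \
                    --radiolist "Choose PM-Role for $USERID" $BL $BC 5 \
                                0 "General User" $(onoff 0 $PMROLE) \
                                1 "Security Officer" $(onoff 1 $PMROLE) \
                                2 "Data Protection Officer" $(onoff 2 $PMROLE) \
                                3 "TP-Manager" $(onoff 3 $PMROLE) \
                                4 "System Administrator" $(onoff 4 $PMROLE) \
             2>"$TMPFILE"
          then
            TMP=$(cat "$TMPFILE")
            # Target user and value are passed as one quoted argument each,
            # so neither can be split or glob-expanded on the way to the tool.
            if "${RSBACPATH}attr_set_user" "$USERID" pm_role "$TMP" &>"$TMPFILE"
            then
              PMROLE=$TMP
              # The log file receives the command only after it succeeded.
              if test -n "$RSBACLOGFILE"
              then
                printf '%s\n' "${RSBACPATH}attr_set_user $USERID pm_role $TMP" >>"$RSBACLOGFILE"
              fi
            else
              # Report the first line the tool printed.
              $DIALOG --title "$ERRTITLE" \
                     --backtitle "$BACKTITLE" \
                     --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
            fi
          fi
        else
          $DIALOG --title "$ERRTITLE" \
                 --backtitle "$BACKTITLE" \
                 --msgbox "PM-Role: No user specified!" 5 $BC
        fi
      ;;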
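    'Pseudo:')
        # Set the pseudo attribute (prompted for as a long integer) of the
        # selected user from a free-text input box.
        if test -n "$USERID"
        then
          # The typed text arrives on dialog's stderr and is saved in TMPFILE.
          if $DIALOG --title "$TITLE" \
                    --backtitle "$BACKTITLE" \
                    --inputbox "Pseudonym (long integer) for $USERID" $BL $BC "$PSEUDO" \
             2>"$TMPFILE"
          then
            TMP=$(cat "$TMPFILE")
            # TMP is whatever was typed into the input box. Quoting it hands
            # the text to attr_set_user as one argument: embedded blanks do
            # not become extra arguments and wildcard characters are not
            # expanded against the current directory. Checking that it is a
            # number is left to attr_set_user.
            if "${RSBACPATH}attr_set_user" "$USERID" pseudo "$TMP" &>"$TMPFILE"
            then
              PSEUDO=$TMP
              # Only accepted values are appended to the log file.
              if test -n "$RSBACLOGFILE"
              then
                printf '%s\n' "${RSBACPATH}attr_set_user $USERID pseudo $TMP" >>"$RSBACLOGFILE"
              fi
            else
              # Show the first line of the tool's output as the error text.
              $DIALOG --title "$ERRTITLE" \
                     --backtitle "$BACKTITLE" \
                     --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
            fi
          fi
        else
          $DIALOG --title "$ERRTITLE" \
                 --backtitle "$BACKTITLE" \
                 --msgbox "Pseudo: No user specified!" 5 $BC
        fi
      ;;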

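    'RC Default Role:')
        # Set the rc_def_role attribute of the selected user. If the role
        # list can be fetched with rc_get_item, the role is picked from a
        # menu; otherwise it is typed into an input box.
        if test -n "$USERID"
        then
          if "${RSBACPATH}rc_get_item" list_roles >"$TMPFILETWO"
          then
            # $(cat ...) is unquoted on purpose: the role list has to be
            # word-split into the tag/item arguments of --menu.
            # NOTE(review): the list format comes from rc_get_item and is not
            # visible here; entries containing blanks would break the pairing.
            if $DIALOG --title "$TITLE" \
                      --backtitle "$BACKTITLE" \
                      --default-item "$RCDEFROLE" \
                      --menu "Choose RC Default Role for $USERID" $BL $BC $MAXLINES \
                      $(cat "$TMPFILETWO") \
               2>"$TMPFILE"
            then
              TMP=$(cat "$TMPFILE")
              # One quoted argument each for the user and the role.
              if "${RSBACPATH}attr_set_user" "$USERID" rc_def_role "$TMP" &>"$TMPFILE"
              then
                RCDEFROLE=$TMP
                if test -n "$RSBACLOGFILE"
                then
                  printf '%s\n' "${RSBACPATH}attr_set_user $USERID rc_def_role $TMP" >>"$RSBACLOGFILE"
                fi
              else
                $DIALOG --title "$ERRTITLE" \
                       --backtitle "$BACKTITLE" \
                       --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
              fi
            fi
            # Empty the scratch file instead of removing it. Removal would
            # give up the name reserved at startup, and the next ">" on
            # TMPFILETWO would create a fresh file at a path that is by then
            # known, inside a directory that may be shared. It also left the
            # Quit arm's rm with nothing to delete.
            : >"$TMPFILETWO"
          else
            # No role list available: accept a typed value instead.
            if $DIALOG --title "$TITLE" \
                      --backtitle "$BACKTITLE" \
                      --inputbox "RC Default Role for $USERID" $BL $BC "$RCDEFROLE" \
               2>"$TMPFILE"
            then
              TMP=$(cat "$TMPFILE")
              # Free text from the input box: quoted so it stays a single
              # argument and is not glob-expanded.
              if "${RSBACPATH}attr_set_user" "$USERID" rc_def_role "$TMP" &>"$TMPFILE"
              then
                RCDEFROLE=$TMP
                if test -n "$RSBACLOGFILE"
                then
                  printf '%s\n' "${RSBACPATH}attr_set_user $USERID rc_def_role $TMP" >>"$RSBACLOGFILE"
                fi
              else
                $DIALOG --title "$ERRTITLE" \
                       --backtitle "$BACKTITLE" \
                       --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
              fi
            fi
          fi
        else
          $DIALOG --title "$ERRTITLE" \
                 --backtitle "$BACKTITLE" \
                 --msgbox "RC Default Role: No user specified!" 5 $BC
        fi
      ;;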

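    'CAP Min Caps:')
        # Edit the min_caps attribute of the selected user through a
        # checklist, then re-read the stored value with attr_get_user.
        #
        # The guard tests USERID, the variable every command below acts on.
        # The original tested $USER, which is normally the login name
        # exported by the environment, so the "No user specified!" branch
        # could not be reached and attr_set_user could be run without a
        # target. NOTE(review): confirm nothing else in this script assigns
        # USER on purpose.
        if test -n "$USERID"
        then
          # $(gen_min_caps_list) is unquoted so its output is split into the
          # tag/item/status arguments of --checklist; the helper is defined
          # elsewhere in this script.
          if $DIALOG --title "CAP min_caps for $USERID" \
                    --backtitle "$BACKTITLE" \
                    --checklist "Bits: $MINCAPS" $BL $BC $MAXLINES \
              $(gen_min_caps_list) \
              '--------------' '-----------------' off \
              UA 'Unset ALL' off \
              A  'Set ALL' off \
              FS_MASK  'Set Filesystem Caps' off \
             2>"$TMPFILE"
          then
            # Drop the double quotes found in the checklist result.
            TMP=$(tr -d '"' <"$TMPFILE")
            # $TMP is left unquoted on purpose: it holds the list of selected
            # tags, and each tag is passed as its own argument.
            if "${RSBACPATH}attr_set_user" "$USERID" min_caps $TMP &>"$TMPFILE"
            then
              MINCAPS=$("${RSBACPATH}attr_get_user" "$USERID" min_caps)
              # Only commands that succeeded are appended to the log file.
              if test -n "$RSBACLOGFILE"
              then
                printf '%s\n' "${RSBACPATH}attr_set_user $USERID min_caps $TMP" >>"$RSBACLOGFILE"
              fi
            else
              $DIALOG --title "$ERRTITLE" \
                     --backtitle "$BACKTITLE" \
                     --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
            fi
          fi
        else
          $DIALOG --title "$ERRTITLE" \
                 --backtitle "$BACKTITLE" \
                 --msgbox "CAP Min Caps: No user specified!" 5 $BC
        fi
      ;;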

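    'CAP Max Caps:')
        # Edit the max_caps attribute of the selected user through a
        # checklist, then re-read the stored value with attr_get_user.
        #
        # The guard tests USERID, which is what the commands below operate
        # on. The original tested $USER, normally the login name exported by
        # the environment, which left the "No user specified!" branch
        # unreachable and allowed attr_set_user to run without a target.
        # NOTE(review): confirm nothing else in this script assigns USER on
        # purpose.
        if test -n "$USERID"
        then
          # $(gen_max_caps_list) is unquoted so its output is split into the
          # tag/item/status arguments of --checklist; the helper is defined
          # elsewhere in this script.
          if $DIALOG --title "CAP max_caps for $USERID" \
                    --backtitle "$BACKTITLE" \
                    --checklist "Bits: $MAXCAPS" $BL $BC $MAXLINES \
              $(gen_max_caps_list) \
              '--------------' '-----------------' off \
              UA 'Unset ALL' off \
              A  'Set ALL' off \
              FS_MASK  'Set Filesystem Caps' off \
             2>"$TMPFILE"
          then
            # Drop the double quotes found in the checklist result.
            TMP=$(tr -d '"' <"$TMPFILE")
            # $TMP stays unquoted: it is the list of selected tags and every
            # tag has to become a separate argument.
            if "${RSBACPATH}attr_set_user" "$USERID" max_caps $TMP &>"$TMPFILE"
            then
              MAXCAPS=$("${RSBACPATH}attr_get_user" "$USERID" max_caps)
              # The log file receives the command only after it succeeded.
              if test -n "$RSBACLOGFILE"
              then
                printf '%s\n' "${RSBACPATH}attr_set_user $USERID max_caps $TMP" >>"$RSBACLOGFILE"
              fi
            else
              $DIALOG --title "$ERRTITLE" \
                     --backtitle "$BACKTITLE" \
                     --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
            fi
          fi
        else
          $DIALOG --title "$ERRTITLE" \
                 --backtitle "$BACKTITLE" \
                 --msgbox "CAP Max Caps: No user specified!" 5 $BC
        fi
      ;;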

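    'CAP Role:')
        # Set the cap_role attribute of the selected user from a radiolist
        # (0 = General User, 1 = Security Officer, 2 = Administrator).
        if test -n "$USERID"
        then
          # The chosen tag is written to dialog's stderr and kept in TMPFILE.
          # $(onoff ...) remains unquoted so that it supplies one status word
          # per entry (onoff is defined elsewhere in this script).
          if $DIALOG --title "$TITLE" \
                    --backtitle "$BACKTITLE" \
                    --radiolist "Choose CAP Role for $USERID" $BL $BC 3 \
                                0 "General User" $(onoff 0 $CAPROLE) \
                                1 "Security Officer" $(onoff 1 $CAPROLE) \
                                2 "Administrator" $(onoff 2 $CAPROLE) \
             2>"$TMPFILE"
          then
            TMP=$(cat "$TMPFILE")
            # User and value are quoted: one argument each, no splitting and
            # no globbing before the attribute tool sees them.
            if "${RSBACPATH}attr_set_user" "$USERID" cap_role "$TMP" &>"$TMPFILE"
            then
              CAPROLE=$TMP
              # Successful changes only are recorded in the log file.
              if test -n "$RSBACLOGFILE"
              then
                printf '%s\n' "${RSBACPATH}attr_set_user $USERID cap_role $TMP" >>"$RSBACLOGFILE"
              fi
            else
              # First line of the tool's combined output is the error text.
              $DIALOG --title "$ERRTITLE" \
                     --backtitle "$BACKTITLE" \
                     --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
            fi
          fi
        else
          $DIALOG --title "$ERRTITLE" \
                 --backtitle "$BACKTITLE" \
                 --msgbox "CAP Role: No user specified!" 5 $BC
        fi
      ;;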

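    'Log User Based:')
        # Edit the log_user_based attribute of the selected user through a
        # checklist, then re-read the stored value with attr_get_user.
        #
        # The guard tests USERID, the variable the commands below act on.
        # The original tested $USER, normally the login name exported by the
        # environment, so the "No user specified!" branch was unreachable
        # and the per-user logging mask could be written without a target.
        # NOTE(review): confirm nothing else in this script assigns USER on
        # purpose.
        if test -n "$USERID"
        then
          # $(gen_request_list) is unquoted so its output is split into the
          # tag/item/status arguments of --checklist; the helper is defined
          # elsewhere in this script.
          if $DIALOG --title "log_user_based for $USERID" \
                    --backtitle "$BACKTITLE" \
                    --checklist "Bits: $LOGUSER" $BL $BC $MAXLINES \
              $(gen_request_list) \
              '--------------' '-----------------' off \
              UA 'Unset ALL' off \
              A  'Set ALL' off \
              R  'Set Read Requests' off \
              RW 'Set Read-Write R.' off \
              W  'Set Write Requests' off \
              SY 'Set System R.' off \
              SE 'Set Security R.' off \
             2>"$TMPFILE"
          then
            # Drop the double quotes found in the checklist result.
            TMP=$(tr -d '"' <"$TMPFILE")
            # $TMP stays unquoted: it is the list of selected tags and every
            # tag has to become a separate argument.
            if "${RSBACPATH}attr_set_user" "$USERID" log_user_based $TMP &>"$TMPFILE"
            then
              LOGUSER=$("${RSBACPATH}attr_get_user" "$USERID" log_user_based)
              # Only commands that succeeded are appended to the log file.
              if test -n "$RSBACLOGFILE"
              then
                printf '%s\n' "${RSBACPATH}attr_set_user $USERID log_user_based $TMP" >>"$RSBACLOGFILE"
              fi
            else
              $DIALOG --title "$ERRTITLE" \
                     --backtitle "$BACKTITLE" \
                     --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
            fi
          fi
        else
          $DIALOG --title "$ERRTITLE" \
                 --backtitle "$BACKTITLE" \
                 --msgbox "Log User Based: No user specified!" 5 $BC
        fi
      ;;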

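    'ACL Menu:')
        # Hand over to the separate ACL menu helper, passing the literal word
        # USER as its only argument (presumably the target type; confirm
        # against rsbac_acl_menu). With RSBACPATH empty the helper is found
        # through PATH. The prefix is quoted so that a directory name
        # containing blanks is not split into several words.
        "${RSBACPATH}rsbac_acl_menu" USER
      ;;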

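    'Reset Attributes:')
        # After a yes/no confirmation, remove the selected user's attribute
        # settings with attr_rm_user and reload the displayed values.
        #
        # The guard tests USERID, the only variable attr_rm_user is given.
        # NOTE(review): the original compared $TYPE with "NONE" and reported
        # "No file/dir specified!", which looks carried over from a file/dir
        # menu; no assignment to TYPE is visible in this part of the script,
        # so confirm that nothing relies on it.
        if test -n "$USERID"
        then
          # --yesno conveys the answer through its exit status; stderr is
          # discarded.
          if $DIALOG --title "$TITLE" \
                    --backtitle "$BACKTITLE" \
                    --yesno "Reset all attributes to default values?" 5 $BC \
             2>/dev/null
          then
            # NOTE(review): unlike the attr_set_user arms, a successful reset
            # is not appended to RSBACLOGFILE; decide whether the log should
            # record it.
            if "${RSBACPATH}attr_rm_user" "$USERID" &>"$TMPFILE"
            then
              get_attributes
            else
              # Show the first line of the tool's output as the error text.
              $DIALOG --title "$ERRTITLE" \
                     --backtitle "$BACKTITLE" \
                     --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
            fi
          fi
        else
          $DIALOG --title "$ERRTITLE" \
                 --backtitle "$BACKTITLE" \
                 --msgbox "Reset Attributes: No user specified!" 5 $BC
        fi
      ;;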

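    Quit)
        # Remove both scratch files, then leave the script. The names are
        # quoted and follow "--" so an unusual TMPDIR cannot be split or read
        # as an option. -f keeps the cleanup quiet if a file has already
        # been removed.
        rm -f -- "$TMPFILE" "$TMPFILETWO"
        exit
      ;;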

    *)
        # Fallback arm: none of the labels above matched the selection, so
        # report it in an error box and let the surrounding loop carry on.
        $DIALOG --title "$ERRTITLE" --backtitle "$BACKTITLE" \
               --msgbox "Main Menu: Selection Error!" 5 $BC
      ;;

  esac
# sleep 2
done
