#!/bin/sh

set -eu

# This should normally be run on bootservers only.

if [ "$(puavo-conf puavo.admin.set_root_password)" != 'true' ]; then
  exit 0
fi

# errors do not matter, we will disable the password in case the variable
# gets an empty value
hashed_root_password=$(cat /state/.root_password 2>/dev/null || true)

if [ -n "$hashed_root_password" ]; then
  # arguments are seen on process lists, BUT this should only be run
  # on boot (when user logins are not possible), and it should be in hashed
  # form anyway
  usermod -p "$hashed_root_password" root
else
  # lock the root password in case we could not read any
  usermod -L root
fi
