localuserconfig



#!/bin/sh
#
# /usr/local/bin/localuserconfig
# Copyright 2004-2006 Jonas Smedegaard <dr@jones.dk>
#
# $Id: localuserconfig,v 1.8 2006-07-16 12:29:16 jonas Exp $
#
# Set/change local account settings
#
# TODO: Use the following syntax to add info to .smbpasswd
#   grep -q SomeOption ~/file || echo "line with SomeOption and such" >> ~/file
#
# TODO: Move relevant stuff from user-init and make it use this instead
# TODO: Use getopt, and implement --help
# TODO: Implement runmodes noninteractive and force (in addition to the default: interactive)
# TODO: Runmode noninteractive by default if no tty attached
# TODO: Implement verbosity levels (0=quiet 1=oneliner 2=default 3=chatty 4=debug)

set -e

# config (edit /etc/local/users.conf to override)

# which are user accounts (adduser values are used if empty)
first_uid=""
last_uid=""

do_quota="no"    # Manage disk quota
do_distrib="no"  # Distributed shares (software archive)
do_personal="no" # Personal shares (mac, pc, public_html)
do_xchange="no"  # Group-readable shares
do_public="no"   # Public share (web homepage)
do_mac="no"      # AppleShare-optimized share (netatalk)
do_pc="no"       # SMB-ptimized share (Samba)
do_server="no"   # Personal share on remote SMB server

quota_roots="" # space-delimited list of disk devices
quota_soft="100000"
quota_hard="1000000"
quota_newstyle="yes" # Woody used a different syntax...

xchange_root="xchange"
xchange_sharedroot="/home/XCHANGE"

mac_root="mac"

pc_root="pc"

server_name="SERVER" # SMB name of remote server 
server_desc="remote server" 
server_root="server"
server_conf="/etc/security/pam_mount.conf"
server_userconf=".winpassword"

### No servicable parts below this line! ###

if [ -e /etc/adduser.conf ]; then
    . /etc/adduser.conf
else
    echo "/etc/adduser.conf missing. Exiting..."
    exit 1
fi

[ -r /etc/local/users.conf ] && . /etc/local/users.conf

# Flags used internally
root_required="no"
runmode="interactive"

user="`id -u -n`"
uid="`id -u`"
HOME="`getent passwd \"$user\" | awk -F: '{print $6}' | head -n 1`"
#TODO: Allow root to pass the above as options

# Safety checks (disable silently - the user can't correct it anyway)

[ "$do_mac" = "yes" -a -n "$mac_root" ] || do_mac="no"
[ "$do_pc" = "yes" -a -n "$pc_root" ] || do_pc="no"
[ "$do_xchange" = "yes" -a -n "$xchange_root" ] || do_xchange="no"
[ "$do_server" = "yes" -a -n "$server_root" ] || do_server="no"
#TODO: do a loop instead for the above

# only do user accounts (checked against /etc/adduser.conf values)
[ -n "$first_uid" ] || first_uid="$FIRST_UID"
[ -n "$last_uid" ] || last_uid="$LAST_UID"
[ "$uid" -ge "$FIRST_UID" -a "$uid" -le "$LAST_UID" ] || exit 0
#TODO: check if above is numeric
#TODO: Always use adduser values as strict outer limits

if [ -z "$HOME" ]; then
    echo "Error: Unable to resolve home of user $user!"
    exit 1
fi
if [ ! -d "$HOME" ]; then
    echo "Error: Home of user $user doesn't exist: \"$HOME\"!"
    exit 1
fi

if [ "$do_server" = "yes" ]; then
    server_edit="1"
    if [ -r "$HOME/$server_userconf" ]; then
        server_username="$(grep '^username' $HOME/$server_userconf | awk -F= '{print $2}' | head -n 1 | awk '{print $1}')"
        server_password="$(grep '^password' $HOME/$server_userconf | awk -F= '{print $2}' | head -n 1 | awk '{print $1}')"
    fi
    if [ -n "$server_username" ]; then
        server_edit=""
        echo -n "Account info for $server_desc already exists. Edit (y/N)? "
        read server_overwrite
        case $server_overwrite in
            y|Y)
            server_edit="1"
            ;;
        esac
    else
        server_username=$user
    fi
    if [ "$server_edit" = "1" ]; then
        if [ -n "$server_username" ]; then
            echo -n "Username on $server_desc ($server_username): "
        else
            echo -n "Username on $server_desc: "
        fi
        read server_username_new
        if [ -n "$server_username_new" ]; then
            server_username="$server_username_new"
        fi
        echo -n "Password on $server_desc: "
        read -s server_password
        echo
        echo -n "Password once more: "
        read -s server_password_again
        echo
        if [ -n "$server_username" -a "$server_password" = "$server_password_again" ]; then
            echo "username = $server_username" > $HOME/$server_userconf
            echo "password = $server_password" >> $HOME/$server_userconf
            chmod 0600 $HOME/$server_userconf
        else
            echo "Setting server login info failed: problem getting either username or password"
        fi
    fi
    if grep -v -q "^volume $user " "$server_conf"; then
        root_required="yes"
    fi
fi

#if [ "$root_required" = "yes" ]; then
#   echo "Note: Some of the current setup requires action by systems administrator"
#TODO: Re-enable this, but only when able to suppress by root
#TODO: send email to root, unless invoked by root
#TODO: Collect actual items needing attention, to print and include in email
#fi

exit 0
#FIXME: The remaining is to be implemented (lifted from user-init)

#if [ -x /etc/local/quota.sh ]; then
#   /etc/local/quota.sh $user
#   fi
[ $quota_soft ] || quota_soft="0"
[ $quota_hard ] || quota_hard="0"
for quota_root in $quota_roots; do
    if [ $quota_newstyle ]; then
        setquota $user $quota_soft $quota_hard 0 0 $quota_root
    else
        setquota $user $quota_root $quota_soft $quota_hard 0 0
    fi
done

mkdir -p $HOME/mail
if [ "$USE_MBOX" ]; then
    touch $HOME/mail/mbox
elif [ -f $HOME/mail/mbox -a ! -s $HOME/mail/mbox ]; then
    rm -f $HOME/mail/mbox
fi

if [ $NETATALK ]; then
    mkdir -p $HOME/$mac_root
fi
if [ $SAMBA ]; then
    mkdir -p $HOME/$pc_root
fi

if [ $XCHANGE ]; then
    mkdir -p $xchange_sharedroot/users/root/$user
fi

if [ $PUBLIC ]; then
    mkdir -p $HOME/public_html
fi

chown $user: $HOME
chmod u=rwX,go=rX $HOME

# Mail handling
chown -R $user: $HOME/mail
chmod -R u=rw,go=,u+X $HOME/mail
if [ -f $HOME/.mailboxlist ]; then
    chown $user: $HOME/.mailboxlist
    chmod 0640 $HOME/.mailboxlist
fi
if [ -f $HOME/.forward ]; then
    chown $user: $HOME/.forward
    chmod 0640 $HOME/.forward
fi
if [ -f /var/mail/$user ]; then
    chown $user:mail /var/mail/$user
    chmod ug=rw,o= /var/mail/$user
elif [ -f /var/spool/mail/$user ]; then
    chown $user:mail /var/spool/mail/$user
    chmod ug=rw,o= /var/spool/mail/$user
fi

# MySQL handling
if [ -f $HOME/.my.cnf ]; then
    chown $user: $HOME/.my.cnf
    chmod 0600 $HOME/.my.cnf
fi

# Mac dir permissions
if [ -d $HOME/$mac_root ]; then
    chown -R $user: $HOME/$mac_root
    chmod -R u=rw,g=r,o=,ug+X $HOME/$mac_root
    rm -rf $HOME/$mac_root/Network\ Trash\ Folder
    mkdir $HOME/$mac_root/Network\ Trash\ Folder
    chown nobody: $HOME/$mac_root/Network\ Trash\ Folder
    chmod a= $HOME/$mac_root/Network\ Trash\ Folder
fi

# PC dir permissions
if [ -d $HOME/$pc_root ]; then
    chown -R $user: $HOME/$pc_root
    chmod -R u=rw,g=r,o=,ug+X $HOME/$pc_root
fi
    
# Exchange dir permissions
if [ -d $xchange_sharedroot/users/root/$user ]; then
    chown -R $user:users $xchange_sharedroot/users/root/$user
    chmod -R g=r,g+X $xchange_sharedroot/users/root/$user
    if [ -e "x$HOME/$xchange_root" ]; then
        if [ -L "x$HOME/$xchange_root" ]; then
            ln -sf $xchange_sharedroot/users/root/$user $HOME/$xchange_root
        else
            echo "ERROR: $HOME/$xchange_root exists already. Leaving it as is..."
        fi
    else
        ln -s $xchange_sharedroot/users/root/$user $HOME/$xchange_root
    fi
fi

# Public dir permissions
if [ -d $HOME/public_html ]; then
    chown -R $user: $HOME/public_html
    chmod -R u+rX,go=r,go+X $HOME/public_html
    if [ $NETATALK ]; then
        rm -rf $HOME/public_html/Network\ Trash\ Folder
        mkdir $HOME/public_html/Network\ Trash\ Folder
        chown nobody: $HOME/public_html/Network\ Trash\ Folder
        chmod a= $HOME/public_html/Network\ Trash\ Folder
    fi
fi

# Fileshares: <home>/shares.<sharetype>/<rogroup>/<rwgroup>/<sharename>
#   <sharetype>: Either mac or win depending on which of netatalk and samba provides r/w access to the shares
#   <rwgroup>:   Group with write access to the share (usually the default group of the owner)
#   <rogroup>:   Either rwgroup or secondary group with read-only access to the share
#   owner must be member of both groups, and rwgroup members must also be members of rogroup
find "$HOME" -mindepth 1 -maxdepth 1 -type d -print | egrep "^$HOME/shares\." | (while read thisdir; do
    sharetype="`basename \"$thisdir\" | awk -F. '{print $2}'`"
    # Define dir and file exceptions
    case "$sharetype" in
        mac)
        dirs_world_rw_create='.AppleDB'
        dirs_group_rw_create='.AppleDesktop/Temporary Items/TheFindByContentFolder'
        dirs_group_ro_create='TheVolumeSettingsFolder'
        dirs_group_ro_update='.AppleDouble'
        files_group_ro_update=':2eDS_Store'
        dirs_no_access_purge='Network Trash Folder'
        ;;
        win)
        ;;
        *)
        continue
        ;;
    esac
    exceptions="$dirs_world_rw_create/$dirs_group_rw_create/$dirs_group_ro_create/$dirs_group_ro_update/$files_group_ro_update/$dirs_no_access_purge"
    exception_dirs_create="$dirs_world_rw_create/$dirs_group_rw_create/$dirs_group_ro_create"
    chown "$user": "$thisdir"
    chmod a=rX "$thisdir"
    find "$thisdir" -mindepth 1 -maxdepth 1 -type d -print | (while read thisdir; do
        rogroup="`basename \"$thisdir\"`"
        chown "$user":"$rogroup" "$thisdir"
        chmod ug=rX,o= "$thisdir"
        find "$thisdir" -mindepth 1 -maxdepth 1 -type d -print | (while read thisdir; do
            rwgroup="`basename \"$thisdir\"`"
            chown "$user":"$rwgroup" "$thisdir"
            chmod a=rX,g+s "$thisdir"
            find "$thisdir" -mindepth 1 -maxdepth 1 -type d -print | (while read thisdir; do
                sharename="`basename \"$thisdir\"`"
                chown "$user":"$rwgroup" "$thisdir"
                chmod u=rw,go=r,a+X,g+s "$thisdir"
                ifs="$IFS"
                # Set default permissions
                find "$thisdir" -mindepth 1 -maxdepth 1 -print | (while read thisdir; do
                    item="`basename \"$thisdir\"`"
                    IFS="/"; for exception in $exceptions; do IFS="$ifs";
                        if [ "$item" = "$exception" ]; then
                            continue 2
                        fi
                    done
                    chgrp -R "$rwgroup" "$thisdir"
                    chmod -R ug=rw,o=r,a+X,g+s "$thisdir"
                done)
                # Handle exception dirs to be created if not existing
                IFS="/"; for dir in $exception_dirs_create; do IFS="$ifs";
                    if [ ! -d "$thisdir/$dir" ]; then
                        rm -f "$thisdir/$dir"
                    fi
                    if [ ! -e "$thisdir/$dir" ]; then
                        mkdir "$thisdir/$dir"
                    fi
                    chown "$user":"$rwgroup" "$thisdir/$dir"
                done
                IFS="/"; for dir in $dirs_world_rw_create; do IFS="$ifs";
                    if [ "$rogroup" = "$rwgroup" ]; then
                        chmod -R ug=rw,o=r,a+X,g+s "$thisdir/$dir"
                    else
                        chmod -R a=rw,a+X,g+s "$thisdir/$dir"
                    fi
                done
                IFS="/"; for dir in $dirs_group_rw_create; do IFS="$ifs";
                    chmod -R ug=rw,o=r,a+X,g+s "$thisdir/$dir"
                done
                IFS="/"; for dir in $dirs_group_ro_create; do IFS="$ifs";
                    chmod -R u=rw,go=r,a+X,g+s "$thisdir/$dir"
                done
                # Handle exception dirs to be updated if already there
                IFS="/"; for dir in $dirs_group_ro_update; do IFS="$ifs";
                    if [ -e "$thisdir/$dir" ]; then
                        chmod u=rw,go=r,a+X,g+s "$thisdir/$dir"
                    fi
                done
                # Handle exception files to be updated if already there
                IFS="/"; for file in $files_group_ro_update; do IFS="$ifs";
                    if [ -e "$thisdir/$file" ]; then
                        chmod u=rw,go=r,g+s "$thisdir/$file"
                    fi
                done
                # Handle exception dirs to be purged and recreated
                IFS="/"; for dir in $dirs_no_access_purge; do IFS="$ifs";
                    rm -rf "$thisdir/$dir"
                    mkdir -m a= "$thisdir/$dir"
                    chown nobody: "$thisdir/$dir"
                done
                IFS="$ifs"
            done)
        done)
    done)
done)

# Deprecated share permissions
for dir in `find $HOME -mindepth 1 -maxdepth 1 -type d | egrep "^$HOME/shares_win"`; do
    chgrp -R $user $dir
    chmod -R u=rw,g=rw,o=,ug+X,g+s $dir
done
for dir in `find $HOME -mindepth 1 -maxdepth 1 -type d | egrep "^$HOME/shares_mac"`; do
    chgrp -R $user $dir
    chmod -R u=rw,g=rw,o=,ug+X,g+s $dir
    rm -rf $dir/Network\ Trash\ Folder
    mkdir $dir/Network\ Trash\ Folder
    chown nobody: $dir/Network\ Trash\ Folder
    chmod a= $dir/Network\ Trash\ Folder
done

# Ftp shares permissions
for dir in `find $HOME -mindepth 1 -maxdepth 1 -type d | egrep "^$HOME/ftp_$USER$"`; do
    chgrp -R $user $dir
    chmod -R ug=rw,o=r,a+X,g+s $dir
    rm -rf $dir/Network\ Trash\ Folder
    mkdir $dir/Network\ Trash\ Folder
    chown nobody: $dir/Network\ Trash\ Folder
    chmod a= $dir/Network\ Trash\ Folder
done
for dir in `find $HOME -mindepth 1 -maxdepth 1 -type d | egrep "^$HOME/ftp_${USER}_ro$"`; do
    chown -R $user: $dir
    chmod -R u=rw,go=r,a+X $dir
    rm -rf $dir/Network\ Trash\ Folder
    mkdir $dir/Network\ Trash\ Folder
    chown nobody: $dir/Network\ Trash\ Folder
    chmod a= $dir/Network\ Trash\ Folder
done

# Web shares permissions
for dir in `find $HOME -mindepth 1 -maxdepth 1 -type d | egrep "^$HOME/web_"`; do
    chown -R $user: $dir
#   chmod -R u=rw,go=r,a+X $webdir
#TODO: Only cgi scripts (.cgi and .pl) should be executable
    chmod -R u+rw,go+r,a+X $dir
    # leftover from ancient times with another policy
    if [ $NETATALK ]; then
        rm -rf $dir/Network\ Trash\ Folder
    fi
done
    
# Web shares permissions
for dir in `find $HOME -mindepth 1 -maxdepth 1 -type d | egrep "^$HOME/websites"`; do
    chown root: $dir
    chmod a=r,u+w,a+X $dir
done
for dir in `find $HOME -mindepth 2 -maxdepth 2 -type d | egrep "^$HOME/websites/"`; do
    chown -R $user: $dir
#   chmod -R u=rw,go=r,a+X $webdir
#TODO: Only cgi scripts (.cgi and .pl) should be executable
    chmod -R u+rw,go+r,a+X $dir
    # leftover from ancient times with another policy
    if [ $NETATALK ]; then
        rm -rf $dir/Network\ Trash\ Folder
    fi
done
for dir in `find $HOME -mindepth 1 -maxdepth 1 -type d | egrep "^$HOME/webscripts"`; do
    chown root: $dir
    chmod a=r,u+w,a+X $dir
done
for dir in `find $HOME -mindepth 2 -maxdepth 2 -type d | egrep "^$HOME/webscripts/"`; do
    chown -R $user: $dir
#   chmod -R u=rw,go=r,a+X $webdir
#TODO: Only cgi scripts (.cgi and .pl) should be executable
    chmod -R u+rw,go+r,a+X $dir
done
for dir in `find $HOME -mindepth 1 -maxdepth 1 -type d | egrep "^$HOME/webdata"`; do
    chown $user: $dir
    chmod a=r,u+w,a+X $dir
done
for dir in `find $HOME -mindepth 2 -maxdepth 2 -type d | egrep "^$HOME/webdata/"`; do
    chown -R $user: $dir
    chmod -R u=rw,go=,u+X $dir
done
for dir in `find $HOME -mindepth 1 -maxdepth 1 -type d | egrep "^$HOME/webshareddata"`; do
    chown $user: $dir
    chmod a=r,u+w,a+X $dir
done
for dir in `find $HOME -mindepth 2 -maxdepth 2 -type d | egrep "^$HOME/webshareddata/"`; do
    chown -R $user: $dir
    chmod -R u=rw,go=r,a+X $dir
done
for dir in `find $HOME -mindepth 1 -maxdepth 1 -type d | egrep "^$HOME/webphpsites"`; do
    chown root: $dir
    chmod u=rw,go=r,a+X $dir
done
for dir in `find $HOME -mindepth 2 -maxdepth 2 -type d | egrep "^$HOME/webphpsites/"`; do
    chown -R $user:www-data $dir
#   chmod -R ug=rw,o=r,a+X $dir
    chmod -R ug=rw,o=,ug+X $dir
done
for dir in `find $HOME -mindepth 1 -maxdepth 1 -type d | egrep "^$HOME/webphpdata"`; do
    chown root: $dir
    chmod a=r,u+w,a+X $dir
done
for dir in `find $HOME -mindepth 2 -maxdepth 2 -type d | egrep "^$HOME/webphpdata/"`; do
    chown -R $user:www-data $dir
    chmod -R ug=rw,o=,ug+X $dir
done
    
# Dummy user restrictions
if [ -n "$REALUSERS_GROUPNAME" -a -n "$DUMMYSHAREDIR" -a -n "$DUMMYSHAREOWNER" -a -n "$DUMMYSHARENAME" ]; then
    [ -e $DUMMYSHAREDIR/$user ] \
        || mkdir $DUMMYSHAREDIR/$user
    chown $DUMMYSHAREOWNER: $DUMMYSHAREDIR/$user
    chmod u=rw,go=r,a+X $DUMMYSHAREDIR/$user
    if [ -e $HOME/$DUMMYSHARENAME ]; then
        if [ -L $HOME/$DUMMYSHARENAME ]; then
            ln -sf $DUMMYSHAREDIR/$user $HOME/$DUMMYSHARENAME
            chown $user: $HOME/$DUMMYSHARENAME
        else
            echo "WARNING: $HOME/$DUMMYSHAREDIR exists already. Leaving it as is..."
        fi
    else
        ln -s $DUMMYSHAREDIR/$user $HOME/$DUMMYSHARENAME
        chown $user: $HOME/$DUMMYSHARENAME
    fi
    if [ -n "$DUMMYAPACHECFG" -a -n "$DUMMYAPACHESHAREDIR" ]; then
        if [ -f /etc/apache/include.d/$DUMMYAPACHECFG -a -x /etc/init.d/apache ]; then
            if [ -e /etc/apache/include.d/$DUMMYAPACHECFG-$user ]; then
                echo "/etc/apache/include.d/$DUMMYAPACHECFG-$user exists already. Ignoring..."
            else
                echo "# Created automatically by adduser.local
<Location /$DUMMYAPACHESHAREDIR/$user>
    <Limit GET POST>
        require user $user
    </Limit>
</Location>" \
                    > /etc/apache/include.d/$DUMMYAPACHECFG-$user
                root_required="yes"
            fi
        fi
    fi
fi