summaryrefslogtreecommitdiff
path: root/src/subcommands/ma/update-users
blob: d3a72dc183d811bd1641349bb2c16cecdd4fcd5e (plain) 
    

  1. #!/usr/bin/env bash
    2. 

  2. 

  3. # Monkeysphere authentication update-users subcommand
    4. 

  4. #
    5. 

  5. # The monkeysphere scripts are written by:
    6. 

  6. # Jameson Rollins <jrollins@fifthhorseman.net>
    7. 

  7. # Jamie McClelland <jm@mayfirst.org>
    8. 

  8. # Daniel Kahn Gillmor <dkg@fifthhorseman.net>
    9. 

  9. #
    10. 

  10. # They are Copyright 2008, and are all released under the GPL, version 3
    11. 

  11. # or later.
    12. 

  12. 

  13. update_users() {
    14. 

  14. 

  15. local unames
    16. 

  16. local uname
    17. 

  17. local authorizedKeysDir
    18. 

  18. local authorizedUserIDs
    19. 

  19. 

  20. if [ "$1" ] ; then
    21. 

  21.     # get users from command line
    22. 

  22.     unames="$@"
    23. 

  23. else         
    24. 

  24.     # or just look at all users if none specified
    25. 

  25.     unames=$(getent passwd | cut -d: -f1)
    26. 

  26. fi
    27. 

  27. 

  28. RETURN=0
    29. 

  29. 

  30. # set mode
    31. 

  31. MODE="authorized_keys"
    32. 

  32. 

  33. # set gnupg home
    34. 

  34. GNUPGHOME="$GNUPGHOME_SPHERE"
    35. 

  35. 

  36. # the authorized_keys directory
    37. 

  37. authorizedKeysDir="${SYSDATADIR}/authentication/authorized_keys"
    38. 

  38. 

  39. # check to see if the gpg trust database has been initialized
    40. 

  40. if [ ! -s "${GNUPGHOME}/trustdb.gpg" ] ; then
    41. 

  41.     failure "GNUPG trust database uninitialized.  Please see MONKEYSPHERE-SERVER(8)."
    42. 

  42. fi
    43. 

  43. 

  44. # make sure the authorized_keys directory exists
    45. 

  45. mkdir -p "${authorizedKeysDir}"
    46. 

  46. 

  47. # loop over users
    48. 

  48. for uname in $unames ; do
    49. 

  49.     # check all specified users exist
    50. 

  50.     if ! id "$uname" >/dev/null ; then
    51. 

  51.     log error "----- unknown user '$uname' -----"
    52. 

  52.     continue
    53. 

  53.     fi
    54. 

  54. 

  55.     log verbose "----- user: $uname -----"
    56. 

  56. 

  57.     # make temporary directory
    58. 

  58.     TMPLOC=$(mktemp -d ${MATMPDIR}/tmp.XXXXXXXXXX) || failure "Could not create temporary directory!"
    59. 

  59. 

  60.     # trap to delete temporary directory on exit
    61. 

  61.     trap "rm -rf $TMPLOC" EXIT
    62. 

  62. 

  63.     # create temporary authorized_user_ids file
    64. 

  64.     TMP_AUTHORIZED_USER_IDS="${TMPLOC}/authorized_user_ids"
    65. 

  65.     touch "$TMP_AUTHORIZED_USER_IDS"
    66. 

  66. 

  67.      # create temporary authorized_keys file
    68. 

  68.     AUTHORIZED_KEYS="${TMPLOC}/authorized_keys"
    69. 

  69.     touch "$AUTHORIZED_KEYS"
    70. 

  70. 

  71.     # set restrictive permissions on the temporary files
    72. 

  72.     # FIXME: is there a better way to do this?
    73. 

  73.     chmod 0700 "$TMPLOC"
    74. 

  74.     chmod 0600 "$AUTHORIZED_KEYS"
    75. 

  75.     chmod 0600 "$TMP_AUTHORIZED_USER_IDS"
    76. 

  76.     chown -R "$MONKEYSPHERE_USER" "$TMPLOC"
    77. 

  77. 

  78.     # process authorized_user_ids file
    79. 

  79.     log debug "checking for authorized_user_ids..."
    80. 

  80.     # translating ssh-style path variables
    81. 

  81.     authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS")
    82. 

  82.     if [ -s "$authorizedUserIDs" ] ; then
    83. 

  83.     # check permissions on the authorized_user_ids file path
    84. 

  84.     if check_key_file_permissions "$uname" "$authorizedUserIDs" ; then
    85. 

  85.             # copy user authorized_user_ids file to temporary
    86. 

  86.             # location
    87. 

  87.         cat "$authorizedUserIDs" > "$TMP_AUTHORIZED_USER_IDS"
    88. 

  88. 

  89.         # export needed variables
    90. 

  90.         export AUTHORIZED_KEYS
    91. 

  91.         export TMP_AUTHORIZED_USER_IDS
    92. 

  92. 

  93.         # process authorized_user_ids file, as monkeysphere user
    94. 

  94.         su_monkeysphere_user \
    95. 

  95.         ". ${SYSSHAREDIR}/common; process_authorized_user_ids $TMP_AUTHORIZED_USER_IDS"
    96. 

  96.         RETURN="$?"
    97. 

  97.     else
    98. 

  98.         log debug "not processing authorized_user_ids."
    99. 

  99.     fi
    100. 

  100.     else
    101. 

  101.     log debug "empty or absent authorized_user_ids file."
    102. 

  102.     fi
    103. 

  103. 

  104.     # add user-controlled authorized_keys file if specified translate
    105. 

  105.     # ssh-style path variables
    106. 

  106.     rawAuthorizedKeys=$(translate_ssh_variables "$uname" "$RAW_AUTHORIZED_KEYS")
    107. 

  107.     if [ "$rawAuthorizedKeys" != 'none' ] ; then
    108. 

  108.     log debug "checking for raw authorized_keys..."
    109. 

  109.     if [ -s "$rawAuthorizedKeys" ] ; then
    110. 

  110.         # check permissions on the authorized_keys file path
    111. 

  111.         if check_key_file_permissions "$uname" "$rawAuthorizedKeys" ; then
    112. 

  112.         log verbose "adding raw authorized_keys file... "
    113. 

  113.         cat "$rawAuthorizedKeys" >> "$AUTHORIZED_KEYS"
    114. 

  114.         else
    115. 

  115.         log debug "not adding raw authorized_keys file."        
    116. 

  116.         fi
    117. 

  117.     else
    118. 

  118.         log debug "empty or absent authorized_keys file."
    119. 

  119.     fi
    120. 

  120.     fi
    121. 

  121. 

  122.     # move the new authorized_keys file into place
    123. 

  123.     if [ -s "$AUTHORIZED_KEYS" ] ; then
    124. 

  124.     # openssh appears to check the contents of the authorized_keys
    125. 

  125.     # file as the user in question, so the file must be readable
    126. 

  126.     # by that user at least.
    127. 

  127. 

  128.     # but in general, we don't want the user tampering with this
    129. 

  129.     # file directly, so we'll adopt this approach: Own the file by
    130. 

  130.     # the monkeysphere-server invoker (usually root, but should be
    131. 

  131.     # the same uid that sshd is launched as); change the group of
    132. 

  132.     # the file so that members of the user's group can read it.
    133. 

  133. 

  134.     # FIXME: is there a better way to do this?
    135. 

  135.     chown $(whoami) "$AUTHORIZED_KEYS" && \
    136. 

  136.         chgrp $(id -g "$uname") "$AUTHORIZED_KEYS" && \
    137. 

  137.         chmod g+r "$AUTHORIZED_KEYS" && \
    138. 

  138.         mv -f "$AUTHORIZED_KEYS" "${authorizedKeysDir}/${uname}" || \
    139. 

  139.         { 
    140. 

  140.         log error "Failed to install authorized_keys for '$uname'!"
    141. 

  141.         rm -f "${authorizedKeysDir}/${uname}"
    142. 

  142.         # indicate that there has been a failure:
    143. 

  143.         RETURN=1
    144. 

  144.     }
    145. 

  145.     else
    146. 

  146.     rm -f "${authorizedKeysDir}/${uname}"
    147. 

  147.     fi
    148. 

  148. 

  149.     # unset the trap
    150. 

  150.     trap - EXIT
    151. 

  151. 

  152.     # destroy temporary directory
    153. 

  153.     rm -rf "$TMPLOC"
    154. 

  154. done
    155. 

  155. 

  156. }
    157.
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-20 10:10:22 +0000