path: root/user-init

#!/bin/sh

set -e

# reset flags
apache_reload_needed=""
runmode="normal"
mac=".mac"
pc=".pc"
xchange=".xchange"

if [ -e /etc/adduser.conf ]; then
    . /etc/adduser.conf
else
    echo "/etc/adduser.conf missing. Exiting..."
    exit 1
fi

[ -f /etc/local/users.conf ] && . /etc/local/users.conf

if [ -e /etc/local/volumes ]; then
    . /etc/local/volumes
else
    # exit silently if this system lacks required hints
    exit 0
fi

XDIRREAL="$XDIR/users/root"

if [ $XCHANGE ]; then
    if [ ! -d "$XDIR" ]; then
        echo "XDIR doesn't exist. Ignoring XCHANGE!"
        XCHANGE=""
    fi
fi

if [ $# -gt 0 ]; then
    USERS=$*
else
#   USERS=`getent passwd | awk -F: '{print $1}'`
    echo "uid required!"
    exit 1
fi

[ $NETATALK_HOME ] && mac=$NETATALK_HOME
[ $SAMBA_HOME ] && pc=$SAMBA_HOME
[ $XCHANGE_HOME ] && xchange=$XCHANGE_HOME

echo "Setting up additional folders and permissions..."
for user in $USERS; do
    uid="`getent passwd \"$user\" | awk -F: '{print $3}' | head -1`"
    HOME="`getent passwd \"$user\" | awk -F: '{print $6}' | head -1`"
    if [ -z "$HOME" ]; then
        echo "User $user doesn't exist. Ignoring..."
        continue
    fi

    # Ignore non-human accounts silently
    [ "$uid" -ge "$FIRST_UID" -a "$uid" -le "$LAST_UID" ] || continue

    [ -d $HOME ] || continue
#   [ -L $HOME ] && continue

    echo -n $user

#   if [ -x /etc/local/quota.sh ]; then
#       /etc/local/quota.sh $user
#       fi
    [ $QUOTASOFT ] || QUOTASOFT="0"
    [ $QUOTAHARD ] || QUOTAHARD="0"
    for QUOTAHOME in $QUOTAHOMES; do
        if [ $NEW_QUOTA ]; then
            setquota $user $QUOTASOFT $QUOTAHARD 0 0 $QUOTAHOME
        else
            setquota $user $QUOTAHOME $QUOTASOFT $QUOTAHARD 0 0
        fi
    done

    mkdir -p $HOME/mail
    if [ "$USE_MBOX" ]; then
        touch $HOME/mail/mbox
    elif [ -f $HOME/mail/mbox -a ! -s $HOME/mail/mbox ]; then
        rm -f $HOME/mail/mbox
    fi

    if [ $NETATALK ]; then
        mkdir -p $HOME/$mac
    fi
    if [ $SAMBA ]; then
        mkdir -p $HOME/$pc
    fi

    if [ $XCHANGE ]; then
        mkdir -p $XDIRREAL/$user
    fi

    if [ $PUBLIC ]; then
        mkdir -p $HOME/public_html
    fi

    chown $user: $HOME
    chmod u=rwX,go=rX $HOME

    # Mail handling
    chown -R $user: $HOME/mail
    chmod -R u=rw,go=,u+X $HOME/mail
    if [ -f $HOME/.mailboxlist ]; then
        chown $user: $HOME/.mailboxlist
        chmod 0640 $HOME/.mailboxlist
    fi
    if [ -f $HOME/.forward ]; then
        chown $user: $HOME/.forward
        chmod 0640 $HOME/.forward
    fi
    if [ -f /var/mail/$user ]; then
        chown $user:mail /var/mail/$user
        chmod ug=rw,o= /var/mail/$user
    elif [ -f /var/spool/mail/$user ]; then
        chown $user:mail /var/spool/mail/$user
        chmod ug=rw,o= /var/spool/mail/$user
    fi

    # Mac dir permissions
    if [ -d $HOME/$mac ]; then
        chown -R $user: $HOME/$mac
        chmod -R u=rw,g=r,o=,ug+X $HOME/$mac
        rm -rf $HOME/$mac/Network\ Trash\ Folder
        mkdir $HOME/$mac/Network\ Trash\ Folder
        chown nobody: $HOME/$mac/Network\ Trash\ Folder
        chmod a= $HOME/$mac/Network\ Trash\ Folder
    fi

    # PC dir permissions
    if [ -d $HOME/$pc ]; then
        chown -R $user: $HOME/$pc
        chmod -R u=rw,g=r,o=,ug+X $HOME/$pc
    fi
    
    # Exchange dir permissions
    if [ -d $XDIRREAL/$user ]; then
        chown -R $user:users $XDIRREAL/$user
        chmod -R g=r,g+X $XDIRREAL/$user
        if [ -e "x$HOME/$xchange" ]; then
            if [ -L "x$HOME/$xchange" ]; then
                ln -sf $XDIRREAL/$user $HOME/$xchange
            else
                echo "ERROR: $HOME/$xchange exists already. Leaving it as is..."
            fi
        else
            ln -s $XDIRREAL/$user $HOME/$xchange
        fi
    fi

    # Public dir permissions
    if [ -d $HOME/public_html ]; then
        chown -R $user: $HOME/public_html
        chmod -R u+rX,go=r,go+X $HOME/public_html
        if [ $NETATALK ]; then
            rm -rf $HOME/public_html/Network\ Trash\ Folder
            mkdir $HOME/public_html/Network\ Trash\ Folder
            chown nobody: $HOME/public_html/Network\ Trash\ Folder
            chmod a= $HOME/public_html/Network\ Trash\ Folder
        fi
    fi

    # Fileshares: <home>/shares.<sharetype>/<rogroup>/<rwgroup>/<sharename>
    #   <sharetype>: Either mac or win depending on which of netatalk and samba provides r/w access to the shares
    #   <rwgroup>:   Group with write access to the share (usually the default group of the owner)
    #   <rogroup>:   Either rwgroup or secondary group with read-only access to the share
    #   owner must be member of both groups, and rwgroup members must also be members of rogroup
    find "$HOME" -mindepth 1 -maxdepth 1 -type d -print | egrep "^$HOME/shares\." | (while read thisdir; do
        sharetype="`basename \"$thisdir\" | awk -F. '{print $2}'`"
        # Define dir and file exceptions
        exceptions="$dirs_group_rw_create/$dirs_group_ro_create/$files_group_ro_update/$dirs_no_access_purge"
        case "$sharetype" in
            mac)
            dirs_group_rw_create='.AppleDB/.AppleDesktop/Temporary Items/TheFindByContentFolder'
            dirs_group_ro_create='TheVolumeSettingsFolder'
            files_group_ro_update=':2eDS_Store'
            dirs_no_access_purge='Network Trash Folder'
            ;;
            win)
            ;;
            *)
            continue
            ;;
        esac
        chown "$user": "$thisdir"
        chmod a=rX "$thisdir"
        find "$thisdir" -mindepth 1 -maxdepth 1 -type d -print | (while read thisdir; do
            rogroup="`basename \"$thisdir\"`"
            chown "$user":"$rogroup" "$thisdir"
            chmod ug=rX,o= "$thisdir"
            find "$thisdir" -mindepth 1 -maxdepth 1 -type d -print | (while read thisdir; do
                rwgroup="`basename \"$thisdir\"`"
                chown "$user":"$rwgroup" "$thisdir"
                chmod a=rX,g+s "$thisdir"
                find "$thisdir" -mindepth 1 -maxdepth 1 -type d -print | (while read thisdir; do
                    sharename="`basename \"$thisdir\"`"
                    chown "$user":"$rwgroup" "$thisdir"
                    chmod u=rw,go=r,a+X,g+s "$thisdir"
                    ifs="$IFS"
                    # Set default permissions
                    find "$thisdir" -mindepth 1 -maxdepth 1 -print | (while read thisdir; do
                        IFS="/"; for dir in $exceptions; do IFS="$ifs";
                            continue 2
                        done
                        chgrp -R "$rwgroup" "$thisdir"
                        chmod -R ug=rw,o=r,a+X,g+s "$thisdir"
                    done)
                    # Handle exception dirs to be created if not existing
                    IFS="/"; for dir in $dirs_group_rw_create/$dirs_group_ro_create; do IFS="$ifs";
                        if [ ! -d "$thisdir/$dir" ]; then
                            rm -f "$thisdir/$dir"
                        fi
                        if [ ! -e "$thisdir/$dir" ]; then
                            mkdir "$thisdir/$dir"
                        fi
                        chown "$user":"$rwgroup" "$thisdir/$dir"
                    done
                    IFS="/"; for dir in $dirs_group_rw_create; do IFS="$ifs";
                        chmod -R ug=rw,o=r,a+X,g+s "$thisdir/$dir"
                    done
                    IFS="/"; for dir in $dirs_group_ro_create; do IFS="$ifs";
                        chmod -R u=rw,go=r,a+X,g+s "$thisdir/$dir"
                    done
                    # Handle exception files to be updated if already there
                    IFS="/"; for file in $files_group_ro_update; do IFS="$ifs";
                        if [ -f "$thisdir/$file" ]; then
                            chmod u=rw,go=r,g+s "$thisdir/$file"
                        fi
                    done
                    # Handle exception dirs to be purged and recreated
                    IFS="/"; for dir in $dirs_no_access_purge; do IFS="$ifs";
                        rm -rf "$thisdir/$dir"
                        mkdir -m a= "$thisdir/$dir"
                        chown nobody: "$thisdir/$dir"
                    done
                    IFS="$ifs"
                done)
            done)
        done)
    done)

    # Deprecated share permissions
    for dir in `find $HOME -mindepth 1 -maxdepth 1 -type d | egrep "^$HOME/shares_win"`; do
        chgrp -R $user $dir
        chmod -R u=rw,g=rw,o=,ug+X,g+s $dir
    done
    for dir in `find $HOME -mindepth 1 -maxdepth 1 -type d | egrep "^$HOME/shares_mac"`; do
        chgrp -R $user $dir
        chmod -R u=rw,g=rw,o=,ug+X,g+s $dir
        rm -rf $dir/Network\ Trash\ Folder
        mkdir $dir/Network\ Trash\ Folder
        chown nobody: $dir/Network\ Trash\ Folder
        chmod a= $dir/Network\ Trash\ Folder
    done

    # Ftp shares permissions
    for dir in `find $HOME -mindepth 1 -maxdepth 1 -type d | egrep "^$HOME/ftp_$USER$"`; do
        chgrp -R $user $dir
        chmod -R ug=rw,o=r,a+X,g+s $dir
        rm -rf $dir/Network\ Trash\ Folder
        mkdir $dir/Network\ Trash\ Folder
        chown nobody: $dir/Network\ Trash\ Folder
        chmod a= $dir/Network\ Trash\ Folder
    done
    for dir in `find $HOME -mindepth 1 -maxdepth 1 -type d | egrep "^$HOME/ftp_${USER}_ro$"`; do
        chown -R $user: $dir
        chmod -R u=rw,go=r,a+X $dir
        rm -rf $dir/Network\ Trash\ Folder
        mkdir $dir/Network\ Trash\ Folder
        chown nobody: $dir/Network\ Trash\ Folder
        chmod a= $dir/Network\ Trash\ Folder
    done

    # Web shares permissions
    for dir in `find $HOME -mindepth 1 -maxdepth 1 -type d | egrep "^$HOME/web_"`; do
        chown -R $user: $dir
#       chmod -R u=rw,go=r,a+X $webdir
#TODO: Only cgi scripts (.cgi and .pl) should be executable
        chmod -R u+rw,go+r,a+X $dir
        # leftover from ancient times with another policy
        if [ $NETATALK ]; then
            rm -rf $dir/Network\ Trash\ Folder
        fi
    done
    
    # Web shares permissions
    for dir in `find $HOME -mindepth 1 -maxdepth 1 -type d | egrep "^$HOME/websites"`; do
        chown root: $dir
        chmod a=r,u+w,a+X $dir
    done
    for dir in `find $HOME -mindepth 2 -maxdepth 2 -type d | egrep "^$HOME/websites/"`; do
        chown -R $user: $dir
#       chmod -R u=rw,go=r,a+X $webdir
#TODO: Only cgi scripts (.cgi and .pl) should be executable
        chmod -R u+rw,go+r,a+X $dir
        # leftover from ancient times with another policy
        if [ $NETATALK ]; then
            rm -rf $dir/Network\ Trash\ Folder
        fi
    done
    for dir in `find $HOME -mindepth 1 -maxdepth 1 -type d | egrep "^$HOME/webscripts"`; do
        chown root: $dir
        chmod a=r,u+w,a+X $dir
    done
    for dir in `find $HOME -mindepth 2 -maxdepth 2 -type d | egrep "^$HOME/webscripts/"`; do
        chown -R $user: $dir
#       chmod -R u=rw,go=r,a+X $webdir
#TODO: Only cgi scripts (.cgi and .pl) should be executable
        chmod -R u+rw,go+r,a+X $dir
    done
    for dir in `find $HOME -mindepth 1 -maxdepth 1 -type d | egrep "^$HOME/webdata"`; do
        chown $user: $dir
        chmod a=r,u+w,a+X $dir
    done
    for dir in `find $HOME -mindepth 2 -maxdepth 2 -type d | egrep "^$HOME/webdata/"`; do
        chown -R $user: $dir
        chmod -R u=rw,go=,u+X $dir
    done
    for dir in `find $HOME -mindepth 1 -maxdepth 1 -type d | egrep "^$HOME/webphpsites"`; do
        chown root: $dir
        chmod u=rw,go=r,a+X $dir
    done
    for dir in `find $HOME -mindepth 2 -maxdepth 2 -type d | egrep "^$HOME/webphpsites/"`; do
        chown -R $user:www-data $dir
#       chmod -R ug=rw,o=r,a+X $dir
        chmod -R ug=rw,o=,ug+X $dir
    done
    for dir in `find $HOME -mindepth 1 -maxdepth 1 -type d | egrep "^$HOME/webphpdata"`; do
        chown root: $dir
        chmod a=r,u+w,a+X $dir
    done
    for dir in `find $HOME -mindepth 2 -maxdepth 2 -type d | egrep "^$HOME/webphpdata/"`; do
        chown -R $user:www-data $dir
        chmod -R ug=rw,o=,ug+X $dir
    done
    
    # Dummy user restrictions
    if [ -n "$REALUSERS_GROUPNAME" -a -n "$DUMMYSHAREDIR" -a -n "$DUMMYSHAREOWNER" -a -n "$DUMMYSHARENAME" ]; then
        [ -e $DUMMYSHAREDIR/$user ] \
            || mkdir $DUMMYSHAREDIR/$user
        chown $DUMMYSHAREOWNER: $DUMMYSHAREDIR/$user
        chmod u=rw,go=r,a+X $DUMMYSHAREDIR/$user
        if [ -e $HOME/$DUMMYSHARENAME ]; then
            if [ -L $HOME/$DUMMYSHARENAME ]; then
                ln -sf $DUMMYSHAREDIR/$user $HOME/$DUMMYSHARENAME
                chown $user: $HOME/$DUMMYSHARENAME
            else
                echo "WARNING: $HOME/$DUMMYSHAREDIR exists already. Leaving it as is..."
            fi
        else
            ln -s $DUMMYSHAREDIR/$user $HOME/$DUMMYSHARENAME
            chown $user: $HOME/$DUMMYSHARENAME
        fi
        if [ -n "$DUMMYAPACHECFG" -a -n "$DUMMYAPACHESHAREDIR" ]; then
            if [ -f /etc/apache/include.d/$DUMMYAPACHECFG -a -x /etc/init.d/apache ]; then
                if [ -e /etc/apache/include.d/$DUMMYAPACHECFG-$user ]; then
                    echo "/etc/apache/include.d/$DUMMYAPACHECFG-$user exists already. Ignoring..."
                else
                    echo "# Created automatically by adduser.local
<Location /$DUMMYAPACHESHAREDIR/$user>
    <Limit GET POST>
        require user $user
    </Limit>
</Location>" \
                        > /etc/apache/include.d/$DUMMYAPACHECFG-$user
                    apache_reload_needed="1"
                fi
            fi
        fi
    fi

    echo "."
done

if [ $XCHANGE ]; then
    for USER in $(ls $XDIRREAL); do
        id $user >/dev/null 2>&1 || rm -rf $XDIRREAL/$user
    done
fi

if [ "$apache_reload_needed" ]; then
    apache_do_reload=""
    case runmode in
        interactive)
        echo -n "Apache config changed. Reload Apache now (Y/n)? "
        read apache_reload
        case $apache_reload in
            y|Y|"")
            apache_do_reload="1"
            ;;
        esac
        ;;
        force)
        apache_do_reload="1"
        ;;
        *)
        echo "Apache config has changed. Remember to reload Apache...!"
        ;;
    esac
    if "$apache_do_reload" ]; then
        /etc/init.d/apache force-reload
    fi
fi