FD hook scripts (initial commit)

1ba2e9e9 · root · 1ba2e9e9 · 1ba2e9e9 · 1ba2e9e9 · 1ba2e9e9
Commit 1ba2e9e9 authored Mar 27, 2019 by root
--- a/host-create.sh
+++ b/host-create.sh
+#!/bin/sh
+
+set -e
+
+## This script is run by www-data using sudo. Keep that in mind!
+## Make sure that malicious execution cannot hurt.
+##
+## This script creates the principals for hosts added with FusionDirectory.
+
+HOSTNAME=$1
+DOMAIN=informatik.uni-kiel.de
+FQDN=$1.$DOMAIN
+
+## lookup user and create home directory and principal:
+ldapsearch -xLLL "(&(|(cn=$HOSTNAME)(cn=$FQDN))(|(objectClass=GOHard)(objectClass=ipHost)))" \
+           cn ipHostNumber macAddress 2>/dev/null  | perl -p00e 's/\r?\n //g' | \
+while read KEY VALUE ; do 
+       case "$KEY" in 
+               dn:) HOSTNAME= ; IP= ; HOSTDN="dn=$VALUE" ;;
+               cn:) HOSTNAME="$VALUE" ;;
+               ipHostNumber:) IP="$VALUE" ;;
+               macAddress:) MAC="$VALUE"  ;;
+               "")
+                       FQDN=$HOSTNAME.$DOMAIN
+                       kadmin.local -q "add_principal -policy hosts -randkey -x $HOSTDN host/$FQDN" && logger -p notice Krb5 principal \'host/$FQDN\' created.
+                       kadmin.local -q "add_principal -policy service -randkey -x $HOSTDN nfs/$FQDN" && logger -p notice Krb5 principal \'nfs/$FQDN\' created.
+                       ;;
+               esac 
+done
+
+exit 0
+
--- a/user-create.sh
+++ b/user-create.sh
+#!/bin/sh
+
+set -e
+
+## This script is run by www-data using sudo. Keep that in mind!
+## Make sure that malicious execution cannot hurt.
+##
+## This script creates the home directories and principals for users
+## added with gosa.  There are some tests that make sure only
+## non-existent home directories are created.  Malicious execution
+## cannot hurt, because either the user is missing in ldap or his home
+## directory already exists. In both cases nothing should happen.
+
+PREFIX=/net
+HOSTNAME=$(hostname -s)
+USERID="$1"
+
+if which nscd 1>/dev/null; then
+       nscd -i passwd
+       nscd -i group
+fi
+
+## lookup user and create home directory and principal:
+ldapsearch -xLLL "(&(uid=$USERID)(objectClass=posixAccount))" \
+           cn homeDirectory gidNumber 2>/dev/null | perl -p00e 's/\r?\n //g' | \
+while read KEY VALUE; do
+       case "$KEY" in
+               dn:) USERNAME= ; HOMEDIR= ; GROUPID= ; USERDN="dn=$VALUE" ;;
+               cn:) USERNAME="$VALUE" ;;
+               homeDirectory:) HOMEDIR="$VALUE" ;;
+               gidNumber:) GROUPID="$VALUE"  ;;
+               "")
+                       test "$HOMEDIR" || continue
+                       echo "$HOMEDIR" | grep -q "^$PREFIX/$HOSTNAME" && HOMEDIR=/home/$USERID || continue
+                       test -e "$HOMEDIR" || {
+                               cp -r /etc/skel $HOMEDIR
+                               chown -R $USERID:$GROUPID $HOMEDIR
+                               echo "Home directory '$HOMEDIR' created.<br />"
+                       }
+                       kadmin.local -q "add_principal -policy users -randkey -x \"$USERDN\" $USERID" 1>/dev/null 2>/dev/null && echo "Krb5 principal '$USERID' created.<br />"
+                       x2godbadmin --adduser "$USERID" 1>/dev/null 2>/dev/null && echo "Enabled X2Go for user '$USERID'.<br />"
+               ;;
+       esac
+done
+
+exit 0
--- a/user-remove.sh
+++ b/user-remove.sh
+#!/bin/sh
+
+set -xe
+
+## This script is run by www-data using sudo. Keep that in mind!
+## Make sure that malicious execution cannot hurt.
+##
+## This script removes the home directories and principals for users removed with gosa.
+## Home directories are not purged immediately, but marked with a time stamp. Next time
+## this script is run it looks for all home directories marked for removal and removes 
+## directories older than the given age $MAXAGE. 
+##
+## Malicious execution can mark directories for purging, but if $MAXAGE is chosen not 
+## too short, this will be detected by the owner and no data will get lost. 
+
+USERID=$1
+MOUNTED_HOMEDIR=$2
+
+## minimum age to keep a directory before it is purged 
+## in days (only integer values):
+
+MAXAGE_DAYS=500
+
+####################################
+
+MAXAGE_SEC=$(( $MAXAGE_DAYS*24*60*60 ))
+
+[ -d $MOUNTED_HOMEDIR ] || exit 1
+
+PREFIX=/net
+HOSTNAME=$(hostname -s)
+echo "$MOUNTED_HOMEDIR" | egrep -q "^$PREFIX/$HOSTNAME.*$USERID" || exit 1
+
+HOMEDIR="$MOUNTED_HOMEDIR"
+
+## move mail directory to home directory
+if [ -d /var/mail/$USERID ]; then
+       mkdir -p $HOMEDIR/Maildir/
+       mv /var/mail/$USERID/* $HOMEDIR/Maildir/
+       rmdir /var/mail/$USERID 
+fi
+
+## rename home directory and delete principal:
+HOME=`dirname $HOMEDIR`
+RM_HOMEDIR="$HOME/rm_"`date "+%Y%m%d"`"_"`basename $HOMEDIR`
+mv $HOMEDIR $RM_HOMEDIR
+
+chown root:root $RM_HOMEDIR
+chmod go-rwx $RM_HOMEDIR
+
+kadmin.local -q "delete_principal -force $USERID"
+logger -p notice Home directory \'$HOMEDIR\' marked for deletion and principal \'$USERID\' removed. 
+for DIR in `find $HOME -maxdepth 1 -type d -regextype posix-egrep -regex ".*/rm_[0-9]{8}_[^/]+"` ; do
+       RMDATE=`echo $DIR | sed "s/.*rm_\([0-9]\{8\}\)_.*/\1/"`
+       AGE=$(( `date +"%s"`-`date +"%s" -d $RMDATE` )) 
+       if [ $AGE -gt $MAXAGE_SEC ] ; then
+               rm -rf $DIR
+               echo logger -p notice Home directory \'$DIR\' purged.
+       fi
+done 
+
+exit 0
--- a/user-sync.sh
+++ b/user-sync.sh
+#!/bin/sh
+
+set -ex
+
+## This script is run by www-data using sudo. Keep that in mind!
+## Make sure that malicious execution cannot hurt.
+##
+## This script synchronizes the kerberos password of principals to the posix password 
+## whenever the password is changed in ldap by gosa. To make sure only authorized 
+## changes happen, it is tested if the supplied password corresponds to the supplied 
+## distinguished name in ldap.
+##
+## A caller not knowing the correct ldap password cannot change the principal's one.
+
+USERDN="$1"
+set +x
+NEWPW="$USERPASSWORD"
+set -x
+USERID=`echo $USERDN | tr A-Z a-z | sed "s/^uid=\([^,]*\),.*$/\1/"`
+PATH="/usr/bin:/usr/sbin:/bin:/sbin"
+
+## check if provided password corresponds to hash saved in ldap database:
+#set +e
+#IAM=`ldapwhoami -x -Z -w "$NEWPW" -D "$USERDN" 2>/dev/null | perl -p00e 's/\r?\n //g' | tr [A-Z] [a-z]`
+#if [ "$IAM" = "dn:$USERDN" ] ; then
+#      set -e
+       kadmin.local -q "change_password -pw \"$NEWPW\" \"$USERID\"" 1>/dev/null && echo "Updated Kerberos password for user '$USERID'.<br />"
+       logger -t FusionDirectory-PwHook "Updated Kerberos password for user '$USERID'."
+#else
+#      echo "Warning: Could not verify password for '$USERID'. Nothing done.<br />"
+#      logger -t FusionDirectory-PwHook "Warning: Could not verify password for '$USERID'. Nothing done."
+#      exit 1
+#fi
+
+exit 0