Commit 1ba2e9e9 authored by root

FD hook scripts (initial commit)

#!/bin/sh
set -e
## This script is run by www-data using sudo. Keep that in mind!
## Make sure that malicious execution cannot hurt.
##
## This script creates the principals for hosts added with FusionDirectory.
HOSTNAME=$1
DOMAIN=informatik.uni-kiel.de
FQDN=$1.$DOMAIN
## lookup user and create home directory and principal:
ldapsearch -xLLL "(&(|(cn=$HOSTNAME)(cn=$FQDN))(|(objectClass=GOHard)(objectClass=ipHost)))" \
cn ipHostNumber macAddress 2>/dev/null | perl -p00e 's/\r?\n //g' | \
while read KEY VALUE ; do
case "$KEY" in
dn:) HOSTNAME= ; IP= ; HOSTDN="dn=$VALUE" ;;
cn:) HOSTNAME="$VALUE" ;;
ipHostNumber:) IP="$VALUE" ;;
macAddress:) MAC="$VALUE" ;;
"")
FQDN=$HOSTNAME.$DOMAIN
kadmin.local -q "add_principal -policy hosts -randkey -x $HOSTDN host/$FQDN" && logger -p notice Krb5 principal \'host/$FQDN\' created.
kadmin.local -q "add_principal -policy service -randkey -x $HOSTDN nfs/$FQDN" && logger -p notice Krb5 principal \'nfs/$FQDN\' created.
;;
esac
done
exit 0
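Review bot: `$1` flows unvalidated into the LDAP search filter on the `ldapsearch` line (`(cn=$HOSTNAME)(cn=$FQDN)`), so filter metacharacters in the argument reshape the query; given the header's "malicious execution cannot hurt" requirement, the script should reject anything but a plain host name up front, e.g. `case "$1" in ""|*[!A-Za-z0-9.-]*) exit 1 ;; esac` directly after `HOSTNAME=$1`. The two `kadmin.local -q "add_principal ..."` strings interpolate `$HOSTDN` and `$FQDN` from the LDAP result without inner quotes, so a DN containing spaces or quotes is split by kadmin's own command parser; `-x \"$HOSTDN\"` inside the `-q` string is the minimal fix. `read KEY VALUE` without `-r` mangles backslashes in LDAP values, and `MAC` is collected on the `macAddress:` arm but never used.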
#!/bin/sh
set -e
## This script is run by www-data using sudo. Keep that in mind!
## Make sure that malicious execution cannot hurt.
##
## This script creates the home directories and principals for users
## added with gosa. There are some tests that make sure only
## non-existent home directories are created. Malicious execution
## cannot hurt, because either the user is missing in ldap or his home
## directory already exists. In both cases nothing should happen.
PREFIX=/net
HOSTNAME=$(hostname -s)
USERID="$1"
if which nscd 1>/dev/null; then
nscd -i passwd
nscd -i group
fi
## lookup user and create home directory and principal:
ldapsearch -xLLL "(&(uid=$USERID)(objectClass=posixAccount))" \
cn homeDirectory gidNumber 2>/dev/null | perl -p00e 's/\r?\n //g' | \
while read KEY VALUE; do
case "$KEY" in
dn:) USERNAME= ; HOMEDIR= ; GROUPID= ; USERDN="dn=$VALUE" ;;
cn:) USERNAME="$VALUE" ;;
homeDirectory:) HOMEDIR="$VALUE" ;;
gidNumber:) GROUPID="$VALUE" ;;
"")
test "$HOMEDIR" || continue
echo "$HOMEDIR" | grep -q "^$PREFIX/$HOSTNAME" && HOMEDIR=/home/$USERID || continue
test -e "$HOMEDIR" || {
cp -r /etc/skel $HOMEDIR
chown -R $USERID:$GROUPID $HOMEDIR
echo "Home directory '$HOMEDIR' created.<br />"
}
kadmin.local -q "add_principal -policy users -randkey -x \"$USERDN\" $USERID" 1>/dev/null 2>/dev/null && echo "Krb5 principal '$USERID' created.<br />"
x2godbadmin --adduser "$USERID" 1>/dev/null 2>/dev/null && echo "Enabled X2Go for user '$USERID'.<br />"
;;
esac
done
exit 0
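Review bot: The guard on the `grep -q "^$PREFIX/$HOSTNAME"` line only checks the LDAP-supplied home prefix, then replaces it with `/home/$USERID` built from the raw `$1` and passes that unquoted to `cp -r` and `chown -R`, so the `test -e` check is the only thing keeping an unexpected argument away from the filesystem operations; validate `$1` as a plain login name first, e.g. `case "$USERID" in ""|*[!a-z0-9_-]*) exit 1 ;; esac`, and quote `"$HOMEDIR"` on the `cp` and `chown` lines. `$USERID` is also interpolated unescaped into the `ldapsearch` filter `(uid=$USERID)`, which the same whitelist closes. `which nscd` is better written `command -v nscd`, and under `set -e` a failing `nscd -i passwd` (nscd installed but not running, if it exits non-zero in that case) aborts the hook before the user is looked up.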
#!/bin/sh
set -xe
## This script is run by www-data using sudo. Keep that in mind!
## Make sure that malicious execution cannot hurt.
##
## This script removes the home directories and principals for users removed with gosa.
## Home directories are not purged immediately, but marked with a time stamp. Next time
## this script is run it looks for all home directories marked for removal and removes
## directories older than the given age $MAXAGE.
##
## Malicious execution can mark directories for purging, but if $MAXAGE is chosen not
## too short, this will be detected by the owner and no data will get lost.
USERID=$1
MOUNTED_HOMEDIR=$2
## minimum age to keep a directory before it is purged
## in days (only integer values):
MAXAGE_DAYS=500
####################################
MAXAGE_SEC=$(( $MAXAGE_DAYS*24*60*60 ))
[ -d $MOUNTED_HOMEDIR ] || exit 1
PREFIX=/net
HOSTNAME=$(hostname -s)
echo "$MOUNTED_HOMEDIR" | egrep -q "^$PREFIX/$HOSTNAME.*$USERID" || exit 1
HOMEDIR="$MOUNTED_HOMEDIR"
## move mail directory to home directory
if [ -d /var/mail/$USERID ]; then
mkdir -p $HOMEDIR/Maildir/
mv /var/mail/$USERID/* $HOMEDIR/Maildir/
rmdir /var/mail/$USERID
fi
## rename home directory and delete principal:
HOME=`dirname $HOMEDIR`
RM_HOMEDIR="$HOME/rm_"`date "+%Y%m%d"`"_"`basename $HOMEDIR`
mv $HOMEDIR $RM_HOMEDIR
chown root:root $RM_HOMEDIR
chmod go-rwx $RM_HOMEDIR
kadmin.local -q "delete_principal -force $USERID"
logger -p notice Home directory \'$HOMEDIR\' marked for deletion and principal \'$USERID\' removed.
for DIR in `find $HOME -maxdepth 1 -type d -regextype posix-egrep -regex ".*/rm_[0-9]{8}_[^/]+"` ; do
RMDATE=`echo $DIR | sed "s/.*rm_\([0-9]\{8\}\)_.*/\1/"`
AGE=$(( `date +"%s"`-`date +"%s" -d $RMDATE` ))
if [ $AGE -gt $MAXAGE_SEC ] ; then
rm -rf $DIR
echo logger -p notice Home directory \'$DIR\' purged.
fi
done
exit 0
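Review bot: The ownership check on the `egrep -q "^$PREFIX/$HOSTNAME.*$USERID"` line treats `$USERID` as an unanchored regex, so an empty or dot-like first argument matches any directory under `$PREFIX/$HOSTNAME` and the `mv`/`chown`/`chmod` sequence retires a home that does not belong to the named user; compare the path exactly instead, `[ "$MOUNTED_HOMEDIR" = "$PREFIX/$HOSTNAME/$USERID" ] || exit 1`, after rejecting a `$USERID` that is empty or contains `/`. Apart from that, `echo logger -p notice Home directory ...` in the purge loop prints the command instead of running it, so purges are never logged — drop the `echo`. `$MOUNTED_HOMEDIR`, `$HOMEDIR`, `$RM_HOMEDIR` and `$DIR` are expanded unquoted throughout and the `for DIR in` loop word-splits the `find` output, so a directory name with whitespace is split into several arguments before `rm -rf`; quote them and read the `find` output with `while IFS= read -r DIR`. Assigning `HOME=` also overrides the invoking environment's home for every later command, which looks unintended — a name like `PARENT` avoids that.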
#!/bin/sh
set -ex
## This script is run by www-data using sudo. Keep that in mind!
## Make sure that malicious execution cannot hurt.
##
## This script synchronizes the kerberos password of principals to the posix password
## whenever the password is changed in ldap by gosa. To make sure only authorized
## changes happen, it is tested if the supplied password corresponds to the supplied
## distinguished name in ldap.
##
## A caller not knowing the correct ldap password cannot change the principal's one.
USERDN="$1"
set +x
NEWPW="$USERPASSWORD"
set -x
USERID=`echo $USERDN | tr A-Z a-z | sed "s/^uid=\([^,]*\),.*$/\1/"`
PATH="/usr/bin:/usr/sbin:/bin:/sbin"
## check if provided password corresponds to hash saved in ldap database:
#set +e
#IAM=`ldapwhoami -x -Z -w "$NEWPW" -D "$USERDN" 2>/dev/null | perl -p00e 's/\r?\n //g' | tr [A-Z] [a-z]`
#if [ "$IAM" = "dn:$USERDN" ] ; then
# set -e
kadmin.local -q "change_password -pw \"$NEWPW\" \"$USERID\"" 1>/dev/null && echo "Updated Kerberos password for user '$USERID'.<br />"
logger -t FusionDirectory-PwHook "Updated Kerberos password for user '$USERID'."
#else
# echo "Warning: Could not verify password for '$USERID'. Nothing done.<br />"
# logger -t FusionDirectory-PwHook "Warning: Could not verify password for '$USERID'. Nothing done."
# exit 1
#fi
exit 0
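Review bot: The `ldapwhoami` verification (the `#set +e` … `#fi` block) is commented out, so the header's guarantee that only a caller knowing the LDAP password can change a principal's password no longer holds — every invocation reaches `kadmin.local change_password` unconditionally; either restore the check or rewrite the header to state that the hook trusts its caller. Separately, `set -x` is switched back on before the `kadmin.local -q "change_password -pw \"$NEWPW\" ..."` line, so the traced command, password included, is written to stderr, and `-q` also places the password in argv where `ps` can read it; keep `set +x` in force through that call and feed the command on stdin, e.g. `printf 'change_password -pw "%s" "%s"\n' "$NEWPW" "$USERID" | kadmin.local >/dev/null` (passwords containing `"` still need escaping). `USERID` is derived via `echo $USERDN | tr ... | sed` on the line before `PATH` is pinned, so those tools are resolved through the caller's `PATH` unless sudo's secure_path already fixes it; move the `PATH=` assignment to the top. If the DN does not start with `uid=`, the `sed` leaves `USERID` as the whole lowercased DN, which then goes into the kadmin command — exit with an error when the substitution does not match.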