#!/bin/sh
#
# manage FreeBSD jail users
#
# usage: $0 -u user [-h home] [-s shell] [-g groups] [-d rootdir] [-c comment] -a action
#   action is one of: present, absent, locked
#
# A public key found under /usr/local/bastille/keys/<user> is installed as
# the user's authorized_keys when the account is made present.

# vars defaults (each may be overridden by the matching command line flag)
rootdir='' user='' groups='' home='' comment='' action=''
shell='/usr/local/bin/bash'
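# print the synopsis on stderr (it is a diagnostic, not output) and exit 1
usage() {
  printf 'Usage: %s -u user [-h home] [-s shell] [-g groups] [-d rootdir] [-c comment] -a action\n' "$0" >&2
  printf 'Valid actions: present, absent, locked\n' >&2
  exit 1
}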
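# resolve jail uid
#
# $1 - the "-R rootdir" option fragment for pw (may be empty); it is
#      expanded unquoted on purpose so that it splits into two words
# $2 - user name
#
# Prints the uid on stdout and returns 0; returns 1 (printing nothing)
# when pw does not know the user.  The body runs in a subshell so the
# script's own $root / $user variables are never clobbered.
getuid() (
  uid=$(pw $1 user show "$2" -7 | cut -d: -f 3)
  [ -n "$uid" ] && printf '%s\n' "$uid"
)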
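# verbose exec: print the command line, then run it
#
# printf is used instead of echo so an argument such as "-n" or a
# backslash sequence is shown literally.  The exit status is that of
# the executed command.
run() {
  printf '%s\n' "$*"
  "$@"
}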
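# parse commandline flags
OPTIND=1
while getopts d:u:h:g:s:c:a: opt; do
  case "$opt" in
    d) rootdir="$OPTARG" ;;
    u) user="$OPTARG" ;;
    h) home="$OPTARG" ;;
    g) groups="$OPTARG" ;;
    s) shell="$OPTARG" ;;
    c) comment="$OPTARG" ;;
    a) action="$OPTARG" ;;
    *) usage ;;
  esac
done
shift $((OPTIND - 1))

# anything left over is almost always a quoting mistake on the caller's
# side (e.g. an unquoted multi-word -c comment); refuse it instead of
# silently ignoring it
if [ $# -gt 0 ]; then
  printf '%s: unexpected argument: %s\n' "$0" "$1" >&2
  usage
fi

# -u and -a are mandatory (two separate tests: "test -o" is obsolete)
if [ -z "$user" ] || [ -z "$action" ]; then
  usage
fi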
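# setup pw flags
#
# The options for "pw user add" are collected in the positional
# parameters ("$@") instead of a space-joined string, so a value that
# contains spaces (typically the -c comment) reaches pw as one word.
root=""
if [ -n "$rootdir" ]; then
  if [ ! -d "$rootdir" ]; then
    printf '%s: rootdir %s is not a directory\n' "$0" "$rootdir" >&2
    exit 1
  fi
  # kept as one string and expanded unquoted below so it splits into the
  # two words "-R" and "$rootdir"; a rootdir containing whitespace is
  # not supported
  root="-R $rootdir"
fi

# home directory as the jail sees it (handed to pw) and the location of
# the user's .ssh as seen from where this script runs.  With -d rootdir,
# pw -R is expected to create the home below rootdir (it does on current
# FreeBSD; confirm on the target release), so the key files must be
# written there too; without -d the prefix is empty and nothing changes.
homedir="${home:-/home/$user}"
sshdir="$rootdir$homedir/.ssh"
keyfile="/usr/local/bastille/keys/$user"

set --
if [ -n "$groups" ]; then
  set -- "$@" -G "$groups"
fi
set -- "$@" -d "$homedir" -k /etc/skel -m -M 700
set -- "$@" -s "${shell:-/usr/local/bin/bash}"
if [ -n "$comment" ]; then
  set -- "$@" -c "$comment"
fi

# does user $1 exist in the (jail's) password database?
user_exists() {
  pw $root user show "$1" > /dev/null 2>&1
}

# has user $1 been locked with "pw lock"?  Only the password field
# (field 2) is inspected, so a GECOS comment containing "LOCKED" does
# not count as locked.
user_locked() {
  pw $root user show "$1" | cut -d: -f 2 | grep -q LOCKED
}

# primary gid of user $1, from the v7 passwd line (name:pw:uid:gid:...)
getgid() {
  pw $root user show "$1" -7 | cut -d: -f 4
}

# the horse shall work
case "$action" in
  present)
    if user_exists "$user"; then
      if user_locked "$user"; then
        # user is present but locked; unlock must target the same
        # password database as the show/add above, hence $root
        run pw $root unlock "$user"
      else
        echo "$user exists."
      fi
    else
      # create user
      run pw $root user add "$user" "$@"
    fi

    if [ -e "$keyfile" ] && [ ! -e "$sshdir/authorized_keys" ]; then
      # install ssh key, owned by the user's uid and primary gid (the gid
      # is resolved separately: it is not guaranteed to equal the uid)
      uid=$(getuid "$root" "$user")
      gid=$(getgid "$user")
      if [ -z "$uid" ] || [ -z "$gid" ]; then
        printf '%s: cannot resolve uid/gid of %s, not installing keys\n' "$0" "$user" >&2
        exit 1
      fi
      run install -m 700 -o "$uid" -g "$gid" -d "$sshdir"
      run install -m 600 -o "$uid" -g "$gid" "$keyfile" "$sshdir/authorized_keys"

      # generate chat key, which is required so login to
      # kobayashi, so that ssh-chat works even if the user does
      # not have their own key yet.  Skipped when the key already
      # exists, since ssh-keygen would otherwise stop and prompt
      # whether to overwrite it.
      if [ ! -e "$sshdir/id_chat_kobayashi" ]; then
        run ssh-keygen -t ed25519 -f "$sshdir/id_chat_kobayashi" -P ""
      fi

      {
        echo "The key id_chat_kobayashi exists so that you're able to reach"
        echo "the kobayashi chat service. Once you have generated your own"
        echo "key, you can just delete it."
      } > "$sshdir/README"

      if [ ! -e "$sshdir/config" ]; then
        # NOTE(review): "StrictHostKeyChecking no" turns off host key
        # verification for the chat host; a pre-seeded UserKnownHostsFile
        # would keep the zero-touch login without giving that up.
        {
          echo "Host kobayashi"
          echo " Port 2222"
          echo " IdentityFile ~/.ssh/id_chat_kobayashi"
          echo " StrictHostKeyChecking no"
        } > "$sshdir/config"
      fi

      # ssh-keygen and the redirections above ran as the invoking user
      # (root); hand everything in .ssh over to the account
      run chown "$uid:$gid" "$sshdir"/*
    fi
    ;;
  absent)
    if user_exists "$user"; then
      # get rid (no -r: the home directory is left in place)
      run pw $root user del "$user"
    fi
    ;;
  locked)
    if user_exists "$user"; then
      if user_locked "$user"; then
        echo "$user is already locked."
      else
        # lock'em out, in the same password database as the checks above
        run pw $root lock "$user"
      fi
    else
      # a lock request for an unknown user is most likely a typo; fail
      # loudly rather than report success for an account that was
      # never locked
      printf '%s: no such user %s\n' "$0" "$user" >&2
      exit 1
    fi
    ;;
  *)
    usage
    ;;
esac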