free
/
freedombone
Suivre 1
Favoriser 0
Bifurcation 0
Code Tickets 0 Demandes d'ajout 0 Versions 0 Wiki Activité
8008 Révisions
5 Branches
Aborescence: abfd8de1e4
Branches Tags
${ item.name }
Créer la branche ${ searchTerm }
de 'abfd8de1e4'
${ noResults }
freedombone/src/freedombone-adduser

freedombone-adduser 10KB
Historique Brut

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254 
  1. #!/bin/bash

  2. #

  3. # .---.                  .              .

  4. # |                      |              |

  5. # |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.

  6. # |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'

  7. # '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'

  8. #

  9. #                    Freedom in the Cloud

  10. #

  11. 

  12. # Adds an user to the system

  13. 

  14. # License

  15. # =======

  16. #

  17. # Copyright (C) 2015-2016 Bob Mottram <bob@freedombone.net>

  18. #

  19. # This program is free software: you can redistribute it and/or modify

  20. # it under the terms of the GNU Affero General Public License as published by

  21. # the Free Software Foundation, either version 3 of the License, or

  22. # (at your option) any later version.

  23. #

  24. # This program is distributed in the hope that it will be useful,

  25. # but WITHOUT ANY WARRANTY; without even the implied warranty of

  26. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  27. # GNU Affero General Public License for more details.

  28. #

  29. # You should have received a copy of the GNU Affero General Public License

  30. # along with this program.  If not, see <http://www.gnu.org/licenses/>.

  31. 

  32. PROJECT_NAME='freedombone'

  33. 

  34. export TEXTDOMAIN=${PROJECT_NAME}-adduser

  35. export TEXTDOMAINDIR="/usr/share/locale"

  36. 

  37. CONFIGURATION_FILE=$HOME/${PROJECT_NAME}.cfg

  38. 

  39. UTILS_FILES=/usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-*

  40. for f in $UTILS_FILES

  41. do

  42.     source $f

  43. done

  44. 

  45. APP_FILES=/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-*

  46. for f in $APP_FILES

  47. do

  48.     source $f

  49. done

  50. 

  51. ADD_USERNAME=$1

  52. SSH_PUBLIC_KEY="$2"

  53. GPG_KEYSERVER='hkp://keys.gnupg.net'

  54. SSH_PORT=2222

  55. COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt

  56. DEFAULT_DOMAIN_NAME=

  57. 

  58. if [ ! $ADD_USERNAME ]; then

  59.     echo $'No username was given'

  60.     exit 1

  61. fi

  62. 

  63. if [ -d /home/$ADD_USERNAME ]; then

  64.     echo $"The user $ADD_USERNAME already exists"

  65.     exit 2

  66. fi

  67. 

  68. if [ ! -f $COMPLETION_FILE ]; then

  69.     echo $"$COMPLETION_FILE not found"

  70.     userdel -r $ADD_USERNAME

  71.     exit 3

  72. fi

  73. 

  74. # Minimum number of characters in a password

  75. MINIMUM_PASSWORD_LENGTH=$(cat /usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-passwords | grep 'MINIMUM_PASSWORD_LENGTH=' | head -n 1 | awk -F '=' '{print $2}')

  76. 

  77. NEW_USER_PASSWORD="$(openssl rand -base64 30 | cut -c1-${MINIMUM_PASSWORD_LENGTH})"

  78. chmod 600 /etc/shadow

  79. chmod 600 /etc/gshadow

  80. useradd -m -p "$NEW_USER_PASSWORD" -s /bin/bash $ADD_USERNAME

  81. adduser $ADD_USERNAME sasl

  82. groupadd $ADD_USERNAME

  83. chmod 0000 /etc/shadow

  84. chmod 0000 /etc/gshadow

  85. 

  86. if [ ! -d /home/$ADD_USERNAME ]; then

  87.     echo $'Home directory was not created'

  88.     exit 4

  89. fi

  90. 

  91. if [ "$SSH_PUBLIC_KEY" ]; then

  92.     if [ ${#SSH_PUBLIC_KEY} -gt 5 ]; then

  93.         if [ -f "$SSH_PUBLIC_KEY" ]; then

  94.             mkdir /home/$ADD_USERNAME/.ssh

  95.             cp $SSH_PUBLIC_KEY /home/$ADD_USERNAME/.ssh/authorized_keys

  96.             chown -R $ADD_USERNAME:$ADD_USERNAME /home/$ADD_USERNAME/.ssh

  97.             echo $'ssh public key installed'

  98.         else

  99.             if [[ "$SSH_PUBLIC_KEY" == "ssh-"* ]]; then

  100.                 mkdir /home/$ADD_USERNAME/.ssh

  101.                 echo "$SSH_PUBLIC_KEY" > /home/$ADD_USERNAME/.ssh/authorized_keys

  102.                 chown -R $ADD_USERNAME:$ADD_USERNAME /home/$ADD_USERNAME/.ssh

  103.                 echo $'ssh public key installed'

  104.             else

  105.                 echo $'The second parameter does not look like an ssh key'

  106.                 exit 5

  107.             fi

  108.         fi

  109.     fi

  110. fi

  111. 

  112. if [ -d /home/$ADD_USERNAME/Maildir ]; then

  113.     if grep -q "set from=" /home/$ADD_USERNAME/.muttrc; then

  114.         sed -i "s|set from=.*|set from='$ADD_USERNAME <$ADD_USERNAME@$HOSTNAME>'|g" /home/$ADD_USERNAME/.muttrc

  115.     else

  116.         echo "set from='$ADD_USERNAME <$ADD_USERNAME@$HOSTNAME>'" >> /home/$ADD_USERNAME/.muttrc

  117.     fi

  118. 

  119.     USERN='$USER@'

  120.     sed -i "s|$USERN|$ADD_USERNAME@|g" /home/$ADD_USERNAME/.procmailrc

  121. fi

  122. 

  123. # generate a gpg key

  124. echo "Making a GPG key for $ADD_USERNAME@$HOSTNAME"

  125. mkdir /home/$ADD_USERNAME/.gnupg

  126. echo "keyserver $GPG_KEYSERVER" >> /home/$ADD_USERNAME/.gnupg/gpg.conf

  127. echo 'keyserver-options auto-key-retrieve' >> /home/$ADD_USERNAME/.gnupg/gpg.conf

  128. echo '' >> /home/$ADD_USERNAME/.gnupg/gpg.conf

  129. echo '# default preferences' >> /home/$ADD_USERNAME/.gnupg/gpg.conf

  130. echo 'personal-digest-preferences SHA256' >> /home/$ADD_USERNAME/.gnupg/gpg.conf

  131. echo 'cert-digest-algo SHA256' >> /home/$ADD_USERNAME/.gnupg/gpg.conf

  132. echo 'default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed' >> /home/$ADD_USERNAME/.gnupg/gpg.conf

  133. 

  134. chown -R $ADD_USERNAME:$ADD_USERNAME /home/$ADD_USERNAME/.gnupg

  135. chmod 700 /home/$ADD_USERNAME/.gnupg

  136. chmod 600 /home/$ADD_USERNAME/.gnupg/*

  137. 

  138. # Generate a GPG key

  139. echo 'Key-Type: eddsa' > /home/$ADD_USERNAME/gpg-genkey.conf

  140. echo 'Key-Curve: Ed25519' >> /home/$ADD_USERNAME/gpg-genkey.conf

  141. echo 'Subkey-Type: eddsa' >> /home/$ADD_USERNAME/gpg-genkey.conf

  142. echo "Name-Real:  $ADD_USERNAME" >> /home/$ADD_USERNAME/gpg-genkey.conf

  143. echo "Name-Email: $ADD_USERNAME@$HOSTNAME" >> /home/$ADD_USERNAME/gpg-genkey.conf

  144. echo 'Expire-Date: 0' >> /home/$ADD_USERNAME/gpg-genkey.conf

  145. echo "Passphrase: $NEW_USER_PASSWORD" >> /home/$ADD_USERNAME/gpg-genkey.conf

  146. chown $ADD_USERNAME:$ADD_USERNAME /home/$ADD_USERNAME/gpg-genkey.conf

  147. su -m root -c "gpg --homedir /home/$ADD_USERNAME/.gnupg --batch --full-gen-key /home/$ADD_USERNAME/gpg-genkey.conf" - $ADD_USERNAME

  148. chown -R $ADD_USERNAME:$ADD_USERNAME /home/$ADD_USERNAME/.gnupg

  149. shred -zu /home/$ADD_USERNAME/gpg-genkey.conf

  150. MY_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$ADD_USERNAME" "$ADD_USERNAME@$HOSTNAME")

  151. MY_GPG_PUBLIC_KEY=/home/$ADD_USERNAME/public_key.gpg

  152. su -m root -c "gpg --output $MY_GPG_PUBLIC_KEY --armor --export $MY_GPG_PUBLIC_KEY_ID" - $ADD_USERNAME

  153. 

  154. if [ ! -f $MY_GPG_PUBLIC_KEY ]; then

  155.     echo "GPG public key was not generated for $ADD_USERNAME@$HOSTNAME $MY_GPG_PUBLIC_KEY_ID"

  156.     userdel -r $ADD_USERNAME

  157.     exit 7

  158. fi

  159. gpg_agent_setup $ADD_USERNAME

  160. 

  161. # add a monkeysphere subkey

  162. #echo $'Adding monkeysphere subkey'

  163. #su -c "monkeysphere gen-subkey" - $ADD_USERNAME

  164. #echo $'Adding monkeysphere subkey to ssh-agent'

  165. #su -c "monkeysphere s" - $ADD_USERNAME

  166. # add authorized GPG email address

  167. #mkdir /home/$ADD_USERNAME/.monkeysphere

  168. #chmod 755 /home/$ADD_USERNAME/.monkeysphere

  169. #echo "$ADD_USERNAME <$ADD_USERNAME@$HOSTNAME>" > /home/$ADD_USERNAME/.monkeysphere/authorized_user_ids

  170. #chmod 644 /home/$ADD_USERNAME/.monkeysphere/authorized_user_ids

  171. #chown -R $ADD_USERNAME:$ADD_USERNAME /home/$ADD_USERNAME/.monkeysphere

  172. #echo $'Updating monkeysphere users'

  173. #monkeysphere-authentication update-users

  174. 

  175. if [ -f /home/$ADD_USERNAME/.muttrc ]; then

  176.     # encrypt outgoing mail to the "sent" folder

  177.     if ! grep -q "pgp_encrypt_only_command" /home/$ADD_USERNAME/.muttrc; then

  178.         echo '' >> /home/$ADD_USERNAME/.muttrc

  179.         echo $'# Encrypt items in the Sent folder' >> /home/$ADD_USERNAME/.muttrc

  180.         echo "set pgp_encrypt_only_command=\"/usr/lib/mutt/pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --always-trust --encrypt-to $MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"" >> /home/$ADD_USERNAME/.muttrc

  181.     else

  182.         sed -i "s|set pgp_encrypt_only_command.*|set pgp_encrypt_only_command=\"/usr/lib/mutt/pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --always-trust --encrypt-to $MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"|g" /home/$ADD_USERNAME/.muttrc

  183.     fi

  184. 

  185.     if ! grep -q "pgp_encrypt_sign_command" /home/$ADD_USERNAME/.muttrc; then

  186.         echo "set pgp_encrypt_sign_command=\"/usr/lib/mutt/pgpewrap gpg %?p?--passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --always-trust --encrypt-to $MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"" >> /home/$ADD_USERNAME/.muttrc

  187.     else

  188.         sed -i "s|set pgp_encrypt_sign_command.*|set pgp_encrypt_sign_command=\"/usr/lib/mutt/pgpewrap gpg %?p?--passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --always-trust --encrypt-to $MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"|g" /home/$ADD_USERNAME/.muttrc

  189.     fi

  190. fi

  191. 

  192. if ! grep -q "Change your GPG password" /home/$ADD_USERNAME/README; then

  193.     echo '' >> /home/$ADD_USERNAME/README

  194.     echo '' >> /home/$ADD_USERNAME/README

  195.     echo $'# Change your GPG password' >> /home/$ADD_USERNAME/README

  196.     echo $"It's very important to add a password to your GPG key so that" >> /home/$ADD_USERNAME/README

  197.     echo $"if anyone does get access to your email they still won't be able" >> /home/$ADD_USERNAME/README

  198.     echo $'to read them without knowning the GPG password.' >> /home/$ADD_USERNAME/README

  199.     echo $'You can change the it with:' >> /home/$ADD_USERNAME/README

  200.     echo '' >> /home/$ADD_USERNAME/README

  201.     echo "  gpg --edit-key $MY_GPG_PUBLIC_KEY_ID" >> /home/$ADD_USERNAME/README

  202.     echo '  passwd' >> /home/$ADD_USERNAME/README

  203.     echo '  save' >> /home/$ADD_USERNAME/README

  204.     echo '  quit' >> /home/$ADD_USERNAME/README

  205. fi

  206. 

  207. chown $ADD_USERNAME:$ADD_USERNAME /home/$ADD_USERNAME/README

  208. chown $ADD_USERNAME:$ADD_USERNAME $MY_GPG_PUBLIC_KEY

  209. chmod 600 /home/$ADD_USERNAME/README

  210. 

  211. echo $'Detecting installed apps...'

  212. detect_apps

  213. get_apps_installed_names

  214. for app_name in "${APPS_INSTALLED_NAMES[@]}"

  215. do

  216.     if [[ $(function_exists add_user_${app_name}) == "1" ]]; then

  217.         echo $"Adding user to ${app_name}"

  218.         app_load_variables ${app_name}

  219.         retval=$(add_user_${app_name} "$ADD_USERNAME" "$NEW_USER_PASSWORD" | tail -n 1)

  220.         if [[ $retval != '0' ]]; then

  221.             echo $"Failed with error code ${retval}"

  222.             ${PROJECT_NAME}-rmuser $ADD_USERNAME --force

  223.             exit 672392

  224.         fi

  225.         if ! grep -q "${app_name}_${ADD_USERNAME}" $APP_USERS_FILE; then

  226.             echo "${app_name}_${ADD_USERNAME}" >> $APP_USERS_FILE

  227.         fi

  228.     fi

  229. done

  230. 

  231. if [ -f /etc/nginx/.htpasswd ]; then

  232.     if ! grep -q "${ADD_USERNAME}:" /etc/nginx/.htpasswd; then

  233.         echo "$NEW_USER_PASSWORD" | htpasswd -i -s /etc/nginx/.htpasswd $ADD_USERNAME

  234.     fi

  235. fi

  236. 

  237. # add user menu on ssh login

  238. if ! grep -q 'controluser' /home/$ADD_USERNAME/.bashrc; then

  239.     echo 'controluser' >> /home/$ADD_USERNAME/.bashrc

  240. fi

  241. 

  242. ${PROJECT_NAME}-pass -u $ADD_USERNAME -a login -p "$NEW_USER_PASSWORD"

  243. clear

  244. echo $"New user $ADD_USERNAME was created"

  245. echo $"Their login password is $NEW_USER_PASSWORD"

  246. echo ''

  247. echo $"They can download their GPG keys with:"

  248. echo ''

  249. echo "    scp -P $SSH_PORT -r $ADD_USERNAME@$HOSTNAME:/home/$ADD_USERNAME/.gnupg ~/"

  250. echo ''

  251. echo $"They should also run ${PROJECT_NAME}-client on their system to ensure"

  252. echo $'the best security.'

  253. 

  254. exit 0