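#!/usr/bin/env bash

# Monkeysphere authentication update-users subcommand
#
# For each requested user (or every user listed by `getent passwd` when
# none is named), build a fresh authorized_keys file in a private
# temporary directory and install it as
# ${SYSDATADIR}/authorized_keys/<user>.  The file is removed instead when
# no keys result.
#
# Relies on names that are not defined in this file:
#   helpers:   failure, log, translate_ssh_variables,
#              check_key_file_permissions, su_monkeysphere_user
#   variables: GNUPGHOME_AUTHENTICATION, SYSDATADIR, SYSSHAREDIR,
#              MSTMPDIR, MONKEYSPHERE_USER, AUTHORIZED_USER_IDS,
#              RAW_AUTHORIZED_KEYS
#
# The monkeysphere scripts are written by:
# Jameson Rollins <jrollins@fifthhorseman.net>
# Jamie McClelland <jm@mayfirst.org>
# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
#
# They are Copyright 2008, and are all released under the GPL, version 3
# or later.

if [ -n "$1" ] ; then
    # get users from command line
    # (kept as one space-joined string because the loop below relies on
    # word splitting; user names containing whitespace are not supported)
    unames="$@"
else
    # or just look at all users if none specified
    unames=$(getent passwd | cut -d: -f1)
fi

# NOTE(review): RETCODE is initialised here but never updated below; the
# failure paths write RETURN instead.  Confirm which of the two the caller
# reads, otherwise a failed install may be reported as success.
RETCODE=0

# set mode
# presumably consumed by the helpers sourced from ${SYSSHAREDIR}/common --
# it is not read anywhere in this file
MODE="authorized_keys"

# set gnupg home
GNUPGHOME="$GNUPGHOME_AUTHENTICATION"

# check to see if the gpg trust database has been initialized
if [ ! -s "${GNUPGHOME}/trustdb.gpg" ] ; then
    failure "GNUPG trust database uninitialized.  Please see MONKEYSPHERE-SERVER(8)."
fi

# make sure the authorized_keys directory exists
mkdir -p "${SYSDATADIR}/authorized_keys"

# loop over users
# (intentionally unquoted: $unames is a whitespace-separated list)
for uname in $unames ; do
    # check all specified users exist
    if ! id "$uname" >/dev/null ; then
        log error "----- unknown user '$uname' -----"
        continue
    fi

    log verbose "----- user: $uname -----"

    # make temporary directory
    # (template quoted so a MSTMPDIR containing whitespace or glob
    # characters cannot split into several arguments)
    TMPLOC=$(mktemp -d "${MSTMPDIR}/tmp.XXXXXXXXXX") || failure "Could not create temporary directory!"

    # trap to delete temporary directory on exit
    # Single quotes defer the expansion until the trap fires, so the path
    # is never re-parsed as shell words; "--" and the quotes keep rm on
    # exactly this one directory.
    trap 'rm -rf -- "$TMPLOC"' EXIT

    # create temporary authorized_user_ids file
    TMP_AUTHORIZED_USER_IDS="${TMPLOC}/authorized_user_ids"
    touch "$TMP_AUTHORIZED_USER_IDS"

    # create temporary authorized_keys file
    AUTHORIZED_KEYS="${TMPLOC}/authorized_keys"
    touch "$AUTHORIZED_KEYS"

    # set restrictive permissions on the temporary files
    # FIXME: is there a better way to do this?
    chmod 0700 "$TMPLOC"
    chmod 0600 "$AUTHORIZED_KEYS"
    chmod 0600 "$TMP_AUTHORIZED_USER_IDS"
    # hand the directory to the unprivileged monkeysphere user, who does
    # the key processing below
    chown -R "$MONKEYSPHERE_USER" "$TMPLOC"

    # process authorized_user_ids file
    log debug "checking for authorized_user_ids..."
    # translating ssh-style path variables
    authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS")
    if [ -s "$authorizedUserIDs" ] ; then
        # check permissions on the authorized_user_ids file path
        if check_key_file_permissions "$uname" "$authorizedUserIDs" ; then
            # copy user authorized_user_ids file to temporary
            # location
            # NOTE(review): the file is read with the invoker's privileges
            # after the permission check; this is only safe if
            # check_key_file_permissions (not shown here) rules out the
            # path changing between the check and the read -- confirm.
            cat "$authorizedUserIDs" > "$TMP_AUTHORIZED_USER_IDS"

            # export needed variables
            export AUTHORIZED_KEYS
            export TMP_AUTHORIZED_USER_IDS

            # process authorized_user_ids file, as monkeysphere user
            # NOTE(review): both paths are spliced unquoted into a command
            # string, so this depends on SYSSHAREDIR and MSTMPDIR holding
            # no whitespace or shell metacharacters.
            su_monkeysphere_user \
                ". ${SYSSHAREDIR}/common; process_authorized_user_ids $TMP_AUTHORIZED_USER_IDS"
            RETURN="$?"
        else
            log debug "not processing authorized_user_ids."
        fi
    else
        log debug "empty or absent authorized_user_ids file."
    fi

    # add user-controlled authorized_keys file if specified translate
    # ssh-style path variables
    rawAuthorizedKeys=$(translate_ssh_variables "$uname" "$RAW_AUTHORIZED_KEYS")
    if [ "$rawAuthorizedKeys" != 'none' ] ; then
        log debug "checking for raw authorized_keys..."
        if [ -s "$rawAuthorizedKeys" ] ; then
            # check permissions on the authorized_keys file path
            if check_key_file_permissions "$uname" "$rawAuthorizedKeys" ; then
                log verbose "adding raw authorized_keys file... "
                # NOTE(review): content read here with the invoker's
                # privileges is later made readable by the user's group,
                # so the permission check above is the only thing keeping
                # this to files the user could already read -- confirm it
                # covers symlinks and every parent directory.
                cat "$rawAuthorizedKeys" >> "$AUTHORIZED_KEYS"
            else
                log debug "not adding raw authorized_keys file."
            fi
        else
            log debug "empty or absent authorized_keys file."
        fi
    fi

    # move the new authorized_keys file into place
    if [ -s "$AUTHORIZED_KEYS" ] ; then
        # openssh appears to check the contents of the authorized_keys
        # file as the user in question, so the file must be readable
        # by that user at least.

        # but in general, we don't want the user tampering with this
        # file directly, so we'll adopt this approach: Own the file by
        # the monkeysphere-server invoker (usually root, but should be
        # the same uid that sshd is launched as); change the group of
        # the file so that members of the user's group can read it.

        # FIXME: is there a better way to do this?
        # Every step must succeed; the first failure drops through to the
        # cleanup branch, which removes any previously installed file
        # rather than leaving a stale one in place.
        if ! {
            chown "$(whoami)" "$AUTHORIZED_KEYS" &&
                chgrp "$(id -g "$uname")" "$AUTHORIZED_KEYS" &&
                chmod g+r "$AUTHORIZED_KEYS" &&
                mv -f "$AUTHORIZED_KEYS" "${SYSDATADIR}/authorized_keys/${uname}"
        } ; then
            log error "Failed to install authorized_keys for '$uname'!"
            rm -f "${SYSDATADIR}/authorized_keys/${uname}"
            # indicate that there has been a failure:
            RETURN=1
        fi
    else
        # no keys for this user: make sure no old file keeps granting access
        rm -f "${SYSDATADIR}/authorized_keys/${uname}"
    fi

    # unset the trap
    trap - EXIT

    # destroy temporary directory
    rm -rf -- "$TMPLOC"
done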