From d2462e94b7505964ab7d08c84fd1745341fc64a3 Mon Sep 17 00:00:00 2001
From: megacz
Date: Sun, 29 Apr 2007 20:36:46 +0000
Subject: [PATCH 1/1] cvs sucks even more
---
apache-sync-logs | 27 ++++++
create-user | 216 +++++++++++++++++++++++++++++++++++++++++++++++
destroy-user | 72 ++++++++++++++++
k5start-suexec | 15 ++++
4 files changed, 330 insertions(+)
create mode 100755 apache-sync-logs
create mode 100755 create-user
create mode 100755 destroy-user
create mode 100755 k5start-suexec
diff --git a/apache-sync-logs b/apache-sync-logs
new file mode 100755
index 0000000..9a1f65d
--- /dev/null
+++ b/apache-sync-logs
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# invoke this as root on mire
+
+exec 2>&1
+
+# drop any tokens; use only users' cgi tokens
+kdestroy
+unlog
+
+LOCAL_LOG_DIR=/var/log/apache
+
+for A in $LOCAL_LOG_DIR/user/?/??/*; do \
+ USER=`basename $A`
+ PATHBITS=`echo $USER | head -c 1`/`echo $USER | head -c 2`/$USER
+ LOG_DEST=/afs/hcoop.net/user/$PATHBITS/logs/apache/
+
+ echo
+ echo "=============================================================================="
+ echo "syncing logs for $USER from $A to $LOG_DEST ..."
+
+ chown -R $USER:www-data $A
+ chmod -R ug+rw $A
+
+ k5start -tU -f /etc/keytabs/cgi/$USER \
+ -- su $USER -c "rsync -a $A/ $LOG_DEST/"
+done
diff --git a/create-user b/create-user
new file mode 100755
index 0000000..e4fafb7
--- /dev/null
+++ b/create-user
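Review bot: The loop body has no guard for the no-match case, so when `$LOCAL_LOG_DIR/user/?/??/*` matches nothing the literal pattern is iterated, `USER` becomes `*`, and the root-run `chown -R`, `chmod -R` and `su` lines operate on that junk value; `[ -d "$A" ] || continue` as the first statement of the body avoids this. The expansions of `$A`, `$USER` and `$LOG_DEST` are unquoted throughout, including inside the `-c` string handed to `su`, where they are re-parsed by the target user's shell, so a log directory name containing whitespace is split into extra arguments; quoting them (`chown -R "$USER:www-data" "$A"`, `chmod -R ug+rw "$A"`) is the minimal fix for the direct calls. The trailing `\` after `do` is a no-op continuation and can be dropped.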
@@ -0,0 +1,216 @@
+#!/bin/bash -ex
+
+# MUST be executed:
+# - on deleuze
+# - as a user with an /etc/sudoers line
+# - member of wheel unix group
+# - while holding tokens for a user who is:
+# - a member of system:administrator
+# - listed in 'bos listusers deleuze'
+
+USER=$1
+
+if test -z "$USER"; then
+ echo "Invoke as create-user "
+ exit 1
+fi
+
+
+#
+# Kerberos principals
+# (creat kerberos principals: fred, fred/cgi, fred/mailfilter)
+#
+
+# We use -randkey for user's main principal as well, to make sure that
+# the creation process does not continue without having a main
+# principal. (But you who want to set password for a user, don't
+# worry - we'll invoke cpw later, so that it has the same effect
+# as setting password right now - while it is more error tolerant).
+
+sudo kadmin.local -p root/admin -q "ank -policy user -randkey $USER@HCOOP.NET"
+sudo kadmin.local -p root/admin -q "ank -policy mailfilter -randkey $USER/mailfilter@HCOOP.NET"
+sudo kadmin.local -p root/admin -q "ank -policy cgi -randkey $USER/cgi@HCOOP.NET"
+
+
+#
+# Create AFS users corresponding to krb5 principals.
+# (fred/cgi principal == fred.cgi AFS user)
+#
+
+pts cu $USER || true
+ID=`pts examine $USER | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
+pts cu $USER.mailfilter $ID_MF || true
+ID_MF=`pts examine $USER.mailfilter | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
+pts cu $USER.cgi || true
+ID_CGI=`pts examine $USER.cgi | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
+
+
+#
+# Construct various paths for later perusal.
+#
+
+# (If it's not clear, for user fred, PATHBITS = f/fr/fred)
+PATHBITS=`echo $USER | head -c 1`/`echo $USER | head -c 2`/$USER
+HOMEPATH=/afs/hcoop.net/user/$PATHBITS
+MAILPATH=/afs/hcoop.net/common/email/$PATHBITS
+DBPATH=/afs/hcoop.net/common/databases/$PATHBITS
+PGDIR=$DBPATH/postgres
+MYSQLDIR=$DBPATH/mysql
+
+
+#
+# Create LDAP entries. (With the whole libnss-ptdb, I kind of
+# lost the idea of what I want to do with LDAP, but we'll
+# see with time how well it integrates...)
+# The ID returned from AFS is important here, we want to make
+# sure those IDs match.
+#
+
+# USER entry
+echo "
+dn: uid=$USER,ou=People,dc=hcoop,dc=net
+objectClass: top
+objectClass: person
+objectClass: posixAccount
+cn: $USER
+uid: $USER
+gidNumber: $ID
+homeDirectory: $HOMEPATH
+sn: $USER
+host: abulafia
+host: mire
+
+dn: cn=$USER,ou=Group,dc=hcoop,dc=net
+objectClass: top
+objectClass: posixGroup
+cn: $USER
+gidNumber: $ID
+memberUid: $USER
+" | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret
+
+# USER.mailfilter entry
+echo "
+dn: uid=$USER.mailfilter,ou=People,dc=hcoop,dc=net
+objectClass: top
+objectClass: person
+objectClass: posixAccount
+cn: $USER.mailfilter
+uid: $USER.mailfilter
+gidNumber: $ID_MF
+homeDirectory: $HOMEPATH
+sn: $USER.mailfilter
+
+dn: cn=$USER.mailfilter,ou=Group,dc=hcoop,dc=net
+objectClass: top
+objectClass: posixGroup
+cn: $USER.mailfilter
+gidNumber: $ID_MF
+memberUid: $USER.mailfilter
+" | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret
+
+# USER.cgi entry
+echo "
+dn: uid=$USER.cgi,ou=People,dc=hcoop,dc=net
+objectClass: top
+objectClass: person
+objectClass: posixAccount
+cn: $USER.cgi
+uid: $USER.cgi
+gidNumber: $ID_CGI
+homeDirectory: $HOMEPATH
+sn: $USER.cgi
+
+dn: cn=$USER.cgi,ou=Group,dc=hcoop,dc=net
+objectClass: top
+objectClass: posixGroup
+cn: $USER.cgi
+gidNumber: $ID_CGI
+memberUid: $USER.cgi
+" | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret
+
+
+#
+# Export .mailfilter and .cgi keys to a keytab file
+#
+
+# create a mailfilter keytab (used by /etc/exim4/get-token)
+sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/mailfilter/$USER $USER/mailfilter@HCOOP.NET"
+# create a cgi keytab
+sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/cgi/$USER $USER/cgi@HCOOP.NET"
+
+# Properly chown/mod keytab files (www-data must own the cgi keytab)
+sudo chown www-data:wheel /etc/keytabs/cgi/$USER
+sudo chown $USER:wheel /etc/keytabs/mailfilter/$USER
+sudo chmod 440 /etc/keytabs/cgi/$USER /etc/keytabs/mailfilter/$USER
+
+# FIXME: rsync keytabs to mire?
+
+#
+# Create/mount/set-perms on user's volumes (home, mail, databases, logs)
+#
+
+# HOME VOLUME
+vos create deleuze.hcoop.net /vicepa user.$USER -maxquota 400000
+mkdir -p `dirname $HOMEPATH`
+fs mkm $HOMEPATH user.$USER
+chown $USER $HOMEPATH
+fs sa $HOMEPATH $USER all
+fs sa $HOMEPATH system:anyuser rl
+
+# Apache logs
+mkdir -p $HOMEPATH/logs/apache
+fs sa $HOMEPATH/logs/apache $USER.cgi rlwidk
+
+# MAIL VOLUME
+vos create deleuze.hcoop.net /vicepa mail.$USER -maxquota 400000
+mkdir -p `dirname $MAILPATH`
+fs mkm $MAILPATH mail.$USER
+fs mkm $HOMEPATH/Maildir mail.$USER
+fs sa $MAILPATH $USER all
+fs sa $MAILPATH $USER.mailfilter all
+
+# DATABASE VOLUME
+if ! vos examine db.$USER >/dev/null 2>/dev/null; then
+ mkdir -p `dirname /afs/.hcoop.net/common/.databases/$PATHBITS`
+ vos create -server afs -partition a -name db.$USER -maxquota 400000
+ fs mkmount -dir /afs/.hcoop.net/common/.databases/$PATHBITS -vol db.$USER -rw
+ vos release common.databases
+ fs sa -dir $DBPATH -acl system:postgres l
+ fs sa -dir $DBPATH -acl system:mysql l
+ fs sa -dir $DBPATH -acl system:backup rl
+fi
+
+# Create postgres user and tablespace placeholder within volume
+if ! [ -d $PGDIR ]; then
+ mkdir -p $PGDIR
+ chown postgres:postgres $PGDIR
+ fs sa -dir $PGDIR -acl system:postgres write
+
+ sudo -u postgres psql -c "CREATE TABLESPACE user_$USER OWNER postgres LOCATION '$PGDIR'" template1
+fi
+
+# Create mysql user and databases placeholder within volume
+mkdir -p $MYSQLDIR
+chown mysql:mysql $MYSQLDIR
+fs sa -dir $MYSQLDIR -acl system:mysql write
+
+
+#
+# Mount points for backup volumes
+#
+
+mkdir -p `dirname /afs/hcoop.net/old/user/$PATHBITS`
+mkdir -p `dirname /afs/hcoop.net/old/mail/$PATHBITS`
+fs mkm /afs/hcoop.net/old/user/$PATHBITS user.$USER.backup
+fs mkm /afs/hcoop.net/old/mail/$PATHBITS mail.$USER.backup
+
+vos syncserv deleuze
+vos syncvldb deleuze
+fs checkvolumes
+
+#
+# Finally, set password for main user's principal
+# Aborting this operation is harmless. Just re-invoke cpw.
+#
+sudo kadmin.local -p root/admin -q "cpw $USER@HCOOP.NET"
+
diff --git a/destroy-user b/destroy-user
new file mode 100755
index 0000000..573987c
--- /dev/null
+++ b/destroy-user
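Review bot: `USER` is only checked for emptiness before it is spliced into the `kadmin.local -q` query strings, the LDIF piped to `ldapadd`, the `CREATE TABLESPACE` statement and the AFS paths, all of which run with sudo or administrator tokens, so a name containing whitespace, quotes, `/`, `,` or `;` is passed through unchanged to those commands instead of being rejected. An allowlist check right after the `test -z` block, `[[ "$USER" =~ ^[a-z][a-z0-9]*$ ]] || { echo "bad username: $USER" >&2; exit 1; }`, bounds every downstream use at once. Separately, `pts cu $USER.mailfilter $ID_MF || true` reads `ID_MF` one line before it is assigned, so it expands to nothing, and because each `pts cu` is followed by `|| true` a failed `pts examine` leaves `ID`, `ID_MF` or `ID_CGI` empty and the LDIF entries get an empty `gidNumber`; drop the stray `$ID_MF` and test that the three IDs are non-empty before the `ldapadd` block. Also, the `-ex` in the shebang is lost when the script is run as `bash create-user`; `set -ex` as the first line of the body is reliable.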
@@ -0,0 +1,72 @@
+#!/bin/bash
+
+# MUST be executed:
+# - on deleuze
+# - as a user with an /etc/sudoers line
+# - while holding system:administrator tokens
+
+USER=$1
+
+PATHBITS=`echo $USER | head -c 1`/`echo $USER | head -c 2`/$USER
+HOMEPATH=/afs/hcoop.net/user/$PATHBITS
+MAILPATH=/afs/hcoop.net/common/email/$PATHBITS
+DBPATH=/afs/.hcoop.net/common/.databases/$PATHBITS
+# We don't use separate partitions for logs
+#LOGSPATH=/afs/.hcoop.net/common/.logs/$USER
+
+sudo rm -f /etc/keytabs/mailfilter/$USER
+sudo rm -f /etc/keytabs/cgi/$USER
+
+# LDAP
+sudo ldapdelete -v -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret \
+ uid=$USER,ou=People,dc=hcoop,dc=net
+sudo ldapdelete -v -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret \
+ uid=$USER.cgi,ou=People,dc=hcoop,dc=net
+sudo ldapdelete -v -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret \
+ uid=$USER.mailfilter,ou=People,dc=hcoop,dc=net
+sudo ldapdelete -v -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret \
+ cn=$USER,ou=Group,dc=hcoop,dc=net
+sudo ldapdelete -v -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret \
+ cn=$USER.cgi,ou=Group,dc=hcoop,dc=net
+sudo ldapdelete -v -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret \
+ cn=$USER.mailfilter,ou=Group,dc=hcoop,dc=net
+
+# Invalidate nscd cache
+sudo nscd -i passwd
+sudo nscd -i group
+
+# Remove from databases
+sudo -u postgres psql -c "DROP TABLESPACE user_$USER"
+#sudo -u postgres psql -c "DROP USER $USER"
+#sudo -H mysql -e "DROP USER $USER@localhost"
+
+fs rm $MAILPATH
+fs rm $HOMEPATH
+#fs rm $LOGSPATH
+fs rm $DBPATH
+fs rm /afs/hcoop.net/old/user/$PATHBITS
+fs rm /afs/hcoop.net/old/mail/$PATHBITS
+vos remove deleuze.hcoop.net /vicepa user.$USER
+vos remove deleuze.hcoop.net /vicepa mail.$USER
+vos remove deleuze.hcoop.net /vicepa db.$USER
+#vos remove deleuze.hcoop.net /vicepa logs.$USER
+
+vos release common.databases
+#vos release common.logs
+
+sudo kadmin.local -q "delprinc -force $USER@HCOOP.NET"
+sudo kadmin.local -q "delprinc -force $USER/mailfilter@HCOOP.NET"
+sudo kadmin.local -q "delprinc -force $USER/cgi@HCOOP.NET"
+
+pts delete $USER
+pts delete $USER.mailfilter
+pts delete $USER.cgi
+
+#fs rm /afs/hcoop.net/old/user/$PATHBITS
+#fs rm /afs/hcoop.net/old/mail/$PATHBITS
+#fs rm /afs/hcoop.net/old/logs/$PATHBITS
+
+vos syncserv deleuze
+vos syncvldb deleuze
+fs checkvolumes
+
diff --git a/k5start-suexec b/k5start-suexec
new file mode 100755
index 0000000..0b44b49
--- /dev/null
+++ b/k5start-suexec
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+USER=$1
+shift 1
+
+export KINIT_PROG="/usr/bin/aklog -c hcoop.net"
+
+exec \
+ /usr/bin/k5start \
+ -u $USER/cgi@HCOOP.NET \
+ -t \
+ -r HCOOP.NET \
+ -f /etc/keytabs/cgi/$USER.cgi.keytab \
+ -- $@
+
--
2.20.1
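Review bot: `USER=$1` is used with no check at all, unlike create-user, so invoking the script with no argument makes `PATHBITS` expand to `//` and the `fs rm`, `vos remove`, `pts delete` and `delprinc -force` lines are attempted against parent paths and empty names (`fs rm /afs/hcoop.net/user///`, `delprinc -force @HCOOP.NET`). A guard right after the assignment, `: "${USER:?Invoke as destroy-user <username>}"`, aborts before anything destructive runs, and the same allowlist check that create-user needs belongs here as well since the value reaches `kadmin.local -q`, `psql -c` and the LDAP DNs. There is also no `set -e`, so every step continues after a failure; if that is deliberate for teardown, a one-line comment saying so would save the next reader from "fixing" it.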
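Review bot: The keytab path on the `-f` line, `/etc/keytabs/cgi/$USER.cgi.keytab`, does not match the `/etc/keytabs/cgi/$USER` that create-user's `ktadd` writes and that apache-sync-logs reads, so one of the three scripts is pointing at a file the others never create; the three should agree on a single name. The final `-- $@` should be `-- "$@"` so the wrapped command's arguments keep their boundaries, and `USER=$1` has no emptiness check, so a missing argument yields the principal `/cgi@HCOOP.NET`; `: "${USER:?}"` before the `shift 1` covers that.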