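#!/bin/bash
# Get an AFS token for the given user.
#
# This is used to deliver mail with the appropriate credentials.
#
# Usage:
#
#   get-token $USER
#     - If this script is running as root, re-invoke it as $USER via sudo.
#
#   get-token $USER norecurse
#     - Don't re-invoke this script, even if running as root.
#
#   get-token $USER debug [ARGS...]
#     - Echo the remaining arguments into the per-user log.
#
# All logs and the credentials cache live under /var/local/mail-tokens.

REALUSER=$(whoami)
# NOTE: this deliberately overrides the USER environment variable for the
# rest of the script and for every child process (sudo/kinit/aklog), as the
# original did.
USER=$1

LOGFILE=/var/local/mail-tokens/weird-error.log

# Audit trail of every invocation: who called, as whom, and with what
# arguments. printf rather than echo/backticks so that an odd argument value
# (e.g. "-n") is never interpreted as an echo option.
printf '%s %s %s (%s): %s\n' "$(date)" "$REALUSER" "$USER" "$(groups)" "$*" \
  >> "$LOGFILE"
#ps -eo euser,ruser,suser,fuser,comm,pid --ppid=$PPID --pid=$PPID --forest >> "$LOGFILE"

if [[ "$REALUSER" == "root" ]]; then
  if [[ "$2" == "norecurse" ]]; then
    # sudo -u did not drop privileges; refuse to fetch tokens as root.
    echo "Error: running as root even after trying to change to $USER" \
      >> "$LOGFILE"
    exit 1
  fi

  # Decide whether the user exists: getent exits 0 if so.
  if ! getent passwd "$USER" >/dev/null; then
    echo "$USER is not a local user, so ignoring them" \
      >> "$LOGFILE"
    exit 1
  fi

  # Resolve a UID or alias to the canonical login name before handing it
  # to sudo. "--" stops sudo from treating the remaining words as options.
  # $0 is reused as the script path; if the script was started by a relative
  # name, sudo resolves it against cwd/PATH exactly as the original did.
  USER=$(getent passwd "$1" | cut -d':' -f 1)
  exec sudo -u "$USER" -- "$0" "$1" norecurse
fi

# Make sure USER exists, and resolve UIDs to a login name.
USER=$(getent passwd "$USER" | cut -d':' -f 1)
LOGFILE=/var/local/mail-tokens/get-token-log.$USER

if [[ -z "$USER" ]]; then
  # Log the argument as given: $USER has just been emptied by the failed
  # lookup, so the original message named nobody.
  echo "$1 is not a local user, so ignoring them" \
    >> /var/local/mail-tokens/weird-error.log
  exit 1
fi

# Send all further stdout and stderr to the per-user log. This truncates the
# log on every run (the original ">& $LOGFILE" did the same).
exec > "$LOGFILE" 2>&1

# print name of user
echo "Running as user $REALUSER"

# debugging output
if [[ "$2" == "debug" ]]; then
  shift; shift
  echo "Debugging output: $*"
fi

date
groups

# Per-user Kerberos credentials cache used for mail delivery.
export KRB5CCNAME=FILE:/var/local/mail-tokens/krb5cc_$USER.email

# eliminate any previous tokens
#kdestroy
#unlog
KEYTAB=/etc/keytabs/user.daemon/$USER

# Trace the commands below into the log as a sanity check. This writes the
# full krenew/kinit command lines (principal and keytab path, not key
# material) into the per-user log.
set -x

(
  # Shared lock on fd 666 (the per-user lock file opened below). A shared
  # lock does not exclude other shared lockers; presumably another process
  # takes an exclusive lock on this file — confirm against the caller.
  flock -s 666
  # Renew an existing ticket if possible; otherwise obtain a fresh one from
  # the keytab and convert it into an AFS token.
  krenew -vtH 30 || (kinit -V -kt "$KEYTAB" "$USER/daemon@HCOOP.NET" && aklog)

  # list tokens, for the sake of debugging
  tokens

) 666>/var/local/mail-tokens/lock.$USER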