# Get an AFS token for the given user.
#
# This is used to deliver mail with the appropriate credentials.
+#
+# Usage:
+#
+# get-token $USER
+# - If user is root, call this script as $USER
+#
+# get-token $USER norecurse
+# - Don't recursively call this script, even if user if root
+
+REALUSER=$(whoami)
+USER=$1
+LOGFILE=/tmp/exim4/get-token-log.$USER
+
+if [ "$REALUSER" = "root" ]; then
+ if [ -n "$2" ]; then
+ echo "Error: running as root even after trying to change to $USER" \
+ > $LOGFILE
+ exit 1
+ fi
+
+ # Decide whether the user exists: getent returns 0 error code if so
+ getent passwd "$USER" >/dev/null
+ if [ $? -ne 0 ]; then
+ echo "$USER is not a local user, so ignoring them"
+ exit 1
+ else
+ exec su $USER -c "$0 $1 norecurse"
+ fi
+fi
# fuse stdin and stderr
exec 2>&1
-USER=$1
# all future output goes to this file
-exec >&/tmp/get-token-log.$USER
+exec >& $LOGFILE
-# check that setuid happened
-whoami
+# print name of user
+echo "Running as user $REALUSER"
# set the credentials cache
-export KRB5CCNAME=FILE:/tmp/krb5cc_$USER.email
+export KRB5CCNAME=FILE:/tmp/exim4/krb5cc_$USER.email
# eliminate any previous tokens
kdestroy
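Review bot: In the root branch `$1` is used before it is validated: it goes unquoted into the redirect target `> $LOGFILE` and into the command string of `exec su $USER -c "$0 $1 norecurse"`, which the target user's shell parses again, so whitespace, a leading `-`, `/` or shell metacharacters can change what root writes or runs. The `getent passwd "$USER"` check only guards the `su` path, and it is a lookup (it also accepts numeric UIDs and whatever the configured NSS sources return), not a syntax check. Reject anything outside a conservative name pattern right after `USER=$1`, for example `case "$USER" in ""|-*|*[!A-Za-z0-9_.-]*) exit 1 ;; esac`, and quote the uses: `> "$LOGFILE"` and `exec su "$USER" -c "$0 $USER norecurse"`. Separately, the script later writes its log and credential cache under `/tmp/exim4` as `$USER`, which suggests ordinary users can write to that directory (its permissions are not shown here); if so, the root-side `> $LOGFILE` can follow a pre-planted symlink, so that error is safer sent to stderr or syslog. The script continues past the end of this hunk.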