X-Git-Url: http://git.hcoop.net/hcoop/config/exim.git/blobdiff_plain/c3a1fc9a1e99722e7e660880b80a60bec70f7b7f..2a78b68690f959ffa9d033cc822d549c2cd666c7:/get-token
diff --git a/get-token b/get-token
index a837762..2a94863 100755
--- a/get-token
+++ b/get-token
@@ -2,28 +2,86 @@
 # Get an AFS token for the given user.
 #
 # This is used to deliver mail with the appropriate credentials.
+#
+# Usage:
+#
+# get-token $USER
+# - If user is root, call this script as $USER
+#
+# get-token $USER norecurse
+# - Don't recursively call this script, even if user if root
+
+REALUSER=$(whoami)
+USER=$1
+LOGFILE=/var/local/mail-tokens/weird-error.log
+
+echo "`date` $REALUSER $USER (`groups`): $@" >> $LOGFILE
+#ps -eo euser,ruser,suser,fuser,comm,pid --ppid=$PPID --pid=$PPID --forest >> $LOGFILE
+
+if test "$REALUSER" = "root"; then
+ if test "$2" = "norecurse"; then
+ echo "Error: running as root even after trying to change to $USER" \
+ >> $LOGFILE
+ exit 1
+ fi
+
+ # Decide whether the user exists: getent returns 0 error code if so
+ getent passwd "$USER" >/dev/null
+ if test $? -ne 0; then
+ echo "$USER is not a local user, so ignoring them" \
+ >> $LOGFILE
+ exit 1
+ else
+ USER=$(getent passwd "$1" | cut -d':' -f 1)
+ exec sudo -u $USER -- $0 $1 norecurse
+ fi
+fi
+
+# Make sure USER exists, and resolve UIDs to a login name
+USER=$(getent passwd "$USER" | cut -d':' -f 1)
+LOGFILE=/var/local/mail-tokens/get-token-log.$USER
+
+if test -z "$USER"; then
+ echo "$USER is not a local user, so ignoring them" \
+ >> /var/local/mail-tokens/weird-error.log
+ exit 1
+fi
 # fuse stdin and stderr
 exec 2>&1
-USER=$1
 # all future output goes to this file
-exec >&/tmp/get-token-log.$USER
+exec >& $LOGFILE
-# check that setuid happened
-whoami
+# print name of user
+echo "Running as user $REALUSER"
+
+# debugging output
+if test "$2" = "debug"; then
+ shift; shift
+ echo "Debugging output: $*"
+fi
+
+date
+groups
 # set the credentials cache
-export KRB5CCNAME=FILE:/tmp/krb5cc_$USER.email
+export KRB5CCNAME=FILE:/var/local/mail-tokens/krb5cc_$USER.email
 # eliminate any previous tokens
-kdestroy
-unlog
-KEYTAB=/etc/keytabs/mailfilter/$USER
+#kdestroy
+#unlog
+KEYTAB=/etc/keytabs/user.daemon/$USER
 # display command-to-be-invoked as a sanity check
-echo 
kinit -kt $KEYTAB $USER/mailfilter@HCOOP.NET
+set -x
+
+(
+flock -s 666
+krenew -vtH 30 || kinit -V -kt $KEYTAB $USER/daemon@HCOOP.NET
+#aklog
-kinit -kt $KEYTAB $USER/mailfilter@HCOOP.NET
-aklog
+# list tokens, for the sake of debugging
+tokens
+) 666>/var/local/mail-tokens/lock.$USER
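Review bot: The `flock -s 666` at the top of the new subshell takes a shared lock, which every concurrent invocation for the same user also obtains, so the krenew/kinit writes to the `krb5cc_$USER.email` cache under `lock.$USER` are not actually serialized; if the lock file is meant to stop two deliveries from rewriting the cache at once it needs an exclusive lock, `flock 666` (or `flock -x 666`). Earlier in the hunk, the root branch re-executes the script with `exec sudo -u $USER -- $0 $1 norecurse` and all four expansions unquoted, so a script path or argument containing whitespace or glob characters is re-split before sudo sees it; `exec sudo -u "$USER" -- "$0" "$1" norecurse` keeps each as a single word. The `getent ... ; if test $? -ne 0` pair in the same branch can also be written as `if ! getent passwd "$USER" >/dev/null; then`, which reads more directly and cannot be broken by a command slipped in between.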