3 # Library functions for create-user scripts
4 # Export the $NEWUSER variable before sourcing!
6 # Functionality is split so that the scripts for creating real users,
7 # service users, and web service users can share as much code as
10 # This has probably grown to the point where it shouldn't be a shell
13 # ALWAYS REMEMBER: THIS MUST BE IDEMPOTENT! re creating a user is
14 # something that should be perfectly permissible, and is something
15 # that we do somewhat regularly (to bring old accounts up to date).
17 export PATH
=$PATH:/afs
/hcoop.net
/common
/bin
/
19 if test -z "$NEWUSER"; then
20 echo "NEWUSER not set before sourcing create user library"
25 # Construct various paths for later perusal.
28 # (If it's not clear, for user fred, PATHBITS = f/fr/fred)
29 PATHBITS
=`echo $NEWUSER | head -c 1`/`echo $NEWUSER | head -c 2`/$NEWUSER
30 HOMEPATH
=/afs
/hcoop.net
/user
/$PATHBITS
31 MAILPATH
=/afs
/hcoop.net
/common
/email
/$PATHBITS
37 function execute_on_web_nodes
() {
38 ssh -K shelob.hcoop.net $
*
41 function execute_on_domtool_server
() {
42 ssh -K gibran.hcoop.net $
*
46 function execute_on_all_machines
() {
48 ssh -K marsh.hcoop.net $
*
49 ssh -K minsky.hcoop.net $
*
50 ssh -K shelob.hcoop.net $
*
51 ssh -K outpost.hcoop.net $
*
58 function create_pts_user
() {
59 # Create primary user kerberos principle and afs pts user
61 # We use -randkey for user's main principal as well, to make sure
62 # that the creation process does not continue without having a
63 # main principal. (But you who want to set password for a user,
64 # don't worry - we'll invoke cpw later, so that it has the same
65 # effect as setting password right now - while it is more error
68 sudo kadmin.
local -p root
/admin
-q "ank -policy user -randkey +requires_preauth $NEWUSER@HCOOP.NET"
69 sudo kadmin.
local -p root
/admin
-q "modprinc -maxlife 1day $NEWUSER@HCOOP.NET"
71 pts cu
$NEWUSER || true
74 function create_pts_user_daemon
() {
76 # Create additional kerberos principles ($user.daemon for now, in
77 # theory also $user.mail, $user.cgi) and pts users for any used to
78 # gain afs access ($user.daemon only)
79 sudo kadmin.
local -p root
/admin
-q "ank -policy daemon -randkey +requires_preauth $NEWUSER/daemon@HCOOP.NET"
80 pts cu
$NEWUSER.daemon || true
83 function export_user_keytabs
() {
85 # Export .mailfilter and .cgi keys to a keytab file
87 # This is suboptimal, we need to generate keytabs for
88 # cgi/mail/etc. separately, and only sync to the nodes that
89 # perform the services in question
91 # create a daemon keytab (used by /etc/exim4/get-token)
92 # *only* if it does not exist!
93 test -e /etc
/keytabs
/user.daemon
/$NEWUSER || \
94 sudo kadmin.
local -p root
/admin
-q "ktadd -k /etc/keytabs/user.daemon/$NEWUSER $NEWUSER/daemon@HCOOP.NET"
96 # Properly chown/mod keytab files (must be $NEWUSER:www-data)
97 sudo chown
$NEWUSER:www-data
/etc
/keytabs
/user.daemon
/$NEWUSER
98 sudo
chmod 440 /etc
/keytabs
/user.daemon
/$NEWUSER
101 # only needed on nodes that will run code on behalf of members
102 # fixme: duplicates all server list
104 sudo
tar clpf
- user.daemon
/$NEWUSER | \
105 ssh marsh.hcoop.net
cd /etc
/keytabs\
; sudo
tar xlpf
-)
107 sudo
tar clpf
- user.daemon
/$NEWUSER | \
108 ssh minsky.hcoop.net
cd /etc
/keytabs\
; sudo
tar xlpf
-)
110 sudo
tar clpf
- user.daemon
/$NEWUSER | \
111 ssh shelob.hcoop.net
cd /etc
/keytabs\
; sudo
tar xlpf
-)
116 # Create/mount/set-perms on user's volumes (home, mail, databases, logs)
119 # Each function that creates an afs volume should ensure that the
120 # backup volume is created and mounted for users.
122 function create_home_volume
() {
124 if vos examine user.
$NEWUSER.d
2>/dev
/null
; then
125 echo "Reactivating old volume (user.$NEWUSER.d)"
126 vos rename user.
$NEWUSER.d user.
$NEWUSER
128 vos examine user.
$NEWUSER 2>/dev
/null || \
129 vos create gibran.hcoop.net
/vicepa user.
$NEWUSER -maxquota 4000000
131 mkdir
-p `dirname $HOMEPATH`
132 fs
ls $HOMEPATH ||
test -L $HOMEPATH || fs mkm
$HOMEPATH user.
$NEWUSER
133 chown
$NEWUSER:nogroup
$HOMEPATH
134 fs sa
$HOMEPATH $NEWUSER all
135 fs sa
$HOMEPATH system
:anyuser l
136 # cleanliness / needed to keep suphp happy
137 chown root
:root
$HOMEPATH/..
/..
/
138 chown root
:root
$HOMEPATH/..
/
141 mkdir
-p `dirname /afs/hcoop.net/.old/user/$PATHBITS`
142 fs
ls /afs
/hcoop.net
/.old
/user
/$PATHBITS || \
143 fs mkm
/afs
/hcoop.net
/.old
/user
/$PATHBITS user.
$NEWUSER.backup
147 function create_mail_volume
() {
149 if vos examine
mail.
$NEWUSER.d
2>/dev
/null
; then
150 echo "Reactivating old volume (mail.$NEWUSER.d)"
151 vos rename
mail.
$NEWUSER.d
mail.
$NEWUSER
153 vos examine
mail.
$NEWUSER 2>/dev
/null || \
154 vos create gibran.hcoop.net
/vicepa
mail.
$NEWUSER -maxquota 4000000
156 mkdir
-p `dirname $MAILPATH`
157 fs
ls $MAILPATH || fs mkm
$MAILPATH mail.
$NEWUSER
158 fs
ls $HOMEPATH/Maildir || fs mkm
$HOMEPATH/Maildir
mail.
$NEWUSER
159 chown
$NEWUSER:nogroup
$MAILPATH
160 chown
$NEWUSER:nogroup
$HOMEPATH/Maildir
161 fs sa
$MAILPATH $NEWUSER all
162 fs sa
$MAILPATH $NEWUSER.daemon all
164 if test ! -e $MAILPATH/new
; then
165 mkdir
-p $MAILPATH/cur
$MAILPATH/new
$MAILPATH/tmp
166 echo -e "This email account is provided as a service for HCoop members." \
167 "\n\nTo learn how to use it, please visit the page" \
168 "\n<http://wiki.hcoop.net/MemberManual/Email> on our website."| \
169 mail -s "Welcome to your HCoop email store" \
170 -e -a "From: postmaster@hcoop.net" \
171 real-
$NEWUSER@hcoop.net
174 chown
$NEWUSER:nogroup
$MAILPATH/cur
$MAILPATH/new
$MAILPATH/tmp
176 # Set up shared SpamAssassin folder
177 if test -f $HOMEPATH/Maildir
/shared-maildirs
; then
178 # Deal with case where user rsync'd their Maildir from fyodor
179 # Not an issue now, but harmless and can be adapted when we
180 # move the spamd dirs into afs where they belong later.
181 pattern
='^SpamAssassin /home/spamd'
182 file=$HOMEPATH/Maildir
/shared-maildirs
183 if grep $pattern $file; then
185 's!^(SpamAssassin )/home/spamd!\1/var/local/lib/spamd!1' \
189 maildirmake
--add SpamAssassin
=/afs
/hcoop.net
/user
/s
/sp
/spamd
/Maildir \
193 mkdir
-p `dirname /afs/hcoop.net/.old/mail/$PATHBITS`
194 fs
ls /afs
/hcoop.net
/.old
/mail
/$PATHBITS || \
195 fs mkm
/afs
/hcoop.net
/.old
/mail
/$PATHBITS mail.
$NEWUSER.backup
199 function seed_user_hcoop_directories
() {
200 # Additional standard directories. Some of these should probably
201 # be on their own volumes, and access via a canonical path instead
202 # to give users more control over their home dir without risking
203 # breaking system services.
206 mkdir
-p $HOMEPATH/.logs
207 chown
$NEWUSER:nogroup
$HOMEPATH/.logs
208 mkdir
-p $HOMEPATH/.logs
/apache
209 chown
$NEWUSER:nogroup
$HOMEPATH/.logs
/apache
210 fs sa
$HOMEPATH/.logs
/apache
$NEWUSER.daemon rlwidk
211 fs sa
$HOMEPATH/.logs
/apache webalizer
read
212 mkdir
-p $HOMEPATH/.logs
/mail
213 fs sa
$HOMEPATH/.logs
/mail $NEWUSER.daemon rlwidk
214 chown
$NEWUSER:nogroup
$HOMEPATH/.logs
/mail
217 test -e $HOMEPATH/public_html || \
218 (mkdir
-p $HOMEPATH/public_html
; \
219 chown
$NEWUSER:nogroup
$HOMEPATH/public_html
; \
220 fs sa
$HOMEPATH/public_html system
:anyuser none
; \
221 fs sa
$HOMEPATH/public_html
$NEWUSER.daemon rl
)
224 mkdir
-p $HOMEPATH/.procmail.d
225 chown
$NEWUSER:nogroup
$HOMEPATH/.procmail.d
226 fs sa
$HOMEPATH/.procmail.d system
:anyuser rl
229 mkdir
-p $HOMEPATH/.public
/
230 chown
$NEWUSER:nogroup
$HOMEPATH/.public
231 fs sa
$HOMEPATH/.public system
:anyuser rl
234 mkdir
-p $HOMEPATH/.public
/.domtool
235 chown
$NEWUSER:nogroup
$HOMEPATH/.public
/.domtool
236 test -e $HOMEPATH/.domtool || \
237 test -L $HOMEPATH/.domtool || \
238 execute_on_domtool_server
ln -s $HOMEPATH/.public
/.domtool
$HOMEPATH/.domtool
239 execute_on_domtool_server chown
$NEWUSER $HOMEPATH/.domtool
240 # ^^ work around sudo env_reset crap without having to
241 # actually figure out how to make it work cleanly -- clinton,
246 # Non-AFS files and directories
249 function create_dav_locks
() {
250 # Make per-user apache DAV lock directory -- the directory must be
251 # both user and group-writable, which is silly.
252 execute_on_web_nodes sudo mkdir
-p /var
/lock
/apache
2/dav
/$NEWUSER
253 execute_on_web_nodes sudo chown
$NEWUSER:www-data
/var
/lock
/apache
2/dav
/$NEWUSER
254 execute_on_web_nodes sudo
chmod ug
=rwx
,o
= /var
/lock
/apache
2/dav
/$NEWUSER
257 function setup_user_databases
() {
258 sudo
/afs
/hcoop.net
/common
/etc
/scripts
/create-user-database
$NEWUSER
265 function enable_domtool
() {
266 execute_on_domtool_server domtool-adduser
$NEWUSER
269 function subscribe_to_lists
() {
270 # Subscribe user to our mailing lists.
272 echo $NEWUSER@hcoop.net |
ssh -K minsky sudo
-u list \
273 /var
/lib
/mailman
/bin
/add_members
-r - hcoop-announce
276 function ensure_afs_servers_synced
() {
279 # technically this might not be necessary, but for good measure...
281 for srv
in gibran lovelace
; do
286 # refresh volume location cache (takes ~2hrs otherwise)
287 execute_on_all_machines fs checkvolumes
294 function create_fcgi_wrapper
() {
295 # note: might want to move this to domtool-adduser
296 local wrapper_dir
="/afs/hcoop.net/common/etc/domtool/httpd/fastcgi/${PATHBITS}"
297 local wrapper
="${wrapper_dir}/${NEWUSER}-wrapper-wrapper"
298 mkdir
-p $wrapper_dir
302 exec k5start -qtUf /etc/keytabs/user.daemon/${NEWUSER} -- \$@
306 chown
$NEWUSER:nogroup
$wrapper
307 chown
$NEWUSER:nogroup
$wrapper_dir