3 # Library functions for create-user scripts
4 # Export the $NEWUSER variable before sourcing!
6 # Functionality is split so that the scripts for creating real users,
7 # service users, and web service users can share as much code as
10 # This has probably grown to the point where it shouldn't be a shell
13 # ALWAYS REMEMBER: THIS MUST BE IDEMPOTENT! Re-creating a user is
14 # something that should be perfectly permissible, and is something
15 # that we do somewhat regularly (to bring old accounts up to date).
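# Make HCoop's shared tooling under /afs/hcoop.net/common/bin resolvable from
# this library and from the scripts that source it. The value is quoted so a
# PATH entry containing whitespace survives the `export` argument intact.
export PATH="$PATH:/afs/hcoop.net/common/bin/"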
19 if test -z "$NEWUSER"; then
20 echo "NEWUSER not set before sourcing create user library"
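# Construct various paths for later perusal.
#
# PATHBITS is the two-level hashed prefix used for member directories:
# (If it's not clear, for user fred, PATHBITS = f/fr/fred)
# Built with parameter expansion instead of `echo ... | head -c`, which
# spawned four processes and would mis-handle a name starting with '-'.
# For plain ASCII usernames the result is identical to the old form.
PATHBITS="${NEWUSER:0:1}/${NEWUSER:0:2}/${NEWUSER}"
# Mount point of the member's home volume (user.$NEWUSER).
HOMEPATH="/afs/hcoop.net/user/$PATHBITS"
# Mount point of the member's mail store volume (mail.$NEWUSER).
MAILPATH="/afs/hcoop.net/common/email/$PATHBITS"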
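#######################################
# Run a command on the web node (shelob).
# Arguments: the command and its arguments, passed through unchanged
# Notes:     -K enables GSSAPI auth and delegates the caller's Kerberos
#            credentials to the remote host, so this is only meant to be run
#            by an admin holding a ticket. "$@" (rather than $*) stops the
#            arguments from being glob-expanded or re-split locally; ssh
#            still joins them into one remote command line, so any quoting
#            the remote shell needs is the caller's job.
# Returns:   ssh's exit status
#######################################
function execute_on_web_nodes () {
  ssh -K shelob.hcoop.net "$@"
}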
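#######################################
# Run a command on the domtool server (gibran).
# Arguments: the command and its arguments, passed through unchanged
# Notes:     -K delegates the caller's Kerberos credentials to the remote
#            host. "$@" keeps the caller's words intact on the local side;
#            ssh joins them into a single remote command line.
# Returns:   ssh's exit status
#######################################
function execute_on_domtool_server () {
  ssh -K gibran.hcoop.net "$@"
}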
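#######################################
# Run a command on the mail node (minsky).
# Arguments: the command and its arguments, passed through unchanged
# Notes:     -K delegates the caller's Kerberos credentials to the remote
#            host. "$@" keeps the caller's words intact on the local side;
#            ssh joins them into a single remote command line.
# Returns:   ssh's exit status
#######################################
function execute_on_mail_nodes () {
  ssh -K minsky.hcoop.net "$@"
}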
#######################################
# Run a command on every member-facing machine, one ssh per host.
# Arguments: the command and its arguments
# Notes:     No set -e is visible in this file, so a failure on one host does
#            not stop the remaining hosts; the function's status is that of
#            the last ssh (outpost).
#            -K delegates the caller's Kerberos credentials to each host.
# NOTE(review): $* is unquoted, so arguments are glob-expanded and re-split
#            locally before ssh sees them; "$@" would pass them through
#            unchanged. (Original line 50 is not in this copy; confirm the
#            host list against the live file.)
#######################################
function execute_on_all_machines () {
  ssh -K marsh.hcoop.net $*
  ssh -K minsky.hcoop.net $*
  ssh -K shelob.hcoop.net $*
  ssh -K lovelace.hcoop.net $*
  ssh -K outpost.hcoop.net $*
}
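#######################################
# Create the member's primary Kerberos principal and AFS PTS user.
# Globals:   NEWUSER (read)
# Notes:     Meant to be re-runnable: "ank" of an existing principal is
#            reported by kadmin and otherwise harmless (no set -e here), and
#            "pts cu" of an existing PTS user is swallowed with || true.
#######################################
function create_pts_user () {
  # Create primary user Kerberos principal and AFS PTS user
  #
  # We use -randkey for the user's main principal as well, to make sure
  # that the creation process does not continue without having a
  # main principal. (But you who want to set a password for a user,
  # don't worry - we'll invoke cpw later, so that it has the same
  # effect as setting the password right now - while it is more error
  # [comment continues on original line 70, which is not in this copy]
  #
  # -policy user: the KDC's "user" password policy.
  # +requires_preauth: the KDC will not hand out an AS-REP without
  # pre-authentication, which blocks offline guessing against the key.
  sudo kadmin.local -p root/admin \
    -q "ank -policy user -randkey +requires_preauth $NEWUSER@HCOOP.NET"
  # Cap ticket lifetime for member principals at one day.
  sudo kadmin.local -p root/admin \
    -q "modprinc -maxlife 1day $NEWUSER@HCOOP.NET"
  # pts cu exits non-zero when the PTS user already exists (re-run case).
  pts cu "$NEWUSER" || true
}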
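#######################################
# Create the member's service principal ($NEWUSER/daemon) and its PTS user.
# Globals:   NEWUSER (read)
# Notes:     Re-runnable: "ank" of an existing principal is reported and
#            otherwise harmless; "pts cu" of an existing user is swallowed.
#######################################
function create_pts_user_daemon () {
  # Create additional Kerberos principals ($user.daemon for now, in
  # theory also $user.mail, $user.cgi) and PTS users for any used to
  # gain AFS access ($user.daemon only)
  #
  # -policy daemon / -randkey: a service principal with a random key; it is
  # used through a keytab (see export_user_keytabs) rather than a password.
  sudo kadmin.local -p root/admin \
    -q "ank -policy daemon -randkey +requires_preauth $NEWUSER/daemon@HCOOP.NET"
  # The PTS name uses a dot where the Kerberos name uses a slash.
  pts cu "$NEWUSER.daemon" || true
}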
#######################################
# Export the member's daemon principal to a keytab and copy it to the nodes
# that run code on the member's behalf.
# Globals:   NEWUSER (read)
#######################################
function export_user_keytabs () {
  # (original line 88 is not in this copy)
  # Export .mailfilter and .cgi keys to a keytab file
  # (original line 90 is not in this copy)
  # This is suboptimal, we need to generate keytabs for
  # cgi/mail/etc. separately, and only sync to the nodes that
  # perform the services in question
  # (original line 94 is not in this copy)
  # create a daemon keytab (used by /etc/exim4/get-token)
  # *only* if it does not exist!
  # NOTE(review): the existence test is what keeps this idempotent -- as far
  # as I recall ktadd re-randomizes the principal's key, so repeating it would
  # invalidate copies of the keytab already pushed to the other nodes; confirm.
  test -e /etc/keytabs/user.daemon/$NEWUSER || \
    sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/user.daemon/$NEWUSER $NEWUSER/daemon@HCOOP.NET"
  # (original line 99 is not in this copy)
  # Properly chown/mod keytab files (must be $NEWUSER:www-data)
  # 440 $NEWUSER:www-data: only the member and the web server can read the
  # key material; nobody else on the box can.
  sudo chown $NEWUSER:www-data /etc/keytabs/user.daemon/$NEWUSER
  sudo chmod 440 /etc/keytabs/user.daemon/$NEWUSER
  # (original lines 103-104 are not in this copy)
  # only needed on nodes that will run code on behalf of members
  # fixme: duplicates all server list
  # (original line 107 is not in this copy; the tar path below is relative, so
  # presumably a `cd /etc/keytabs` precedes it -- verify)
  # tar p on both ends keeps the 440 mode and ownership on the remote copy,
  # which assumes the same uid/gid exist there.
  # NOTE(review): the grouping/quoting of the remote command did not survive
  # the copy this review was made from; the stray ')' is what remains of it.
  sudo tar clpf - user.daemon/$NEWUSER | \
    ssh marsh.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
  # (original line 110 is not in this copy)
  sudo tar clpf - user.daemon/$NEWUSER | \
    ssh minsky.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
  # (original line 113 is not in this copy)
  sudo tar clpf - user.daemon/$NEWUSER | \
    ssh shelob.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
  # (original lines 116-119 are not in this copy)
}
120 # Create/mount/set-perms on user's volumes (home, mail, databases, logs)
123 # Each function that creates an afs volume should ensure that the
124 # backup volume is created and mounted for users.
#######################################
# Create (or reactivate) the member's home volume, mount it at HOMEPATH, set
# its ACL and make sure the backup volume is mounted under .old.
# Globals:   NEWUSER, HOMEPATH, PATHBITS (read)
#######################################
function create_home_volume () {
  # (original line 127 is not in this copy)
  # A volume named user.<name>.d is treated as a parked copy of an old
  # account (presumably renamed that way on removal -- verify) and is
  # brought back instead of creating an empty one.
  if vos examine user.$NEWUSER.d 2>/dev/null; then
    echo "Reactivating old volume (user.$NEWUSER.d)"
    vos rename user.$NEWUSER.d user.$NEWUSER
  # (original line 131 -- the closing fi, or an else -- is not in this copy)
  vos examine user.$NEWUSER 2>/dev/null || \
    vos create gibran.hcoop.net /vicepa user.$NEWUSER -maxquota 10000000
  # (original line 134 is not in this copy)
  mkdir -p `dirname $HOMEPATH`
  # Mount the volume at HOMEPATH unless something is already there.
  fs ls $HOMEPATH || test -L $HOMEPATH || fs mkm $HOMEPATH user.$NEWUSER
  chown $NEWUSER:nogroup $HOMEPATH
  # ACL: the member gets all rights; everyone else lookup only, which is the
  # minimum needed to traverse into sub-directories with their own ACLs.
  fs sa $HOMEPATH $NEWUSER all
  fs sa $HOMEPATH system:anyuser l
  # cleanliness / needed to keep suphp happy
  chown root:root $HOMEPATH/../../
  chown root:root $HOMEPATH/../
  # (original lines 143-144 are not in this copy)
  # Backup volume mount point under .old (see the comment above this function).
  mkdir -p `dirname /afs/hcoop.net/.old/user/$PATHBITS`
  fs ls /afs/hcoop.net/.old/user/$PATHBITS || \
    fs mkm /afs/hcoop.net/.old/user/$PATHBITS user.$NEWUSER.backup
  # (original lines 148-150 are not in this copy)
  # NOTE(review): $HOMEPATH, $PATHBITS and $NEWUSER are unquoted throughout;
  # harmless for plain usernames, but quoting them is the safer habit.
}
#######################################
# Create (or reactivate) the member's mail volume, mount it at MAILPATH and
# as ~/Maildir, seed the Maildir on first creation, and mount the backup
# volume under .old.
# Globals:   NEWUSER, HOMEPATH, MAILPATH, PATHBITS (read)
#            pattern, file (written -- not declared local, see note below)
#######################################
function create_mail_volume () {
  # (original line 152 is not in this copy)
  # Same reactivation rule as create_home_volume: a parked mail.<name>.d
  # volume is renamed back rather than replaced.
  if vos examine mail.$NEWUSER.d 2>/dev/null; then
    echo "Reactivating old volume (mail.$NEWUSER.d)"
    vos rename mail.$NEWUSER.d mail.$NEWUSER
  # (original line 156 -- the closing fi, or an else -- is not in this copy)
  vos examine mail.$NEWUSER 2>/dev/null || \
    vos create gibran.hcoop.net /vicepa mail.$NEWUSER -maxquota 10000000
  # (original line 159 is not in this copy)
  mkdir -p `dirname $MAILPATH`
  # The one volume is mounted twice: at the canonical MAILPATH and as the
  # member's ~/Maildir.
  fs ls $MAILPATH || fs mkm $MAILPATH mail.$NEWUSER
  fs ls $HOMEPATH/Maildir || fs mkm $HOMEPATH/Maildir mail.$NEWUSER
  chown $NEWUSER:nogroup $MAILPATH
  chown $NEWUSER:nogroup $HOMEPATH/Maildir
  # Both the member and the member's daemon principal get full rights on the
  # store (the latter presumably so delivery/filtering can write -- verify).
  fs sa $MAILPATH $NEWUSER all
  fs sa $MAILPATH $NEWUSER.daemon all
  # (original line 167 is not in this copy)
  # First creation only: lay out the Maildir and deliver a welcome message.
  if test ! -e $MAILPATH/new; then
    mkdir -p $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp
    # NOTE(review): echo -e is a bashism; fine only if the sourcing scripts
    # run under bash.
    echo -e "This email account is provided as a service for HCoop members." \
      "\n\nTo learn how to use it, please visit the page" \
      "\n<http://wiki.hcoop.net/MemberManual/Email> on our website."| \
      mail -s "Welcome to your HCoop email store" \
        -e -a "From: postmaster@hcoop.net" \
        real-$NEWUSER@hcoop.net
  # (original lines 176-177 are not in this copy)
  chown $NEWUSER:nogroup $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp
  # (original line 179 is not in this copy)
  # Set up shared SpamAssassin folder
  if test -f $HOMEPATH/Maildir/shared-maildirs; then
    # Deal with case where user rsync'd their Maildir from fyodor
    # Not an issue now, but harmless and can be adapted when we
    # move the spamd dirs into afs where they belong later.
    # NOTE(review): pattern and file are not declared local, so they leak
    # into the sourcing script's scope.
    pattern='^SpamAssassin /home/spamd'
    file=$HOMEPATH/Maildir/shared-maildirs
    # NOTE(review): $pattern is unquoted, so the space inside it splits the
    # word: grep receives '^SpamAssassin' as the pattern and '/home/spamd' as
    # an extra file operand, i.e. any SpamAssassin line matches, not just the
    # /home/spamd one. Intended form: `if grep "$pattern" "$file"; then`.
    if grep $pattern $file; then
      # (original line 188 -- the command this sed expression belongs to --
      # and lines 190-192 are not in this copy)
      's!^(SpamAssassin )/home/spamd!\1/var/local/lib/spamd!1' \
    # (the rest of original line 193 and lines 194-196 are not in this copy)
    maildirmake --add SpamAssassin=/afs/hcoop.net/user/s/sp/spamd/Maildir \
  # Backup volume mount point under .old.
  mkdir -p `dirname /afs/hcoop.net/.old/mail/$PATHBITS`
  fs ls /afs/hcoop.net/.old/mail/$PATHBITS || \
    fs mkm /afs/hcoop.net/.old/mail/$PATHBITS mail.$NEWUSER.backup
  # (original lines 200-202 are not in this copy)
}
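#######################################
# Create the standard HCoop directories inside the member's home volume and
# set their ownership and AFS ACLs.
# Globals:   NEWUSER, HOMEPATH (read)
# Notes:     Re-runnable; public_html is only seeded when absent so a re-run
#            never resets a member's chosen ACL on it.
#######################################
function seed_user_hcoop_directories () {
  # Additional standard directories. Some of these should probably
  # be on their own volumes, and access via a canonical path instead
  # to give users more control over their home dir without risking
  # breaking system services.

  # Per-service log directories: owned by the member, writable by the
  # member's daemon principal (rlwidk = read, lookup, write, insert, delete,
  # lock -- no 'a', so the daemon cannot change the ACL itself).
  mkdir -p "$HOMEPATH/.logs"
  chown "$NEWUSER:nogroup" "$HOMEPATH/.logs"
  mkdir -p "$HOMEPATH/.logs/apache"
  chown "$NEWUSER:nogroup" "$HOMEPATH/.logs/apache"
  fs sa "$HOMEPATH/.logs/apache" "$NEWUSER.daemon" rlwidk
  # "read" is the AFS shorthand for rl.
  fs sa "$HOMEPATH/.logs/apache" webalizer read
  mkdir -p "$HOMEPATH/.logs/mail"
  fs sa "$HOMEPATH/.logs/mail" "$NEWUSER.daemon" rlwidk
  chown "$NEWUSER:nogroup" "$HOMEPATH/.logs/mail"

  # public_html: anonymous access off, the daemon principal gets read/lookup.
  # Only seeded when absent (was a `test -e || ( ... )` subshell).
  if ! test -e "$HOMEPATH/public_html"; then
    mkdir -p "$HOMEPATH/public_html"
    chown "$NEWUSER:nogroup" "$HOMEPATH/public_html"
    fs sa "$HOMEPATH/public_html" system:anyuser none
    fs sa "$HOMEPATH/public_html" "$NEWUSER.daemon" rl
  fi

  # Readable by everyone (system:anyuser rl) -- presumably so mail delivery
  # can read the member's procmail config without a member token; verify.
  mkdir -p "$HOMEPATH/.procmail.d"
  chown "$NEWUSER:nogroup" "$HOMEPATH/.procmail.d"
  fs sa "$HOMEPATH/.procmail.d" system:anyuser rl

  # World-readable (system:anyuser rl) by design.
  mkdir -p "$HOMEPATH/.public/"
  chown "$NEWUSER:nogroup" "$HOMEPATH/.public"
  fs sa "$HOMEPATH/.public" system:anyuser rl

  # ~/.domtool is a symlink into the world-readable .public tree; the link and
  # its ownership are created on the domtool server via ssh, and skipped when
  # a file or link already exists at that path.
  mkdir -p "$HOMEPATH/.public/.domtool"
  chown "$NEWUSER:nogroup" "$HOMEPATH/.public/.domtool"
  test -e "$HOMEPATH/.domtool" || \
    test -L "$HOMEPATH/.domtool" || \
    execute_on_domtool_server ln -s "$HOMEPATH/.public/.domtool" "$HOMEPATH/.domtool"
  execute_on_domtool_server chown "$NEWUSER" "$HOMEPATH/.domtool"
  # ^^ work around sudo env_reset crap without having to
  # actually figure out how to make it work cleanly -- clinton,
  # [comment continues on original line 246, which is not in this copy]
}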
250 # Non-AFS files and directories
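#######################################
# Create the member's Apache DAV lock directory on the web node.
# Globals:   NEWUSER (read)
# Notes:     Mode ug=rwx,o= -- the member and www-data share the directory;
#            other members get nothing, so their lock files stay private.
#######################################
function create_dav_locks () {
  # Make per-user apache DAV lock directory -- the directory must be
  # both user and group-writable, which is silly.
  execute_on_web_nodes sudo mkdir -p "/var/lock/apache2/dav/$NEWUSER"
  execute_on_web_nodes sudo chown "$NEWUSER:www-data" "/var/lock/apache2/dav/$NEWUSER"
  execute_on_web_nodes sudo chmod ug=rwx,o= "/var/lock/apache2/dav/$NEWUSER"
}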
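#######################################
# Set up the member's database accounts.
# Globals:   NEWUSER (read)
# Notes:     The work itself lives in the shared create-user-database script
#            in AFS, run as root via sudo; this is only the entry point.
# Returns:   that script's exit status
#######################################
function setup_user_databases () {
  sudo /afs/hcoop.net/common/etc/scripts/create-user-database "$NEWUSER"
}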
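#######################################
# Register the member with domtool (domtool-adduser on the domtool server).
# Globals:   NEWUSER (read)
# Returns:   exit status of the remote domtool-adduser run
#######################################
function enable_domtool () {
  execute_on_domtool_server domtool-adduser "$NEWUSER"
}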
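#######################################
# Subscribe the member's hcoop.net address to the announce list.
# Globals:   NEWUSER (read)
# Notes:     add_members reads addresses from stdin (-r -) and runs as the
#            mailman "list" user on minsky. printf rather than echo: an
#            address is data, not an echo option.
#######################################
function subscribe_to_lists () {
  # Subscribe user to our mailing lists.
  printf '%s\n' "$NEWUSER@hcoop.net" |
    ssh -K minsky sudo -u list \
      /var/lib/mailman/bin/add_members -r - hcoop-announce
}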
#######################################
# Push volume changes out to the AFS servers and refresh every machine's
# volume-location cache.
#######################################
function ensure_afs_servers_synced () {
  # (original lines 281-282 are not in this copy)
  # technically this might not be necessary, but for good measure...
  # (original line 284 is not in this copy)
  for srv in gibran lovelace; do
    # (original lines 286-289 -- the loop body and its done -- are not in
    # this copy)
  # refresh volume location cache (takes ~2hrs otherwise)
  execute_on_all_machines fs checkvolumes
  # (original lines 292-297 are not in this copy)
}
#######################################
# Write the member's FastCGI wrapper script into the domtool httpd tree.
# Globals:   NEWUSER, PATHBITS (read)
#######################################
function create_fcgi_wrapper () {
  # note: might want to move this to domtool-adduser
  local wrapper_dir="/afs/hcoop.net/common/etc/domtool/httpd/fastcgi/${PATHBITS}"
  local wrapper="${wrapper_dir}/${NEWUSER}-wrapper-wrapper"
  mkdir -p $wrapper_dir
  # (original lines 303-305 are not in this copy; the escaped \$@ below
  # suggests they open a here-document that writes $wrapper -- verify)
  # The generated wrapper takes a ticket from the member's daemon keytab and
  # then execs the real program: -q quiet, -t also run aklog for an AFS
  # token, -U take the principal from the keytab, -f the keytab to read.
  # NOTE(review): in the written file this becomes an unquoted $@, which
  # word-splits the wrapped program's arguments; "\$@" would preserve them.
  exec k5start -qtUf /etc/keytabs/user.daemon/${NEWUSER} -- \$@
  # (original lines 307-309 are not in this copy)
  chown $NEWUSER:nogroup $wrapper
  chown $NEWUSER:nogroup $wrapper_dir
  # (the closing brace of this function is not in this copy)
}