# -*- sh-mode -*-

# Library functions for create-user scripts
# Export the $NEWUSER variable before sourcing!

# Functionality is split so that the scripts for creating real users,
# service users, and web service users can share as much code as
# possible.

# This has probably grown to the point where it shouldn't be a shell
# script any more.

# ALWAYS REMEMBER: THIS MUST BE IDEMPOTENT! Re-creating a user is
# something that should be perfectly permissible, and is something
# that we do somewhat regularly (to bring old accounts up to date).

17 export PATH=$PATH:/afs/hcoop.net/common/bin/
18
19 if test -z "$NEWUSER"; then
20 echo "NEWUSER not set before sourcing create user library"
21 exit 1
22 fi
23
24 #
25 # Construct various paths for later perusal.
26 #
27
28 # (If it's not clear, for user fred, PATHBITS = f/fr/fred)
29 PATHBITS=`echo $NEWUSER | head -c 1`/`echo $NEWUSER | head -c 2`/$NEWUSER
30 HOMEPATH=/afs/hcoop.net/user/$PATHBITS
31 MAILPATH=/afs/hcoop.net/common/email/$PATHBITS
32
#
# Helper functions
#

37 function execute_on_web_nodes () {
38 ssh -K shelob.hcoop.net $*
39 }
40
41 function execute_on_domtool_server () {
42 ssh -K gibran.hcoop.net $*
43 }
44
45
46 function execute_on_all_machines () {
47 $*
48 ssh -K marsh.hcoop.net $*
49 ssh -K minsky.hcoop.net $*
50 ssh -K shelob.hcoop.net $*
51 ssh -K outpost.hcoop.net $*
52 }
53
#
# User credentials
#

58 function create_pts_user () {
59 # Create primary user kerberos principle and afs pts user
60
61 # We use -randkey for user's main principal as well, to make sure
62 # that the creation process does not continue without having a
63 # main principal. (But you who want to set password for a user,
64 # don't worry - we'll invoke cpw later, so that it has the same
65 # effect as setting password right now - while it is more error
66 # tolerant).
67
68 sudo kadmin.local -p root/admin -q "ank -policy user -randkey +requires_preauth $NEWUSER@HCOOP.NET"
69 sudo kadmin.local -p root/admin -q "modprinc -maxlife 1day $NEWUSER@HCOOP.NET"
70
71 pts cu $NEWUSER || true
72 }
73
74 function create_pts_user_daemon () {
75
76 # Create additional kerberos principles ($user.daemon for now, in
77 # theory also $user.mail, $user.cgi) and pts users for any used to
78 # gain afs access ($user.daemon only)
79 sudo kadmin.local -p root/admin -q "ank -policy daemon -randkey +requires_preauth $NEWUSER/daemon@HCOOP.NET"
80 pts cu $NEWUSER.daemon || true
81 }
82
83 function export_user_keytabs () {
84
85 # Export .mailfilter and .cgi keys to a keytab file
86
87 # This is suboptimal, we need to generate keytabs for
88 # cgi/mail/etc. separately, and only sync to the nodes that
89 # perform the services in question
90
91 # create a daemon keytab (used by /etc/exim4/get-token)
92 # *only* if it does not exist!
93 test -e /etc/keytabs/user.daemon/$NEWUSER || \
94 sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/user.daemon/$NEWUSER $NEWUSER/daemon@HCOOP.NET"
95
96 # Properly chown/mod keytab files (must be $NEWUSER:www-data)
97 sudo chown $NEWUSER:www-data /etc/keytabs/user.daemon/$NEWUSER
98 sudo chmod 440 /etc/keytabs/user.daemon/$NEWUSER
99
100 # rsync keytabs
101 # only needed on nodes that will run code on behalf of members
102 # fixme: duplicates all server list
103 (cd /etc/keytabs
104 sudo tar clpf - user.daemon/$NEWUSER | \
105 ssh marsh.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
106 (cd /etc/keytabs
107 sudo tar clpf - user.daemon/$NEWUSER | \
108 ssh minsky.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
109 (cd /etc/keytabs
110 sudo tar clpf - user.daemon/$NEWUSER | \
111 ssh shelob.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
112 }
113
114
#
# Create/mount/set-perms on user's volumes (home, mail, databases, logs)
#

# Each function that creates an AFS volume should ensure that the
# backup volume is created and mounted for users.

122 function create_home_volume () {
123
124 if vos examine user.$NEWUSER.d 2>/dev/null; then
125 echo "Reactivating old volume (user.$NEWUSER.d)"
126 vos rename user.$NEWUSER.d user.$NEWUSER
127 fi
128 vos examine user.$NEWUSER 2>/dev/null || \
129 vos create gibran.hcoop.net /vicepa user.$NEWUSER -maxquota 4000000
130
131 mkdir -p `dirname $HOMEPATH`
132 fs ls $HOMEPATH || test -L $HOMEPATH || fs mkm $HOMEPATH user.$NEWUSER
133 chown $NEWUSER:nogroup $HOMEPATH
134 fs sa $HOMEPATH $NEWUSER all
135 fs sa $HOMEPATH system:anyuser l
136 # cleanliness / needed to keep suphp happy
137 chown root:root $HOMEPATH/../../
138 chown root:root $HOMEPATH/../
139
140 # backup volume
141 mkdir -p `dirname /afs/hcoop.net/.old/user/$PATHBITS`
142 fs ls /afs/hcoop.net/.old/user/$PATHBITS || \
143 fs mkm /afs/hcoop.net/.old/user/$PATHBITS user.$NEWUSER.backup
144 }
145
146
147 function create_mail_volume () {
148
149 if vos examine mail.$NEWUSER.d 2>/dev/null; then
150 echo "Reactivating old volume (mail.$NEWUSER.d)"
151 vos rename mail.$NEWUSER.d mail.$NEWUSER
152 fi
153 vos examine mail.$NEWUSER 2>/dev/null || \
154 vos create gibran.hcoop.net /vicepa mail.$NEWUSER -maxquota 4000000
155
156 mkdir -p `dirname $MAILPATH`
157 fs ls $MAILPATH || fs mkm $MAILPATH mail.$NEWUSER
158 fs ls $HOMEPATH/Maildir || fs mkm $HOMEPATH/Maildir mail.$NEWUSER
159 chown $NEWUSER:nogroup $MAILPATH
160 chown $NEWUSER:nogroup $HOMEPATH/Maildir
161 fs sa $MAILPATH $NEWUSER all
162 fs sa $MAILPATH $NEWUSER.daemon all
163
164 if test ! -e $MAILPATH/new; then
165 mkdir -p $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp
166 echo -e "This email account is provided as a service for HCoop members." \
167 "\n\nTo learn how to use it, please visit the page" \
168 "\n<http://wiki.hcoop.net/MemberManual/Email> on our website."| \
169 mail -s "Welcome to your HCoop email store" \
170 -e -a "From: postmaster@hcoop.net" \
171 real-$NEWUSER@hcoop.net
172 fi
173
174 chown $NEWUSER:nogroup $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp
175
176 # Set up shared SpamAssassin folder
177 if test -f $HOMEPATH/Maildir/shared-maildirs; then
178 # Deal with case where user rsync'd their Maildir from fyodor
179 # Not an issue now, but harmless and can be adapted when we
180 # move the spamd dirs into afs where they belong later.
181 pattern='^SpamAssassin /home/spamd'
182 file=$HOMEPATH/Maildir/shared-maildirs
183 if grep $pattern $file; then
184 sed -i -r -e \
185 's!^(SpamAssassin )/home/spamd!\1/var/local/lib/spamd!1' \
186 $file
187 fi
188 else
189 maildirmake --add SpamAssassin=/afs/hcoop.net/user/s/sp/spamd/Maildir \
190 $HOMEPATH/Maildir
191 fi
192
193 mkdir -p `dirname /afs/hcoop.net/.old/mail/$PATHBITS`
194 fs ls /afs/hcoop.net/.old/mail/$PATHBITS || \
195 fs mkm /afs/hcoop.net/.old/mail/$PATHBITS mail.$NEWUSER.backup
196 vos release old
197 }
198
199 function seed_user_hcoop_directories () {
200 # Additional standard directories. Some of these should probably
201 # be on their own volumes, and access via a canonical path instead
202 # to give users more control over their home dir without risking
203 # breaking system services.
204
205 # Apache logs
206 mkdir -p $HOMEPATH/.logs
207 chown $NEWUSER:nogroup $HOMEPATH/.logs
208 mkdir -p $HOMEPATH/.logs/apache
209 chown $NEWUSER:nogroup $HOMEPATH/.logs/apache
210 fs sa $HOMEPATH/.logs/apache $NEWUSER.daemon rlwidk
211 fs sa $HOMEPATH/.logs/apache webalizer read
212 mkdir -p $HOMEPATH/.logs/mail
213 fs sa $HOMEPATH/.logs/mail $NEWUSER.daemon rlwidk
214 chown $NEWUSER:nogroup $HOMEPATH/.logs/mail
215
216 # public_html
217 test -e $HOMEPATH/public_html || \
218 (mkdir -p $HOMEPATH/public_html; \
219 chown $NEWUSER:nogroup $HOMEPATH/public_html; \
220 fs sa $HOMEPATH/public_html system:anyuser none; \
221 fs sa $HOMEPATH/public_html $NEWUSER.daemon rl)
222
223 # .procmail.d
224 mkdir -p $HOMEPATH/.procmail.d
225 chown $NEWUSER:nogroup $HOMEPATH/.procmail.d
226 fs sa $HOMEPATH/.procmail.d system:anyuser rl
227
228 # .public
229 mkdir -p $HOMEPATH/.public/
230 chown $NEWUSER:nogroup $HOMEPATH/.public
231 fs sa $HOMEPATH/.public system:anyuser rl
232
233 # .domtool
234 mkdir -p $HOMEPATH/.public/.domtool
235 chown $NEWUSER:nogroup $HOMEPATH/.public/.domtool
236 test -e $HOMEPATH/.domtool || \
237 test -L $HOMEPATH/.domtool || \
238 execute_on_domtool_server ln -s $HOMEPATH/.public/.domtool $HOMEPATH/.domtool
239 execute_on_domtool_server chown $NEWUSER $HOMEPATH/.domtool
240 # ^^ work around sudo env_reset crap without having to
241 # actually figure out how to make it work cleanly -- clinton,
242 # 2011-11-30
243 }
244
#
# Non-AFS files and directories
#

249 function create_dav_locks () {
250 # Make per-user apache DAV lock directory -- the directory must be
251 # both user and group-writable, which is silly.
252 execute_on_web_nodes sudo mkdir -p /var/lock/apache2/dav/$NEWUSER
253 execute_on_web_nodes sudo chown $NEWUSER:www-data /var/lock/apache2/dav/$NEWUSER
254 execute_on_web_nodes sudo chmod ug=rwx,o= /var/lock/apache2/dav/$NEWUSER
255 }
256
257 function setup_user_databases () {
258 sudo /afs/hcoop.net/common/etc/scripts/create-user-database $NEWUSER
259 }
260
#
# etc
#

265 function enable_domtool () {
266 execute_on_domtool_server domtool-adduser $NEWUSER
267 }
268
269 function subscribe_to_lists () {
270 # Subscribe user to our mailing lists.
271
272 echo $NEWUSER@hcoop.net | ssh -K minsky sudo -u list \
273 /var/lib/mailman/bin/add_members -r - hcoop-announce
274 }
275
276 function ensure_afs_servers_synced () {
277 vos release old
278
279 # technically this might not be necessary, but for good measure...
280 local srv
281 for srv in gibran lovelace; do
282 vos syncserv $srv
283 vos syncvldb $srv
284 done
285
286 # refresh volume location cache (takes ~2hrs otherwise)
287 execute_on_all_machines fs checkvolumes
288 }
289
#
# webserver
#

294 function create_fcgi_wrapper () {
295 # note: might want to move this to domtool-adduser
296 local wrapper_dir="/afs/hcoop.net/common/etc/domtool/httpd/fastcgi/${PATHBITS}"
297 local wrapper="${wrapper_dir}/${NEWUSER}-wrapper-wrapper"
298 mkdir -p $wrapper_dir
299 cat > $wrapper <<EOF
300 #!/bin/bash
301
302 exec k5start -qtUf /etc/keytabs/user.daemon/${NEWUSER} -- \$@
303 EOF
304
305 chmod +x $wrapper
306 chown $NEWUSER:nogroup $wrapper
307 chown $NEWUSER:nogroup $wrapper_dir
308 }