| 1 | #!/bin/bash |
| 2 | # Get an AFS token for the given user. |
| 3 | # |
| 4 | # This is used to deliver mail with the appropriate credentials. |
| 5 | # |
| 6 | # Usage: |
| 7 | # |
| 8 | # get-token $USER |
| 9 | # - If user is root, call this script as $USER |
| 10 | # |
| 11 | # get-token $USER norecurse |
| 12 | # - Don't recursively call this script, even if user if root |
| 13 | |
| 14 | REALUSER=$(whoami) |
| 15 | USER=$1 |
| 16 | LOGFILE=/tmp/exim4/get-token-log.$USER |
| 17 | |
| 18 | if test "$REALUSER" = "root"; then |
| 19 | if test "$2" = "norecurse"; then |
| 20 | echo "Error: running as root even after trying to change to $USER" \ |
| 21 | > $LOGFILE |
| 22 | exit 1 |
| 23 | fi |
| 24 | |
| 25 | # Decide whether the user exists: getent returns 0 error code if so |
| 26 | getent passwd "$USER" >/dev/null |
| 27 | if test $? -ne 0; then |
| 28 | echo "$USER is not a local user, so ignoring them" |
| 29 | exit 1 |
| 30 | else |
| 31 | exec su $USER -c "$0 $1 norecurse" |
| 32 | fi |
| 33 | fi |
| 34 | |
| 35 | # Make sure USER exists, and resolve UIDs to a login name |
| 36 | USER=$(getent passwd "$USER" | cut -d':' -f 1) |
| 37 | LOGFILE=/tmp/exim4/get-token-log.$USER |
| 38 | |
| 39 | if test -z "$USER"; then |
| 40 | echo "$USER is not a local user, so ignoring them" |
| 41 | exit 1 |
| 42 | fi |
| 43 | |
| 44 | # fuse stdin and stderr |
| 45 | exec 2>&1 |
| 46 | |
| 47 | # all future output goes to this file |
| 48 | exec >& $LOGFILE |
| 49 | |
| 50 | # print name of user |
| 51 | echo "Running as user $REALUSER" |
| 52 | |
| 53 | # debugging output |
| 54 | if test "$2" = "debug"; then |
| 55 | shift; shift |
| 56 | echo "Debugging output: $*" |
| 57 | fi |
| 58 | |
| 59 | # set the credentials cache |
| 60 | export KRB5CCNAME=FILE:/tmp/exim4/krb5cc_$USER.email |
| 61 | |
| 62 | # eliminate any previous tokens |
| 63 | kdestroy |
| 64 | unlog |
| 65 | KEYTAB=/etc/keytabs/user.daemon/$USER |
| 66 | |
| 67 | # display command-to-be-invoked as a sanity check |
| 68 | echo kinit -kt $KEYTAB $USER/daemon@HCOOP.NET |
| 69 | |
| 70 | kinit -kt $KEYTAB $USER/daemon@HCOOP.NET |
| 71 | aklog |
| 72 | |
| 73 | # list tokens, for the sake of debugging |
| 74 | #tokens |