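#!/bin/bash
# Get an AFS token for the given user.
#
# This is used to deliver mail with the appropriate credentials.
#
# Usage:
#
#   get-token $USER
#     - If user is root, call this script as $USER
#
#   get-token $USER norecurse
#     - Don't recursively call this script, even if user is root
#
#   get-token $USER debug [args...]
#     - Echo the extra arguments into the per-user log (only reachable on
#       the non-root invocation, since the root path re-execs with "norecurse")
#
# Exit status: 0 once kinit and aklog have run; 1 when the user is not a
# local account, the root->user switch did not take effect, or kinit fails.
# Nothing is printed to the caller's stdout/stderr after the per-user log
# has been opened.

# The name or UID we were asked for. Kept because $USER is overwritten with
# the resolved login name below and is empty when resolution fails.
REQUESTED=$1
REALUSER=$(whoami)
USER=$1
# Errors that happen before a per-user log can be chosen go here.
ERRLOG=/tmp/exim4/weird-error.log
LOGFILE=$ERRLOG

# Resolve a passwd key (login name or numeric UID) to its login name.
# Prints nothing when no such local account exists.
resolve_login() {
  getent passwd "$1" | cut -d':' -f 1
}

if test "$REALUSER" = "root"; then
  if test "${2-}" = "norecurse"; then
    echo "Error: running as root even after trying to change to $USER" >> "$LOGFILE"
    exit 1
  fi

  # Only switch to accounts that really exist locally.
  USER=$(resolve_login "$REQUESTED")
  if test -z "$USER"; then
    echo "$REQUESTED is not a local user, so ignoring them" >> "$LOGFILE"
    exit 1
  fi
  # Re-run this script as the target user. The command string carries the
  # login name getent returned rather than the raw argument, so only a
  # validated passwd entry ever ends up inside it.
  exec su "$USER" -c "$0 $USER norecurse"
fi

# Make sure USER exists, and resolve UIDs to a login name.
USER=$(resolve_login "$USER")
if test -z "$USER"; then
  # $USER is empty at this point, so report the argument we were given.
  echo "$REQUESTED is not a local user, so ignoring them" >> "$ERRLOG"
  exit 1
fi
LOGFILE=/tmp/exim4/get-token-log.$USER

# From here on all output (stdout and stderr) goes to the per-user log,
# which is truncated on every run.
# NOTE(review): this assumes /tmp/exim4 is a directory that untrusted local
# users cannot write to; otherwise these fixed-name log and cache files could
# be pre-created by someone else — confirm its ownership and mode.
exec >"$LOGFILE" 2>&1

# print name of user
echo "Running as user $REALUSER"

# debugging output
if test "${2-}" = "debug"; then
  shift 2
  echo "Debugging output: $*"
fi

# Per-user credentials cache, separate from any interactive session's.
export KRB5CCNAME=FILE:/tmp/exim4/krb5cc_$USER.email

# Eliminate any previous tickets and tokens. Both commands report failure
# when there is nothing to destroy, so their status is deliberately ignored.
kdestroy || true
unlog || true

KEYTAB=/etc/keytabs/user.daemon/$USER
PRINCIPAL=$USER/daemon@HCOOP.NET

# display command-to-be-invoked as a sanity check
echo kinit -kt "$KEYTAB" "$PRINCIPAL"

# Without a ticket aklog cannot get a token, so stop here and say why.
if ! kinit -kt "$KEYTAB" "$PRINCIPAL"; then
  echo "Error: kinit failed for $PRINCIPAL using keytab $KEYTAB"
  exit 1
fi
aklog

# list tokens, for the sake of debugging
#tokens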