162 lines
4.7 KiB
Bash
Executable File
162 lines
4.7 KiB
Bash
Executable File
#!/bin/bash
|
|
#% Usage: check-member [-l <login>]
|
|
#% Performs sanity checks on a Hackerspace member to see if their infrastructure access is correct.
|
|
|
|
. $LIB_DIR/common.sh
|
|
|
|
function readvar() {
|
|
vname=$1
|
|
prompt=${2:-$1}
|
|
echo -n "$prompt: "
|
|
read $vname
|
|
}
|
|
|
|
function fail() {
|
|
problem="$1"
|
|
remediation="$2"
|
|
fatal="$3"
|
|
|
|
echo -ne "\n\e[31mFatal:\e[0m "
|
|
echo $problem
|
|
|
|
[ ! "$remediation" == "" ] && ( echo 'To fix, try: $' $remediation; echo )
|
|
|
|
if [ ! "$fatal" == "" ] ; then
|
|
echo -n "Cannot continue checks. "
|
|
if [ ! "$remediation" == "" ] ; then
|
|
echo "Please apply fix and retry."
|
|
else
|
|
echo ""
|
|
fi
|
|
exit 1
|
|
fi
|
|
}
|
|
|
|
function weird() {
|
|
problem="$1"
|
|
|
|
echo -ne "\e[33mWeird:\e[0m "
|
|
echo $problem
|
|
echo ""
|
|
|
|
}
|
|
|
|
function ldap() {
|
|
ldapsearch -ZZ "$@" 2>/dev/null
|
|
}
|
|
|
|
kadmin=kadmin.local
|
|
kadminopts=""
|
|
if [ $(whoami) != "root" ] ; then
|
|
kadmin=kadmin
|
|
echo "You are not running as root - please provide Kerberos password for $(whoami)/admin@HACKERSPACE.PL:"
|
|
read -s krbpass
|
|
kadminopts="-w $krbpass"
|
|
$kadmin $kadminopts listprincs | grep -q $(whoami) || fail "Invalid password provided." "" fatal
|
|
echo "$krbpass" | kinit $(whoami)
|
|
else
|
|
kinit -k -t /etc/krb5.keytab
|
|
fi
|
|
|
|
|
|
member="$1"
|
|
|
|
[ ! "$member" ] && readvar login "Login"
|
|
|
|
echo -e "\e[32mStep 1\e[0m - Checking basic LDAP for $member"
|
|
|
|
ldap -b 'ou=People,dc=hackerspace,dc=pl' "uid=$member" | grep -q "uid: $member" || \
|
|
fail "User $member does not exist in LDAP" "add-user -l $member" fatal
|
|
|
|
memberdn="uid=$1,ou=People,dc=hackerspace,dc=pl"
|
|
|
|
function check_group() {
|
|
group_cn="$1"
|
|
ldap -b 'ou=Group,dc=hackerspace,dc=pl' "cn=$group_cn" | grep -q "uniqueMember: $memberdn"
|
|
res=$?
|
|
return $res
|
|
}
|
|
|
|
check_group wikiuser || fail "User $member does not have wiki access" "add-to-wiki $member"
|
|
|
|
ldap -b 'ou=Group,dc=hackerspace,dc=pl' "cn=$member" | grep -q "cn: $member" || \
|
|
fail "User $member does not own a POSIX group in LDAP" "create-posix-group $member $(id -u $member)"
|
|
|
|
check_group $member || fail "User $member is not a member of their POSIX group"
|
|
|
|
echo -e "\e[32mStep 2\e[0m - Checking correct membership of $member"
|
|
|
|
is_fatty=0
|
|
is_starving=0
|
|
check_group fatty
|
|
if [ $? == 0 ] ; then
|
|
is_fatty=1
|
|
fi
|
|
check_group starving
|
|
if [ $? == 0 ] ; then
|
|
is_starving=1
|
|
fi
|
|
|
|
is_hs_member=0
|
|
if [ $is_fatty == 1 ] ; then
|
|
is_hs_member=1
|
|
fi
|
|
if [ $is_starving == 1 ] ; then
|
|
is_hs_member=1
|
|
fi
|
|
[ $is_fatty == 1 ] && [ $is_starving == 1 ] && fail "Member $member is both fatty and starving."
|
|
[ $is_fatty == 0 ] && [ $is_starving == 0 ] && weird "Member $member is neither fatty nor starving. Are they just friends of friends?"
|
|
|
|
if [ $is_hs_member == 1 ]; then
|
|
echo -e "\e[32mStep 3\e[0m - Checking member privileges."
|
|
check_group xmpp-users || fail "User $member does not have access to XMPP." "enable-xmpp $member"
|
|
check_group boston-shell || fail "User $member does not have access to SSH." "enable-boston-shell $member"
|
|
check_group vpn-users || fail "User $member does not have access to VPN." "enable-vpn $member"
|
|
ldap -b 'ou=People,dc=hackerspace,dc=pl' "uid=$member" | grep loginShell: /bin/false && fail "User $member has /bin/false as shell." "set-shell $member"
|
|
else
|
|
echo -e "\e[32mStep 3\e[0m - Skipping member privilege checks (SSH, VPN, XMPP...)"
|
|
fi
|
|
|
|
|
|
echo -e "\e[32mStep 4\e[0m - Checking local filesystem."
|
|
|
|
maildir="/var/spool/mail/$member"
|
|
[ -d $maildir ] || fail "User $member does not have maildir" "sudo mkdir $maildir"
|
|
stat --printf="%U:%G" $maildir | grep -q "$member:mail" || fail "User $member has broken ownership on maildir" "sudo chown -R $member:mail $maildir"
|
|
stat --printf="%a" $maildir | grep -q '700' || fail "User $member has broken permissions on maildir" "sudo chmod -R 700 $maildir"
|
|
|
|
echo -e "\e[32mStep 5\e[0m - Checking kerberos integration."
|
|
|
|
if check_group boston-shell; then
|
|
homedir="/home/$member"
|
|
[ -d $homedir ] || fail "User $member does not have a homedir" "sudo cp -rv /etc/skel $homedir"
|
|
stat --printf="%U:%G" $homedir | grep -q "$member:$member" || fail "User $member has broken ownership on homedir" "sudo chown $member:$member $homedir"
|
|
fi
|
|
|
|
if $kadmin $kadminopts listprincs | grep -q $member ; then
|
|
principal="$member@HACKERSPACE.PL"
|
|
has_sasl=0
|
|
has_ssha=0
|
|
|
|
ldap -b 'ou=People,dc=hackerspace,dc=pl' "uid=$member" | grep 'userPassword' | while read line; do
|
|
echo $line | cut -d" " -f 2 | base64 -d
|
|
done | grep -q "{SASL}$principal"
|
|
if [ $? == 0 ] ; then
|
|
has_sasl=1
|
|
fi
|
|
|
|
ldap -b 'ou=People,dc=hackerspace,dc=pl' "uid=$member" | grep 'userPassword' | while read line; do
|
|
echo $line | cut -d" " -f 2 | base64 -d
|
|
done | grep -q "{SSHA}"
|
|
if [ $? == 0 ] ; then
|
|
has_ssha=1
|
|
fi
|
|
|
|
[ $has_sasl == 1 ] && [ $has_ssha == 1 ] && fail "User $member has both SASL and SSHA password in LDAP"
|
|
else
|
|
weird "User $member has no kerberos principal" "kadmin add_principal $member@HACKERSPACE.PL"
|
|
fi
|
|
|
|
|
|
|