#!/bin/bash # _____ _ _ # | __|___ ___ ___ _| |___ _____| |_ ___ ___ ___ # | __| _| -_| -_| . | . | | . | . | | -_| # |__| |_| |___|___|___|___|_|_|_|___|___|_|_|___| # # Freedom in the Cloud # Adds an user to the system # License # ======= # # Copyright (C) 2015-2018 Bob Mottram # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Affero General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU Affero General Public License for more details. # # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see . PROJECT_NAME='freedombone' export TEXTDOMAIN=${PROJECT_NAME}-adduser export TEXTDOMAINDIR="/usr/share/locale" CONFIGURATION_FILE="$HOME/${PROJECT_NAME}.cfg" UTILS_FILES="/usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-*" for f in $UTILS_FILES do source "$f" done APP_FILES="/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-*" for f in $APP_FILES do source "$f" done ADD_USERNAME=$1 SSH_PUBLIC_KEY="$2" GPG_KEYSERVER='hkp://keys.gnupg.net' SSH_PORT=2222 COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt DEFAULT_DOMAIN_NAME= if [ ! "$ADD_USERNAME" ]; then echo $'No username was given' exit 1 fi if [ -d "/home/$ADD_USERNAME" ]; then echo $"The user $ADD_USERNAME already exists" exit 2 fi if [ ! -f "$COMPLETION_FILE" ]; then echo $"$COMPLETION_FILE not found" userdel -r "$ADD_USERNAME" exit 3 fi # Minimum number of characters in a password MINIMUM_PASSWORD_LENGTH=$(grep 'MINIMUM_PASSWORD_LENGTH=' "/usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-passwords" | head -n 1 | awk -F '=' '{print $2}') NEW_USER_PASSWORD="$(create_password "${MINIMUM_PASSWORD_LENGTH}")" chmod 600 /etc/shadow chmod 600 /etc/gshadow useradd -m -p "$NEW_USER_PASSWORD" -s /bin/bash "$ADD_USERNAME" adduser "$ADD_USERNAME" sasl groupadd "$ADD_USERNAME" chmod 0000 /etc/shadow chmod 0000 /etc/gshadow if [ ! -d "/home/$ADD_USERNAME" ]; then echo $'Home directory was not created' exit 4 fi if [ "$SSH_PUBLIC_KEY" ]; then if [ ${#SSH_PUBLIC_KEY} -gt 5 ]; then if [ -f "$SSH_PUBLIC_KEY" ]; then mkdir "/home/$ADD_USERNAME/.ssh" cp "$SSH_PUBLIC_KEY" "/home/$ADD_USERNAME/.ssh/authorized_keys" chown -R "$ADD_USERNAME":"$ADD_USERNAME" "/home/$ADD_USERNAME/.ssh" echo $'ssh public key installed' else if [[ "$SSH_PUBLIC_KEY" == "ssh-"* ]]; then mkdir "/home/$ADD_USERNAME/.ssh" echo "$SSH_PUBLIC_KEY" > "/home/$ADD_USERNAME/.ssh/authorized_keys" chown -R "$ADD_USERNAME":"$ADD_USERNAME" "/home/$ADD_USERNAME/.ssh" echo $'ssh public key installed' else echo $'The second parameter does not look like an ssh key' exit 5 fi fi fi fi if [ -d "/home/$ADD_USERNAME/Maildir" ]; then if grep -q "set from=" "/home/$ADD_USERNAME/.muttrc"; then sed -i "s|set from=.*|set from='$ADD_USERNAME <$ADD_USERNAME@$HOSTNAME>'|g" "/home/$ADD_USERNAME/.muttrc" else echo "set from='$ADD_USERNAME <$ADD_USERNAME@$HOSTNAME>'" >> "/home/$ADD_USERNAME/.muttrc" fi sed -i "s|\$USER@|$ADD_USERNAME@|g" "/home/$ADD_USERNAME/.procmailrc" fi # generate a gpg key echo "Making a GPG key for $ADD_USERNAME@$HOSTNAME" mkdir "/home/$ADD_USERNAME/.gnupg" { echo "keyserver $GPG_KEYSERVER"; echo 'keyserver-options auto-key-retrieve'; echo ''; echo '# default preferences'; echo 'personal-digest-preferences SHA256'; echo 'cert-digest-algo SHA256'; echo 'default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed'; } >> "/home/$ADD_USERNAME/.gnupg/gpg.conf" chown -R "$ADD_USERNAME":"$ADD_USERNAME" "/home/$ADD_USERNAME/.gnupg" chmod 700 "/home/$ADD_USERNAME/.gnupg" chmod 600 "/home/$ADD_USERNAME/.gnupg/"* # Generate a GPG key { echo 'Key-Type: eddsa'; echo 'Key-Curve: Ed25519'; echo 'Subkey-Type: eddsa'; echo "Name-Real: $ADD_USERNAME"; echo "Name-Email: $ADD_USERNAME@$HOSTNAME"; echo 'Expire-Date: 0'; echo "Passphrase: $NEW_USER_PASSWORD"; } > "/home/$ADD_USERNAME/gpg-genkey.conf" chown "$ADD_USERNAME":"$ADD_USERNAME" "/home/$ADD_USERNAME/gpg-genkey.conf" su -m root -c "gpg --homedir /home/$ADD_USERNAME/.gnupg --batch --full-gen-key /home/$ADD_USERNAME/gpg-genkey.conf" - "$ADD_USERNAME" chown -R "$ADD_USERNAME":"$ADD_USERNAME" "/home/$ADD_USERNAME/.gnupg" rm "/home/$ADD_USERNAME/gpg-genkey.conf" MY_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$ADD_USERNAME" "$ADD_USERNAME@$HOSTNAME") MY_GPG_PUBLIC_KEY="/home/$ADD_USERNAME/public_key.gpg" su -m root -c "gpg --output $MY_GPG_PUBLIC_KEY --armor --export $MY_GPG_PUBLIC_KEY_ID" - "$ADD_USERNAME" if [ ! -f "$MY_GPG_PUBLIC_KEY" ]; then echo "GPG public key was not generated for $ADD_USERNAME@$HOSTNAME $MY_GPG_PUBLIC_KEY_ID" userdel -r "$ADD_USERNAME" exit 7 fi gpg_agent_setup "$ADD_USERNAME" # add a monkeysphere subkey #echo $'Adding monkeysphere subkey' #su -c "monkeysphere gen-subkey" - $ADD_USERNAME #echo $'Adding monkeysphere subkey to ssh-agent' #su -c "monkeysphere s" - $ADD_USERNAME # add authorized GPG email address #mkdir /home/$ADD_USERNAME/.monkeysphere #chmod 755 /home/$ADD_USERNAME/.monkeysphere #echo "$ADD_USERNAME <$ADD_USERNAME@$HOSTNAME>" > /home/$ADD_USERNAME/.monkeysphere/authorized_user_ids #chmod 644 /home/$ADD_USERNAME/.monkeysphere/authorized_user_ids #chown -R $ADD_USERNAME:$ADD_USERNAME /home/$ADD_USERNAME/.monkeysphere #echo $'Updating monkeysphere users' #monkeysphere-authentication update-users if [ -f "/home/$ADD_USERNAME/.muttrc" ]; then # encrypt outgoing mail to the "sent" folder if ! grep -q "pgp_encrypt_only_command" "/home/$ADD_USERNAME/.muttrc"; then { echo ''; echo $'# Encrypt items in the Sent folder'; echo "set pgp_encrypt_only_command=\"/usr/lib/mutt/pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --always-trust --encrypt-to $MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\""; } >> "/home/$ADD_USERNAME/.muttrc" else sed -i "s|set pgp_encrypt_only_command.*|set pgp_encrypt_only_command=\"/usr/lib/mutt/pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --always-trust --encrypt-to $MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"|g" "/home/$ADD_USERNAME/.muttrc" fi if ! grep -q "pgp_encrypt_sign_command" "/home/$ADD_USERNAME/.muttrc"; then echo "set pgp_encrypt_sign_command=\"/usr/lib/mutt/pgpewrap gpg %?p?--passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --always-trust --encrypt-to $MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"" >> "/home/$ADD_USERNAME/.muttrc" else sed -i "s|set pgp_encrypt_sign_command.*|set pgp_encrypt_sign_command=\"/usr/lib/mutt/pgpewrap gpg %?p?--passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --always-trust --encrypt-to $MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"|g" "/home/$ADD_USERNAME/.muttrc" fi fi if ! grep -q "Change your GPG password" "/home/$ADD_USERNAME/README"; then { echo ''; echo ''; echo $'# Change your GPG password'; echo $"It's very important to add a password to your GPG key so that"; echo $"if anyone does get access to your email they still won't be able"; echo $'to read them without knowning the GPG password.'; echo $'You can change the it with:'; echo ''; echo " gpg --edit-key $MY_GPG_PUBLIC_KEY_ID"; echo ' passwd'; echo ' save'; echo ' quit'; } >> "/home/$ADD_USERNAME/README" fi chown "$ADD_USERNAME":"$ADD_USERNAME" "/home/$ADD_USERNAME/README" chown "$ADD_USERNAME":"$ADD_USERNAME" "$MY_GPG_PUBLIC_KEY" chmod 600 "/home/$ADD_USERNAME/README" echo $'Detecting installed apps...' detect_apps get_apps_installed_names # shellcheck disable=SC2068 for app_name in ${APPS_INSTALLED_NAMES[@]} do if [[ $(function_exists "add_user_${app_name}") == "1" ]]; then echo $"Adding user to ${app_name}" app_load_variables "${app_name}" retval=$("add_user_${app_name}" "$ADD_USERNAME" "$NEW_USER_PASSWORD" | tail -n 1) if [[ $retval != '0' ]]; then echo $"Failed with error code ${retval}" "${PROJECT_NAME}-rmuser" "$ADD_USERNAME" --force exit 672392 fi if ! grep -q "${app_name}_${ADD_USERNAME}" "$APP_USERS_FILE"; then echo "${app_name}_${ADD_USERNAME}" >> "$APP_USERS_FILE" fi fi done if [ -f /etc/nginx/.htpasswd ]; then if ! grep -q "${ADD_USERNAME}:" /etc/nginx/.htpasswd; then echo "$NEW_USER_PASSWORD" | htpasswd -i -s /etc/nginx/.htpasswd "$ADD_USERNAME" fi fi # add user menu on ssh login if ! grep -q 'controluser' "/home/$ADD_USERNAME/.bashrc"; then echo 'export PS1="\W \$"' >> "/home/$ADD_USERNAME/.bashrc" echo 'controluser' >> "/home/$ADD_USERNAME/.bashrc" fi # fix some gpg strangeness when searching for keys printf '%%Assuan%%\nsocket=/dev/shm/S.dirmngr\n' > "/home/$ADD_USERNAME/.gnupg/S.dirmngr" if [ -d "/home/$ADD_USERNAME/.gnupg/crls.d" ]; then chmod +x "/home/$ADD_USERNAME/.gnupg/crls.d" fi "${PROJECT_NAME}-pass" -u "$ADD_USERNAME" -a login -p "$NEW_USER_PASSWORD" gpg_agent_enable "$ADD_USERNAME" clear echo $"New user $ADD_USERNAME was created" echo $"Their login password is $NEW_USER_PASSWORD" echo '' echo $"They can download their GPG keys with:" echo '' echo " scp -P $SSH_PORT -r $ADD_USERNAME@$HOSTNAME:/home/$ADD_USERNAME/.gnupg ~/" echo '' echo $"They should also run ${PROJECT_NAME}-client on their system to ensure" echo $'the best security.' exit 0