From 127e786b70911bed54c1189e394e6744907395c1 Mon Sep 17 00:00:00 2001
From: Benjamin Morrison
Date: Mon, 12 Jun 2023 22:40:57 -0400
Subject: wrapper script for adding users in bulk. cleanup and reconcile local changes.
---
 README.md | 2 +-
 bin/badprocs.py | 2 +-
 bin/connusers.py | 1 -
 bin/makeuser | 107 --------------------------------------------------
 bin/makeuser.sh | 110 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 bin/makeuser_all.sh | 97 +++++++++++++++++++++++++++++++++++++++++++++
 bin/motdrotate.py | 2 -
 bin/regusers.py | 1 -
 bin/rmuser | 7 +++-
 bin/showwhoison | 9 ++++-
 bin/weekconns.py | 1 -
 11 files changed, 222 insertions(+), 117 deletions(-)
 delete mode 100755 bin/makeuser
 create mode 100755 bin/makeuser.sh
 create mode 100644 bin/makeuser_all.sh
diff --git a/README.md b/README.md
index 56b70ac..262ac3d 100644
--- a/README.md
+++ b/README.md
@@ -5,4 +5,4 @@ Scripts that make [tilde.institute](https://tilde.institute) work. Includes new user creation and other miscellaneous tasks, such as various monitoring scripts.
-Scripts have author credited at the top of the file
+Scripts have author credited at the top of the file if they were written by someone else.
diff --git a/bin/badprocs.py b/bin/badprocs.py
index ae41702..515e366 100755
--- a/bin/badprocs.py
+++ b/bin/badprocs.py
@@ -2,7 +2,6 @@
 # Checks the process list for anything that could be potentially worrisome.
 # If something is found, emails the admins@tilde.institute account.
-# gbmor
 from shlex import quote
 import subprocess
@@ -47,6 +46,7 @@ if __name__ == "__main__":
 "transmission",
 "tshark",
 "xmr", # lots of monero miners have this in the name
+ "znc",
 ]
 procsFound = getBadProcs(procsList)
diff --git a/bin/connusers.py b/bin/connusers.py
index ebdde7f..0a1cafd 100755
--- a/bin/connusers.py
+++ b/bin/connusers.py
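Review bot: The new `"znc"` entry in the badprocs.py list is the one item whose rationale is not obvious from its name, while the neighbouring `"xmr"` entry carries an explanatory comment; a trailing comment in the same style, such as `"znc",  # IRC bouncer — state why it is flagged here`, would save the next reader a guess. How `getBadProcs` matches these names is outside the hunk, so whether a short substring like `znc` can also hit unrelated command lines cannot be judged from here.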
@@ -1,7 +1,6 @@
 #!/usr/local/bin/python3 -I
 # Lists currently connected users for https://tilde.institute/stats
-# gbmor
 # 'ps' truncates usernames at 8 characters (called by 'showwhoison' to find mosh users)
 # so I'm matching the potentially-partial username to a home directory to retrieve
diff --git a/bin/makeuser b/bin/makeuser
deleted file mode 100755
index e9a4c1f..0000000
--- a/bin/makeuser
+++ /dev/null
@@ -1,107 +0,0 @@ -#!/usr/local/bin/bash -# --------------------------------------------------------------------------- -# makeuser - tilde.institute new user creation -# Usage: makeuser [-h|--help] "" -# ben@gbmor.dev -# --------------------------------------------------------------------------- - -PROGNAME=${0##*/} -VERSION="0.1" - -error_exit() { - echo -e "${PROGNAME}: ${1:-"Unknown Error"}" >&2 - exit 1 -} - -usage() { - echo -e "usage: $PROGNAME [-h|--help] \"\"" -} - -[[ $(id -u) != 0 ]] && error_exit "you must be the superuser to run this script." - -USERLIST=$( /etc/httpd/$1.conf - -# add the user's vhost config to the bridged vhost config, which -# is loaded by /etc/httpd.conf. This is necessary because httpd(8) -# does not support globbing on includes - echo "include \"/etc/httpd/$1.conf\"" >> /etc/httpd-vusers.conf - -# Sort and deduplicate entries in the bridged vhost config file -# Duplicate entries cause weird behavior. Subdomains after the -# duplicated entry won't resolve properly and instead resolve -# to the main site - sort -u /etc/httpd-vusers.conf > /etc/httpd-vusers.conf.sorted - cp /etc/httpd-vusers.conf.sorted /etc/httpd-vusers.conf - #pkill -HUP httpd - rcctl restart httpd - -# send welcome email - sed -e "s/newusername/$1/g" /admin/misc/email.tmpl | mail -r admins@tilde.institute -s "welcome to tilde.institute!" $2 - -# subscribe to mailing list - #echo " " | doas -u $1 mail -s "subscribe" institute-join@lists.tildeverse.org - -# lock down the users' history files so they can't be deleted or truncated (bash and ksh only) - doas -u "$1" touch /home/$1/.history - doas -u "$1" touch /home/$1/.bash_history - chflags uappnd /home/$1/.history - chflags uappnd /home/$1/.bash_history - -# announce the new user's creation on mastodon -# then copy their ssh key to their home directory - /admin/bin/toot.py "Welcome new user ~$1!" - /var/www/htdocs/userlist - echo "$3" | tee /home/$1/.ssh/authorized_keys -esac 
diff --git a/bin/makeuser.sh b/bin/makeuser.sh
new file mode 100755
index 0000000..b349459
--- /dev/null
+++ b/bin/makeuser.sh
@@ -0,0 +1,110 @@
+#!/usr/local/bin/bash
+# ---------------------------------------------------------------------------
+# makeuser - tilde.institute new user creation
+# Usage: makeuser [-h|--help] ""
+# ---------------------------------------------------------------------------
+
+PROGNAME=${0##*/}
+
+error_exit() {
+ echo -e "${PROGNAME}: ${1:-"Unknown Error"}" >&2
+ exit 1
+}
+
+usage() {
+ echo -e "usage: $PROGNAME [-h|--help] \"\""
+}
+
+[[ $(id -u) != 0 ]] && error_exit "you must be the superuser to run this script."
+
+USERLIST=$(cut /etc/httpd/$1.conf
+
+ # add the user's vhost config to the bridged vhost config, which
+ # is loaded by /etc/httpd.conf. This is necessary because httpd(8)
+ # does not support globbing on includes
+ echo "include \"/etc/httpd/$1.conf\"" >>/etc/httpd-vusers.conf
+
+ # Sort and deduplicate entries in the bridged vhost config file
+ # Duplicate entries cause weird behavior. Subdomains after the
+ # duplicated entry won't resolve properly and instead resolve
+ # to the main site
+ sort -u /etc/httpd-vusers.conf >/etc/httpd-vusers.conf.sorted
+ cp /etc/httpd-vusers.conf.sorted /etc/httpd-vusers.conf
+ #pkill -HUP httpd
+ #rcctl restart httpd
+
+ # send welcome email
+ sed -e "s/newusername/$1/g" /admin/misc/email.tmpl | mail -r admins@tilde.institute -s "welcome to tilde.institute!" $2
+
+ # subscribe to mailing list
+ #echo " " | doas -u $1 mail -s "subscribe" institute-join@lists.tildeverse.org
+
+ # lock down the users' history files so they can't be deleted or truncated (bash and ksh only)
+ doas -u "$1" touch /home/$1/.history
+ doas -u "$1" touch /home/$1/.bash_history
+ chflags uappnd /home/$1/.history
+ chflags uappnd /home/$1/.bash_history
+
+ # announce the new user's creation on mastodon
+ # then copy their ssh key to their home directory
+ /admin/bin/toot.py "Welcome new user ~$1!"
+ cut /var/www/htdocs/userlist
+ echo "$3" | tee /home/$1/.ssh/authorized_keys
+ ;;
+esac
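Review bot: `$1` (the username) is interpolated unvalidated into file paths (`/etc/httpd/$1.conf`, `/home/$1/.ssh/authorized_keys`), into the httpd include line and into the sed expression `s/newusername/$1/g`, so an argument containing `/` or `..` changes which files get written or breaks the sed script; a guard next to the root check, such as `case "$1" in ''|*[!a-z0-9_-]*) error_exit "invalid username: $1" ;; esac`, would fail closed before anything is created, and the email in `mail ... $2` should likewise be quoted as `"$2"`. Unlike the deleted `bin/makeuser`, the `rcctl restart httpd` line here is commented out, so a user created with this script on its own gets a vhost config that httpd does not load until something else restarts it; if that is intended because the bulk wrapper restarts once at the end, a comment such as `# httpd is restarted by the caller (makeuser_all.sh)` would make it explicit. The middle of the script, between `USERLIST=$(` and the write to `/etc/httpd/$1.conf`, does not survive in this rendering, so the account-creation steps could not be reviewed.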
diff --git a/bin/makeuser_all.sh b/bin/makeuser_all.sh
new file mode 100644
index 0000000..7fdad76
--- /dev/null
+++ b/bin/makeuser_all.sh
@@ -0,0 +1,97 @@
+#!/bin/sh
+
+new_users_file="$1"
+if [ -z "${new_users_file}" ]; then
+ printf 'Please specify a new users file: ./%s new_users.txt\n' "$0"
+ exit 1
+fi
+
+add_user() {
+ user_name="$1"
+ user_email="$2"
+ user_pubkey="$3"
+
+ # generate a random 20 digit password
+ # encrypt the password and pass it to
+ # useradd, set ksh as default shell
+ printf 'Adding new user %s\n' "$1"
+ new_pw="$(pwgen -1B 20)"
+ pw_crypt="$(encrypt "${new_pw}")"
+ useradd -m -g 1001 -p "$pw_crypt" -s /bin/ksh -k /etc/skel "${user_name}"
+
+ # make the public_html directory for the users
+ mkdir "/var/www/users/$1"
+ chown "${user_name}:tilde" "/var/www/users/${user_name}"
+ doas -u "${user_name}" ln -s "/var/www/users/${user_name}" "/home/${user_name}/public_html"
+
+ # make the public_repos directory
+ mkdir "/var/www/cgit_repos/${user_name}"
+ chown "${user_name}:tilde" "/var/www/cgit_repos/${user_name}"
+ doas -u "${user_name}" ln -s "/var/www/cgit_repos/${user_name}" "/home/${user_name}/public_repos"
+
+ # set up the httpd configuration for
+ # individual users. this config forces tls
+ # for all subdomains
+ echo "server \"${user_name}.tilde.institute\" {
+ listen on \$ext_addr port 80 block return 301 \"https://\$SERVER_NAME\$REQUEST_URI\"
+ }
+ server \"${user_name}.tilde.institute\" {
+ listen on \$ext_addr tls port 443
+ root \"/users/${user_name}\"
+ tls {
+ key \"/etc/letsencrypt/live/tilde.institute-0001/privkey.pem\"
+ certificate \"/etc/letsencrypt/live/tilde.institute-0001/fullchain.pem\"
+ }
+ directory index index.html
+ directory auto index
+ location \"/*.cgi\" {
+ fastcgi
+ }
+ location \"/*.php\" {
+ fastcgi socket \"/run/php-fpm.sock\"
+ }
+ }" >"/etc/httpd/${user_name}.conf"
+
+ # httpd(8) does not support globbing on includes.
+ # we need to add the includes to a larger include file to keep the main config cleaner.
+ echo "include \"/etc/httpd/${user_name}.conf\"" >>/etc/httpd-vusers.conf
+
+ # Sort and deduplicate entries in the bridged vhost config file
+ # Duplicate entries cause weird behavior. Subdomains after the
+ # duplicated entry won't resolve properly and instead resolve
+ # to the main site
+ sort -u /etc/httpd-vusers.conf >/etc/httpd-vusers.conf.sorted
+ cp /etc/httpd-vusers.conf.sorted /etc/httpd-vusers.conf
+
+ # send welcome email
+ sed -e "s/newusername/${user_name}/g" /admin/misc/email.tmpl | mail -r admins@tilde.institute -s "welcome to tilde.institute!" "${user_email}"
+
+ # subscribe to mailing list
+ #echo " " | doas -u $1 mail -s "subscribe" institute-join@lists.tildeverse.org
+
+ # lock down the users' history files so they can't be deleted or truncated (bash and ksh only)
+ doas -u "${user_name}" touch "/home/${user_name}/.history"
+ doas -u "${user_name}" touch "/home/${user_name}/.bash_history"
+ chflags uappnd "/home/${user_name}/.history"
+ chflags uappnd "/home/${user_name}/.bash_history"
+
+ # announce the new user's creation on mastodon
+ # then copy their ssh key to their home directory
+ /admin/bin/toot.py "Welcome new user ~${user_name}!"
+ cut /var/www/htdocs/userlist
+ echo "${user_pubkey}" | tee "/home/${user_name}/.ssh/authorized_keys"
+}
+
+mailing_list_users=""
+while IFS="" read -r line || [ -n "$line" ]; do
+ [ -z "$line" ] && continue
+ this_user_name="$(echo "$line" | cut -d -f1)"
+ # shellcheck disable=SC2086
+ add_user $line || continue
+ mailing_list_users="${this_user_name}@tilde.institute\n${mailing_list_users}"
+done <"${new_users_file}"
+
+printf '\nRestarting httpd(8)\n'
+rcctl restart httpd
+
+printf 'Users to add to mailing list:\n\n%s\n' "${mailing_list_users}"
diff --git a/bin/motdrotate.py b/bin/motdrotate.py
index 15593f0..cad8688 100755
--- a/bin/motdrotate.py
+++ b/bin/motdrotate.py
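Review bot: `add_user $line || continue` only sees the exit status of `add_user`'s last command, the `tee` into `authorized_keys`, so a failed `useradd` (for example a name that already exists) does not stop the vhost config, welcome mail, `chflags` and key write from running for that name, and the name is still appended to `mailing_list_users`; the `useradd` line should end in `|| return 1` (and arguably the two `mkdir`s too). The unquoted `$line` is also word-split, so if the third field is an OpenSSH public key (`type base64 comment`) only its first word reaches `user_pubkey`, and `cut -d -f1` on the line above passes `-f1` as the delimiter unless a character was lost in this rendering. Finally, `printf '%s'` does not expand the `\n` stored in `mailing_list_users`, so the addresses print separated by a literal `\n`; joining with a real newline (or formatting with `%b`) fixes it. The rewrite below covers the `useradd` line and the read loop.
```shell
    useradd -m -g 1001 -p "$pw_crypt" -s /bin/ksh -k /etc/skel "${user_name}" || return 1
    # … unchanged: public_html, public_repos, httpd vhost, mail, history flags, toot, key …

mailing_list_users=""
while IFS= read -r line || [ -n "$line" ]; do
    [ -z "$line" ] && continue
    # shellcheck disable=SC2086
    set -- $line
    [ $# -ge 3 ] || continue
    this_user_name=$1
    this_user_email=$2
    shift 2
    # "$*" rejoins the key's remaining words (type, base64, comment) into one argument
    add_user "$this_user_name" "$this_user_email" "$*" || continue
    mailing_list_users="${this_user_name}@tilde.institute
${mailing_list_users}"
done <"${new_users_file}"
```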
@@ -6,8 +6,6 @@ import random
 ##############################################
 ## Uses a skeleton motd plus a random quote ##
 ## to produce a motd with a nifty quote. ##
-##------------------------------------------##
-## ben@gbmor.dev ##
 ##############################################
 def pullfile(filename):
diff --git a/bin/regusers.py b/bin/regusers.py
index 53997da..d240b9e 100755
--- a/bin/regusers.py
+++ b/bin/regusers.py
@@ -2,7 +2,6 @@
 # Lists all the currently registered users extant on the system
 # for the stats page at https://tilde.institute/stats
-# gbmor
 import os
 import sys
diff --git a/bin/rmuser b/bin/rmuser
index 98c697a..b7f5932 100755
--- a/bin/rmuser
+++ b/bin/rmuser
@@ -1,5 +1,4 @@
 #!/bin/sh
-set -eu
 if [ -z "$1" ]; then
 printf 'Please pass a user as the first argument.\n'
@@ -7,6 +6,12 @@ if [ -z "$1" ]; then
 fi
 printf 'Removing user %s from the system\n' "$1"
+
+chflags nouappnd "/home/$1/.history"
+chflags nouappnd "/home/$1/.bash_history"
+
+set -e
+
 userdel -r -v "$1"
 printf 'Cleaning /var/www/users/%s\n' "$1"
 rm -rf "/var/www/users/$1"
diff --git a/bin/showwhoison b/bin/showwhoison
index 6c36584..5247282 100755
--- a/bin/showwhoison
+++ b/bin/showwhoison
@@ -4,8 +4,13 @@
 # Shows connected users, including those
 # connected via mosh
-x=$(who | cut -d' ' -f1 )
+x=$(who | cut -d' ' -f1)
 y=$(ps aux | grep mosh | cut -d' ' -f1)
+z=$(ps aux | grep notty | cut -d' ' -f1)
 echo "Currently logged in users, including MOSH: "
-echo "$x" |sort | uniq
+echo "$x" | sort | uniq
 echo "$y" | sort | uniq
+
+echo ""
+echo "NO TTY:"
+echo "$z" | sort | uniq
diff --git a/bin/weekconns.py b/bin/weekconns.py
index ed9d375..0c62263 100755
--- a/bin/weekconns.py
+++ b/bin/weekconns.py
@@ -3,7 +3,6 @@
 # Lists the users who have connected in
 # the last week for the stats page at
 # https://tilde.institute/stats
-# ben@gbmor.dev
 from sys import exit
 import subprocess
-- 
cgit 1.4.1-2-gfad0
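Review bot: In the rmuser hunk the two new `chflags nouappnd` lines run before `set -e` and before any check that `$1` is a plain username, and the same `$1` then reaches `userdel -r` and `rm -rf "/var/www/users/$1"`; a guard after the empty-argument check, such as `case "$1" in *[!a-z0-9_-]*) printf 'Invalid user name: %s\n' "$1" >&2; exit 1 ;; esac`, would reject anything containing `/` or `..` before the destructive steps. Moving `set -e` below the `chflags` calls so they may fail (a user who never had a `.bash_history`, for instance) looks deliberate, and a one-line comment such as `# history files may be missing; tolerate chflags failure` would make that intent explicit. Dropping `-u` also looks intentional, since `[ -z "$1" ]` would abort under `set -u` when no argument is given; testing `"${1-}"` would have kept `-u` for the rest of the script.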
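Review bot: In the showwhoison hunk, `ps aux | grep notty` typically matches the `grep notty` process itself, so the invoking user's name shows up under `NO TTY:` regardless of who is connected (the existing `grep mosh` line has the same problem); `z=$(ps aux | grep '[n]otty' | cut -d' ' -f1)` avoids the self-match. `cut -d' ' -f1` is fine for the USER column of `ps aux`, but `ps` truncates user names at eight characters, which `bin/connusers.py` already works around; a comment such as `# ps truncates user names to 8 characters; see connusers.py` would warn readers that the names printed here may be partial.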