commit 4e6fb274243b74e3589f38b7d77d32c5ccf3530c
parent d675e7e8cb1d057bfe86f105177dec9ff8d5d0f2
Author: Anders Damsgaard <anders@adamsgaard.dk>
Date: Mon, 17 Feb 2020 21:11:13 +0100
Allow USER to run COMMAND
Diffstat:
M | .local/bin/newuser | | | 83 | ++++++++++++++++++++++++++++++++++++++++++++++++++++++++----------------------- |
1 file changed, 59 insertions(+), 24 deletions(-)
diff --git a/.local/bin/newuser b/.local/bin/newuser
@@ -9,10 +9,10 @@ die() {
}
help() {
- echo "usage: ${0##*/} [OPTIONS] USER ..."
+ echo "usage: ${0##*/} [OPTIONS] USER [CMD]"
echo "will create a new USER with 'nopass' and 'keepenv' rules."
- echo "Use this user to run programs with priviledge separation:"
- echo " $ doas -u USER COMMAND"
+ echo "If USER already exists, run CMD as USER."
+ echo
echo "Graphical commands can be started with:"
echo " $ ssh -Y USER@localhost COMMAND"
echo " $ ssh -X USER@localhost COMMAND"
@@ -20,13 +20,12 @@ help() {
echo "current X session. The -X option has restricted access but"
echo "reduced performance."
echo
- echo "${0##*/} requires super-user priviledges."
- echo
echo "OPTIONS are one or more of the following:"
- echo " -h, --help show this message"
- echo " -v, --version show version and license information"
- echo " -V, --verbose show verbose information during execution"
- echo " -- do not consider any following args as options"
+ echo " -h show this message"
+ echo " -v show version and license information"
+ echo " -V show verbose information during execution"
+ echo " -t transfer any output files from CMD to current directory"
+ echo " -- do not consider any following args as options"
}
show_version() {
@@ -42,19 +41,23 @@ if [ $# -lt 1 ]; then
fi
verbose=0
+transfer=0
while :; do
case "$1" in
- -h|-\?|--help)
+ -h)
help
exit 0
;;
- -v|--version)
+ -v)
show_version
exit 0
;;
- -V|--verbose)
+ -V)
verbose=1
;;
+ -t)
+ transfer=1
+ ;;
--)
shift
break
@@ -69,17 +72,49 @@ while :; do
done
add_user() {
- [ "$verbose" = 1 ] && echo "adding user $1" || :
- useradd -m "$1"
- [ "$verbose" = 1 ] && echo "adding entry to /etc/doas.conf" || :
- echo "permit nopass keepenv ad as $1" >> /etc/doas.conf
- [ "$verbose" = 1 ] && echo "adding ssh key to $1" || :
- cat /home/ad/.ssh/id_rsa.pub >> /home/$1/.ssh/authorized_keys
- [ "$verbose" = 1 ] && echo "limiting home-directory $1" || :
- chmod go-rx /home/$1
+ if [ "$verbose" = 1 ]; then
+ printf 'adding user %s\n' "$1"
+ printf 'adding entry to /etc/doas.conf\n'
+ printf 'adding ssh key to %s\n' "$1"
+ printf 'limiting access to /home/%s\n' "$1"
+ fi
+ doas "useradd -m '$1' && \
+ echo 'permit nopass keepenv ad as $1' >> /etc/doas.conf && \
+ cat /home/$HOME/.ssh/id_rsa.pub >> /home/'$1'/.ssh/authorized_keys && \
+ chmod go-rx /home/'$1'"
}
-for u in "$@"; do
- [ "$verbose" = 1 ] && echo "processing $u" || :
- add_user "$u"
-done
+run_as_user() {
+ u="$1"
+ shift
+ orig="$PWD"
+ if [ "$transfer" = 1 ]; then
+ d="$(mktemp -d)"
+ mkdir -p "$d"
+ chmod 777 "$d"
+ cd "$d"
+ else
+ d="$orig"
+ fi
+ if [ "$verbose" = 1 ]; then
+ printf 'executing "%s" as %s in %s\n' "$*" "$u" "$d"
+ fi
+ doas -u "$u" sh -c "cd '$d' && \
+ PATH=/home/'$u'/.local/bin:/home/'$u'/bin:\$PATH && \
+ $*"
+ if [ "$transfer" = 1 ]; then
+ if ls -lqA "$d" | grep -q .; then
+ if cp -prf "$d"/* "$orig"; then
+ rm -rf "$d"
+ else
+ die "could not transfer files from '$d' to '$orig'"
+ fi
+ fi
+ fi
+}
+
+if [ -d "/home/${1}" ]; then
+ run_as_user "$@"
+else
+ add_user "$1"
+fi
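Review bot: The add_user body at L84–L87 passes doas one string joined with `&&` and `>>`, but doas execs its argument directly rather than through a shell, so unless the local doas is a wrapper this fails with command-not-found; the same string interpolates the USER argument into a command that runs as root, so a name containing a quote changes what root executes, and `/home/$HOME/.ssh/id_rsa.pub` at L86 doubles the path because `$HOME` is already absolute. Rejecting names outside `[A-Za-z0-9_-]` and handing the name and key path to `doas sh -c '…' sh "$1" "$HOME/.ssh/id_rsa.pub"` as positional parameters addresses all three, as sketched below; whether `/home/$1/.ssh` exists after `useradd -m` depends on the skeleton, so the sketch adds `mkdir -p`. In run_as_user the emptiness test `ls -lqA "$d" | grep -q .` at L112 is always true because `ls -l` prints a `total` line, so with `-t` and no output files `cp -prf "$d"/*` fails on the unexpanded glob and die leaves the temp dir behind; `[ -n "$(ls -A "$d")" ]` with `cp -prf "$d"/. "$orig"` also copies the dotfiles that `-A` counts but `*` skips. The `chmod 777 "$d"` at L100 additionally lets any local user place files in that directory which `cp -prf` then copies into the caller's working directory; limiting the copy to entries owned by `$u` (e.g. `find "$d" -mindepth 1 -maxdepth 1 -user "$u"`) would close that.
```shell
add_user() {
  # … unchanged: verbose messages …
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) die "invalid user name '$1'" ;;
  esac
  # name and key path travel as $1/$2 of the inner sh, never as shell text
  doas sh -c 'useradd -m "$1" &&
    printf "permit nopass keepenv ad as %s\n" "$1" >> /etc/doas.conf &&
    mkdir -p "/home/$1/.ssh" &&
    cat "$2" >> "/home/$1/.ssh/authorized_keys" &&
    chmod go-rx "/home/$1"' sh "$1" "$HOME/.ssh/id_rsa.pub"
}

run_as_user() {
  # … unchanged: argument handling, temp dir, doas -u invocation …
  if [ "$transfer" = 1 ]; then
    # ls -A is empty for an empty dir; "$d"/. copies dotfiles too
    if [ -n "$(ls -A "$d")" ]; then
      cp -prf "$d"/. "$orig" || die "could not transfer files from '$d' to '$orig'"
    fi
    rm -rf "$d"
  fi
}
```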