commit be7cc194438d7fec7e3dfde77f88cec98d0b573e parent d05458dac9b1f429fb0a2d6aa657d5267ba6f8b3 Author: Anders Damsgaard <anders@adamsgaard.dk> Date: Mon, 16 Dec 2019 10:18:01 +0100 Add script that creates new users for running programs with privilege separation Diffstat:
A | .local/bin/newuser | | | 82 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
1 file changed, 82 insertions(+), 0 deletions(-)
diff --git a/.local/bin/newuser b/.local/bin/newuser
@@ -0,0 +1,82 @@
+#!/bin/sh
+set -e
+
+version=0.1.0
+
+die() {
+ printf '%s\n' "$1"
+ exit 1
+}
+
+help() {
+ echo "usage: ${0##*/} [OPTIONS] USER ..."
+ echo "will create a new USER with 'nopass' and 'keepenv' rules."
+ echo "Use this user to run programs with priviledge separation:"
+ echo " $ doas -u USER COMMAND"
+ echo "Graphical commands can be started with:"
+ echo " $ ssh -Y USER@localhost COMMAND"
+ echo " $ ssh -X USER@localhost COMMAND"
+ echo "The -Y option has native performance but full access to the"
+ echo "current X session. The -X option has restricted access but"
+ echo "reduced performance."
+ echo
+ echo "${0##*/} requires super-user priviledges."
+ echo
+ echo "OPTIONS are one or more of the following:"
+ echo " -h, --help show this message"
+ echo " -v, --version show version and license information"
+ echo " -V, --verbose show verbose information during execution"
+ echo " -- do not consider any following args as options"
+}
+
+show_version() {
+ echo "${0##*/} version $version"
+ echo "Licensed under the ISC License"
+ echo "written by Anders Damsgaard, anders@adamsgaard.dk"
+ echo "https://src.adamsgaard.dk/dotfiles"
+}
+
+if [ $# -lt 1 ]; then
+ die 'error: no USER specified'
+ exit 1
+fi
+
+verbose=0
+while :; do
+ case "$1" in
+ -h|-\?|--help)
+ help
+ exit 0
+ ;;
+ -v|--version)
+ show_version
+ exit 0
+ ;;
+ -V|--verbose)
+ verbose=1
+ ;;
+ --)
+ shift
+ break
+ ;;
+ -?*)
+ die 'error: unknown option specified'
+ ;;
+ *)
+ break;
+ esac
+ shift
+done
+
+add_user() {
+ [ "$verbose" = 1 ] && echo "adding user $1" || :
+ useradd -m "$1"
+ [ "$verbose" = 1 ] && echo "adding entry to /etc/doas.conf" || :
+ echo "permit nopass keepenv ad as $1" >> /etc/doas.conf
+ cat /home/ad/.ssh/id_rsa.pub >> /home/$1/.ssh/authorized_keys
+}
+
+for u in "$@"; do
+ [ "$verbose" = 1 ] && echo "processing $u" || :
+ add_user "$u"
+done
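Review bot: `add_user` appends to `/home/$1/.ssh/authorized_keys` straight after `useradd -m "$1"`, but nothing creates the `.ssh` directory; unless the skeleton directory happens to provide one, the redirection fails and `set -e` aborts after the account and the doas rule have already been written, leaving a half-configured user, and even when it succeeds the key file is created root-owned under the caller's umask rather than owned by the new user with mode 0600. Creating the directory and fixing ownership before the append closes both gaps; the home path is also unquoted on that line. `$1` is interpolated unvalidated into the doas rule and the home path; the argument comes from the root operator, so this is robustness rather than a privilege concern, but rejecting names outside `[a-z0-9_-]` keeps `/etc/doas.conf` parseable and the path well-formed. Separately, `die` prints its message to stdout (`printf '%s\n' "$1" >&2` would be usual), and the `exit 1` following `die 'error: no USER specified'` is unreachable.
```shell
add_user() {
	case "$1" in
		''|*[!a-z0-9_-]*) die "error: invalid user name '$1'" ;;
	esac
	# … unchanged: verbose message, useradd -m, doas.conf rule …
	install -d -o "$1" -m 0700 "/home/$1/.ssh"
	cat /home/ad/.ssh/id_rsa.pub >> "/home/$1/.ssh/authorized_keys"
	chown "$1" "/home/$1/.ssh/authorized_keys"
	chmod 0600 "/home/$1/.ssh/authorized_keys"
}
```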