Mon, 20 Apr 2009 19:22:00 +0200
Change unfortunate but partly useful overreaching security tradeoff.
The principle of allocating each running process an individual system
user and group can have security benefits; however, maintaining a plethora
of users, groups, processes, file modes, file permissions, and even
nonportable file ACLs on a host serving from a hundred processes has
some security disadvantages. This tradeoff is even worse for systems
like OpenPKG which benefit from administration transparency through the
use of minimal system intrusion and only three usage privilege levels.
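#!/bin/sh
##
## usrgrp.sh -- user/group name/id determination
## Copyright (c) 2000-2007 OpenPKG Foundation e.V. <http://openpkg.net/>
## Copyright (c) 2000-2007 Ralf S. Engelschall <http://engelschall.com/>
##
## Permission to use, copy, modify, and distribute this software for
## any purpose with or without fee is hereby granted, provided that
## the above copyright notice and this permission notice appear in all
## copies.
##
## THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
## WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
## MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
## IN NO EVENT SHALL THE AUTHORS AND COPYRIGHT HOLDERS AND THEIR
## CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
## SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
## LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
## USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
## ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
## OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
## OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
## SUCH DAMAGE.
##

##
## Usage: sh usrgrp.sh [-h|--help]
##                     [--[smrn]?usr=<usr>] [--[smrn]?grp=<grp>]
##                     [--[smrn]uid=<uid>]  [--[smrn]gid=<gid>]
##
## Determines the four OpenPKG user/group pairs -- s (superuser),
## m (management), r (restricted) and n (non-privileged) -- from the
## command line options, falling back to the current user (cusr/cgrp)
## and to the system user/group databases, and prints them on a single
## line as shell variable assignments (susr="..."; sgrp="..."; ...),
## shaped for eval(1) by the caller. The *uid/*gid values are only
## taken from the command line (or filled in as a side effect of the
## database fallback); no further uid/gid determination is done.
## An unknown option or -h/--help prints the usage to stderr and
## exits with status 1.
##

# ---- helpers ----------------------------------------------------------

# lookup_gid <usr>: print the primary numeric group id of user <usr> as
# recorded by the first user database (local, NIS, NIS+, NetInfo) that
# knows the name; prints nothing if the user is unknown everywhere.
# The name is compared as an exact field value rather than interpolated
# into a grep(1) pattern, so regex metacharacters in a name cannot
# widen the match to a different account.
lookup_gid() {
    ( getent passwd "$1"; cat /etc/passwd; ypmatch "$1" passwd; \
      nismatch "$1" passwd; nidump passwd . ) 2>/dev/null |\
    awk -F: -v u="$1" '$1 == u { print $4; exit }'
}

# lookup_grp <gid>: print the name of the group carrying numeric id
# <gid> as listed by the first group database that has it; prints
# nothing if no group has that id. Same exact-field matching as above.
lookup_grp() {
    ( getent group; cat /etc/group; ypcat group; niscat group; \
      nidump group . ) 2>/dev/null |\
    awk -F: -v g="$1" '$3 == g { print $1; exit }'
}

# resolve_grp <usr>: determine the primary group of <usr>, first via
# id(1) and, only if that fails, via the user/group databases.
# Sets the globals
#   t_grp -- group name (empty if it could not be determined)
#   t_gid -- numeric group id; non-empty only when the database
#            fallback was taken and found the user (callers copy it
#            into their *gid result variable in exactly that case)
resolve_grp() {
    t_gid=''
    t_grp=$(id -gn "$1" 2>/dev/null)
    if [ ".$t_grp" = . ]; then
        t_gid=$(lookup_gid "$1")
        if [ ".$t_gid" != . ]; then
            t_grp=$(lookup_grp "$t_gid")
        fi
    fi
}

# ---- command line -----------------------------------------------------

# command line parameters (defaults)
help=0
usr=''; grp=''
susr=''; sgrp=''
musr=''; mgrp=''
rusr=''; rgrp=''
nusr=''; ngrp=''
suid=''; sgid=''
muid=''; mgid=''
ruid=''; rgid=''
nuid=''; ngid=''

# parse command line options: the value of a --name=value option is
# everything after the first '='
for opt
do
    case $opt in
        -*=*) arg=${opt#*=} ;;
        *)    arg=''        ;;
    esac
    case $opt in
        -h | --help          ) help=1    ;;
        --usr=* | --user=*   ) usr=$arg  ;;
        --grp=* | --group=*  ) grp=$arg  ;;
        --susr=*             ) susr=$arg ;;
        --sgrp=*             ) sgrp=$arg ;;
        --musr=*             ) musr=$arg ;;
        --mgrp=*             ) mgrp=$arg ;;
        --rusr=*             ) rusr=$arg ;;
        --rgrp=*             ) rgrp=$arg ;;
        --nusr=*             ) nusr=$arg ;;
        --ngrp=*             ) ngrp=$arg ;;
        --suid=*             ) suid=$arg ;;
        --sgid=*             ) sgid=$arg ;;
        --muid=*             ) muid=$arg ;;
        --mgid=*             ) mgid=$arg ;;
        --ruid=*             ) ruid=$arg ;;
        --rgid=*             ) rgid=$arg ;;
        --nuid=*             ) nuid=$arg ;;
        --ngid=*             ) ngid=$arg ;;
        *                    ) help=1    ;;
    esac
done
if [ ".$help" = .1 ]; then
    # usage goes to stderr so it never ends up in an eval'ed result
    printf '%s\n' "Usage: sh $0 [-h|--help]" >&2
    printf '%s\n' "       [--[smrn]?usr=<usr>] [--[smrn]?grp=<grp>]" >&2
    printf '%s\n' "       [--[smrn]uid=<uid>] [--[smrn]gid=<gid>]" >&2
    exit 1
fi

# ---- current user -----------------------------------------------------

# determine cusr/cgrp: the user running this script and its primary
# group, trying progressively older/less portable tools in turn
cusr=$( (id -un) 2>/dev/null ||\
        (id | sed -e 's;^[^(]*(\([^)]*\)).*;\1;') 2>/dev/null ||\
        (whoami) 2>/dev/null ||\
        (who am i | cut "-d " -f1) 2>/dev/null ||\
        echo "$LOGNAME" )
cgid=$( (id -g "$cusr") 2>/dev/null || lookup_gid "$cusr" )
cgrp=$( (id -gn "$cusr") 2>/dev/null || lookup_grp "$cgid" )
if [ ".$cgrp" = . ]; then
    cgrp="$cusr"
fi

# ---- OpenPKG roles ----------------------------------------------------

# determine OpenPKG susr/sgrp: the superuser is root whenever an
# explicit --usr was given, otherwise the current user
if [ ".$susr" = . ]; then
    if [ ".$usr" = . ]; then
        susr="$cusr"
    else
        susr="root"
    fi
fi
if [ ".$sgrp" = . ]; then
    resolve_grp "$susr"
    sgrp="$t_grp"
    if [ ".$t_gid" != . ]; then
        sgid="$t_gid"
    fi
    if [ ".$sgrp" = . ]; then
        sgrp="wheel"
    fi
fi

# determine OpenPKG musr/mgrp: --usr/--grp, else the current user/group
if [ ".$musr" = . ]; then
    musr="$usr"
fi
if [ ".$musr" = . ]; then
    musr="$cusr"
fi
if [ ".$mgrp" = . ]; then
    resolve_grp "$musr"
    mgrp="$t_grp"
    if [ ".$t_gid" != . ]; then
        mgid="$t_gid"
    fi
    if [ ".$mgrp" = . ]; then
        mgrp="$grp"
    fi
    if [ ".$mgrp" = . ]; then
        mgrp="$cgrp"
    fi
fi

# determine OpenPKG rusr/rgrp: "<usr>-r"/"<grp>-r"; a bare "-r" (no
# --usr/--grp given) collapses to the current user/group
if [ ".$rusr" = . ]; then
    rusr="${usr}-r"
fi
if [ ".$rusr" = ".-r" ]; then
    rusr="$cusr"
fi
if [ ".$rgrp" = . ]; then
    resolve_grp "$rusr"
    rgrp="$t_grp"
    if [ ".$t_gid" != . ]; then
        rgid="$t_gid"
    fi
    if [ ".$rgrp" = . ]; then
        rgrp="${grp}-r"
    fi
    if [ ".$rgrp" = ".-r" ]; then
        rgrp="$cgrp"
    fi
fi

# determine OpenPKG nusr/ngrp: same scheme as rusr/rgrp with suffix "-n"
if [ ".$nusr" = . ]; then
    nusr="${usr}-n"
fi
if [ ".$nusr" = ".-n" ]; then
    nusr="$cusr"
fi
if [ ".$ngrp" = . ]; then
    resolve_grp "$nusr"
    ngrp="$t_grp"
    if [ ".$t_gid" != . ]; then
        ngid="$t_gid"
    fi
    if [ ".$ngrp" = . ]; then
        ngrp="${grp}-n"
    fi
    if [ ".$ngrp" = ".-n" ]; then
        ngrp="$cgrp"
    fi
fi

# ---- output -----------------------------------------------------------

# print results as one line of shell assignments; each value is escaped
# so that the line remains a well-formed assignment list even if a name
# contains a double quote, dollar, backtick or backslash
output=""
for var in \
    susr sgrp musr mgrp rusr rgrp nusr ngrp \
    suid sgid muid mgid ruid rgid nuid ngid; do
    eval "val=\"\$$var\""   # $var is from the literal list above only
    val=$(printf '%s' "$val" | sed 's/[\\"$`]/\\&/g')
    if [ ".$output" = . ]; then
        output="$var=\"$val\""
    else
        output="$output; $var=\"$val\""
    fi
done
printf '%s\n' "$output"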