summaryrefslogtreecommitdiff
path: root/userinfo.sh
diff options
context:
space:
mode:
Diffstat (limited to 'userinfo.sh')
-rw-r--r--userinfo.sh/description1
-rw-r--r--userinfo.sh/userinfo.sh172
2 files changed, 173 insertions, 0 deletions
diff --git a/userinfo.sh/description b/userinfo.sh/description
new file mode 100644
index 0000000..27c1966
--- /dev/null
+++ b/userinfo.sh/description
@@ -0,0 +1 @@
+Script that Displays User Info \ No newline at end of file
diff --git a/userinfo.sh/userinfo.sh b/userinfo.sh/userinfo.sh
new file mode 100644
index 0000000..33be1db
--- /dev/null
+++ b/userinfo.sh/userinfo.sh
@@ -0,0 +1,172 @@
+#!/bin/sh
+# Filename: userinfo.sh
+# Author: bgstack15@gmail.com
+# Startdate: 2018-01-03 16:11
+# Title: Script that Displays User Info
+# Purpose: Displays specific metrics this environment would like to query
+# History:
+# Usage:
+# Reference:
+# id -Gnz https://stackoverflow.com/questions/14059916/is-there-a-command-to-list-all-unix-group-names/29615866#29615866
+# Improve:
+# Document:
+
+# FUNCTIONS
+clean_userinfo() {
+ rm -rf "${tmpdir:-NOTHINGTODEL}" 1>/dev/null 2>&1
+}
+
+fail() {
+ local number=$1 ; shift ;
+ echo "$@"
+ exit "${number}"
+}
+
+f_user() {
+ printf "%s: %s\n" "user" "${1}"
+}
+
+f_getent() {
+ local output="$( "${GETENT}" passwd "${user}" 2>/dev/null )"
+ if test -z "${output}";
+ then
+ printf "%s: %s\n" "getent" "NO"
+ return 1
+ else
+ printf "%s: %s\n" "getent" "YES"
+ return 0
+ fi
+}
+
+f_getent_type() {
+ local is_files="" ; local is_sss="" ;
+ "${GETENT}" passwd -s files "${user}" 1>/dev/null 2>&1 && is_files="files"
+ "${GETENT}" passwd -s sss "${user}" 1>/dev/null 2>&1 && is_sss="sss"
+ local is="$( echo "${is_files},${is_sss}" | sed -r -e 's/,$//;' -e 's/^,//;' )"
+ printf "%s: %s\n" "getent_type" "${is}"
+}
+
+f_can_ssh() {
+ # Get all ssh access limit strings
+ local ssh_limit="$( grep -iE '^\s*allow(groups|users)\s' /etc/ssh/sshd_config )"
+ local can_ssh=0
+ # error if more than one line returned
+ local line_count="$( echo -n "${ssh_limit}" | grep -E '.' | wc -l )"
+ case "${line_count}" in
+ 0)
+ # no restrictions on ssh
+ can_ssh=1
+ ;;
+
+ 1)
+ # check allowusers string
+ echo "${ssh_limit}" | grep -qE "AllowUsers\s+.*\<${user}\>" && can_ssh=1
+
+ # check allowgroup string
+ if ! test ${can_ssh} -eq 1;
+ then
+ id -Gnz "${user}" 2>/dev/null | tr '\0' '\n' | sed -r -e 's/^/\\\</;' -e 's/$/\\\>/;' > "${tmpfile1}"
+ echo "${ssh_limit}" | grep -E "AllowGroups\s+.*" | grep -qf "${tmpfile1}" && can_ssh=1
+ fi
+ ;;
+
+ *)
+ fail 1 "Invalid ssh config detected. Please check /etc/ssh/sshd_config. Aborted."
+ # the fail function will exit, so this return 1 will never actually execute.
+ return 1
+ ;;
+
+ esac
+
+ if test ${can_ssh} -gt 0 ;
+ then
+ printf "%s: %s\n" "can_ssh" "YES"
+ else
+ printf "%s: %s\n" "can_ssh" "NO"
+ fi
+}
+
+f_can_sss() {
+ # determine if sss user
+ local can_sss=0
+ if f_getent_type | grep -vqE 'sss' ;
+ then
+ can_sss=2
+ else
+
+ # Get all sssd access limit strings
+ local sss_limit="$( grep -iE '^\s*simple_allow_(groups|users)\s' /etc/sssd/sssd.conf )"
+
+ # error if more than one line returned
+ local line_count="$( echo -n "${sss_limit}" | grep -E '.' | wc -l )"
+ case "${line_count}" in
+ 0)
+ # no restrictions on sss
+ can_sss=1
+ ;;
+
+ 1)
+ # check simple_allow_users string
+ echo "${sss_limit}" | grep -qE "AllowUsers\s+.*\<${user}\>" && can_sss=1
+
+ # check simple_allow_groups string
+ if ! test ${can_sss} -eq 1;
+ then
+ id -Gnz "${user}" 2>/dev/null | tr '\0' '\n' | sed -r -e 's/^/\\\</;' -e 's/$/\\\>/;' > "${tmpfile1}"
+ echo "${sss_limit}" | grep -E "simple_allow_groups\s+.*" | grep -q -f "${tmpfile1}" && can_sss=1
+ fi
+ ;;
+
+ *)
+ fail 1 "Invalid sssd config detected. Please check /etc/sssd/sssd.conf. Aborted."
+ # the fail function will exit, so this return 1 will never actually execute.
+ return 1
+ ;;
+
+ esac
+
+ fi
+
+ case "${can_sss}" in
+ 0)
+ printf "%s: %s\n" "can_sss" "NO"
+ ;;
+ 1)
+ printf "%s: %s\n" "can_sss" "YES"
+ ;;
+ *)
+ printf "%s: %s\n" "can_sss" "na"
+ ;;
+ esac
+
+}
+
+# TEMP FILES
+tmpdir="$( mktemp -d )"
+tmpfile1="$( TMPDIR="${tmpdir}" mktemp )"
+logfile="$( TMPDIR="${tmpdir}" mktemp )"
+trap 'clean_userinfo ; trap "" 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ; exit 0 ;' 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
+
+# GET USERNAME FROM PARAMETERS
+user="${1}" ; test -z "${user}" && fail 1 "${0} needs a username provided on the command line. Aborted."
+
+# DEPENDENCIES
+GETENT=$( which getent ) ; test -x "${GETENT}" || fail 1 "${0} needs getent. Aborted."
+
+# RUN AS ROOT
+test "$( id -u 2>/dev/null )" -eq 0 || fail 1 "${0} must be run as root. Aborted."
+
+# MAIN LOOP
+{
+
+ # LEARN AND PRINT INFO
+ f_user "${user}"
+ f_getent
+ f_getent_type
+ f_can_ssh
+ f_can_sss
+
+} | tee -a "${logfile}"
+
+# EXIT CLEANLY
+exit 0 \ No newline at end of file
bgstack15