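#!/bin/bash
# Reset every entry under a root of users' home directories to a trivial ACL and
# then apply the per-user ACL template below (illumos/Solaris NFSv4 ACLs via
# chmod A=/A- and idmap lookups).
#
# Usage: script.sh /path/to/homes
#
# Set DEBUG to 1 in order to get more verbose information or >1 to see what
# will be executed without actually making any changes.
DEBUG=${DEBUG:-0}
#
# Set FAILFAST to 1 in order to bail after first failure of reset_to_baseline or
# apply_acl_recursively.
FAILFAST=${FAILFAST:-0}
# Windows domain used for the idmap lookup of each user. Override it from the
# environment (e.g. DOMAIN=lemanscorp.com) instead of editing this line.
DOMAIN=${DOMAIN:-racktoplabs.com}
# %%tpl%% here is replaced with the id returned by map_to_sid when this ACL
# string is used in apply_acl_recursively, since this value is actually unique
# by user.
ACL='A=user:%%tpl%%:rwxpd-aARWc--s:fd----I:allow,owner@:rwxpdDaARWcCos:fd----I:allow,groupsid:S-1-3-0:rwxpdDaARWcCos:fd----I:allow,groupsid:S-1-3-1:rwxpdDaARWcCos:fd----I:allow,groupsid:S-1-3-4:rwxpdDaARWcCos:fd----I:allow,groupsid:S-1-5-32-544:rwxpdDaARWcCos:fd----I:allow'
# If we do not want everyone to have any permissions, we should, instead of
# removing entry entirely, replace letters identifying permissions allowed
# with a `-`, i.e.: everyone@:--------------:-------:allow.
# We also set `fd` inherit bits for owner, to make sure all future creations
# inherit permissions set on home directory itself.
if [ -z "$1" ] || [ ! -d "$1" ]; then
  printf '%s\n' "Please enter valid path for root of users' home directories" >&2
  exit 1
fi
# Root of the home directories with a single trailing slash (if any) dropped,
# so that "$homedirs/$username" never contains a doubled slash.
homedirs=${1%/}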
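#######################################
# Look up the id-mapped (ephemeral) numeric id for a domain user via idmap.
# Globals:   DEBUG (read), DOMAIN (read)
# Arguments: $1 - username without the domain part
# Outputs:   the numeric id on stdout; nothing when the lookup fails
# Returns:   0 on success, 1 when idmap cannot resolve the user
#######################################
function map_to_sid {
  # NOTE: `set -o xtrace` is shell-wide, not function-scoped; once any
  # DEBUG>0 function has run, tracing stays on for the rest of the script.
  [ "$DEBUG" -gt 0 ] && set -o xtrace
  local user=$1
  local map
  # idmap diagnostics are deliberately discarded: an empty result on stdout is
  # the signal the caller checks for.
  if ! map=$(idmap show -c "$user@$DOMAIN" 2>/dev/null); then
    return 1
  fi
  # The third field of the idmap output is "<type>:<id>"; print only the id.
  awk '{split($3, v, ":")} {print v[2]}' <<< "$map"
}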
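#######################################
# Recursively strip all non-trivial ACL entries from one home directory
# (`chmod A-`), leaving only the trivial ACL as a baseline.
# Globals:   DEBUG (read)
# Arguments: $1 - root of the home directories
#            $2 - username, i.e. the entry name under $1
# Outputs:   with DEBUG>1 prints the chmod command instead of running it
# Returns:   exit status of chmod (0 in dry-run mode)
#######################################
function reset_to_baseline {
  [ "$DEBUG" -gt 0 ] && set -o xtrace
  local homedir=$1
  local username=$2
  local path="$homedir/$username"
  # The function's status is that of whichever branch ran.
  if [ "$DEBUG" -gt 1 ]; then
    echo chmod -R A- "${path}"
  else
    chmod -R A- "${path}"
  fi
}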
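#######################################
# Recursively apply the ACL template to one home directory, with %%tpl%% in
# $ACL replaced by the user's mapped id.
# Globals:   DEBUG (read), ACL (read)
# Arguments: $1 - root of the home directories
#            $2 - username, i.e. the entry name under $1
#            $3 - numeric id (from map_to_sid) substituted for %%tpl%%
# Outputs:   with DEBUG>1 prints the chmod command instead of running it
# Returns:   exit status of chmod (0 in dry-run mode)
#######################################
function apply_acl_recursively {
  [ "$DEBUG" -gt 0 ] && set -o xtrace
  local homedir=$1
  local username=$2
  local usid=$3
  local path="$homedir/$username"
  # Pure parameter expansion instead of piping through sed: no external
  # process, and an id containing sed-special characters ('/', '&') cannot
  # corrupt the substitution. The quoted replacement also keeps '&' literal
  # under bash 5.2's patsub_replacement option.
  local myacl=${ACL//%%tpl%%/"$usid"}
  # The function's status is that of whichever branch ran.
  if [ "$DEBUG" -gt 1 ]; then
    echo chmod -R "${myacl}" "${path}"
  else
    chmod -R "${myacl}" "${path}"
  fi
}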
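# Walk every non-hidden entry directly under the home root. A glob is used
# instead of parsing ls(1) so that names with spaces or newlines survive intact.
[ "$DEBUG" -gt 0 ] && set -o xtrace
for entry in "$homedirs"/*; do
  # An empty root leaves the glob unexpanded as a literal '*'; skip it.
  [ -e "$entry" ] || [ -L "$entry" ] || continue
  u=${entry##*/}
  mapped_id=$(map_to_sid "$u") # Empty when the user cannot be resolved.
  if [ -z "$mapped_id" ]; then
    if [ "$DEBUG" -gt 0 ]; then
      echo "Failed Lookup, skipping User: $u" >&2
    fi
    continue # Continue to next entry
  fi
  if [ "$DEBUG" -gt 2 ]; then
    # Dry run: show the calls that would be made.
    echo reset_to_baseline "$homedirs" "$u"
    echo apply_acl_recursively "$homedirs" "$u" "$mapped_id"
    continue
  fi
  # Without FAILFAST a failure is logged by chmod itself and the loop moves on.
  if ! reset_to_baseline "$homedirs" "$u"; then
    [ "${FAILFAST}" -gt 0 ] && exit 1
  fi
  if ! apply_acl_recursively "$homedirs" "$u" "$mapped_id"; then
    [ "${FAILFAST}" -gt 0 ] && exit 1
  fi
done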