
Automate changing Ownership and ACLs on Home Directories

#!/bin/bash

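# DEBUG levels, all overridable from the environment:
#   0 - quiet (default)
#   1 - trace commands (xtrace) and report users whose idmap lookup fails
#   2 - additionally print the chmod commands instead of running them
#   3 - only print the per-user function calls, without invoking them
DEBUG=${DEBUG:-0}
#
# Set FAILFAST to 1 in order to bail after the first failure of
# reset_to_baseline or apply_acl_recursively (default: keep going).
FAILFAST=${FAILFAST:-0}
# Domain appended to each directory name for the idmap lookup. Like DEBUG and
# FAILFAST it may be overridden from the environment; the default is the value
# this script used to hard-code, so existing invocations are unchanged.
# DOMAIN=lemanscorp.com
DOMAIN=${DOMAIN:-racktoplabs.com}
# %%tpl%% here is replaced, in apply_acl_recursively, with the id that
# map_to_sid looks up for the user, since this value is unique per user.
ACL='A=user:%%tpl%%:rwxpd-aARWc--s:fd----I:allow,owner@:rwxpdDaARWcCos:fd----I:allow,groupsid:S-1-3-0:rwxpdDaARWcCos:fd----I:allow,groupsid:S-1-3-1:rwxpdDaARWcCos:fd----I:allow,groupsid:S-1-3-4:rwxpdDaARWcCos:fd----I:allow,groupsid:S-1-5-32-544:rwxpdDaARWcCos:fd----I:allow'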

# If we do not want everyone to have any permissions, we should, instead of
# removing entry entirely, replace letters identifying permissions allowed
# with a `-`, i.e.: everyone@:--------------:-------:allow.
# We also set `fd` inherit bits for owner, to make sure all future creations
# inherit permissions set on home directory itself.

# An empty or missing argument fails the -d test as well, so a single test
# covers both "no argument" and "not a directory".
if [[ ! -d "$1" ]]; then
    echo "Please enter valid path for root of users' home directories" >&2
    exit 1
fi

# Root of the home directories with one trailing slash removed, so that
# "$homedirs/$username" does not contain "//".
homedirs=${1%/}

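#######################################
# Look up the numeric id idmap assigns to "<user>@$DOMAIN" and print it.
# Globals:   DEBUG (read), DOMAIN (read)
# Arguments: $1 - user name (the home directory's base name)
# Outputs:   the id on stdout, or nothing when the lookup fails
# Returns:   0 when the lookup fails (callers test for empty output),
#            otherwise the status of the awk pipeline
#######################################
function map_to_sid {
    [ "$DEBUG" -gt 0 ] && set -o xtrace
    # Scoped with local so the helper does not leave user/map behind as
    # globals in the calling script.
    local user=$1
    local map
    # idmap's stderr is discarded on purpose: a directory with no matching
    # user is expected and is reported by the caller instead.
    if ! map=$(idmap show -c "$user@$DOMAIN" 2>/dev/null); then
        return
    fi
    # The third whitespace-separated field of the mapping line is assumed to
    # be "<type>:<id>"; print the part after the colon.
    awk '{ split($3, v, ":"); print v[2] }' <<< "$map"
}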

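#######################################
# Recursively drop the non-trivial ACL entries from one user's home directory
# so apply_acl_recursively starts from a known baseline.
# Globals:   DEBUG (read)
# Arguments: $1 - root of the home directories
#            $2 - user name (directory under $1)
# Outputs:   with DEBUG > 1, prints the chmod command instead of running it
# Returns:   exit status of chmod (or of echo in dry-run mode)
#######################################
function reset_to_baseline {
    [ "$DEBUG" -gt 0 ] && set -o xtrace
    # local keeps homedir/username/path out of the caller's namespace.
    local homedir=$1
    local username=$2
    local path="$homedir/$username"
    # Recursively drop non-trivial ACL entries. The function's status is that
    # of whichever branch ran, so no explicit return is needed.
    if [ "$DEBUG" -gt 1 ]; then
        echo chmod -R A- "$path"
    else
        chmod -R A- "$path"
    fi
}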

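#######################################
# Apply the ACL template to one user's home directory tree, with %%tpl%%
# replaced by the user's id.
# Globals:   DEBUG (read), ACL (read)
# Arguments: $1 - root of the home directories
#            $2 - user name (directory under $1)
#            $3 - id to substitute for %%tpl%% (output of map_to_sid)
# Outputs:   with DEBUG > 1, prints the chmod command instead of running it
# Returns:   exit status of chmod (or of echo in dry-run mode)
#######################################
function apply_acl_recursively {
    [ "$DEBUG" -gt 0 ] && set -o xtrace
    local homedir=$1
    local username=$2
    local usid=$3
    local path="$homedir/$username"
    # Substitute the id with parameter expansion instead of sed, so no
    # character in the id can be interpreted as sed syntax. The replacement
    # is quoted so that a "&" in it is not treated specially either.
    local myacl=${ACL//%%tpl%%/"$usid"}
    if [ "$DEBUG" -gt 1 ]; then
        echo chmod -R "$myacl" "$path"
    else
        chmod -R "$myacl" "$path"
    fi
}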

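# Walk the entries of the home root with the shell's glob instead of parsing
# ls: ls output is split on newlines, so a name containing a newline would be
# mangled. Like ls without -A, the glob skips dotfiles and visits files as well
# as directories; symlinks (including dangling ones) are still visited.
[ "$DEBUG" -gt 0 ] && set -o xtrace
for entry in "$homedirs"/*; do
    # An empty root leaves the glob unexpanded; nothing to do then.
    [ -e "$entry" ] || [ -L "$entry" ] || continue
    u=${entry##*/}
    id=$(map_to_sid "$u") # Empty when the user has no idmap mapping.
    if [ -z "$id" ]; then
        if [ "$DEBUG" -gt 0 ]; then
            echo "Failed Lookup, skipping User: $u" >&2
        fi
        continue # Continue to next entry
    fi
    if [ "$DEBUG" -gt 2 ]; then
        # Level 3: show which users would be touched; do not call the helpers.
        echo reset_to_baseline "$homedirs" "$u"
        echo apply_acl_recursively "$homedirs" "$u" "$id"
    else
        # NOTE(review): both helpers run chmod -R over a tree that the
        # directory's owner may be modifying concurrently; whether -R follows
        # symlinks on this platform decides if that matters - confirm
        # against chmod(1) before running as root on untrusted trees.
        reset_to_baseline "$homedirs" "$u" || {
            if [ "$FAILFAST" -gt 0 ]; then exit 1; fi
        }
        apply_acl_recursively "$homedirs" "$u" "$id" || {
            if [ "$FAILFAST" -gt 0 ]; then exit 1; fi
        }
    fi
done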
#!/bin/sh

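# Set DEBUG to 1 (or higher) to trace commands and print the chown/chmod
# commands instead of running them. Overridable from the environment.
DEBUG=${DEBUG:-0}
# Domain used for the idmap lookup and the gid given to every home directory
# (the domain admins group). Both may be overridden from the environment, in
# the same way as DEBUG; the defaults are the values previously hard-coded.
# DOMAIN=lemanscorp.com
# DOMADM_GID=2147491844
DOMAIN=${DOMAIN:-racktoplabs.com}
DOMADM_GID=${DOMADM_GID:-2147483650}
# If we do not want everyone to have any permissions, we should, instead of
# removing entry entirely, replace letters identifying permissions allowed
# with a `-`, i.e.: everyone@:--------------:-------:allow.
# We also set `fd` inherit bits for owner, to make sure all future creations
# inherit permissions set on home directory itself.
# DOMADM_GID is expanded here, so it must be assigned before this line.
ACL="A=owner@:rwxpdDaARWcCos:fd-----:allow,everyone@:r-x---a-R-c--s:-d-----:allow,group:$DOMADM_GID:rwxpdDaARWcCos:fd-----:allow"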

# An empty or missing argument fails the -d test as well, so a single test
# covers both "no argument" and "not a directory".
if [ ! -d "$1" ]; then
  echo "Please enter valid path for root of users' home directories" >&2
  exit 1
fi

# Root of the home directories with one trailing slash removed, so that
# "$homedirs/$u" does not contain "//".
homedirs=${1%/}

# Look up the numeric id idmap assigns to "<user>@$DOMAIN" and print it; print
# nothing when the lookup fails (callers test for empty output). Reads the
# DEBUG and DOMAIN globals. The `function` keyword is a bash/ksh extension,
# so this file is not strict POSIX sh despite its shebang.
function map_to_sid {
    [ "$DEBUG" -gt 0 ] && set -o xtrace
    user=$1
    # idmap's stderr is discarded on purpose: an unmapped user is expected
    # and is reported by the caller.
    if ! map=$(idmap show -c "$user@$DOMAIN" 2>/dev/null); then
        return
    fi
    # Third whitespace-separated field is assumed to be "<type>:<id>";
    # print the part after the colon.
    echo "$map" | awk '{ split($3, v, ":"); print v[2] }'
}

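# Walk the entries of the home root with a glob instead of an unquoted `ls`
# substitution: the original split names on whitespace and glob-expanded
# them, so "a b" became two users. Doing it without an array also keeps the
# loop valid under a plain /bin/sh. Like ls without -A, dotfiles are skipped
# and files are visited as well as directories.
[ "$DEBUG" -gt 0 ] && set -o xtrace
for entry in "$homedirs"/*; do
    # An empty root leaves the glob unexpanded; nothing to do then.
    [ -e "$entry" ] || [ -L "$entry" ] || continue
    u=${entry##*/}
    id=$(map_to_sid "$u") # Empty when the user has no idmap mapping.
    if [ -z "$id" ]; then
        if [ "$DEBUG" -gt 0 ]; then
            echo "Failed Lookup, skipping User: $u" >&2
        fi
        continue # Continue to next entry
    fi
    # Any DEBUG level above 0 is a dry run: the commands are printed, not run.
    if [ "$DEBUG" -gt 0 ]; then
        echo chown -R "$id:$DOMADM_GID" "$homedirs/$u"
        echo chmod -R "$ACL" "$homedirs/$u"
    else
        # NOTE(review): chown -R / chmod -R descend into a tree the directory's
        # owner may be modifying concurrently; whether -R follows symlinks on
        # this platform decides if that matters - confirm against chown(1).
        chown -R "$id:$DOMADM_GID" "$homedirs/$u"
        chmod -R "$ACL" "$homedirs/$u"
    fi
done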