#!/usr/bin/env bash
# Check if a user exists
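#######################################
# Check whether a local account exists (via `id`).
# Globals:   S_LOG (logger command), S_NAME (log source) — both read
# Arguments: $1 - account name to look up
# Outputs:   a debug line on success, a crit line on failure, through $S_LOG
# Returns:   0 when the account exists, otherwise the non-zero status of `id`
#######################################
user_exists() {
  local name="$1"
  local rc=0
  # `--` stops option parsing, so a name beginning with '-' is looked up rather
  # than interpreted as an option.
  id -- "$name" &>/dev/null || rc=$?
  if (( rc == 0 )); then
    $S_LOG -s debug -d "$S_NAME" "User [${name}] does exist.."
    # Explicit so the result does not depend on the logger's exit status.
    return 0
  fi
  $S_LOG -s crit -d "$S_NAME" "User [${name}] does not exist."
  return "$rc"
}
export -f user_exists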
# Check if a group exists
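#######################################
# Check whether a group exists (via `getent group`, so NSS sources count too).
# Globals:   S_LOG (logger command), S_NAME (log source) — both read
# Arguments: $1 - group name to look up
# Outputs:   a debug line on success, a crit line on failure, through $S_LOG
# Returns:   0 when the group exists, otherwise the non-zero status of `getent`
#######################################
group_exists() {
  local name="$1"
  local rc=0
  # `--` stops option parsing, so a name beginning with '-' is looked up rather
  # than interpreted as an option.
  getent group -- "$name" &>/dev/null || rc=$?
  if (( rc == 0 )); then
    $S_LOG -s debug -d "$S_NAME" "Group [${name}] does exist.."
    # Explicit so the result does not depend on the logger's exit status.
    return 0
  fi
  $S_LOG -s crit -d "$S_NAME" "Group [${name}] does not exist."
  return "$rc"
}
export -f group_exists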
# Apply ownership to a path
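#######################################
# Apply user:group ownership to a path.
# A directory is walked recursively; anything else is treated as a name prefix:
# every entry of the parent directory whose name starts with the basename is
# chowned (so "/var/log/app" also covers "/var/log/app.1" — and any other
# sibling sharing that prefix).
# Globals:   S_LOG, S_NAME (read); run_cmd_quiet (called)
# Arguments: $1 - path or name prefix
#            $2 - group
#            $3 - user (defaults to root)
# Returns:   1 on bad arguments, otherwise the status of run_cmd_quiet
#######################################
enforce_ownership() {
  if (( $# < 2 )); then
    $S_LOG -s err -d "$S_NAME" "Usage: enforce_ownership <path> <group> [user=root]"
    return 1
  fi
  local path="$1"
  local group="$2"
  local user="${3:-root}" # Default user is root if not provided
  # The path is handed to run_cmd_quiet wrapped in literal single quotes, which
  # only makes sense if that helper re-parses the command string (not visible
  # here — confirm). A quote inside the path would then end the quoting and let
  # the remainder be interpreted as shell syntax, so refuse such paths up front.
  if [[ "$path" == *"'"* ]]; then
    $S_LOG -s err -d "$S_NAME" "Refusing path containing a single quote: [${path}]"
    return 1
  fi
  if [[ -d "$path" ]]; then
    run_cmd_quiet find \'$path\' -exec chown --changes "$user:$group" {} +
  else
    # Prefix match in the parent directory, one level deep only.
    run_cmd_quiet find \'${path%/*}\' -maxdepth 1 -name \'${path##*/}*\' -exec chown --changes "$user:$group" {} +
  fi
}
export -f enforce_ownership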
# Apply permissions to a path (file or directory)
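#######################################
# Apply a named permission profile to a path (file, directory tree or prefix).
# Directories get <dperm> plus a default ACL so new entries inherit the profile;
# regular files get <fperm>. A path that is an existing directory and carries no
# '*' is walked recursively; anything else is treated as a name prefix in the
# parent directory (one level deep).
# Profiles:
#   public_conf|public_log|public_data  755 / 644, world-readable
#   conf|log|data                        750 / 640, group-readable only
#   exec                                 750 / 750, group may execute files
#   secret                               700 / 600, owner only
# Globals:   S_LOG, S_NAME (read); run_cmd_quiet (called)
# Arguments: $1 - profile name (see above)
#            $2 - path or name prefix
# Returns:   1 on bad arguments or an unknown profile, otherwise the status of
#            the last run_cmd_quiet call
#######################################
enforce_permissions() {
  if (( $# < 2 )); then
    $S_LOG -s err -d "$S_NAME" "Usage: enforce_permissions <operation> <path>"
    return 1
  fi
  local operation="$1"
  local path="$2"
  # The path is handed to run_cmd_quiet wrapped in literal single quotes, which
  # only makes sense if that helper re-parses the command string (not visible
  # here — confirm). A quote inside the path would then end the quoting and let
  # the remainder be interpreted as shell syntax, so refuse such paths up front.
  if [[ "$path" == *"'"* ]]; then
    $S_LOG -s err -d "$S_NAME" "Refusing path containing a single quote: [${path}]"
    return 1
  fi
  # Kept nested so the helper travels with `export -f enforce_permissions`
  # (assumption — confirm). Bash defines it globally on the first call.
  set_perms() {
    local dperm="$1" fperm="$2" def_acl="$3"
    # ACL letters: r read, w write, x execute, X execute only for directories
    # or files that already have an execute bit, '-' nothing.
    if [[ "$path" != *"*"* && -d "$path" ]]; then
      run_cmd_quiet find \'$path\' -type d -exec setfacl --default --set "$def_acl" {} +
      run_cmd_quiet find \'$path\' -type d -exec chmod --changes "$dperm" {} +
      run_cmd_quiet find \'$path\' -type f -exec chmod --changes "$fperm" {} +
    else
      local parent="${path%/*}"
      local pattern="${path##*/}*"
      run_cmd_quiet find \'$parent\' -maxdepth 1 -name \'$pattern\' -type d -exec setfacl --default --set "$def_acl" {} +
      run_cmd_quiet find \'$parent\' -maxdepth 1 -name \'$pattern\' -type d -exec chmod --changes "$dperm" {} +
      run_cmd_quiet find \'$parent\' -maxdepth 1 -name \'$pattern\' -type f -exec chmod --changes "$fperm" {} +
    fi
  }
  case "$operation" in
    public_conf|public_log|public_data)
      set_perms 755 644 "u::rwX,g::r-X,o::r-X"
      ;;
    conf|log|data)
      set_perms 750 640 "u::rwX,g::r-X,o::---"
      ;;
    exec)
      set_perms 750 750 "u::rwx,g::r-x,o::---"
      ;;
    secret)
      set_perms 700 600 "u::rwX,g::---,o::---"
      ;;
    *)
      $S_LOG -s err -d "$S_NAME" "Invalid operation: $operation"
      return 1
      ;;
  esac
}
export -f enforce_permissions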
# Apply security settings to a path (file or directory)
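#######################################
# Apply the full security baseline to a path: strip extended ACLs (directory
# trees only), then ownership, then the named permission profile.
# Globals:   S_LOG, S_NAME (read); run_cmd_silent, enforce_ownership,
#            enforce_permissions (called)
# Arguments: $1 - permission profile (see enforce_permissions)
#            $2 - path or name prefix
#            $3 - group (defaults to root)
#            $4 - user (defaults to root)
# Returns:   1 on bad arguments; otherwise 0 when every step succeeded, else
#            the status of the last step that failed. All steps are attempted
#            even if an earlier one fails, so permissions are still tightened
#            when ownership cannot be changed.
#######################################
enforce_security() {
  if (( $# < 2 )); then
    $S_LOG -s err -d "$S_NAME" "Usage: enforce_security <operation> <path> [group=root] [user=root]"
    return 1
  fi
  local operation="$1"
  local path="$2"
  local group="${3:-root}" # Default group is root if not provided
  local user="${4:-root}" # Default user is root if not provided
  # The path is handed to run_cmd_silent wrapped in literal single quotes, which
  # only makes sense if that helper re-parses the command string (not visible
  # here — confirm). A quote inside the path would then end the quoting and let
  # the remainder be interpreted as shell syntax, so refuse such paths up front.
  if [[ "$path" == *"'"* ]]; then
    $S_LOG -s err -d "$S_NAME" "Refusing path containing a single quote: [${path}]"
    return 1
  fi
  local rc=0
  # Remove all extended ACL entries on dir (base owner/group/other entries stay).
  # Only done for a real directory named without a '*'; prefix patterns are not
  # touched here.
  if [[ "$path" != *"*"* && -d "$path" ]]; then
    run_cmd_silent setfacl --recursive --remove-all \'$path\' || rc=$?
  fi
  enforce_ownership "$path" "$group" "$user" || rc=$?
  enforce_permissions "$operation" "$path" || rc=$?
  return "$rc"
}
export -f enforce_security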