diff --git a/etc/accounts.cf b/etc/accounts.cf
index 8f7f46c..79ae37d 100644
--- a/etc/accounts.cf
+++ b/etc/accounts.cf
@@ -6,7 +6,6 @@ member_min_id = 20001
 member_max_id = 29999
 member_shell = "/bin/bash"
 member_home = "/users"
-member_home_acl = "u::rwx,g::rx,o::rx"
 member_home_skel = "/users/skel"
 
 ### Club Account Options ###
@@ -15,7 +14,6 @@ club_min_id = 30001
 club_max_id = 39999
 club_shell = "/bin/bash"
 club_home = "/users"
-club_home_acl = "A+group:%s:rwpRAxaWdDcCs:fd:allow"
 club_home_skel = "/users/skel"
 
 ### Administrative Account Options ###
diff --git a/src/homedir.c b/src/homedir.c
index b808fcd..bf17ba6 100644
--- a/src/homedir.c
+++ b/src/homedir.c
@@ -11,7 +11,23 @@
 #include "util.h"
 #include "config.h"
 
-int ceo_create_home(char *homedir, char *skel, uid_t uid, gid_t gid) {
+static int set_acl(char *dir, char *acl_text, acl_type_t type) {
+ acl_t acl = acl_from_text(acl_text);
+ if (acl == (acl_t)NULL) {
+ errorpe("acl_from_text: %s", acl_text);
+ return -1;
+ }
+ if (acl_set_file(dir, type, acl) != 0) {
+ errorpe("acl_set_file: %s %s 0x%X %p", acl_text, dir, (int)type, (void*)acl);
+ acl_free(acl);
+ return -1;
+ }
+ acl_free(acl);
+
+ return 0;
+}
+
+int ceo_create_home(char *homedir, char *skel, uid_t uid, gid_t gid, char *access_acl, char *default_acl) {
 int mask;
 DIR *skeldir;
 struct dirent *skelent;
@@ -23,6 +39,11 @@ int ceo_create_home(char *homedir, char *skel, uid_t uid, gid_t gid) {
 return -1;
 }
 
+ if (access_acl && set_acl(homedir, access_acl, ACL_TYPE_ACCESS) != 0)
+ return -1;
+ if (default_acl && set_acl(homedir, default_acl, ACL_TYPE_DEFAULT) != 0)
+ return -1;
+
 skeldir = opendir(skel);
 if (!skeldir) {
 errorpe("failed to open %s", skel);
diff --git a/src/homedir.h b/src/homedir.h
index 0637867..9dc8b54 100644
--- a/src/homedir.h
+++ b/src/homedir.h
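Review bot: `set_acl` hands whatever `acl_from_text` parsed straight to `acl_set_file`, so a syntactically fine but structurally invalid ACL text (a named `g:` entry without an `m::` mask, a missing owner entry) only surfaces as a bare EINVAL from the setxattr path in the `acl_set_file` error line, with the text, path and a pointer value but no hint of what is wrong. Calling `acl_valid()` between the two steps rejects such an ACL with a message that names the broken text rather than the syscall. The `dir` and `acl_text` parameters are never written through and could be `const char *`. `acl_t`/`acl_type_t` come from `<sys/acl.h>`; the hunk's context shows only the project headers, so confirm that include is already present higher in the file.
```c
    /* … unchanged: acl_from_text and its NULL check … */
    /* catch an ACL that parses but cannot be stored (e.g. named entries
       with no mask) here, with the text in the message, rather than as a
       bare EINVAL out of acl_set_file */
    if (acl_valid(acl) != 0) {
        errorpe("acl_valid: %s", acl_text);
        acl_free(acl);
        return -1;
    }
    if (acl_set_file(dir, type, acl) != 0) {
    /* … unchanged: acl_set_file error path, acl_free, return 0 … */
```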
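Review bot: The two `set_acl` calls sit after the directory-creation error check and before `opendir(skel)`, and that order is load-bearing — the `ACL_TYPE_DEFAULT` entry has to be on the directory before the skeleton entries are copied into it, or the copies will not inherit it — but nothing in the hunk says so, and a later reorder would silently lose the inheritance. A comment above the first `if` would pin it: `/* ACLs go on before the skel copy so copied entries inherit the default ACL */`. Note also that when either `set_acl` fails the function returns -1 with the already-created directory left in place carrying only its mkdir mode; that matches how the skel failure paths below behave, but the op-adduser callers only log EHOME and carry on, so the home survives with weaker permissions than intended. `ceo_create_home` begins and ends outside this hunk.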
@@ -1,3 +1,5 @@
 #include
 
-int ceo_create_home(char *homedir, char *skel, uid_t uid, gid_t gid);
+#define CLUB_ACL "u::rwx,g::r-x,o::r-x,g:%d:rwx,m::rwx"
+
+int ceo_create_home(char *homedir, char *skel, uid_t uid, gid_t gid, char *access_acl, char *default_acl);
diff --git a/src/op-adduser.c b/src/op-adduser.c
index b1465cc..e9a05c0 100644
--- a/src/op-adduser.c
+++ b/src/op-adduser.c
@@ -171,7 +171,7 @@ static int32_t addmember(Ceo__AddUser *in, Ceo__AddUserResponse *out) {
 else
 response_message(out, 0, "successfully created ldap group");
 
-if ((home_stat = ceo_create_home(homedir, member_home_skel, id, id)))
+if ((home_stat = ceo_create_home(homedir, member_home_skel, id, id, NULL, NULL)))
 response_message(out, EHOME, "unable to create home directory for %s", in->username);
 else
 response_message(out, 0, "successfully created home directory");
@@ -182,16 +182,19 @@ static int32_t addmember(Ceo__AddUser *in, Ceo__AddUserResponse *out) {
 static int32_t addclub(Ceo__AddUser *in, Ceo__AddUserResponse *out) {
 char homedir[1024];
+ char acl[64];
 int krb_stat, user_stat, group_stat, sudo_stat, home_stat;
 int id;
 
- if (snprintf(homedir, sizeof(homedir), "%s/%s",
- club_home, in->username) >= sizeof(homedir))
+ if (snprintf(homedir, sizeof(homedir), "%s/%s", club_home, in->username) >= sizeof(homedir))
 fatal("homedir overflow");
 
 if ((id = ceo_new_uid(club_min_id, club_max_id)) <= 0)
 fatal("no available uids in range [%ld, %ld]", club_min_id, club_max_id);
 
+ if (snprintf(acl, sizeof(acl), CLUB_ACL, id) >= sizeof(acl))
+ fatal("acl overflow");
+
 if ((krb_stat = ceo_del_princ(in->username)))
 return response_message(out, EKERB, "unable to clear principal %s", in->username);
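Review bot: `CLUB_ACL` hard-codes a policy that accounts.cf used to carry at runtime (`member_home_acl` and `club_home_acl` are deleted in this commit), so the `o::r-x` entry — every club home traversable and listable by any local user — can now only be tightened by rebuilding ceo instead of editing the config. Whether that is acceptable depends on what lives in club homes; if it is deliberate, say so next to the define, and record that `%d` is the club's gid and that addclub applies the same text as both the access and the default ACL, e.g. `/* access + default ACL for a club home; %d = club gid (same number as its uid). o::r-x keeps club homes world-traversable */`. The `#include` line has lost its header name in this rendering; presumably it pulls in the header that declares `uid_t`/`gid_t`, and `acl_type_t` is not needed here since the prototype takes the ACLs as text.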
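Review bot: Members now pass `NULL, NULL`, so the explicit `u::rwx,g::rx,o::rx` that `member_home_acl` used to apply is gone and a member's home ends up with whatever mode `ceo_create_home`'s directory creation produces (outside this hunk, apparently governed by its `mask` local). If that mode is not 0755 the commit silently loosens or tightens member homes relative to the old config, and a writable group or other bits on a home directory is exactly the kind of drift that goes unnoticed; confirm the resulting mode, and consider keeping the member ACL configurable the way the club one was rather than dropping it. `addmember` begins and ends outside this hunk.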
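Review bot: The `g:%d:rwx` entry is formatted from `id`, the freshly allocated uid, so the ACL grants rwx to whichever group has that number; that is the club's group only if the LDAP group created further down in `addclub` (outside this hunk) is given the same id. The `id, id` arguments later passed as uid/gid show the intent, but nothing in the hunk enforces the coupling, and a mismatch would hand the directory to an unrelated group. A comment on the snprintf line would at least record it: `/* g:%d relies on the club's gid being allocated equal to its uid */`. The 64-byte buffer comfortably holds the 33-character template plus an int and the `>= sizeof(acl)` check is correct, so the overflow side is fine. `addclub` continues past the end of this hunk.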
@@ -212,7 +215,7 @@ static int32_t addclub(Ceo__AddUser *in, Ceo__AddUserResponse *out) {
 else
 response_message(out, 0, "successfully created ldap sudoers");
 
-if ((home_stat = ceo_create_home(homedir, club_home_skel, id, id)))
+if ((home_stat = ceo_create_home(homedir, club_home_skel, id, id, acl, acl)))
 response_message(out, EHOME, "unable to create home directory for %s", in->username);
 else
 response_message(out, 0, "successfully created home directory");