authorUbuntu <ubuntu@vps-7ebf666e.vps.ovh.net>2025-06-26 00:23:53 +0000
committerUbuntu <ubuntu@vps-7ebf666e.vps.ovh.net>2025-06-26 00:23:53 +0000
commitdd55f98281c1c0c28a5f8df3c87031bc84dd450d (patch)
tree22604ccce3a63a1db8d3c9b964acae15c87cf759 /setown.sh
custom scripts used to manage the public access systemHEADmaster
Diffstat (limited to 'setown.sh')
-rwxr-xr-xsetown.sh120
1 files changed, 120 insertions, 0 deletions
diff --git a/setown.sh b/setown.sh
new file mode 100755
index 0000000..062cc17
--- /dev/null
+++ b/setown.sh
@@ -0,0 +1,120 @@
+#!/bin/bash
+
+# Set the base directory
+BASE_DIR="/home/publicaccess/home"
+
+# Iterate over each directory inside /home/publicaccess/home/
+for dir in "$BASE_DIR"/*/; do
+ # Check if it's a directory
+ if [ -d "$dir" ]; then
+ # Extract the directory name (username)
+ cp motd.txt "$dir"/motd.txt
+
+ username=$(basename "$dir")
+ setfacl -m mask::rwx "$dir"
+
+ # Apply chmod 700 to the user's home directory to keep it secure
+ chown "$username:$username" "$dir"/motd.txt
+
+ # Set ownership of the home directory to the user
+ chown "$username:$username" "$dir"
+ # Set permissions so SSH can enter the dir, but no one else can list
+ setfacl -m u:"$username":rwx "$dir"
+ # Block access to this dir from all other users
+ for otherdir in "$BASE_DIR"/*; do
+ otheruser=$(basename "$otherdir")
+ if [ "$otheruser" != "$username" ]; then
+ setfacl -m u:$otheruser:0 "$dir"
+ fi
+
+ done
+
+ # Create or overwrite the .bashrc with environment restrictions
+ cat << 'EOF' > "$dir/.bashrc"
+# Restricted shell environment
+
+# Set and lock important variables
+export PATH="/bin:/usr/bin:/safecommands"
+export HOME="$HOME"
+export SHELL="/bin/bash"
+export TERM="xterm-256color"
+
+readonly PATH
+readonly HOME
+readonly SHELL
+readonly TERM
+
+# Disable export and unset commands
+export() {
+ echo "export: Command not allowed."
+}
+
+unset() {
+ echo "unset: Command not allowed."
+}
+
+# Disable direct use of 'git'
+git() {
+ echo "Direct use of 'git' is disabled. Use the git-init-h tool."
+}
+
+# Set noclobber option to prevent overwriting files
+set -o noclobber
+PS1='(KILLSWITCH PUBLIC ACCESS)$ '
+echo -e "`cat motd.txt`"
+
+# Welcome message
+echo "Welcome UUSER."
+
+EOF
+
+ # Create or overwrite the .bash_profile to source .bashrc
+ cat << 'EOF' > "$dir/.bash_profile"
+# Source the restricted .bashrc if it exists
+if [ -f ~/.bashrc ]; then
+ . ~/.bashrc
+fi
+
+PS1='(KILLSWITCH PUBLIC UNIX)$ '
+echo -e "`cat motd.txt`"
+EOF
+
+ # Set permissions: .bashrc and .bash_profile readable but NOT writable by user
+ chmod 755 "$dir/.bashrc"
+ chmod 755 "$dir/.bash_profile"
+
+ # Set ownership of .bashrc and .bash_profile to root:root
+ sudo chown root:root "$dir/.bashrc"
+ sudo chown root:root "$dir/.bash_profile"
+
+ # Set the permissions on the user's git directory so it's readable by everyone
+ git_dir="$dir/git"
+ sudo mkdir -p "$git_dir/listed"
+ # Ensure that the git directory exists
+ if [ -d "$git_dir" ]; then
+ # Set the permissions so the git directory is readable by everyone, but only writable by the owner
+ sudo chmod -R 755 "$git_dir"
+ sudo chown -R "$username:$username" "$git_dir"
+ fi
+
+ echo "Configured restricted shell for $username in $dir"
+ fi
+
+ sudo chown -R "$username":"$username" "$dir/.ssh"
+ chmod 701 "$dir"
+ chmod 600 /home/publicaccess/home/"$username"/.ssh/authorized_keys
+ chmod 700 /home/publicaccess/home/"$username"/.ssh
+ setfacl -m g::r-x "$dir"
+
+ setfacl -m mask::r-x "$dir"
+
+done
+setfacl -m g::r-x "/home/publicaccess/home"
+setfacl -m g::r-x "/home/publiccaccess"
+# Set the permissions for the shared git folder
+sudo chown root:root /srv/git/listed
+sudo chmod 755 /srv/git/listed
+sudo setfacl -R -m u:www-data:rx /srv/git/listed
+
+echo "Completed applying permissions, ownership, and restrictions to all directories inside $BASE_DIR."
+
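Review bot: The "restricted shell" written into `.bashrc` (functions shadowing `export`/`unset`/`git`, `readonly PATH`) is not an enforcement boundary: a user can run `command git`, `/usr/bin/git` (PATH still contains `/usr/bin`), `builtin export`, or `bash --norc` and bypass all of it, and because the home directory itself is handed to the user on the `chown "$username:$username" "$dir"` line, the root-owned 755 `.bashrc`/`.bash_profile` can simply be unlinked and replaced with the user's own. If these accounts are meant to be confined, enforce it in sshd (`Match User`/`ForceCommand`, or `command="..."` in `authorized_keys`, with the account's login shell set to a restricted one) and treat the dotfiles as cosmetic. Two smaller defects in the same hunk: `setfacl -m u:$otheruser:0 "$dir"` leaves `$otheruser` unquoted (should be `u:"$otheruser":0`), and the final `setfacl -m g::r-x "/home/publiccaccess"` misspells the path, so it fails silently since the script never sets `set -e`. The generated `echo -e "\`cat motd.txt\`"` also reads `motd.txt` relative to the current directory and passes user-writable content through `echo -e`; `cat -- "$HOME/motd.txt"` is the safer form if the banner must be printed from the dotfile at all.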