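#!/usr/bin/env bash
#
# Provision a restricted login environment for every user directory under
# $BASE_DIR.  For each directory (one per user) the script:
#   - copies ./motd.txt into the home directory,
#   - gives the home directory to the user, sets mode 701 and ACLs so that
#     other provisioned users cannot enter or list it,
#   - installs root-owned ~/.bashrc and ~/.bash_profile that shadow the
#     export/unset builtins and the git command,
#   - normalises ownership/mode of ~/git and ~/.ssh,
# and finally fixes the mode of the shared /srv/git/listed tree.
#
# Must run as root (chown/setfacl on other users' files) from the directory
# that holds motd.txt.
#
# SECURITY NOTES
#   * The .bashrc "restrictions" (readonly PATH, shadowed builtins, shadowed
#     git, noclobber) are a convenience layer, NOT a security boundary: they
#     are bypassed by `ssh host bash --norc`, `builtin export`, `enable`,
#     absolute paths, or any other interpreter.  Because the user owns the
#     home directory they can also unlink/replace the root-owned rc files
#     and strip the ACLs (`setfacl -b ~`).  Real enforcement needs a
#     restricted login shell (rbash), sshd ForceCommand, or a container —
#     TODO confirm which of these the deployment relies on.
#   * This script runs as root inside directories the users own.  Every
#     write into those directories goes through place_file() and every
#     chmod/chown is guarded against symlinks, so a user cannot plant a
#     symlink (e.g. ~/.bashrc -> /etc/passwd, ~/git -> /etc) and have root
#     follow it on the next run.

set -uo pipefail
# An empty $BASE_DIR must iterate zero times, not over the literal "*/".
shopt -s nullglob

BASE_DIR="/home/publicaccess/home"
readonly BASE_DIR
MOTD_SRC="motd.txt"
readonly MOTD_SRC
SHARED_GIT_DIR="/srv/git/listed"
readonly SHARED_GIT_DIR

warn() { printf 'warning: %s\n' "$*" >&2; }
die()  { printf 'error: %s\n' "$*" >&2; exit 1; }

#######################################
# Atomically place a file into a directory the user controls.
# A plain `cp`/`cat >` run as root would follow a user-planted symlink at
# the destination and overwrite an arbitrary file; mktemp (O_EXCL) plus
# rename(2) never follows a symlink at the destination.
# Arguments: $1 destination path, $2 owner[:group], $3 octal mode
# Inputs:    file content on stdin
# Returns:   0 on success, non-zero if any step failed (temp file removed)
#######################################
place_file() {
  local dest=$1 owner=$2 mode=$3 tmp rc
  if [[ -d "$dest" && ! -L "$dest" ]]; then
    warn "$dest is a directory; refusing to replace it"
    return 1
  fi
  tmp=$(mktemp -- "${dest}.XXXXXX") || return 1
  cat > "$tmp" \
    && chown -- "$owner" "$tmp" \
    && chmod -- "$mode" "$tmp" \
    && mv -f -- "$tmp" "$dest"
  rc=$?
  (( rc != 0 )) && rm -f -- "$tmp"
  return "$rc"
}

[[ $EUID -eq 0 ]] || die "must run as root (chown/setfacl on other users' files)"
[[ -d "$BASE_DIR" ]] || die "base directory $BASE_DIR does not exist"
[[ -f "$MOTD_SRC" ]] || die "$MOTD_SRC not found in $PWD; run from the directory that holds it"
command -v setfacl >/dev/null 2>&1 || die "setfacl not installed (acl package)"

# Collect the user names up front: one per directory in $BASE_DIR, and only
# names that are real accounts — chown/setfacl reject unknown users, and the
# per-user deny ACLs below must not include stray files or bogus names.
users=()
for d in "$BASE_DIR"/*/; do
  name=${d%/}
  name=${name##*/}
  if id -u "$name" >/dev/null 2>&1; then
    users+=("$name")
  else
    warn "skipping $d: no such user '$name'"
  fi
done
(( ${#users[@]} > 0 )) || die "no user directories found under $BASE_DIR"

for username in "${users[@]}"; do
  dir="$BASE_DIR/$username"

  # --- message of the day -------------------------------------------------
  # motd.txt is owned by the user, so its content is user-controlled; the
  # generated .bashrc renders it with `echo -e`, which only affects the
  # user's own terminal.
  place_file "$dir/motd.txt" "$username:$username" 644 < "$MOTD_SRC" \
    || warn "could not install motd into $dir"

  # --- home directory ownership and visibility ----------------------------
  chown -- "$username:$username" "$dir"
  # Mode 701: owner full, group nothing, others traverse-only, so a path
  # through the home directory (e.g. into ~/git) stays reachable while the
  # directory itself cannot be listed.  The named-user ACL entries then deny
  # even traversal to every other provisioned user.  The final mask::r-x
  # caps every group-class entry (named users and g::) at r-x.
  chmod 701 "$dir"
  setfacl -m "u:$username:rwx" "$dir"
  for other in "${users[@]}"; do
    [[ "$other" == "$username" ]] && continue
    setfacl -m "u:$other:0" "$dir"
  done
  setfacl -m g::r-x "$dir"
  setfacl -m mask::r-x "$dir"

  # --- restricted login environment ---------------------------------------
  # Quoted heredoc: nothing expands now; $HOME, `cat motd.txt` etc. are
  # evaluated at login time, in the user's home directory.
  # NOTE(review): "UUSER" in the welcome line looks like an unsubstituted
  # placeholder — confirm whether $USER was intended.
  place_file "$dir/.bashrc" root:root 644 <<'EOF' \
    || warn "could not install .bashrc for $username"
# Restricted shell environment
# Set and lock important variables
export PATH="/bin:/usr/bin:/safecommands"
export HOME="$HOME"
export SHELL="/bin/bash"
export TERM="xterm-256color"
readonly PATH
readonly HOME
readonly SHELL
readonly TERM
# Disable export and unset commands
export() { echo "export: Command not allowed."; }
unset() { echo "unset: Command not allowed."; }
# Disable direct use of 'git'
git() { echo "Direct use of 'git' is disabled. Use the git-init-h tool."; }
# Set noclobber option to prevent overwriting files
set -o noclobber
PS1='(KILLSWITCH PUBLIC ACCESS)$ '
echo -e "$(cat motd.txt)"
# Welcome message
echo "Welcome UUSER."
EOF

  # .bash_profile sources .bashrc and then overrides its PS1.
  place_file "$dir/.bash_profile" root:root 644 <<'EOF' \
    || warn "could not install .bash_profile for $username"
# Source the restricted .bashrc if it exists
if [ -f ~/.bashrc ]; then
    . ~/.bashrc
fi
PS1='(KILLSWITCH PUBLIC UNIX)$ '
echo -e "$(cat motd.txt)"
EOF

  # --- per-user git directory: world-readable, user-writable --------------
  git_dir="$dir/git"
  if [[ -L "$git_dir" ]]; then
    warn "$git_dir is a symlink; leaving it alone"
  else
    mkdir -p -- "$git_dir/listed" || warn "could not create $git_dir/listed"
    if [[ -d "$git_dir" ]]; then
      chmod -R 755 -- "$git_dir"
      chown -R -- "$username:$username" "$git_dir"
    fi
  fi

  # --- ~/.ssh: sshd refuses keys in a group/world-accessible directory -----
  ssh_dir="$dir/.ssh"
  if [[ -d "$ssh_dir" && ! -L "$ssh_dir" ]]; then
    chown -R -- "$username:$username" "$ssh_dir"
    chmod 700 -- "$ssh_dir"
    if [[ -f "$ssh_dir/authorized_keys" && ! -L "$ssh_dir/authorized_keys" ]]; then
      chmod 600 -- "$ssh_dir/authorized_keys"
    else
      warn "no regular authorized_keys file in $ssh_dir"
    fi
  else
    warn "no regular .ssh directory in $dir"
  fi

  echo "Configured restricted shell for $username in $dir"
done

# The parent directories need g::r-x so the group class can reach the
# per-user directories above.  (The original script spelled the second
# path "/home/publiccaccess", which does not exist; it is BASE_DIR's parent.)
setfacl -m g::r-x "$BASE_DIR"
setfacl -m g::r-x "${BASE_DIR%/*}"

# Shared, world-readable git listing, additionally granted to www-data.
if [[ -d "$SHARED_GIT_DIR" && ! -L "$SHARED_GIT_DIR" ]]; then
  chown root:root -- "$SHARED_GIT_DIR"
  chmod 755 -- "$SHARED_GIT_DIR"
  setfacl -R -m u:www-data:rx "$SHARED_GIT_DIR"
else
  warn "$SHARED_GIT_DIR is missing or a symlink; skipping"
fi

echo "Completed applying permissions, ownership, and restrictions to all directories inside $BASE_DIR."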