1#!/bin/sh 2# 3# SPDX-License-Identifier: BSD-2-Clause 4# 5# Copyright (c) 2002-2004 Michael Telahun Makonnen. All rights reserved. 6# 7# Redistribution and use in source and binary forms, with or without 8# modification, are permitted provided that the following conditions 9# are met: 10# 1. Redistributions of source code must retain the above copyright 11# notice, this list of conditions and the following disclaimer. 12# 2. Redistributions in binary form must reproduce the above copyright 13# notice, this list of conditions and the following disclaimer in the 14# documentation and/or other materials provided with the distribution. 15# 16# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26# 27# Email: Mike Makonnen <mtm@FreeBSD.Org> 28# 29# 30 31# err msg 32# Display $msg on stderr, unless we're being quiet. 33# 34err() { 35 if [ -z "$quietflag" ]; then 36 echo 1>&2 ${THISCMD}: ERROR: $* 37 fi 38} 39 40# info msg 41# Display $msg on stdout, unless we're being quiet. 42# 43info() { 44 if [ -z "$quietflag" ]; then 45 echo ${THISCMD}: INFO: $* 46 fi 47} 48 49# get_nextuid 50# Output the value of $_uid if it is available for use. If it 51# is not, output the value of the next higher uid that is available. 52# If a uid is not specified, output the first available uid, as indicated 53# by pw(8). 54# 55get_nextuid () { 56 _uid=$1 57 _nextuid= 58 59 if [ -z "$_uid" ]; then 60 _nextuid="`${PWCMD} usernext | cut -f1 -d:`" 61 else 62 while : ; do 63 ${PWCMD} usershow $_uid > /dev/null 2>&1 64 if [ ! "$?" -eq 0 ]; then 65 _nextuid=$_uid 66 break 67 fi 68 _uid=$(($_uid + 1)) 69 done 70 fi 71 echo $_nextuid 72} 73 74# show_usage 75# Display usage information for this utility. 76# 77show_usage() { 78 echo "usage: ${THISCMD} [options]" 79 echo " options may include:" 80 echo " -C save to the configuration file only" 81 echo " -D do not attempt to create the home directory" 82 echo " -E disable this account after creation" 83 echo " -G additional groups to add accounts to" 84 echo " -L login class of the user" 85 echo " -M file permission for home directory" 86 echo " -N do not read configuration file" 87 echo " -Z do not attempt to create ZFS home dataset" 88 echo " -S a nonexistent shell is not an error" 89 echo " -d home directory" 90 echo " -f file from which input will be received" 91 echo " -g default login group" 92 echo " -h display this usage message" 93 echo " -k path to skeleton home directory" 94 echo " -m user welcome message file" 95 echo " -q absolute minimal user feedback" 96 echo " -s shell" 97 echo " -u uid to start at" 98 echo " -w password type: no, none, yes or random" 99} 100 101# valid_shells 102# Outputs a list of valid shells from /etc/shells. Only the 103# basename of the shell is output. 104# 105valid_shells() { 106 _prefix= 107 cat ${ETCSHELLS} | 108 while read _path _junk ; do 109 case $_path in 110 \#*|'') 111 ;; 112 *) 113 echo -n "${_prefix}`basename $_path`" 114 _prefix=' ' 115 ;; 116 esac 117 done 118 119 # /usr/sbin/nologin is a special case 120 [ -x "${NOLOGIN_PATH}" ] && echo -n " ${NOLOGIN}" 121} 122 123# fullpath_from_shell shell 124# Given $shell, which is either the full path to a shell or 125# the basename component of a valid shell, get the 126# full path to the shell from the /etc/shells file. 127# 128fullpath_from_shell() { 129 _shell=$1 130 [ -z "$_shell" ] && return 1 131 132 # /usr/sbin/nologin is a special case; it needs to be handled 133 # before the cat | while loop, since a 'return' from within 134 # a subshell will not terminate the function's execution, and 135 # the path to the nologin shell might be printed out twice. 136 # 137 if [ "$_shell" = "${NOLOGIN}" -o \ 138 "$_shell" = "${NOLOGIN_PATH}" ]; then 139 echo ${NOLOGIN_PATH} 140 return 0; 141 fi 142 143 cat ${ETCSHELLS} | 144 while read _path _junk ; do 145 case "$_path" in 146 \#*|'') 147 ;; 148 *) 149 if [ "$_path" = "$_shell" -o \ 150 "`basename $_path`" = "$_shell" ]; then 151 echo $_path 152 return 0 153 fi 154 ;; 155 esac 156 done 157 158 return 1 159} 160 161# shell_exists shell 162# If the given shell is listed in ${ETCSHELLS} or it is 163# the nologin shell this function will return 0. 164# Otherwise, it will return 1. If shell is valid but 165# the path is invalid or it is not executable it 166# will emit an informational message saying so. 167# 168shell_exists() { 169 _sh="$1" 170 _shellchk="${GREPCMD} '^$_sh$' ${ETCSHELLS} > /dev/null 2>&1" 171 172 if ! eval $_shellchk; then 173 # The nologin shell is not listed in /etc/shells. 174 if [ "$_sh" != "${NOLOGIN_PATH}" ]; then 175 err "Invalid shell ($_sh) for user $username." 176 return 1 177 fi 178 fi 179 ! [ -x "$_sh" ] && 180 info "The shell ($_sh) does not exist or is not executable." 181 182 return 0 183} 184 185# save_config 186# Save some variables to a configuration file. 187# Note: not all script variables are saved, only those that 188# it makes sense to save. 189# 190save_config() { 191 echo "# Configuration file for adduser(8)." > ${ADDUSERCONF} 192 echo "# NOTE: only *some* variables are saved." >> ${ADDUSERCONF} 193 echo "# Last Modified on `${DATECMD}`." >> ${ADDUSERCONF} 194 echo '' >> ${ADDUSERCONF} 195 echo "defaultHomePerm=$uhomeperm" >> ${ADDUSERCONF} 196 echo "defaultLgroup=$ulogingroup" >> ${ADDUSERCONF} 197 echo "defaultclass=$uclass" >> ${ADDUSERCONF} 198 echo "defaultgroups=$ugroups" >> ${ADDUSERCONF} 199 echo "passwdtype=$passwdtype" >> ${ADDUSERCONF} 200 echo "homeprefix=$homeprefix" >> ${ADDUSERCONF} 201 echo "defaultshell=$ushell" >> ${ADDUSERCONF} 202 echo "udotdir=$udotdir" >> ${ADDUSERCONF} 203 echo "msgfile=$msgfile" >> ${ADDUSERCONF} 204 echo "disableflag=$disableflag" >> ${ADDUSERCONF} 205 echo "uidstart=$uidstart" >> ${ADDUSERCONF} 206} 207 208# add_user 209# Add a user to the user database. If the user chose to send a welcome 210# message or lock the account, do so. 211# 212add_user() { 213 214 # Is this a configuration run? If so, don't modify user database. 215 # 216 if [ -n "$configflag" ]; then 217 save_config 218 return 219 fi 220 221 _uid= 222 _name= 223 _comment= 224 _gecos= 225 _home= 226 _group= 227 _grouplist= 228 _shell= 229 _class= 230 _dotdir= 231 _expire= 232 _pwexpire= 233 _passwd= 234 _upasswd= 235 _passwdmethod= 236 237 _name="-n '$username'" 238 [ -n "$uuid" ] && _uid='-u "$uuid"' 239 [ -n "$ulogingroup" ] && _group='-g "$ulogingroup"' 240 [ -n "$ugroups" ] && _grouplist='-G "$ugroups"' 241 [ -n "$ushell" ] && _shell='-s "$ushell"' 242 [ -n "$uclass" ] && _class='-L "$uclass"' 243 [ -n "$ugecos" ] && _comment='-c "$ugecos"' 244 [ -n "$udotdir" ] && _dotdir='-k "$udotdir"' 245 [ -n "$uexpire" ] && _expire='-e "$uexpire"' 246 [ -n "$upwexpire" ] && _pwexpire='-p "$upwexpire"' 247 if [ -z "$Dflag" -a -n "$uhome" ]; then 248 # The /nonexistent home directory is special. It 249 # means the user has no home directory. 250 if [ "$uhome" = "$NOHOME" ]; then 251 _home='-d "$uhome"' 252 else 253 # Use home directory permissions if specified 254 if [ -n "$uhomeperm" ]; then 255 _home='-m -d "$uhome" -M "$uhomeperm"' 256 else 257 _home='-m -d "$uhome"' 258 fi 259 fi 260 elif [ -n "$Dflag" -a -n "$uhome" ]; then 261 _home='-d "$uhome"' 262 fi 263 case $passwdtype in 264 no) 265 _passwdmethod="-w no" 266 _passwd="-h -" 267 ;; 268 yes) 269 # Note on processing the password: The outer double quotes 270 # make literal everything except ` and \ and $. 271 # The outer single quotes make literal ` and $. 272 # We can ensure the \ isn't treated specially by specifying 273 # the -r switch to the read command used to obtain the input. 274 # 275 _passwdmethod="-w yes" 276 _passwd="-h 0" 277 _upasswd='echo "$upass" |' 278 ;; 279 none) 280 _passwdmethod="-w none" 281 ;; 282 random) 283 _passwdmethod="-w random" 284 ;; 285 esac 286 287 # create ZFS dataset before home directory is created with pw 288 if [ "${Zcreate}" = "yes" ]; then 289 if [ "${Zencrypt}" = "yes" ]; then 290 echo "Enter encryption keyphrase for ZFS dataset (${zhome}):" 291 fi 292 if [ -n "$BSDINSTALL_CHROOT" ]; then 293 create_zfs_chrooted_dataset 294 else 295 create_zfs_dataset 296 if [ "$?" -ne 0 ]; then 297 err "There was an error adding user ($username)." 298 return 1 299 fi 300 fi 301 fi 302 303 _pwcmd="$_upasswd ${PWCMD} useradd $_uid $_name $_group $_grouplist $_comment" 304 _pwcmd="$_pwcmd $_shell $_class $_home $_dotdir $_passwdmethod $_passwd" 305 _pwcmd="$_pwcmd $_expire $_pwexpire" 306 307 if ! _output=`eval $_pwcmd` ; then 308 err "There was an error adding user ($username)." 309 return 1 310 else 311 info "Successfully added ($username) to the user database." 312 if [ "random" = "$passwdtype" ]; then 313 randompass="$_output" 314 info "Password for ($username) is: $randompass" 315 fi 316 fi 317 318 if [ -n "$disableflag" ]; then 319 if ${PWCMD} lock $username ; then 320 info "Account ($username) is locked." 321 else 322 info "Account ($username) could NOT be locked." 323 fi 324 fi 325 326 # give newly created user permissions to their home zfs dataset 327 if [ "${Zcreate}" = "yes" ]; then 328 set_zfs_perms 329 if [ -n "$BSDINSTALL_CHROOT" ]; then 330 umount_legacy_zfs 331 fi 332 fi 333 334 _line= 335 _owner= 336 _perms= 337 if [ -n "$msgflag" ]; then 338 [ -r "$msgfile" ] && { 339 # We're evaluating the contents of an external file. 340 # Let's not open ourselves up for attack. _perms will 341 # be empty if it's writeable only by the owner. _owner 342 # will *NOT* be empty if the file is owned by root. 343 # 344 _dir="`dirname $msgfile`" 345 _file="`basename $msgfile`" 346 _perms=`/usr/bin/find $_dir -name $_file -perm +07022 -prune` 347 _owner=`/usr/bin/find $_dir -name $_file -user 0 -prune` 348 if [ -z "$_owner" -o -n "$_perms" ]; then 349 err "The message file ($msgfile) may be writeable only by root." 350 return 1 351 fi 352 cat "$msgfile" | 353 while read _line ; do 354 eval echo "$_line" 355 done | ${MAILCMD} -s"Welcome" ${username} 356 info "Sent welcome message to ($username)." 357 } 358 fi 359} 360 361# get_user 362# Reads username of the account from standard input or from a global 363# variable containing an account line from a file. The username is 364# required. If this is an interactive session it will prompt in 365# a loop until a username is entered. If it is batch processing from 366# a file it will output an error message and return to the caller. 367# 368get_user() { 369 _input= 370 371 # No need to take down user names if this is a configuration saving run. 372 [ -n "$configflag" ] && return 373 374 while : ; do 375 if [ -z "$fflag" ]; then 376 echo -n "Username: " 377 read _input 378 else 379 _input="`echo "$fileline" | cut -f1 -d:`" 380 fi 381 382 # There *must* be a username, and it must not exist. If 383 # this is an interactive session give the user an 384 # opportunity to retry. 385 # 386 if [ -z "$_input" ]; then 387 err "You must enter a username!" 388 [ -z "$fflag" ] && continue 389 fi 390 ${PWCMD} usershow $_input > /dev/null 2>&1 391 if [ "$?" -eq 0 ]; then 392 err "User exists!" 393 [ -z "$fflag" ] && continue 394 fi 395 break 396 done 397 username="$_input" 398} 399 400# get_gecos 401# Reads extra information about the user. Can be used both in interactive 402# and batch (from file) mode. 403# 404get_gecos() { 405 _input= 406 407 # No need to take down additional user information for a configuration run. 408 [ -n "$configflag" ] && return 409 410 if [ -z "$fflag" ]; then 411 echo -n "Full name: " 412 read _input 413 else 414 _input="`echo "$fileline" | cut -f7 -d:`" 415 fi 416 ugecos="$_input" 417} 418 419# get_shell 420# Get the account's shell. Works in interactive and batch mode. It 421# accepts either the base name of the shell or the full path. 422# If an invalid shell is entered it will simply use the default shell. 423# 424get_shell() { 425 _input= 426 _fullpath= 427 ushell="$defaultshell" 428 429 # Make sure the current value of the shell is a valid one 430 if [ -z "$Sflag" ]; then 431 if ! shell_exists $ushell ; then 432 info "Using default shell ${defaultshell}." 433 ushell="$defaultshell" 434 fi 435 fi 436 437 if [ -z "$fflag" ]; then 438 echo -n "Shell ($shells) [`basename $ushell`]: " 439 read _input 440 else 441 _input="`echo "$fileline" | cut -f9 -d:`" 442 fi 443 if [ -n "$_input" ]; then 444 if [ -n "$Sflag" ]; then 445 ushell="$_input" 446 else 447 _fullpath=`fullpath_from_shell $_input` 448 if [ -n "$_fullpath" ]; then 449 ushell="$_fullpath" 450 else 451 err "Invalid shell ($_input) for user $username." 452 info "Using default shell ${defaultshell}." 453 ushell="$defaultshell" 454 fi 455 fi 456 fi 457} 458 459# get_homedir 460# Reads the account's home directory. Used both with interactive input 461# and batch input. 462# 463get_homedir() { 464 _input= 465 if [ -z "$fflag" ]; then 466 echo -n "Home directory [${homeprefix}/${username}]: " 467 read _input 468 else 469 _input="`echo "$fileline" | cut -f8 -d:`" 470 fi 471 472 if [ -n "$_input" ]; then 473 uhome="$_input" 474 # if this is a configuration run, then user input is the home 475 # directory prefix. Otherwise it is understood to 476 # be $prefix/$user 477 # 478 [ -z "$configflag" ] && homeprefix="`dirname $uhome`" || homeprefix="$uhome" 479 else 480 uhome="${homeprefix}/${username}" 481 fi 482} 483 484# get_homeperm 485# Reads the account's home directory permissions. 486# 487get_homeperm() { 488 uhomeperm=$defaultHomePerm 489 _input= 490 _prompt= 491 492 if [ -n "$uhomeperm" ]; then 493 _prompt="Home directory permissions [${uhomeperm}]: " 494 else 495 _prompt="Home directory permissions (Leave empty for default): " 496 fi 497 if [ -z "$fflag" ]; then 498 echo -n "$_prompt" 499 read _input 500 fi 501 502 if [ -n "$_input" ]; then 503 uhomeperm="$_input" 504 fi 505} 506 507# get_zfs_home 508# Determine if homeprefix is located on a ZFS filesystem and if 509# so, enable ZFS home dataset creation. 510# 511get_zfs_home() { 512 # check if zfs kernel module is loaded before attempting to run zfs to 513 # prevent loading the kernel module on systems that don't use ZFS 514 if ! "$KLDSTATCMD" -q -m zfs; then 515 Zcreate="no" 516 return 517 fi 518 zfs_homeprefix=`${ZFSCMD} list -Ho name "${homeprefix}" 2>/dev/null` 519 if [ "$?" -ne 0 ]; then 520 Zcreate="no" 521 elif [ -z "${zfs_homeprefix}" ]; then 522 Zcreate="no" 523 fi 524 zhome="${zfs_homeprefix}/${username}" 525} 526 527# get_uid 528# Reads a numeric userid in an interactive or batch session. Automatically 529# allocates one if it is not specified. 530# 531get_uid() { 532 uuid=${uidstart} 533 _input= 534 _prompt= 535 536 if [ -n "$uuid" ]; then 537 uuid=`get_nextuid $uuid` 538 _prompt="Uid [$uuid]: " 539 else 540 _prompt="Uid (Leave empty for default): " 541 fi 542 if [ -z "$fflag" ]; then 543 echo -n "$_prompt" 544 read _input 545 else 546 _input="`echo "$fileline" | cut -f2 -d:`" 547 fi 548 549 [ -n "$_input" ] && uuid=$_input 550 uuid=`get_nextuid $uuid` 551 uidstart=$uuid 552} 553 554# get_class 555# Reads login class of account. Can be used in interactive or batch mode. 556# 557get_class() { 558 uclass="$defaultclass" 559 _input= 560 _class=${uclass:-"default"} 561 562 if [ -z "$fflag" ]; then 563 echo -n "Login class [$_class]: " 564 read _input 565 else 566 _input="`echo "$fileline" | cut -f4 -d:`" 567 fi 568 569 [ -n "$_input" ] && uclass="$_input" 570} 571 572# get_logingroup 573# Reads user's login group. Can be used in both interactive and batch 574# modes. The specified value can be a group name or its numeric id. 575# This routine leaves the field blank if nothing is provided and 576# a default login group has not been set. The pw(8) command 577# will then provide a login group with the same name as the username. 578# 579get_logingroup() { 580 ulogingroup="$defaultLgroup" 581 _input= 582 583 if [ -z "$fflag" ]; then 584 echo -n "Login group [${ulogingroup:-$username}]: " 585 read _input 586 else 587 _input="`echo "$fileline" | cut -f3 -d:`" 588 fi 589 590 # Pw(8) will use the username as login group if it's left empty 591 [ -n "$_input" ] && ulogingroup="$_input" 592} 593 594# get_groups 595# Read additional groups for the user. It can be used in both interactive 596# and batch modes. 597# 598get_groups() { 599 ugroups="$defaultgroups" 600 _input= 601 _group=${ulogingroup:-"${username}"} 602 603 if [ -z "$configflag" ]; then 604 [ -z "$fflag" ] && echo -n "Login group is $_group. Invite $username" 605 [ -z "$fflag" ] && echo -n " into other groups? [$ugroups]: " 606 else 607 [ -z "$fflag" ] && echo -n "Enter additional groups [$ugroups]: " 608 fi 609 read _input 610 611 [ -n "$_input" ] && ugroups="$_input" 612} 613 614# get_expire_dates 615# Read expiry information for the account and also for the password. This 616# routine is used only from batch processing mode. 617# 618get_expire_dates() { 619 upwexpire="`echo "$fileline" | cut -f5 -d:`" 620 uexpire="`echo "$fileline" | cut -f6 -d:`" 621} 622 623# get_password 624# Read the password in batch processing mode. The password field matters 625# only when the password type is "yes" or "random". If the field is empty and the 626# password type is "yes", then it assumes the account has an empty passsword 627# and changes the password type accordingly. If the password type is "random" 628# and the password field is NOT empty, then it assumes the account will NOT 629# have a random password and set passwdtype to "yes." 630# 631get_password() { 632 # We may temporarily change a password type. Make sure it's changed 633 # back to whatever it was before we process the next account. 634 # 635 [ -n "$savedpwtype" ] && { 636 passwdtype=$savedpwtype 637 savedpwtype= 638 } 639 640 # There may be a ':' in the password 641 upass=${fileline#*:*:*:*:*:*:*:*:*:} 642 643 if [ -z "$upass" ]; then 644 case $passwdtype in 645 yes) 646 # if it's empty, assume an empty password 647 passwdtype=none 648 savedpwtype=yes 649 ;; 650 esac 651 else 652 case $passwdtype in 653 random) 654 passwdtype=yes 655 savedpwtype=random 656 ;; 657 esac 658 fi 659} 660 661# get_zfs_encryption 662# Ask user if they want to enable encryption on their ZFS home dataset. 663# 664get_zfs_encryption() { 665 _input= 666 _prompt="Enable ZFS encryption? (yes/no) [${Zencrypt}]: " 667 while : ; do 668 echo -n "$_prompt" 669 read _input 670 671 [ -z "$_input" ] && _input=$Zencrypt 672 case $_input in 673 [Nn][Oo]|[Nn]) 674 Zencrypt="no" 675 break 676 ;; 677 [Yy][Ee][Ss]|[Yy][Ee]|[Yy]) 678 Zencrypt="yes" 679 break 680 ;; 681 *) 682 # invalid answer; repeat loop 683 continue 684 ;; 685 esac 686 done 687 688 if [ "${Zencrypt}" = "yes" ]; then 689 zfsopt="-o encryption=on -o keylocation=prompt -o keyformat=passphrase" 690 fi 691} 692 693# create_zfs_chrooted_dataset 694# Create ZFS dataset owned by the user that was just added within a bsdinstall chroot 695# 696create_zfs_chrooted_dataset() { 697 if ! ${ZFSCMD} create -u ${zfsopt} "${zhome}"; then 698 err "There was an error creating ZFS dataset (${zhome})." 699 return 1 700 fi 701 ${ZFSCMD} set mountpoint=legacy "${zhome}" 702 ${MKDIRCMD} -p "${uhome}" 703 ${MOUNTCMD} -t zfs "${zhome}" "${uhome}" 704} 705 706# umount_legacy_zfs 707# Unmount ZFS home directory created as a legacy mount and switch inheritance 708# 709umount_legacy_zfs() { 710 ${UMOUNTCMD} "${uhome}" 711 ${ZFSCMD} inherit mountpoint "${zhome}" 712} 713 714# create_zfs_dataset 715# Create ZFS dataset owned by the user that was just added. 716# 717create_zfs_dataset() { 718 if ! ${ZFSCMD} create ${zfsopt} "${zhome}"; then 719 err "There was an error creating ZFS dataset (${zhome})." 720 return 1 721 else 722 info "Successfully created ZFS dataset (${zhome})." 723 fi 724} 725 726# set_zfs_perms 727# Give new user ownership of newly created zfs dataset. 728# 729set_zfs_perms() { 730 if ! ${ZFSCMD} allow "${username}" create,destroy,mount,snapshot "${zhome}"; then 731 err "There was an error setting permissions on ZFS dataset (${zhome})." 732 return 1 733 fi 734} 735 736# input_from_file 737# Reads a line of account information from standard input and 738# adds it to the user database. 739# 740input_from_file() { 741 _field= 742 743 while read -r fileline ; do 744 case "$fileline" in 745 \#*|'') 746 ;; 747 *) 748 get_user || continue 749 get_gecos 750 get_uid 751 get_logingroup 752 get_class 753 get_shell 754 get_homedir 755 get_zfs_home 756 get_homeperm 757 get_password 758 get_expire_dates 759 ugroups="$defaultgroups" 760 761 add_user 762 ;; 763 esac 764 done 765} 766 767# input_interactive 768# Prompts for user information interactively, and commits to 769# the user database. 770# 771input_interactive() { 772 _disable= 773 _pass= 774 _passconfirm= 775 _random="no" 776 _emptypass="no" 777 _usepass="yes" 778 _logingroup_ok="no" 779 _groups_ok="no" 780 _all_ok="yes" 781 _another_user="no" 782 case $passwdtype in 783 none) 784 _emptypass="yes" 785 _usepass="yes" 786 ;; 787 no) 788 _usepass="no" 789 ;; 790 random) 791 _random="yes" 792 ;; 793 esac 794 795 get_user 796 get_gecos 797 get_uid 798 799 # The case where group = user is handled elsewhere, so 800 # validate any other groups the user is invited to. 801 until [ "$_logingroup_ok" = yes ]; do 802 get_logingroup 803 _logingroup_ok=yes 804 if [ -n "$ulogingroup" -a "$username" != "$ulogingroup" ]; then 805 if ! ${PWCMD} show group $ulogingroup > /dev/null 2>&1; then 806 echo "Group $ulogingroup does not exist!" 807 _logingroup_ok=no 808 fi 809 fi 810 done 811 until [ "$_groups_ok" = yes ]; do 812 get_groups 813 _groups_ok=yes 814 for i in $ugroups; do 815 if [ "$username" != "$i" ]; then 816 if ! ${PWCMD} show group $i > /dev/null 2>&1; then 817 echo "Group $i does not exist!" 818 _groups_ok=no 819 fi 820 fi 821 done 822 done 823 824 get_class 825 get_shell 826 get_homedir 827 get_homeperm 828 get_zfs_home 829 [ "$Zcreate" = "yes" ] && get_zfs_encryption 830 831 while : ; do 832 echo -n "Use password-based authentication? [$_usepass]: " 833 read _input 834 [ -z "$_input" ] && _input=$_usepass 835 case $_input in 836 [Nn][Oo]|[Nn]) 837 passwdtype="no" 838 ;; 839 [Yy][Ee][Ss]|[Yy][Ee]|[Yy]) 840 while : ; do 841 echo -n "Use an empty password? (yes/no) [$_emptypass]: " 842 read _input 843 [ -n "$_input" ] && _emptypass=$_input 844 case $_emptypass in 845 [Nn][Oo]|[Nn]) 846 echo -n "Use a random password? (yes/no) [$_random]: " 847 read _input 848 [ -n "$_input" ] && _random="$_input" 849 case $_random in 850 [Yy][Ee][Ss]|[Yy][Ee]|[Yy]) 851 passwdtype="random" 852 break 853 ;; 854 esac 855 passwdtype="yes" 856 [ -n "$configflag" ] && break 857 trap 'stty echo; exit' 0 1 2 3 15 858 stty -echo 859 echo -n "Enter password: " 860 IFS= read -r upass 861 echo'' 862 echo -n "Enter password again: " 863 IFS= read -r _passconfirm 864 echo '' 865 stty echo 866 # if user entered a blank password 867 # explicitly ask again. 868 [ -z "$upass" -a -z "$_passconfirm" ] \ 869 && continue 870 ;; 871 [Yy][Ee][Ss]|[Yy][Ee]|[Yy]) 872 passwdtype="none" 873 break; 874 ;; 875 *) 876 # invalid answer; repeat the loop 877 continue 878 ;; 879 esac 880 if [ "$upass" != "$_passconfirm" ]; then 881 echo "Passwords did not match!" 882 continue 883 fi 884 break 885 done 886 ;; 887 *) 888 # invalid answer; repeat loop 889 continue 890 ;; 891 esac 892 break; 893 done 894 _disable=${disableflag:-"no"} 895 while : ; do 896 echo -n "Lock out the account after creation? [$_disable]: " 897 read _input 898 [ -z "$_input" ] && _input=$_disable 899 case $_input in 900 [Nn][Oo]|[Nn]) 901 disableflag= 902 ;; 903 [Yy][Ee][Ss]|[Yy][Ee]|[Yy]) 904 disableflag=yes 905 ;; 906 *) 907 # invalid answer; repeat loop 908 continue 909 ;; 910 esac 911 break 912 done 913 914 # Display the information we have so far and prompt to 915 # commit it. 916 # 917 _disable=${disableflag:-"no"} 918 [ -z "$configflag" ] && printf "%-11s : %s\n" Username $username 919 case $passwdtype in 920 yes) 921 _pass='*****' 922 ;; 923 no) 924 _pass='<disabled>' 925 ;; 926 none) 927 _pass='<blank>' 928 ;; 929 random) 930 _pass='<random>' 931 ;; 932 esac 933 [ -z "$configflag" ] && printf "%-11s : %s\n" "Password" "$_pass" 934 [ -n "$configflag" ] && printf "%-11s : %s\n" "Pass Type" "$passwdtype" 935 [ -z "$configflag" ] && printf "%-11s : %s\n" "Full Name" "$ugecos" 936 [ -z "$configflag" ] && printf "%-11s : %s\n" "Uid" "$uuid" 937 [ "$Zcreate" = "yes" -a -z "$configflag" ] && printf "%-11s : %s\n" "ZFS dataset" "${zhome}" 938 [ "$Zencrypt" = "yes" -a -z "$configflag" ] && printf "%-11s : %s\n" "Encrypted" "${Zencrypt}" 939 printf "%-11s : %s\n" "Class" "$uclass" 940 printf "%-11s : %s %s\n" "Groups" "${ulogingroup:-$username}" "$ugroups" 941 printf "%-11s : %s\n" "Home" "$uhome" 942 printf "%-11s : %s\n" "Home Mode" "$uhomeperm" 943 printf "%-11s : %s\n" "Shell" "$ushell" 944 printf "%-11s : %s\n" "Locked" "$_disable" 945 while : ; do 946 echo -n "OK? (yes/no) [$_all_ok]: " 947 read _input 948 if [ -z "$_input" ]; then 949 _input=$_all_ok 950 fi 951 case $_input in 952 [Nn][Oo]|[Nn]) 953 return 1 954 ;; 955 [Yy][Ee][Ss]|[Yy][Ee]|[Yy]) 956 add_user 957 ;; 958 *) 959 continue 960 ;; 961 esac 962 break 963 done 964 return 0 965} 966 967#### END SUBROUTINE DEFINITION #### 968 969THISCMD=`/usr/bin/basename $0` 970DEFAULTSHELL=/bin/sh 971ADDUSERCONF="${ADDUSERCONF:-/etc/adduser.conf}" 972PWCMD="${PWCMD:-/usr/sbin/pw}" 973MAILCMD="${MAILCMD:-mail}" 974ETCSHELLS="${ETCSHELLS:-/etc/shells}" 975NOHOME="/nonexistent" 976NOLOGIN="nologin" 977NOLOGIN_PATH="/usr/sbin/nologin" 978GREPCMD="/usr/bin/grep" 979DATECMD="/bin/date" 980MKDIRCMD="/bin/mkdir" 981MOUNTCMD="/sbin/mount" 982UMOUNTCMD="/sbin/umount" 983ZFSCMD="/sbin/zfs" 984KLDSTATCMD="/sbin/kldstat" 985 986# Set default values 987# 988username= 989uuid= 990uidstart= 991ugecos= 992ulogingroup= 993uclass= 994uhome= 995uhomeperm= 996upass= 997ushell= 998udotdir=/usr/share/skel 999ugroups= 1000uexpire= 1001upwexpire= 1002shells="`valid_shells`" 1003passwdtype="yes" 1004msgfile=/etc/adduser.msg 1005msgflag= 1006quietflag= 1007configflag= 1008fflag= 1009infile= 1010disableflag= 1011Dflag= 1012Sflag= 1013Zcreate="yes" 1014readconfig="yes" 1015homeprefix="/home" 1016randompass= 1017fileline= 1018savedpwtype= 1019defaultclass= 1020defaultLgroup= 1021defaultgroups= 1022defaultshell="${DEFAULTSHELL}" 1023defaultHomePerm= 1024zfsopt= 1025Zencrypt="no" 1026 1027# Make sure the user running this program is root. This isn't a security 1028# measure as much as it is a useful method of reminding the user to 1029# 'su -' before he/she wastes time entering data that won't be saved. 1030# 1031procowner=${procowner:-`/usr/bin/id -u`} 1032if [ "$procowner" != "0" ]; then 1033 err 'you must be the super-user (uid 0) to use this utility.' 1034 exit 1 1035fi 1036 1037# Override from our conf file 1038# Quickly go through the commandline line to see if we should read 1039# from our configuration file. The actual parsing of the commandline 1040# arguments happens after we read in our configuration file (commandline 1041# should override configuration file). 1042# 1043for _i in $* ; do 1044 if [ "$_i" = "-N" ]; then 1045 readconfig= 1046 break; 1047 fi 1048done 1049if [ -n "$readconfig" ]; then 1050 # On a long-lived system, the first time this script is run it 1051 # will barf upon reading the configuration file for its perl predecessor. 1052 if ( . ${ADDUSERCONF} > /dev/null 2>&1 ); then 1053 [ -r ${ADDUSERCONF} ] && . ${ADDUSERCONF} > /dev/null 2>&1 1054 fi 1055fi 1056 1057# Process command-line options 1058# 1059for _switch ; do 1060 case $_switch in 1061 -L) 1062 defaultclass="$2" 1063 shift; shift 1064 ;; 1065 -C) 1066 configflag=yes 1067 shift 1068 ;; 1069 -D) 1070 Dflag=yes 1071 shift 1072 ;; 1073 -E) 1074 disableflag=yes 1075 shift 1076 ;; 1077 -k) 1078 udotdir="$2" 1079 shift; shift 1080 ;; 1081 -f) 1082 [ "$2" != "-" ] && infile="$2" 1083 fflag=yes 1084 shift; shift 1085 ;; 1086 -g) 1087 defaultLgroup="$2" 1088 shift; shift 1089 ;; 1090 -G) 1091 defaultgroups="$2" 1092 shift; shift 1093 ;; 1094 -h) 1095 show_usage 1096 exit 0 1097 ;; 1098 -d) 1099 homeprefix="$2" 1100 shift; shift 1101 ;; 1102 -m) 1103 case "$2" in 1104 [Nn][Oo]) 1105 msgflag= 1106 ;; 1107 *) 1108 msgflag=yes 1109 msgfile="$2" 1110 ;; 1111 esac 1112 shift; shift 1113 ;; 1114 -M) 1115 defaultHomePerm=$2 1116 shift; shift 1117 ;; 1118 -N) 1119 readconfig= 1120 shift 1121 ;; 1122 -w) 1123 case "$2" in 1124 no|none|random|yes) 1125 passwdtype=$2 1126 ;; 1127 *) 1128 show_usage 1129 exit 1 1130 ;; 1131 esac 1132 shift; shift 1133 ;; 1134 -q) 1135 quietflag=yes 1136 shift 1137 ;; 1138 -s) 1139 defaultshell="`fullpath_from_shell $2`" 1140 shift; shift 1141 ;; 1142 -S) 1143 Sflag=yes 1144 shift 1145 ;; 1146 -u) 1147 uidstart=$2 1148 shift; shift 1149 ;; 1150 -Z) 1151 Zcreate="no" 1152 shift 1153 ;; 1154 esac 1155done 1156 1157# If the -f switch was used, get input from a file. Otherwise, 1158# this is an interactive session. 1159# 1160if [ -n "$fflag" ]; then 1161 if [ -z "$infile" ]; then 1162 input_from_file 1163 elif [ -n "$infile" ]; then 1164 if [ -r "$infile" ]; then 1165 input_from_file < $infile 1166 else 1167 err "File ($infile) is unreadable or does not exist." 1168 fi 1169 fi 1170else 1171 input_interactive 1172 while : ; do 1173 if [ -z "$configflag" ]; then 1174 echo -n "Add another user? (yes/no) [$_another_user]: " 1175 else 1176 echo -n "Re-edit the default configuration? (yes/no) [$_another_user]: " 1177 fi 1178 read _input 1179 if [ -z "$_input" ]; then 1180 _input=$_another_user 1181 fi 1182 case $_input in 1183 [Yy][Ee][Ss]|[Yy][Ee]|[Yy]) 1184 uidstart=`get_nextuid $uidstart` 1185 input_interactive 1186 continue 1187 ;; 1188 [Nn][Oo]|[Nn]) 1189 echo "Goodbye!" 1190 ;; 1191 *) 1192 continue 1193 ;; 1194 esac 1195 break 1196 done 1197fi 1198