#!/usr/bin/perl -w #---------------------------------------------------------------------- # copyright (C) 2011-2012 Firewall Services # Daniel Berteaud # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #---------------------------------------------------------------------- use strict; use esmith::templates; use esmith::ConfigDB; use esmith::AccountsDB; use File::Path qw(mkpath rmtree); use PHP::Serialization qw(serialize unserialize); my $c = esmith::ConfigDB->open_ro; my $a = esmith::AccountsDB->open_ro; my $domain = $c->get('DomainName')->value; # Remove all the permissions unlink(); # Remove active sessions unlink(); # Remove plugin and i18n cache unlink(); unlink(); foreach my $user (($a->users),$a->get('admin')){ my $name = $user->key; my $first = $user->prop('FirstName') || ''; my $last = $user->prop('LastName') || $name; my $data; mkpath('/var/lib/ajaxplorer/plugins/auth.serial/' . $name); chmod 0770, "/var/lib/ajaxplorer/plugins/auth.serial/$name"; chown '0', '102', "/var/lib/ajaxplorer/plugins/auth.serial/$name"; if (-s "/var/lib/ajaxplorer/plugins/auth.serial/$name/role.ser"){ open RROLE, "/var/lib/ajaxplorer/plugins/auth.serial/$name/role.ser"; $data = ; close RROLE; $data = unserialize($data); delete $data->{"\0*\0acls"} if (defined $data->{"\0*\0acls"}); } # No role yet ? lets create it else{ $data->{"\0*\0groupPath"} = undef; $data->{"\0*\0autoApplies"} = []; $data->{"\0*\0roleLabel"} = undef; $data->{"\0*\0actions"} = []; $data->{"\0*\0roleId"} = "AJXP_USR_/$name"; $data = bless $data, 'PHP::Serialization::Object::AJXP_Role'; } # In any case, re-compute the effective permissions foreach my $share ($a->get_all_by_prop(type => 'share')){ my $sharename = $share->key; my $access = $share->prop('Ajaxplorer') || 'disabled'; next unless ($access eq 'enabled'); my @readgroups = split(/[;,]/, $share->prop('ReadGroups') || ''); my @writegroups = split(/[;,]/, $share->prop('WriteGroups') || ''); my @readusers = split(/[;,]/, $share->prop('ReadUsers') || ''); my @writeusers = split(/[;,]/, $share->prop('WriteUsers') || ''); foreach (@readgroups){ $data->{"\0*\0acls"}->{$sharename} = 'r' if ( $a->is_user_in_group($name,$_) ); } foreach (@writegroups){ $data->{"\0*\0acls"}->{$sharename} = 'rw' if ( $a->is_user_in_group($name,$_) ); } foreach (@readusers){ $data->{"\0*\0acls"}->{$sharename} = 'r' if ( $_ eq $name ); } foreach (@writeusers){ $data->{"\0*\0acls"}->{$sharename} = 'rw' if ( $_ eq $name ); } # Special case: admin has access to everything $data->{"\0*\0acls"}->{$sharename} = 'rw' if ($name eq 'admin'); } # As we're here, lets update the email address and the display name # First, delete parameter if it's an array (meaning it's empty) delete $data->{"\0*\0parameters"} if (ref ($data->{"\0*\0parameters"})=~ m/ARRAY/i); $data->{"\0*\0parameters"}->{'AJXP_REPO_SCOPE_ALL'}->{'core.conf'}->{'email'} = "$name\@$domain"; $data->{"\0*\0parameters"}->{'AJXP_REPO_SCOPE_ALL'}->{'core.conf'}->{'USER_DISPLAY_NAME'} = "$first $last"; open WROLE, '+>', "/var/lib/ajaxplorer/plugins/auth.serial/$name/role.ser"; print WROLE serialize($data); close WROLE; } my $ajxp = $c->get('ajaxplorer') || die "Couldn't find ajaxplorer entry in ConfigDB\n"; my $homedir = $ajxp->prop('HomeDir') || 'none'; if ($homedir eq 'enabled'){ foreach ($a->users){ my $name = $_->key; set_user_acl($name); } } elsif ($homedir eq 'users'){ foreach ($a->users){ my $name = $_->key; if (($_->prop('AjxpHomeDir') || 'disabled') eq 'enabled'){ set_user_acl($name); } else{ remove_user_acl($name); } } } else{ foreach ($a->users){ my $name = $_->key; remove_user_acl($name); } } sub set_user_acl{ my $user = shift; my $acl = `/usr/bin/getfacl /home/e-smith/files/users/$user 2>/dev/null | egrep -c '^user:(apache|www):'`; chomp($acl); return if ($acl > 0); system('/usr/bin/setfacl', '-m', 'u:www:x', "/home/e-smith/files/users/$user"); system('/usr/bin/setfacl', '-R', '-m', 'u:www:rX,d:u:www:rX', "/home/e-smith/files/users/$user/home"); } sub remove_user_acl{ my $user = shift; my $acl = `/usr/bin/getfacl /home/e-smith/files/users/$user 2>/dev/null | egrep -c '^user:(apache|www):'`; chomp($acl); return if ($acl < 1); system('/usr/bin/setfacl', '-R', '-x', 'u:www,d:u:www', "/home/e-smith/files/users/$user/home"); system('/usr/bin/setfacl', '-x', 'u:www', "/home/e-smith/files/users/$user"); }