labsync/packer/ansible/roles/windowmanager/files/guest-account.sh

#!/bin/sh -e
# (C) 2008 Canonical Ltd.
# Author: Martin Pitt <martin.pitt@ubuntu.com>
# License: GPL v2 or later
# modified by David D Lowe and Thomas Detoux
#
# Setup user and temporary home directory for guest session.
# If this succeeds, this script needs to print the username as the last line to
# stdout.

# github.com/CanonicalLtd/lightdm
# debian/guest-account.sh

export TEXTDOMAINDIR=/usr/share/locale-langpack
export TEXTDOMAIN=lightdm

# set the system wide locale for gettext calls
if [ -f /etc/default/locale ]; then
  . /etc/default/locale
  LANGUAGE=
  export LANG LANGUAGE
fi

# read list of supplementary groups of the guest account from file
if [ -f /etc/guest-account/groups ]; then
  GROUPS="$(awk '{ if (NR==1) printf "%s", $0; else printf ",%s", $0; } END { print "" }' /etc/guest-account/groups)"
fi

is_system_user ()
{
  UID_MIN=$(cat /etc/login.defs | grep UID_MIN | awk '{print $2}')
  SYS_UID_MIN=$(cat /etc/login.defs | grep SYS_UID_MIN | awk '{print $2}')
  SYS_UID_MAX=$(cat /etc/login.defs | grep SYS_UID_MAX | awk '{print $2}')

  SYS_UID_MIN=${SYS_UID_MIN:-101}
  SYS_UID_MAX=${SYS_UID_MAX:-$(( UID_MIN - 1 ))}

  [ ${1} -ge ${SYS_UID_MIN} ] && [ ${1} -le ${SYS_UID_MAX} ]
}

add_account ()
{
  temp_home=$(mktemp -td guest-XXXXXX)
  GUEST_HOME=$(echo ${temp_home} | tr '[:upper:]' '[:lower:]')
  GUEST_USER=${GUEST_HOME#/tmp/}
  if [ "${GUEST_HOME}" != "${temp_home}" ]; then
    mkdir -m 700 "${GUEST_HOME}" || {
      echo "Failed to create ${GUEST_USER}'s home directory (${GUEST_HOME})"
      exit 1
    }
    rmdir "${temp_home}"
  fi
  if [ "${GROUPS}" != "" ]; then
	GROUPS="--groups ${GROUPS}"
  fi

  # if ${GUEST_USER} already exists, it must be a locked system account with no existing
  # home directory
  if PWSTAT=$(passwd -S ${GUEST_USER}) 2>/dev/null; then
    if [ $(echo ${PWSTAT} | cut -f2 -d' ') != L ]; then
      echo "User account ${GUEST_USER} already exists and is not locked"
      exit 1
    fi

    PWENT=$(getent passwd ${GUEST_USER}) || {
      echo "getent passwd ${GUEST_USER} failed"
      exit 1
    }

    GUEST_UID=$(echo ${PWENT} | cut -f3 -d:)

    if ! is_system_user ${GUEST_UID}; then
      echo "Account ${GUEST_USER} is not a system user"
      exit 1
    fi

    GUEST_HOME=$(echo ${PWENT} | cut -f6 -d:)

    if [ ${GUEST_HOME} != / ] && [ ${GUEST_HOME#/tmp} = ${GUEST_HOME} ] && [ -d ${GUEST_HOME} ]; then
      echo "Home directory of ${GUEST_USER} already exists"
      exit 1
    fi
  else
    # does not exist, so create it
    useradd --system --home-dir ${GUEST_HOME} --comment $(gettext "Guest") --user-group --shell /bin/bash ${GROUPS} ${GUEST_USER} || {
      rm -rf ${GUEST_HOME}
      exit 1
    }
  fi

  dist_gs=/usr/share/lightdm/guest-session
  site_gs=/etc/guest-session

  # create temporary home directory
  mount -t tmpfs -o mode=700,uid=${GUEST_USER} none ${GUEST_HOME} || {
    rm -rf ${GUEST_HOME}
    exit 1
  }

  if [ -d ${site_gs}/skel ] && [ "$(ls -A ${site_gs}/skel)" ]; then
    # Only perform union-mounting if BindFS is available
    if [ -x /usr/bin/bindfs ]; then
      bindfs_mount=true

      # Try OverlayFS first
      if modinfo -n overlay >/dev/null 2>&1; then
        mkdir ${GUEST_HOME}/upper ${GUEST_HOME}/work
        chown ${GUEST_USER}:${GUEST_USER} ${GUEST_HOME}/upper ${GUEST_HOME}/work

        mount -t overlay -o lowerdir=${dist_gs}/skel:${site_gs}/skel,upperdir=${GUEST_HOME}/upper,workdir=${GUEST_HOME}/work overlay ${GUEST_HOME} || {
          umount ${GUEST_HOME}
          rm -rf ${GUEST_HOME}
          exit 1
        }
      # If OverlayFS is not available, try AuFS
      elif [ -x /sbin/mount.aufs ]; then
        mount -t aufs -o br=${GUEST_HOME}:${dist_gs}/skel:${site_gs}/skel none ${GUEST_HOME} || {
          umount ${GUEST_HOME}
          rm -rf ${GUEST_HOME}
          exit 1
        }
      # If none of them is available, fall back to copy over
      else
        cp -rT ${site_gs}/skel/ ${GUEST_HOME}
        cp -rT ${dist_gs}/skel/ ${GUEST_HOME}
        chown -R ${GUEST_USER}:${GUEST_USER} ${GUEST_HOME}
        bindfs_mount=false
      fi

      if ${bindfs_mount}; then
        # Wrap ${GUEST_HOME} in a BindFS mount, so that
        # ${GUEST_USER} will be seen as the owner of ${GUEST_HOME}'s contents.
        bindfs -u ${GUEST_USER} -g ${GUEST_USER} ${GUEST_HOME} ${GUEST_HOME} || {
          umount ${GUEST_HOME} # union mount
          umount ${GUEST_HOME} # tmpfs mount
          rm -rf ${GUEST_HOME}
          exit 1
        }
      fi
    # If BindFS is not available, just fall back to copy over
    else
      cp -rT ${site_gs}/skel/ ${GUEST_HOME}
      cp -rT ${dist_gs}/skel/ ${GUEST_HOME}
      chown -R ${GUEST_USER}:${GUEST_USER} ${GUEST_HOME}
    fi
  else
    cp -rT /etc/skel/ ${GUEST_HOME}
    cp -rT ${dist_gs}/skel/ ${GUEST_HOME}
    chown -R ${GUEST_USER}:${GUEST_USER} ${GUEST_HOME}
  fi

  # setup session
  su ${GUEST_USER} -c "env HOME=${GUEST_HOME} site_gs=${site_gs} ${dist_gs}/setup.sh"

  # set possible local guest session preferences
  source_local_prefs() {
    local USER=${GUEST_USER}
    local HOME=${GUEST_HOME}
    . ${site_gs}/prefs.sh
    chown -R ${USER}:${USER} ${HOME}
  }
  if [ -f ${site_gs}/prefs.sh ]; then
    source_local_prefs
  fi

  echo ${GUEST_USER}
}

remove_account ()
{
  GUEST_USER=${1}

  PWENT=$(getent passwd ${GUEST_USER}) || {
    echo "Error: invalid user ${GUEST_USER}"
    exit 1
  }

  GUEST_UID=$(echo ${PWENT} | cut -f3 -d:)

  if ! is_system_user ${GUEST_UID}; then
    echo "Error: user ${GUEST_USER} is not a system user."
    exit 1
  fi

  GUEST_HOME=$(echo ${PWENT} | cut -f6 -d:)

  # kill all remaining processes
  if [ -x /bin/loginctl ] || [ -x /usr/bin/loginctl ]; then
    loginctl --signal=9 kill-user ${GUEST_USER} >/dev/null || true
  else
    while ps h -u ${GUEST_USER} >/dev/null
    do
      killall -9 -u ${GUEST_USER} || true
      sleep 0.2;
    done
  fi

  if [ ${GUEST_HOME} = ${GUEST_HOME#/tmp/} ]; then
    echo "Warning: home directory ${GUEST_HOME} is not in /tmp/. It won't be removed."
  else
    umount ${GUEST_HOME} || umount -l ${GUEST_HOME} || true # BindFS mount
    umount ${GUEST_HOME} || umount -l ${GUEST_HOME} || true # union mount
    umount ${GUEST_HOME} || umount -l ${GUEST_HOME} || true # tmpfs mount
    rm -rf ${GUEST_HOME}
  fi

  # remove leftovers in /tmp
  find /tmp -mindepth 1 -maxdepth 1 -uid ${GUEST_UID} -print0 | xargs -0 rm -rf || true

  # remove possible {/run,}/media/guest-XXXXXX folder
  for media_dir in /run/media/${GUEST_USER} /media/${GUEST_USER}; do
    if [ -d ${media_dir} ]; then
      for dir in $(find ${media_dir} -mindepth 1 -maxdepth 1); do
        umount ${dir} || true
      done

      rmdir ${media_dir} || true
    fi
  done

  userdel --force ${GUEST_USER}
}

case ${1} in
  add)
    add_account
    ;;
  remove)
    if [ -z ${2} ] ; then
      echo "Usage: ${0} remove [account]"
      exit 1
    fi

    remove_account ${2}
    ;;
  *)
    echo "Usage: ${0} add"
    echo "       ${0} remove [account]"
    exit 1
esac