#!/usr/bin/env bash
#
# Author: Georg Voell - georg.voell@standby.cloud
# Version: @(#)user-management 3.2.0 12.08.2024 (c)2024 Standby.cloud
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
#
# This script can be used free of charge. Use it as is or customize as needed. It is not guaranteed to be
# error free and you will not be reimbursed for any damage it may cause.
#
#@ Manages users within Linux.
#@
#@Usage: user-management [options] [action] username [groupname]
#@ Options:
#@ -h, --help : Displays helptext.
#@ -v, --version : Displays the version of the script.
#@ -a, --all : Display all users.
#@ -u, --uid <number> : User ID.
#@ -c, --comment <string>: Comment.
#@ -s, --shell <string> : Login Shell.
#@ -d, --home <string> : Home directory.
#@ -g, --groups <string> : Additional groups (comma separated) or empty string to remove groups.
#@
#@ Action:
#@ show : Show users.
#@ check : Check if user exists and has the given attributes - otherwise create or change.
#@ lock : Lock user.
#@ unlock: Unlock user.
#@ delete: Delete user.
#@
#@Examples:
#@ user-management check oracle dba -c "Oracle user"
#@ Create user 'oracle' (if it doesn't exist) and assign group 'dba'.
#@ user-management delete oracle
#@ Delete user 'oracle'.
#
# Exit codes:
# 01: Unknown or wrong parameter and only LINUX supported and script needs to be executed with ROOT privileges.
# 02: Unknown action.
# 03: No username specified.
# 99: User interrupt.
#
# See also:
# **bootstrap**(1), **disk-management**(1), **key-management**(1), **install-scripts**(1)
#
# ToDo:
#
# Known bugs:
#
# Update history:
#
# V 3.0.0 15.07.2020 New version
# V 3.0.1 16.05.2021 List all users
# V 3.0.2 22.05.2021 More actions
# V 3.0.3 04.06.2023 Minor bugfixes (create new user with specified home directory)
# V 3.1.0 05.06.2023 New copyright
# V 3.2.0 12.08.2024 New minor version
#
# Find executable bash library and source it
lib=`which lib.bash 2>/dev/null | sed 's|^no 'lib.bash' in .*||'`
if [ "$lib" != "" ]; then
source "$lib"
else
progdir=`dirname "$0"`
if [ -r "${progdir}/lib.bash" ]; then
source "${progdir}/lib.bash"
else
echo "Unexpected error: Unable to locate bash library 'lib.bash'."
exit 1
fi
fi
# Read configuration for users
function ReadConfig() {
local config="/etc/login.defs"
if [ -r "$config" ]; then
cat $config | tr -s ' ' ' ' | tr -s ' ' ' ' > $scratchfile
uid_min=`grep "^UID_MIN " $scratchfile | cut -d' ' -f2`
uid_max=`grep "^UID_MAX " $scratchfile | cut -d' ' -f2`
create_home=`grep "^CREATE_HOME " $scratchfile | cut -d' ' -f2 | tolower`
fi
}
# Display all regular users
function DisplayUsers() {
local username=""
local pass=""
local uid=0
local gid=0
local comment=""
local home=""
local shell=""
local result=""
local mgroup=""
local ogroup=""
local agroups=""
local keys=""
local token=""
local key=""
local name=""
if [ -r "$passwdfile" ]; then
printf "username\tpassword\tuid\tgid\tgroups\tcomment\thome\tshell\tkeys\n" > $scratchfile
while IFS=':' read -r username pass uid gid comment home shell; do
if [ "$showall" = true -o $uid -ge $uid_min -a $uid -le $uid_max ]; then
if [ "$pass" = " " -o "$pass" = "" ]; then
pass="null"
elif [ "$pass" = "*" ]; then
pass="Nologin"
elif [ "$pass" != "x" ]; then
result=`grep "^!.*"`
if [ "$result" != "" ]; then
pass="Locked"
else
pass="Set"
fi
else
pass="Unknown"
if [ -r "$shadowfile" ]; then
result=`grep "^${username}:" $shadowfile`
if [ "$result" != "" ]; then
pass=`echo "$result" | cut -d':' -f2`
if [ "$pass" = "!!" ]; then
pass="null"
elif [ "$pass" = '*' -o "$pass" = '!' ]; then
pass="Nologin"
else
result=`echo "$pass" | grep "^!.*"`
if [ "$result" != "" ]; then
pass="Locked"
else
pass="Set"
fi
fi
fi
fi
fi
if [ "$comment" = "" ]; then
comment="null"
fi
mgroup=`grep "^.*:.*:$gid:" $groupfile | cut -d':' -f1`
ogroup=`grep "$username" $groupfile | grep -v "^${mgroup}:" | cut -d':' -f1`
if [ "$ogroup" = "" ]; then
if [ "$mgroup" = "" ]; then
agroups=""
else
agroups="($mgroup)"
fi
else
if [ "$mgroup" = "" ]; then
agroups=`printf "$ogroup" | tr '\n' ','`
else
agroups=`printf "(${mgroup}),$ogroup" | tr '\n' ','`
fi
fi
keys=""
if [ ! -r "${home}/$keyfile" ]; then
keys="null"
else
while IFS=' ' read -r token key name; do
if [ "$token" = "ssh-rsa" ]; then
if [ "$name" = "" ]; then
name="Nameless"
fi
if [ "$keys" = "" ]; then
keys="$name"
else
keys="${keys},$name"
fi
fi
done < <(cat "${home}/$keyfile" | stripcomment | sed 's|^.*ssh-rsa |ssh-rsa |')
if [ "$keys" = "" ]; then
keys="null"
fi
fi
printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n" "$username" "$pass" "$uid" "$gid" "$agroups" "$comment" "$home" "$shell" "$keys" >> $scratchfile
fi
done < <(cat "$passwdfile" | stripcomment | grep .)
if [ "$showall" = true ]; then
printf "\nAll users:\n\n"
else
printf "\nRegular users:\n\n"
fi
print-table --import $scratchfile
fi
}
function CreateUser() {
local username=${1}
local groupname=${2}
local newhome=""
local stat=0
if [ "$username" != "" -a "$groupname" != "" ]; then
# If we don't have a specific homedir - use a default
if [ "$home" = "" ]; then
newhome="/home/$username"
else
newhome="$home"
fi
# Create the user
if [ "$create_home" = "yes" ]; then
useradd "$username" -g "$groupname" -m -d "$newhome" 2>/dev/null
stat=$?
else
useradd "$username" -g "$groupname" -d "$newhome" 2>/dev/null
stat=$?
fi
if [ $stat -gt 0 ]; then
errormsg 0 "Unable to create user '$username'."
else
# Modify
if [ "$uid" != "" ]; then
usermod -u "$uid" "$username" 2>/dev/null
stat=$?
if [ $stat -gt 0 ]; then
errormsg 0 "Unable to set UID to '$uid' for user '$username'. Using default."
fi
fi
if [ "$comment" != "" ]; then
usermod -c "$comment" "$username" 2>/dev/null
stat=$?
if [ $stat -gt 0 ]; then
errormsg 0 "Unable to set comment to '$comment' for user '$username'."
fi
fi
if [ "$shell" != "" ]; then
usermod -s "$shell" "$username" 2>/dev/null
stat=$?
if [ $stat -gt 0 ]; then
errormsg 0 "Unable to set login shell to '$shell' for user '$username'."
fi
fi
if [ "$addgroups" != "NoneSpecified" ]; then
usermod -G "$addgroups" "$username" 2>/dev/null
stat=$?
if [ $stat -gt 0 ]; then
errormsg 0 "Unable to change secondary groups '$addgroups' for user '$username'."
fi
fi
fi
else
errormsg 0 "Unexpected: Empty username or groupname."
fi
}
function LockUser() {
local username=${1}
local userstr=""
local result=""
local pass=""
local stat=0
if [ -r "$passwdfile" -a "$username" != "" ]; then
userstr=`cat "$passwdfile" | stripcomment | grep "^${username}:"`
if [ "$userstr" != "" ]; then
if [ -r "$shadowfile" ]; then
result=`grep "^${username}:" $shadowfile`
if [ "$result" != "" ]; then
pass=`echo "$result" | cut -d':' -f2`
fi
fi
if [ "$pass" = "!!" ]; then
errormsg 0 "Password not set for user '$username'."
else
usermod -L "$username" 2>/dev/null
stat=$?
if [ $stat -gt 0 ]; then
errormsg 0 "Unable to lock user '$username'."
fi
fi
else
errormsg 0 "User '$username' does not exist."
fi
fi
}
function UnlockUser() {
local username=${1}
local userstr=""
local stat=0
if [ -r "$passwdfile" -a "$username" != "" ]; then
userstr=`cat "$passwdfile" | stripcomment | grep "^${username}:"`
if [ "$userstr" != "" ]; then
usermod -U "$username" 2>/dev/null
stat=$?
if [ $stat -gt 0 ]; then
errormsg 0 "Unable to unlock user '$username'."
fi
else
errormsg 0 "User '$username' does not exist."
fi
fi
}
function DeleteUser() {
local username=${1}
local userstr=""
local stat=0
if [ -r "$passwdfile" -a "$username" != "" ]; then
userstr=`cat "$passwdfile" | stripcomment | grep "^${username}:"`
if [ "$userstr" != "" ]; then
userdel -f -r "$username" 2>/dev/null
stat=$?
if [ $stat -gt 0 ]; then
errormsg 0 "Unable to delete user '$username'."
fi
else
errormsg 0 "User '$username' does not exist."
fi
fi
}
function CheckUser() {
local username=${1}
local groupname=${2}
local userstr=""
local groupstr=""
local olduid=""
local oldgid=""
local oldcomment=""
local oldhome=""
local oldshell=""
local gid=100
local stat=0
if [ -r "$passwdfile" -a -r "$groupfile" -a "$username" != "" ]; then
userstr=`cat "$passwdfile" | stripcomment | grep "^${username}:"`
if [ "$userstr" != "" ]; then
# User exists
# username pass uid gid comment home shell
olduid=`echo "$userstr" | cut -d':' -f3`
oldgid=`echo "$userstr" | cut -d':' -f4`
oldcomment=`echo "$userstr" | cut -d':' -f5`
oldhome=`echo "$userstr" | cut -d':' -f6`
oldshell=`echo "$userstr" | cut -d':' -f7`
if [ "$uid" != "" ]; then
if [ "$olduid" != "$uid" ]; then
usermod -u "$uid" "$username" 2>/dev/null
stat=$?
if [ $stat -gt 0 ]; then
errormsg 0 "Unable to change UID from '$olduid' to '$uid' for user '$username'."
fi
fi
fi
if [ "$groupname" != "" ]; then
groupstr=`cat "$groupfile" | stripcomment | grep "^${groupname}:"`
if [ "$groupstr" = "" ]; then
# Group does not exists - create it first
groupadd "$groupname"
stat=$?
if [ $stat -gt 0 ]; then
errormsg 0 "Unable to create group '$groupname'. Using default group 'users'."
groupname="users"
fi
groupstr=`cat "$groupfile" | stripcomment | grep "^${groupname}:"`
fi
if [ "$groupstr" != "" ]; then
# groupname pass gid member
gid=`echo "$groupstr" | cut -d':' -f3`
if [ "$oldgid" != "$gid" ]; then
usermod -g "$gid" "$username" 2>/dev/null
stat=$?
if [ $stat -gt 0 ]; then
errormsg 0 "Unable to change group '$groupname' from '$oldgid' to '$gid' for user '$username'."
fi
fi
fi
fi
if [ "$comment" != "" ]; then
if [ "$oldcomment" != "$comment" ]; then
usermod -c "$comment" "$username" 2>/dev/null
stat=$?
if [ $stat -gt 0 ]; then
errormsg 0 "Unable to change comment from '$oldcomment' to '$comment' for user '$username'."
fi
fi
fi
if [ "$home" != "" ]; then
if [ "$oldhome" != "$home" ]; then
if [ "$create_home" = "yes" ]; then
usermod -m -d "$home" "$username" 2>/dev/null
stat=$?
else
usermod -d "$home" "$username" 2>/dev/null
stat=$?
fi
if [ $stat -gt 0 ]; then
errormsg 0 "Unable to change home dir from '$oldhome' to '$home' for user '$username'."
fi
fi
fi
if [ "$shell" != "" ]; then
if [ "$oldshell" != "$shell" ]; then
usermod -s "$shell" "$username" 2>/dev/null
stat=$?
if [ $stat -gt 0 ]; then
errormsg 0 "Unable to change login shell from '$oldshell' to '$shell' for user '$username'."
fi
fi
fi
if [ "$addgroups" != "NoneSpecified" ]; then
usermod -G "$addgroups" "$username" 2>/dev/null
stat=$?
if [ $stat -gt 0 ]; then
errormsg 0 "Unable to change secondary groups '$addgroups' for user '$username'."
fi
fi
else
# User does not exist yet
if [ "$groupname" = "" ]; then
# Default group for users
groupname="users"
fi
groupstr=`cat "$groupfile" | stripcomment | grep "^${groupname}:"`
if [ "$groupstr" = "" ]; then
# Group does not exists - create it first
groupadd "$groupname"
stat=$?
if [ $stat -gt 0 ]; then
errormsg 0 "Unable to create group '$groupname'. Using default group 'users'."
groupname="users"
fi
fi
# Create user
CreateUser "$username" "$groupname"
fi
fi
}
# Check if we are running on Linux and have root privileges.
if [ "$OS" != "Linux" ]; then
errstr="This script only supports LINUX."
elif [ "$USER" != "root" ]; then
# Try sudo
check-sudo
stat=$?
if [ $stat -eq 0 ]; then
printf 'sudo -n "%s"' "$script" > $scratchfile
while [ $# -gt 0 ]; do
pname=${1}
printf ' "%s"' "$pname" >> $scratchfile
shift
done
# Execute script
chmod 700 $scratchfile
$scratchfile
stat=$?
# Cleanup
rm -f $scratchfile
exit $stat
else
# Need root privileges
errstr="Root privileges needed to continue."
fi
fi
# Preset
action=""
param1=""
param2=""
comment=""
shell=""
home=""
uid=""
addgroups="NoneSpecified"
showall=false
uid_min=1000
uid_max=60000
create_home="yes"
# Check parameters: Loop until all parameters are used up
while [ $# -gt 0 ]; do
pname=${1}
case "$pname" in
-v | --version)
shift
showversion=true
;;
-h | --help)
shift
showhelp=true
;;
-a | --all)
shift
showall=true
;;
-u | --uid)
shift
if [ "$1" != "" ]; then
uid=${1}
result=`echo "$uid" | grep '^[0123456789]*$'`
if [ "$result" = "" ]; then
errstr="Id has to be a number."
fi
shift
else
errstr="Please specify an id after parameter '$pname'."
fi
;;
-c | --comment)
shift
if [ "$1" != "" ]; then
comment=${1}
shift
else
errstr="Please specify a comment after parameter '$pname'."
fi
;;
-s | --shell)
shift
if [ "$1" != "" ]; then
shell=${1}
result=`filecheck -x "$shell"`
if [ "$result" = "" ]; then
errstr="Login shell '$shell' does not exist or is not executable."
fi
shift
else
errstr="Please specify a comment after parameter '$pname'."
fi
;;
-d | --home)
shift
if [ "$1" != "" ]; then
home=${1}
shift
else
errstr="Please specify a directory after parameter '$pname'."
fi
;;
-g | --groups)
shift
paramck=`echo "$1" | grep '^-'`
if [ "$paramck" = "" ]; then
addgroups=${1}
shift
else
errstr="Please specify none (empty string), one or more groups (comma separated) after parameter '$pname'."
fi
;;
*)
shift
paramck=`echo "$pname" | grep '^-'` # Keys don't begin with '-'
if [ "$paramck" != "" ]; then
errstr="Unknown option '$pname'."
else
if [ "$action" = "" ]; then
action=`echo "$pname" | tolower`
elif [ "$param1" = "" ]; then
param1="$pname"
elif [ "$param2" = "" ]; then
param2="$pname"
else
errstr="Unknown additional parameter: '$pname'."
fi
fi
esac
done
# Display help or error message
DisplayHelp
# Plausibilty check
if [ "$action" = "" ]; then
action="show"
fi
# Main
passwdfile="/etc/passwd"
shadowfile="/etc/shadow"
gshadowfile="/etc/gshadow"
groupfile="/etc/group"
keyfile=".ssh/authorized_keys"
if [ "$USER" = "root" ]; then
ReadConfig
case "$action" in
show)
DisplayUsers
;;
check)
if [ "$param1" = "" ]; then
exitcode=3
errormsg $exitcode "No username specified."
else
CheckUser "$param1" "$param2"
fi
;;
lock)
if [ "$param1" = "" ]; then
exitcode=3
errormsg $exitcode "No username specified."
else
LockUser "$param1"
fi
;;
unlock)
if [ "$param1" = "" ]; then
exitcode=3
errormsg $exitcode "No username specified."
else
UnlockUser "$param1"
fi
;;
delete)
if [ "$param1" = "" ]; then
exitcode=3
errormsg $exitcode "No username specified."
else
DeleteUser "$param1"
fi
;;
*)
exitcode=2
errormsg $exitcode "Unknown action: '$action'."
esac
fi
# Cleanup and exit
Cleanup
exit $exitcode