#!/usr/bin/perl -wT # BEGIN SURETEC TAGGED BLOCK {{{ #============================================================================= # # FILE: create_dovecot_shares # # USAGE: create_dovecot_shares --help # # DESCRIPTION: Create Dovecot shares and put symlinks into user Maildir # # OPTIONS: --username # --group # --clean # --dry-run # --History # --share-with # --maildir # --home # --override # --prefix # --restore # --skip # --Version # --verbose # --man # --help # # REQUIREMENTS: Data::Dumper # File::Find # Fcntl # Getopt::Long # List::Util # Pod::Usage # POSIX # Term::ANSIColor # Storable # # BUGS: N/A # NOTES: N/A # AUTHOR: Gavin Henry (GH), # COMPANY: Suretec Systems Ltd. - http://www.suretecsystems.com # SUPPORT: # VERSION: 1.06 # CREATED: 26/05/06 # UPDATED: 01/11/06 # # CHANGES: # 01/11/06 - Added --home option to allow home base directory # to be somewhere else like /var/hosted/home etc. # - General doc cleanup # #============================================================================= # END SURETEC TAGGED BLOCK }}} # Untaint environment $ENV{'PATH'} = '/usr/local/bin:/usr/bin:/bin'; $ENV{'SHELL'} = '/bin/bash'; delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; # Returned by Perl::MinimumVersion 0.13 require 5.006; use strict; use warnings; use Data::Dumper; use File::Find; use Fcntl qw(:mode); use Getopt::Long; use List::Util qw(min); use Pod::Usage; use POSIX qw(strftime); use Term::ANSIColor qw(:constants); use Storable qw(nstore retrieve); # Unbuffer output $| = 1; # Normally use Readonly for this, but want to keep to Core Modules our $VERSION = '1.06'; our $SHARED = '/dovecot-shared'; our $PROGNAME = 'create_dovecot_shares'; our $SAVED = '/var/cache/dovecot_shares.hist'; our $HUMAN_RUN_DATE = strftime "%a %b %e %H:%M:%S %Y", localtime; our $NOW = time; #----------------------------------------------------------------------------- # Standard Suretec method for parsing program arguments # # "perldoc Getopt::Long" for more info #----------------------------------------------------------------------------- die "Sorry, you need to be the root user - Suretec.\n" if ( $< != 0 ); my %options; # Arrays for our options and one for tracking directories my ( @users, @share_with, @maildir, @skip, @change_perms_on, ); GetOptions( \%options, qw( group=s override dry-run prefix=s home=s restore:s History clean Version verbose help|? man ), 'username=s' => \@users, 'share-with=s' => \@share_with, 'maildir=s' => \@maildir, 'skip=s' => \@skip, ); pod2usage(1) if $options{help} or ( !keys %options ); pod2usage( -verbose => 2 ) if $options{man}; print "This is $PROGNAME version $VERSION\n" if $options{Version}; #----------------------------------------------------------------------------- # Begin #----------------------------------------------------------------------------- my %SAVE; # we only use $File::Find:name, so we set no_chdir here my %find_options = ( untaint => 1, untaint_pattern => qr{^([-+@\w\s&!\.\{\}#]+)$}, no_chdir => '1', wanted => \&emails_and_dirs, ); # Load previous save my $SAVE = retrieve("$SAVED") if -e $SAVED; # Reset counter my $run; if ( defined $SAVE->{counter} ) { # We only keep a history of 10 runs $SAVE->{counter} = 0 if $SAVE->{counter} == 10; # Track from the counter $run = $SAVE->{counter}; } # New run ++$run and ++$SAVE->{counter}; @share_with = split_args(@share_with); @users = split_args(@users); @maildir = split_args(@maildir); @skip = split_args(@skip); # Initialise directory and file start no. for save_previous my $dir_num = 0; my $file_num = 0; #----------------------------------------------------------------------------- # Here we are checking the group we got passed #----------------------------------------------------------------------------- my $share_group; if ( $options{group} ) { die "Need username and user to share!\n" if ( !@share_with or !@users ); die "Group: '$options{group}' does not exist! (typo?)\n" if !defined getgrnam( $options{group} ); # getgrnam returns ($name, $passwd, $gid, $members) # i.e $group_details[0] is $name etc. etc. my @group_details = getgrnam( $options{group} ); # Check they are members for my $user (@users, @share_with) { # A user, by default is a member of their own group next if $group_details[0] eq $user; die "Username: '$user' is not a valid user!\n" if !defined getpwnam($user); die "User '$user' is not a member of the '$options{group}' group\n" if not $group_details[3] =~ m{$user}; } die "Refusing to create a dovecot share with the share group set to" . " 'root' (gid: $group_details[2])!\n" if $group_details[2] == 0; $share_group = $group_details[2]; } #----------------------------------------------------------------------------- # Here we start the actual share creation, checking home basename and groups #----------------------------------------------------------------------------- my @homes; # Use --home or default to /home my $homebase = $options{home} || '/home'; print BOLD GREEN, "Home basename is '$homebase'\n", RESET if $options{verbose}; if (@users) { die "Need users to share with!\n" if !@share_with; for my $u (@share_with) { die "Can not share with '$u': User '$u' does not exist! (typo?)\n" if !defined getpwnam($u); } die "Need to set group for shares! Please provide --group e.g." . " --group=sharedmail\n" if !$options{group}; @homes = map { $homebase . "/" . clean_user($_) } @users; # Clear the previous run of same number in memory from %SAVE delete $SAVE->{run}{$run}; find( \%find_options, @homes ); # this populates %SAVE if it's not # retreived above # We only want to use these Maildirs if passed if (@maildir) { for my $maildir (@maildir) { die "Maildir Directory: '$maildir' doesn't exist!\n" if -d !$maildir; create_share($maildir); } exit 0; } # $SAVE has been populated by File::Find for my $dir ( keys %{ $SAVE->{run}{$run}{directory} } ) { create_share( $SAVE->{run}{$run}{directory}{$dir}{dir}{name} ); } } #----------------------------------------------------------------------------- # Here we are printing to STDOUT, everything in the History file #----------------------------------------------------------------------------- if ( $options{History} ) { my $SAVE = retrieve($SAVED) if -e $SAVED or die "History file: '$SAVED' does not exist\n" . "Has $PROGNAME been run before?\n"; local $Data::Dumper::Varname = 'Dovecot-share History:'; local $Data::Dumper::Sortkeys = 1; print Dumper($SAVE), "\n"; exit 0; } #----------------------------------------------------------------------------- # Here we are restoring from the history file on the file system #----------------------------------------------------------------------------- if ( defined $options{restore} ) { # restore:s sets an empty string ''. my $SAVE = retrieve($SAVED) # so if no run passed, we restore if -e $SAVED # last run or die "History file: '$SAVED' does not exist\n" . "Has $PROGNAME been run before?\n"; my $restore; if ( $options{restore} =~ m{\d+} ) { $restore = $options{restore}; print "Restoring run: '$restore'\n"; } else { # Would use one of the various Date::* modules from # the CPAN here, but don't want to use any non-core # modules my @runs; for my $run_num ( keys %{ $SAVE->{run} } ) { push @runs, ( [ $run_num, $SAVE->{run}{$run_num}{restore_check_date} ] ); } my @elapsed_time; my %run_with; for my $time (@runs) { my $difference = $NOW - $time->[1]; # restore_check_date above $run_with{ $time->[0] } = $difference; # Save, to find run below push @elapsed_time, $difference; } my $last_run = min @elapsed_time; # Closest run to $NOW for my $to_restore ( keys %run_with ) { $restore = $to_restore if $run_with{$to_restore} == $last_run; # Find the run key } my $seconds = $last_run % 60; $last_run = ( $last_run - $seconds ) / 60; my $minutes = $last_run % 60; $last_run = ( $last_run - $minutes ) / 60; my $hours = $last_run % 24; $last_run = ( $last_run - $hours ) / 24; my $days = $last_run % 7; my $weeks = ( $last_run - $days ) / 7; print "Restoring the most recent run (run '$restore'), which was:\n" . " $weeks week/s, $days day/s, $hours hour/s," . " $minutes minute/s and $seconds second/s ago.\n"; } for my $dir ( keys %{ $SAVE->{run}{$restore}{directory} } ) { if ( $SAVE->{run}{$restore}{directory}{$dir}{dir}{name} ) { print BOLD GREEN, "***** DRY RUN *****\n", RESET; print BOLD GREEN, "Restoring $SAVE->{run}{$restore}{directory}{$dir}{dir}{name}" . " with uid:" . " '$SAVE->{run}{$restore}{directory}{$dir}{uid}', " . "gid '$SAVE->{run}{$restore}{directory}{$dir}{gid}', " . "and mode '$SAVE->{run}{$restore}{directory}{$dir}{mode}'\n", RESET if $options{verbose}; restore_emails_and_dirs( $SAVE->{run}{$restore}{directory}{$dir}{uid}, $SAVE->{run}{$restore}{directory}{$dir}{gid}, $SAVE->{run}{$restore}{directory}{$dir}{dir}{name}, $SAVE->{run}{$restore}{directory}{$dir}{mode} ); } for my $file ( keys %{ $SAVE->{run}{$restore}{directory}{$dir}{dir}{file} } ) { if ( $SAVE->{run}{$restore}{directory}{$dir}{dir}{file}{$file} {name} ) { print BOLD GREEN, "Restoring $SAVE->{run}{$restore}{directory}{$dir}{dir}{file}{$file}{name}" . " with uid:" . " '$SAVE->{run}{$restore}{directory}{$dir}{dir}{file}{$file}{uid}', " . "gid '$SAVE->{run}{$restore}{directory}{$dir}{dir}{file}{$file}{gid}', " . "and mode '$SAVE->{run}{$restore}{directory}{$dir}{dir}{file}{$file}{mode}'\n", RESET if $options{verbose}; restore_emails_and_dirs( $SAVE->{run}{$restore}{directory}{$dir}{dir}{file}{$file} {uid}, $SAVE->{run}{$restore}{directory}{$dir}{dir}{file}{$file} {gid}, $SAVE->{run}{$restore}{directory}{$dir}{dir}{file}{$file} {name}, $SAVE->{run}{$restore}{directory}{$dir}{dir}{file}{$file} {mode} ); } } } exit 0; } #----------------------------------------------------------------------------- # Here we are removing the history file on the file system #----------------------------------------------------------------------------- if ( $options{clean} ) { print "Are you sure you want to remove file: '$SAVED' ? [y/n (Enter to cancel)] "; chomp( my $answer = ); if ( $answer eq 'y' ) { unlink($SAVED) or die "Failed to delete '$SAVED': $!\n"; print "Deleted $SAVED\n"; exit 0; } else { print "Done.\n"; exit 0; } } #----------------------------------------------------------------------------- # clean_user($username) # # Untaint a username, and check it's valid #----------------------------------------------------------------------------- sub clean_user { my $unclean_user = shift; if ( $unclean_user =~ qr{^([-+@\w.]+)$} ) { my $clean = $1; return $clean; } else { die "Username: '$unclean_user' invalid!\n"; } return; } #----------------------------------------------------------------------------- # clean_dir($dir) # # Untaint a directory #----------------------------------------------------------------------------- sub clean_dir { my $unclean_dir = shift; my ($clean_dir) = $unclean_dir =~ /^([-+@\w.\/\s&!\.]+)$/; return $clean_dir; } #----------------------------------------------------------------------------- # clean_file($dir) # # Untaint a file #----------------------------------------------------------------------------- sub clean_file { my $unclean_file = shift; my ($clean_file) = $unclean_file =~ /^([-+@\w.\/\s,&!\.:=_]+)$/; return $clean_file; } #----------------------------------------------------------------------------- # split_args(@args_to_split) # # Split up our commandline args - ghenry,john,james etc. #----------------------------------------------------------------------------- sub split_args { my @to_split = @_; my @split = split( /,/, join( ',', @to_split ) ); return @split; } #----------------------------------------------------------------------------- # restore_emails_and_dirs($uid, $group, $to_change, $mode) # # Function for restoring changes made during dovecot shares #----------------------------------------------------------------------------- sub restore_emails_and_dirs { my $uid = shift; my $group = shift; my $to_change = shift; my $mode = shift; return if $options{'dry-run'}; chown $uid, $group, $to_change or warn "Couldn't change ownership of '$to_change': $!\n"; chmod oct($mode), $to_change or warn "Couldn't change permissions of '$to_change': $!\n"; return; } #----------------------------------------------------------------------------- # emails_and_dirs # # Callback for File::Find when creating dovecot shares #----------------------------------------------------------------------------- sub emails_and_dirs { # Only files in Maildir return if $File::Find::name !~ m{Maildir}; # No dovecot system files return if $File::Find::name =~ m{subscriptions|dovecot|public|control|index}; # No symlinks return if -l $File::Find::name; # Record permissions we have found right away my ( $mode, $uid, $gid ) = ( stat($File::Find::name) )[ 2, 4, 5 ]; $mode = sprintf "%04o", S_IMODE($mode); save_previous( $run, $File::Find::name, $mode, $uid, $gid ); return; } #----------------------------------------------------------------------------- # create_share($maildir) # # Main function for creating dovecot shares #----------------------------------------------------------------------------- sub create_share { my $dir = shift; # untaint $dir $dir =~ /^([-+@\w.\/\s&!\.\{\}#]+)$/; $dir = $1; # Grabbing the new, cur and tmp folders here push @change_perms_on, $dir; # We don't want to add a dovecot-shared to new, cur or tmp dirs return if $dir =~ m{(new|cur|tmp)$}; if ( ( -e $dir . $SHARED ) && !$options{override} ) { print BOLD GREEN, "***** DRY RUN *****\n", RESET if $options{'dry-run'}; print RED, "Directory: $dir already shared (try --override)," . " skipping!\n", RESET; } else { # Check for dirs to skip straight away if (@skip) { for my $skip (@skip) { return if $dir =~ m{$skip$}; } } print BOLD GREEN, "***** DRY RUN *****\n", RESET if $options{'dry-run'}; for my $u (@share_with) { print GREEN, "Sharing Maildir: $dir with user: '$u'\n", RESET; } return if $options{'dry-run'}; # Save to filesystem before we do anything, so we can # do a --restore in case we mess up. $SAVE is setup in # emails_and_dirs() nstore( $SAVE, $SAVED ) or die "Can't save history: $!\n"; # More untainting my $dovecot_file = clean_dir( $dir . $SHARED ); # Remove dovecot-shared, only if --override is set, as we enter # this branch if dovecot-shared exists if ( -e $dovecot_file ) { unlink $dovecot_file or die "Can't remove '$dovecot_file: $!\n"; } open my $DOVECOT_SHARED, ">>", $dovecot_file or die "Couldn't create $dovecot_file: $!\n"; close $DOVECOT_SHARED; if ( -e $dovecot_file && $options{verbose} ) { print "Created $dovecot_file\n"; } # pick off the owner of the dir and use that for all perm changes my $uid = ( stat($dir) )[4]; # untaint $uid $uid =~ /^([\d]+)$/; $uid = $1; # untaint $share_group $share_group =~ /^([\d]+)$/; $share_group = $1; # change perms on dirs and dovecot-shared for my $to_change ( $dir, $dovecot_file, @homes, @change_perms_on ) { change_perms( $uid, $to_change, $share_group ); } # change_perms on e-mails, so they can be read for my $dir ( keys %{ $SAVE->{run}{$run}{directory} } ) { for my $file ( keys %{ $SAVE->{run}{$run}{directory}{$dir}{dir}{file} } ) { change_perms( $uid, clean_file( $SAVE->{run}{$run}{directory}{$dir}{dir}{file}{$file} {name} ), $share_group ); } } # create the symlink for my $user (@share_with) { for my $orig_user (@users) { my $prefix = $options{prefix} || ucfirst($orig_user); # grab the maildir my ($orig_maildir) = $dir =~ m{Maildir/(.*)$}; $orig_maildir = '.TOP-INBOX' if !defined $orig_maildir; # biiiiggggg concatenation :-( my $symlink = clean_dir( $homebase . $user . '/Maildir/.' . $prefix . $orig_maildir ); next if -l $symlink; # Don't create same symlink symlink $dir, $symlink or warn "Couldn't create symlink in '" . $homebase . $user . "/Maildir/': $!\n"; if ( -l $symlink && $options{verbose} ) { print "Symlink at: '$symlink'\n"; } } } } return; } #----------------------------------------------------------------------------- # change_perms($uid, $to_change, $share_group) # # Function for changing File Permissions #----------------------------------------------------------------------------- sub change_perms { my $uid = shift; my $to_change = shift; my $share_group = shift; print "Changing ownership and permissions of: $to_change" . " to: 'rwxrws--- $uid $share_group'\n" if $options{verbose}; chown $uid, $share_group, $to_change or warn "Couldn't change ownership of '$to_change': $!\n"; # can use 02770 here without oct, but keeps similarity between # command line chmod chmod oct(2770), $to_change or warn "Couldn't change permissions of '$to_change': $!\n"; return; } #----------------------------------------------------------------------------- # save_previous($run, $dir_or_file, $mode, $uid, $gid) # # Function for saving File Permissions etc. before making changes for the # Dovecot Shares #----------------------------------------------------------------------------- sub save_previous { my $run = shift; my $dir_or_file = shift; my $mode = shift; my $uid = shift; my $gid = shift; # Setup our dates $SAVE->{run}{$run}{run_date} = $HUMAN_RUN_DATE; $SAVE->{run}{$run}{restore_check_date} = $NOW; if ( -d $dir_or_file ) { ++$dir_num; $SAVE->{run}{$run}{directory}{$dir_num}{dir}{name} = $dir_or_file; $SAVE->{run}{$run}{directory}{$dir_num}{mode} = $mode; $SAVE->{run}{$run}{directory}{$dir_num}{uid} = $uid; $SAVE->{run}{$run}{directory}{$dir_num}{gid} = $gid; } elsif ( -f $dir_or_file ) { ++$file_num; for my $dir ( keys %{ $SAVE->{run}{$run}{directory} } ) { if ( $dir_or_file =~ $SAVE->{run}{$run}{directory}{$dir}{dir}{name} ) { $SAVE->{run}{$run}{directory}{$dir}{dir}{file}{$file_num} {name} = $dir_or_file; $SAVE->{run}{$run}{directory}{$dir}{dir}{file}{$file_num} {mode} = $mode; $SAVE->{run}{$run}{directory}{$dir}{dir}{file}{$file_num}{uid} = $uid; $SAVE->{run}{$run}{directory}{$dir}{dir}{file}{$file_num}{gid} = $gid; } } } else { return; } } # {{{ Documentation __END__ =pod =head1 NAME create_dovecot_shares - Create Dovecot shares and put symlinks into user Maildirs =head1 VERSION This document describes create_dovecot_shares version 1.06 =head1 SYNOPSIS [root@suretec home]$ create_dovecot_shares [OPTIONS] INPUT OPTIONS: --username Username/Usernames you want to share the Maildir of, comma seperated --group Group for Maildir share ownership --dry-run Doesn't make any changes, just shows what would happen --share-with List of users to share with (creates symlinks in their Maildir), comma seperated --maildir List of Maildirs to share, or all found in home directory if not specified, comma seperated. --home Where the home directories are, for use in a hosted environment. Defaults to /home is not specified --override Overrides all existing shares (dovecot-shared file and perms) if found --skip Skips existing share with same name if found, comma seperated --prefix Prefix for shares. Default is username.INBOX etc. --restore Restore to before changes. Takes a run number, e.g. 5 runs back OUTPUT OPTIONS: --History Prints Summary of last Create Share runs (we keep 10.) --clean Removes the dovecot_shares.hist file from F --Version Print program version --verbose Print in fine detail what is happening --help List this help --man List the full create_dovecot_shares manpage EXAMPLES: [root@suretec home]$ create_dovecot_shares --username=ghenry --group=support --skip=/home/ghenry/Maildir,/home/ghenry/Maildir/.Sent --share-with=john,admin --dry-run [root@suretec home]$ create_dovecot_shares --username=ghenry,john,jack --group=accounts --share-with=philip --override [root@suretec home]$ create_dovecot_shares --username=ghenry --share-with=john --group=accounts --home=/var/hosted/home --prefix=OFFICE [root@suretec home]$ create_dovecot_shares --username=ghenry --group=accounts --maildir=/home/john/Maildir/.Sent,/home/john/Maildir/.Drafts [root@suretec home]$ create_dovecot_shares --restore 5 [root@suretec home]$ create_dovecot_shares --History =head1 DESCRIPTION Creating lots of F files, changing permissions and creating symlinks is a pain, especially when dealing with more than a handle of users. C helps. It modifies users home directories and Maildirs (permissions) for sharing via Dovecot, and creates symlinks into the Maildir you want the shares accessed from. There's even a C option, to roll back any changes you made with a history of 10 runs. See L<"SYNOPSIS"> for examples. Must be root. =head1 README Creating lots of F files for the Dovecot IMAP Server, changing permissions and creating symlinks is a pain, especially when dealing with more than a handle of users. create_dovecot_shares helps =head1 CONFIGURATION AND ENVIRONMENT This script requires no configuration files or environment variables. 