ScriptsCollections/ServerUserCreate
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fa47178ed1e1ddc6113ec190e91180f691e789b0
ServerUserCreate/bin/delete_user.sh
Clemens Schwaighofer fa47178ed1 Add central logging for all actions done 
log file "user_management.log"

Each line is
[YYYY-MM-DD HH:mm:ss] [script name] [TEST] ...

[TEST] is only set if we are in a test run

for create user, if info flag is set, we do not write a log
2024-12-09 11:37:37 +09:00

209 lines
5.6 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
# Delete user
# - Backup
# - delete user
# - delete home
# - remove ssh-keygen-created-pub files
# - remove ssh central auth data if exits
# - update user_list.txt and comment (#) line for this user
# - write delete log
# This will permaently remove the user
TEST=0; # do not run any actions
BACKUP=1;
while getopts ":tb" opt; do
case "${opt}" in
t) # var/log/secure*bz2
TEST=1;
;;
b) # nobackup
BACKUP=0;
;;
\?)
echo -e "\n Option does not exist: ${OPTARG}\n";
echo "Use -t for test";
echo "Use -g for actually creation run";
echo "Use -b to not make a backup of the home folder and public key"
exit 1;
;;
esac;
done;
shift "$((OPTIND-1))"
if [ "$(whoami)" != "root" ]; then
if [ ${TEST} -eq 0 ]; then
echo "Script must be run as root user";
exit;
else
echo "!!!! Script must be run as root user !!!!";
fi;
fi;
if [ $# -eq 0 ]; then
echo "Must give at least one user name";
exit;
fi;
# check tar, bzip2 is installed if backup = 1
host=$(hostname);
timestamp=$(date +%Y%m%d-%H%M%S);
# character to set getween info blocks
separator="#";
# base folder for all data
BASE_FOLDER=$(dirname "$(readlink -f "$0")")"/";
root_folder="${BASE_FOLDER}../";
backup_folder="${BASE_FOLDER}../backup/";
# SSH_KEYGEN_FOLDER_CREATED_PUB='ssh-keygen-created-pub/';
input_file='user_list.txt';
user_list_file="${root_folder}${input_file}";
# log file
HISTORY="${BASE_FOLDER}/../log/delete_user.log";
# ignore users (root and admin users)
ignore_users=('root' 'ec2-user' 'ubuntu' 'admin');
# detect ssh authorized_keys setting
SSH_CENTRAL_AUTHORIZED_FILE_FOLDER='';
SSH_AUTHORIZED_FILE='';
# shellcheck disable=SC2013
for cf in $(grep "^AuthorizedKeysFile" "/etc/ssh/sshd_config" | grep "%u"); do
if echo "$cf" | grep -q "%u"; then
SSH_CENTRAL_AUTHORIZED_FILE_FOLDER="${cf/%%u//}";
if [ ! -d "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
echo "ssh central authorized_file folder could not be found: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
exit;
fi;
fi;
done;
if [ ! -f "${user_list_file}" ]; then
echo "${input_file} is missing";
exit;
fi;
LOG="${BASE_FOLDER}/../log/user_management.log";
function write_log()
{
text="${1}";
do_echo="${2}";
log_prefix="";
# log prefix for testing
if [ ${TEST} -eq 1 ]; then
log_prefix="[TEST] ";
fi;
# write log not in info run
echo "[$(date +"%F %T")] [$0] ${log_prefix}${text}" >> "${LOG}";
if [ "${do_echo}" = "1" ]; then
echo "${text}";
fi;
}
write_log "START SCRIPT RUN";
# used for test run only
overall_run_error=0;
# $1 ... $n
for username in "$@"; do
error=0;
# skip if there is an option hidden
# shellcheck disable=SC2154
if [[ ${_arg:0:1} = "-" ]]; then
continue;
fi;
# skip ignore users, note that if a user is not in the sshallow list anyway
# we skip them too, this is just in case check
if [[ " ${ignore_users[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then
write_log "[!] User ${username} is in the ignore user list" "1";
continue;
fi;
# user must exist in user_list.txt and /etc/passwd
# if missing in or another do not continue
if ! id "${username}" &>/dev/null; then
# not in passwd
write_log "[ERRPR] User ${username} does not exist in /etc/passwd" "1";
error=1;
fi;
user_list_entry=$(grep "${username}" "${user_list_file}");
if [ -z "${user_list_entry}" ]; then
write_log "[ERROR] User ${username} does not exist in user_list.txt file" "1";
error=1;
elif [[ "${user_list_entry}" =~ ^#DELETED ]]; then
write_log "[ERROR] User ${username} is flagged as deleted in user_list.txt file" "1";
error=1;
fi;
if [ $error -eq 1 ]; then
overall_run_error=1;
write_log "[*** ABORT RUN ***]" "1";
if [ ${TEST} -eq 0 ]; then
break;
fi;
fi;
write_log "=> Delete: ${username}" "1";
# ssh authorized file
SSH_AUTHORIZED_FILE="${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}${username}";
# make backup from /home
if [ ${BACKUP} -eq 1 ]; then
home_folder=$(getent passwd "${username}" | cut -d ":" -f 6);
backup_file="${backup_folder}${host}${separator}${username}.${timestamp}.tar.bz2";
files_list="${home_folder}";
if [ -f "${SSH_AUTHORIZED_FILE}" ]; then
files_list="${files_list} ${SSH_AUTHORIZED_FILE}";
fi;
echo "[0] Backup ${files_list} to ${backup_file}";
if [ ${TEST} -eq 0 ]; then
tar cfjp "${backup_file}" "${files_list}";
else
echo "$> tar cfjp \"${backup_file}\" ${files_list};";
fi;
fi;
echo "[1] Remove user + home dir";
if [ ${TEST} -eq 0 ]; then
userdel -r "${username}"
else
echo "$> userdel -r ${username}";
fi;
# remove ssh files in pub
echo "[2] Remove SSH Public key";
# Note, we keep the public key in the -created-pub folder
if [ -f "${SSH_AUTHORIZED_FILE}" ]; then
if [ ${TEST} -eq 0 ]; then
chattr -i "${SSH_AUTHORIZED_FILE}";
rm "${SSH_AUTHORIZED_FILE}";
else
echo "$> chattr -i \"${SSH_AUTHORIZED_FILE}\";";
echo "$> rm \"${SSH_AUTHORIZED_FILE}\";"
fi;
else
# Not critical error
write_log "[?] Cannot find ${SSH_AUTHORIZED_FILE}" "1";
fi;
# Update user_list.txt file and add # for the line
echo "[3] Update user_list.txt file";
# eg n;foo -> #DELETED-YYYYMMDD_HHmmss:n;foo ...
delete_date=$(date +%Y%m%d_%H%M%S)
if [ ${TEST} -eq 0 ]; then
sed -i -e "s/^\([A-Za-z0-9]\{1,\};${username};\)/#DELETED-${delete_date}:\1/" "${user_list_file}";
else
# shellcheck disable=SC2028
echo "$> sed -i -e \"s/^\([A-Za-z0-9]\{1,\};${username};\)/#DELETED-${delete_date}:\1/\" \"${user_list_file}\";";
fi;
echo "$(date +"%F %T");${host};${username};${TEST}" >> "${HISTORY}";
done;
# MARK: TEST ERROR INFO
if [ ${TEST} -eq 1 ] && [ ${overall_run_error} -eq 1 ]; then
echo "[ERROR] Some errors occoured during the run, they will prohibit the live run of this script";
fi;
# __END__
Reference in New Issue View Git Blame Copy Permalink