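#!/bin/sh
# "mkwebonly.sh"
# Set up a user for Web/FTP-only access: the account gets a non-login shell,
# is added to the wu-ftpd guest group, and its home directory receives a
# minimal chroot skeleton (bin, lib, etc) copied from /home/ftp plus an
# htdocs directory the user can publish into.
#
# Usage: mkwebonly.sh USERNAME
#
# Must be run as root. Run it once per user: the script refuses to touch a
# home directory whose chroot passwd file already lists the user.
#
# Exit status: 0 on success; 1 on bad arguments, a failed command, an aborted
# account creation, or a refused (root-equivalent / already converted) user.

usage() {
  printf 'Usage: mkwebonly.sh USERNAME\n' >&2
  exit 1
}

# Print a diagnostic on stderr and stop; nothing below is safe to continue
# past once a step has failed.
die() {
  printf 'mkwebonly.sh: %s\n' "$*" >&2
  exit 1
}

[ $# -eq 1 ] || usage
WHICH_USER=$1

# Only accept a conservative user name. It is spliced into file paths and
# handed to useradd/usermod/id/chown, so reject an empty name, a name that
# starts with '-' (would be parsed as an option) or '.' (covers "." and ".."),
# and anything outside [A-Za-z0-9._-].
case "$WHICH_USER" in
  ''|-*|.*|*[!A-Za-z0-9._-]*) die "invalid user name '$WHICH_USER'" ;;
esac

# Everything below edits /etc/passwd, /etc/group and other users' home
# directories; refuse early rather than failing halfway through.
[ "$(id -u)" -eq 0 ] || die "must be run as root"

# Shell given to the user. It has to be listed in /etc/shells, otherwise
# wu-ftpd (and anything else that consults the shells file) rejects the login.
FTPSHELL=/bin/false

# Primary group for newly created accounts.
# (It would be nicer to check for a group with the same name as the user.)
DEFAULTGROUP=webusers

# Supplementary group that makes wu-ftpd chroot() the user. /etc/ftpaccess
# needs a matching line:
#   guestgroup chrootftp
CHROOTGROUP=chrootftp

# Where the chroot skeleton (bin, lib, etc) is copied from.
FTPSKEL=/home/ftp

getent group "$CHROOTGROUP" >/dev/null \
  || die "group $CHROOTGROUP does not exist (create it and add 'guestgroup $CHROOTGROUP' to /etc/ftpaccess)"

# Look the user up with an exact NSS match instead of grepping /etc/passwd
# with a pattern built from the name ('.' and other metacharacters in a name
# would otherwise match unrelated entries). An already converted user has a
# home of the form /home/NAME/./.; strip that marker so HOMEDIR is always the
# real directory.
if PWENT=$(getent passwd "$WHICH_USER"); then
  HOMEDIR=$(printf '%s\n' "$PWENT" | cut -d: -f6)
  HOMEDIR=${HOMEDIR%/./.}
  HOMEDIR=${HOMEDIR%/}
  [ -n "$HOMEDIR" ] || die "user $WHICH_USER has no usable home directory in passwd"
else
  # User does not exist yet: create it interactively.
  printf 'There is no user %s yet\n' "$WHICH_USER"
  printf "What is the user's name (return to end): "
  IFS= read -r NAME
  if [ -z "$NAME" ]; then
    printf 'Aborting...\n'
    exit 1
  fi
  printf 'Creating account for user %s (%s)\n' "$WHICH_USER" "$NAME"
  HOMEDIR=/home/$WHICH_USER
  /usr/sbin/useradd -g "$DEFAULTGROUP" -d "$HOMEDIR" -s "$FTPSHELL" -m -c "$NAME" "$WHICH_USER" \
    || die "error creating account for $WHICH_USER"

  # Bounded retry instead of looping forever when passwd keeps failing (e.g.
  # no terminal). useradd normally leaves a fresh account locked, so giving
  # up here should not leave a password-less login behind.
  printf 'Set the password for %s\n' "$WHICH_USER"
  attempts=0
  until /usr/bin/passwd "$WHICH_USER"; do
    attempts=$((attempts + 1))
    [ "$attempts" -lt 3 ] || die "could not set a password for $WHICH_USER after $attempts attempts"
  done

  # Drop the skeleton dot files useradd -m copied in; a web/ftp-only account
  # has no use for them.
  for DOTFILE in .Xdefaults .bash_logout .bash_profile .bashrc .screenrc; do
    if [ -f "$HOMEDIR/$DOTFILE" ]; then
      rm -f -- "$HOMEDIR/$DOTFILE"
    fi
  done
fi

USERID=$(id -u "$WHICH_USER") || die "cannot look up uid of $WHICH_USER"
if [ "$USERID" = "0" ]; then
  die "$WHICH_USER is root-equivalent (uid 0), will not change!"
fi
PRIMARYGROUP=$(id -g "$WHICH_USER") || die "cannot look up gid of $WHICH_USER"
PRIMARYGNAME=$(id -gn "$WHICH_USER") || die "cannot look up primary group of $WHICH_USER"

# Refuse to run twice: a second run would append a duplicate line to the
# chroot passwd file and copy the skeleton over itself.
if [ -f "$HOMEDIR/etc/passwd" ] \
  && awk -F: -v u="$WHICH_USER" '$1 == u { found = 1 } END { exit !found }' "$HOMEDIR/etc/passwd"; then
  die "$HOMEDIR/etc/passwd already lists $WHICH_USER; this script must only be run once per user"
fi

# Build the supplementary group list for usermod -G: every group the user is
# in now, minus the primary group, plus the chroot group exactly once. Each
# group is compared exactly; an unanchored sed substitution would also mangle
# a group whose id merely contains the primary group's id as a substring.
NEWGROUPS=$CHROOTGROUP
for grp in $(id -Gn "$WHICH_USER"); do
  [ "$grp" = "$PRIMARYGNAME" ] && continue
  [ "$grp" = "$CHROOTGROUP" ] && continue
  NEWGROUPS="$NEWGROUPS,$grp"
done
/usr/sbin/usermod -G "$NEWGROUPS" "$WHICH_USER" || die "usermod -G $NEWGROUPS failed for $WHICH_USER"

# Make the home directory traversable (not listable) so the web server can
# reach htdocs, and hand it to root. The chroot skeleton copied below is only
# protected from the user if the user does not own the directory holding it:
# a directory's owner may rename or delete anything inside it regardless of
# the sticky bit, so the ownership change is what actually keeps bin/lib/etc
# out of the user's hands. The sticky bit is kept as belt-and-braces.
chown root "$HOMEDIR" || die "cannot chown $HOMEDIR to root"
chmod 711 "$HOMEDIR" || die "cannot chmod $HOMEDIR"
chmod +t "$HOMEDIR"

# Copy the chroot skeleton, preserving ownership and modes; a missing piece
# would leave a chroot that cannot even run ls, so stop rather than continue.
for dir in bin lib etc; do
  [ -d "$FTPSKEL/$dir" ] || die "$FTPSKEL/$dir is missing; cannot build chroot for $WHICH_USER"
  cp --preserve --recursive "$FTPSKEL/$dir" "$HOMEDIR" \
    || die "copying $FTPSKEL/$dir into $HOMEDIR failed"
done

# Add the user's name/uid/gid to the chroot's own passwd file (used inside
# the chroot for name display, not for authentication).
CHROOTPASSWD=$HOMEDIR/etc/passwd
[ -f "$CHROOTPASSWD" ] || die "$CHROOTPASSWD is missing after copying the skeleton"
chmod u+w "$CHROOTPASSWD" || die "cannot make $CHROOTPASSWD writable"
printf '%s:x:%s:%s:FTP user:%s:/dev/null\n' "$WHICH_USER" "$USERID" "$PRIMARYGROUP" "$HOMEDIR" \
  >> "$CHROOTPASSWD" || die "cannot append to $CHROOTPASSWD"
chmod a-w "$CHROOTPASSWD"

# The one directory the user may write to: their web root.
mkdir -p "$HOMEDIR/htdocs" || die "cannot create $HOMEDIR/htdocs"
chown "$WHICH_USER" "$HOMEDIR/htdocs" || die "cannot chown $HOMEDIR/htdocs"
chgrp "$PRIMARYGROUP" "$HOMEDIR/htdocs" || die "cannot chgrp $HOMEDIR/htdocs"
chmod 755 "$HOMEDIR/htdocs" || die "cannot chmod $HOMEDIR/htdocs"

# Point the real home at the chroot form "HOME/./." — wu-ftpd treats the part
# before "/./" as the chroot root and the part after as the start directory.
# The subdir is just "." so Apache's UserDir still resolves as expected.
/usr/sbin/usermod -d "$HOMEDIR/./." "$WHICH_USER" || die "cannot set home directory of $WHICH_USER"

# Give 'em a bogus shell so the account cannot log in interactively.
/usr/sbin/usermod -s "$FTPSHELL" "$WHICH_USER" || die "cannot set shell of $WHICH_USER"

printf 'All done\n'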