Add option -a, --attributes

Signed-off-by: Jari Aalto <jari.aalto@cante.net>

ChangeLog

@@ -2,14 +2,17 @@
 
 	* README.rst (REQUIREMENTS): List run time requirements.
 
-	* bin/restricted-shell-create.5.pod: Mention getopt(1)
+	* bin/restricted-shell-create.5.pod:
+	(OPTIONS): Add -a, --attributes to activate chattr(1).
+	(BUGS): Mention getopt(1)
 
 	* makefile.sh (Tmpfile, Atexit): New.
 	(Main): Add getopt(1) support. Use if available. Check syntax
 	of user supplied $RSHELL. Correct error "--chown is not in
-	format user:group".
+	format user:group". Add new option --attribute.
 	(CreateUser): Option --force now allows changing user's shell.
 	Add many more RSHELL cases to check.
+	(Chattr): Activate only on $OPT_CHATTR.
 
 2013-05-31 Fri  Jari Aalto  <jari.aalto@cante.net>
 

bin/restricted-shell-create.5.pod

@@ -44,7 +44,7 @@ restricted-shell-create - create a restricted shell environment using rbash
 
 =head1 SYNOPSIS
 
-  restricted-shell-create [options] <login name> [list of allowed commands]
+  restricted-shell-create [options] <login name> [list of commands]
 
 =head1 DESCRIPTION
 
@@ -83,6 +83,27 @@ A good article about overwiev to securing logins can be found at
 
 =over 4
 
+=item B<-a, --attributes>
+
+Use extended file system attributes provided by chattr(1) command to
+protect installed files better from user's modification attempts. If
+this options is used, make sure that following conditions are met:
+
+=over 2
+
+=item *
+
+(1) You're running at the host that physically has the home disk for
+the $USER. Using this option on a host that only has access to the
+/home share through networked file system, like NFS, will fail.
+
+=item *
+
+(2) the File System supports chattr(1) command. E.g. ext* file systems
+do, but others may not.
+
+=back
+
 =item B<-d, --homeroot>
 
 The absolute path of system home directory root. defaults to /home.

makefile.sh

@@ -53,6 +53,7 @@ unset USERGROUP
 unset HOMEDIR
 unset PASSWD
 unset OPT_RSHELL
+unset OPT_CHATTR
 unset test
 unset verbose
 unset initialize
@@ -342,20 +343,22 @@ IsMount ()
 
 Chattr ()
 {
-    return  # Disabled for now
+    [ "$OPT_CHATTR" ] || return 0
 
     if [ ! "$test" ]; then
 	mount=$(Run IsMount ":$HOMEROOT")
     fi
 
     if [ "$mount" ]; then
-	Warn "WARN: chattr(1) will fail. Can't change attributes on NFS mount"
+	Warn "WARN: chattr(1) will fail. Can't change" \
+	     "attributes on NFS mount"
 	Warn "WARN: run the command manually on the host of $HOMEROOT"
 	Warn "$mount"
     fi
 
     Echo "cd $HOMEDIR ; chattr" "$@"
     Run chattr "$@"
+    unset mount
 }
 
 Help ()
@@ -373,7 +376,7 @@ DESCRIPTION
         (/usr/bin:/usr/loca/bin) or listed with full path names.
 
 OPTIONS
-        See manual page for complete set of options. An exerpt:
+        See manual page for complete set of options. This is an exerpt only:
 
         -D, --debug
             Activate shell debug option.
@@ -418,8 +421,8 @@ Main ()
         tmpopt=$(getopt \
         --shell bash \
         --name "$0.Main($VERSION restricted-shell-create)" \
-        --long homeroot:,debug,force,group:,help,init,chown,passwd,shell,test,verbose,version \
-        --option "d:Dfg:hiops:tvV" -- "$@" \
+        --long attributes,homeroot:,debug,force,group:,help,init,chown,passwd,shell,test,verbose,version \
+        --option "ad:Dfg:hiops:tvV" -- "$@" \
 	)
 
         if [ "$?" != "0" ]; then
@@ -445,6 +448,9 @@ Main ()
     while :
     do
 	case "$1" in
+	    -a | --attributes)
+		OPT_CHATTR="opt-chattr"
+		;;
 	    -d | --homeroot)
 		shift
 		HOMEROOT="$1"
@@ -490,7 +496,7 @@ Main ()
 		;;
 	    -s | --shell)
 		shift
-		OPT_RSHELL="set-rshell"
+		OPT_RSHELL="opt-rshell"
 		RSHELL="$1"
 		DieIfOption $RSHELL "--shell looks like an option: $RSHELL"
 		shift
@@ -590,7 +596,7 @@ Main ()
 
     # Allow only appending to the .bash_history file
 
-    Run chattr -a .bash_history 2> /dev/null # Can't chown without this
+    Run Chattr -a .bash_history 2> /dev/null # Can't chown without this
     Run chown "$CHOWN" .bash_history
 
     # Allow appending to the file