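#!/bin/bash
# Installer for xscreensaver-yubilock.
#
# Installs the yubilock daemon for ONE interactively chosen user:
#   - creates the system group "yubilock" and adds the user to it
#   - creates a python3 virtualenv under $install_dir and copies the app files
#   - optionally records the plugged-in yubikey serials in the user's ~/.yubilock
#   - creates $logging_dir, installs the udev rule and, optionally, a
#     per-user systemd unit
#
# Must be run as root. Targets Debian-style systems (apt-get, addgroup, runuser).

# exit when any command fails
set -e

readonly install_dir='/opt/yubilock/'
readonly logging_dir='/var/log/yubilock/'
script_dir="$(dirname "$(readlink -f "$0")")"
readonly script_dir

# Print the arguments to stderr and abort the installer with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Ask a yes/no question on stdin and echo 'yes' or 'no'.
#   $1 - prompt text
#   $2 - default answer ('yes' or 'no'), used when the reply is empty
# Only the first character of the reply is inspected; as in the original
# prompts, any reply that is not recognised counts as the NON-default answer.
ask_yes_no() {
  local prompt=$1 default=$2 reply
  read -r -p "$prompt" reply
  [ -z "$reply" ] && reply=$default # if no input, assume the default
  if [ "$default" = 'yes' ]; then
    case ${reply:0:1} in
      y|Y|1) echo 'yes' ;;
      *) echo 'no' ;;
    esac
  else
    case ${reply:0:1} in
      n|N|0) echo 'no' ;;
      *) echo 'yes' ;;
    esac
  fi
}

# Run `systemctl --user ARGS...` as the target user.
# Globals: username, userid (read)
# A substitute-user call is needed because systemctl matches the executing uid
# to the unit owner uid, and XDG_RUNTIME_DIR must point at the user's runtime
# directory for systemctl to reach the user manager. See:
# https://unix.stackexchange.com/questions/483948/inspect-unit-status-for-user-units-with-systemctl-as-root/485063#485063
# runuser passes argv through unchanged (no command string, no dependency on
# the user's login shell defining $UID); the uid resolved at startup is used.
user_systemctl() {
  runuser -u "$username" -- env XDG_RUNTIME_DIR="/run/user/$userid" systemctl --user "$@"
}

# Make sure running as root
[ "$(id -u)" -eq 0 ] || die 'Please run as root'

# Ask for user parameters
echo "This installer is meant to install the yubilock service for one user. Please specifiy for wich user you want to install xscreensaver-yubilock"
read -r -p 'Username: ' username
# Check the lookup status directly: an `exit` inside a ( ... ) subshell would
# not stop the script and the install would continue with an empty uid.
userid=$(id -u "$username" 2>/dev/null) || die "$username is not a user on this system"
[ "$userid" -ge 1000 ] || die "User $username seems to be a systemuser (uid: $userid). Please specify a normal user."
# Resolve the home directory from the passwd database instead of eval'ing a
# tilde expansion built from user input.
homedir=$(getent passwd "$username" | cut -d: -f6)
[ -n "$homedir" ] || die "Could not determine the home directory of $username"
unit_dir="$homedir/.config/systemd/user"

echo "Allowed yubikey serials can be set systemwide in ${install_dir}config.ini, or per user in \$HOME/.yubilock. Do you wish to add one or more for $username now?"
add_serial=$(ask_yes_no "Add Yubikey serial? (Y/n) " 'yes')

serials=''
if [ "$add_serial" = 'yes' ]; then
  if ! ykman -v >/dev/null 2>&1; then
    echo "yubikey-manager doesn't seem to be installed. Do you want to install it? ('no' means you'll have to add your yubikey serial manually later)"
    install_ykman=$(ask_yes_no "Install yubikey-manager? (Y/n) " 'yes')
    if [ "$install_ykman" = 'yes' ]; then
      apt-get install -y yubikey-manager
    else
      # Without ykman the serials cannot be read; skip the rest of this step.
      # (The original `break 3` is a no-op outside a loop and did not skip it.)
      add_serial='no'
    fi
  fi
  if [ "$add_serial" = 'yes' ]; then
    echo "Please make sure your yubikey(s) are plugged in. Then press any key to continue"
    read -n 1 -s -r
    # List all keys, get the serials, and comma separate them
    serials=$(ykman list | sed -e 's#.*:\ \(\)#\1#' | tr '\n' ',')
    serials="${serials%?}" # Remove trailing comma
    echo "The following serial(s) will be added to your config file: $serials"
  fi
fi

echo "Do you want the daemon to be started by systemd? (you'll have to start it manually every login session if you choose no)"
use_systemd=$(ask_yes_no "Use Systemd? (Y/n) " 'yes')

echo "== Making sure python3 and virtualenv are installed =="
python3 --version || apt-get install -y python3
python3 -m venv -h >/dev/null 2>&1 || apt-get install -y python3-venv

echo "== Create yubilock group =="
# Guarded so a re-run of the installer does not abort under set -e.
getent group yubilock >/dev/null || addgroup --system yubilock

echo "== Add $username to yubilock group =="
usermod -a -G yubilock "$username"

echo "== Create virualenv =="
[ -f "$install_dir/venv/bin/activate" ] || python3 -m venv "$install_dir/venv"
. "$install_dir/venv/bin/activate"
pip install setuptools wheel
pip install -r "$script_dir/requirements.txt"

echo "== Copy over application files =="
cp "$script_dir/bin/xscreensaver_yubilock.py" "$install_dir"
cp "$script_dir/bin/uninstall.sh" "$install_dir"
cp "$script_dir/bin/kill_screensaver_graphic_program.sh" "$install_dir"
cp "$script_dir/bin/config_system.ini" "$install_dir/config.ini"
chown -R root:yubilock "$install_dir"
chmod 771 "$install_dir"

# Add yubikey serials to config
if [ -n "$serials" ]; then
  echo "Homedir: $homedir"
  if [ ! -f "$homedir/.yubilock" ]; then
    cp "$script_dir/bin/config_user.ini" "$homedir/.yubilock"
    # "user:" assigns the user's login group, which need not share its name.
    chown "$username:" "$homedir/.yubilock"
  fi
  sed -i "s+^yubikey_serial.*+yubikey_serial\ =\ $serials+g" "$homedir/.yubilock"
  echo "Add yubikey serial(s) to $homedir/.yubilock"
fi

echo "== Create logging directory =="
mkdir -p "$logging_dir"
chown --from=root:root root:yubilock "$logging_dir"
chmod 775 "$logging_dir"
sed -i "s+^logfile\ =.*+logfile\ =\ ${logging_dir}daemon.log+g" "$install_dir/config.ini"

echo "== Fix udev usb rights for yubilock group =="
cp "$script_dir/debian/91-usbftdi.rules" '/etc/udev/rules.d/'
chown root:root '/etc/udev/rules.d/91-usbftdi.rules'
udevadm control --reload-rules

if [ "$use_systemd" = 'yes' ]; then
  echo "== Enable as systemd service =="
  # Create the unit directory as the user so that ~/.config (if it did not
  # exist yet) is not left owned by root.
  runuser -u "$username" -- mkdir -p "$unit_dir"
  cp "$script_dir/debian/yubilock.service" "$unit_dir"
  sed -i "s+^ExecStart=.*+ExecStart=${install_dir}venv/bin/python ${install_dir}xscreensaver_yubilock.py -v+g" "$unit_dir/yubilock.service"
  chown "$username:" "$unit_dir/yubilock.service"
  user_systemctl daemon-reload
  user_systemctl enable yubilock.service
else
  # Make sure service is removed if previously installed. stop/disable fail
  # when no unit was ever installed; that must not abort the installer.
  user_systemctl stop yubilock.service >/dev/null 2>&1 || true
  user_systemctl disable yubilock.service >/dev/null 2>&1 || true
  rm -f -- "$unit_dir/yubilock.service"
  user_systemctl daemon-reload
  user_systemctl reset-failed
fi

echo "== xscreensaver-yubilock is installed! =="
echo "== to enable yubilock, please restart your device =="
exit 0

# ---------------------------------------------------------------------------
# Disabled: never reached because of the `exit 0` above.
# Due to loginctl not updating user groups, the user has to restart before the
# service can be started.
# ---------------------------------------------------------------------------
if [ "$use_systemd" = 'yes' ]; then
  echo "Do you wish to start the daemon now? WARNING: If the specified yubikey is not plugged in, your machine will lock. Alternatively, you can start the service using 'sudo systemctl start yubilock.service' or wait for next login."
  start_daemon=$(ask_yes_no "Start daemon? (y/N) " 'no')
  if [ "$start_daemon" = 'yes' ]; then
    user_systemctl start yubilock.service
  fi
fi
exit 0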
#(Uninstall script)