#!/bin/sh
#
# nessus-adduser
#
# Written by Renaud Deraison <deraison@cvs.nessus.org>
#
# This script is distributed under the Gnu General Public License (GPL)
#

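prefix=/usr/local
exec_prefix=${prefix}
bindir=${exec_prefix}/bin
sbindir=${exec_prefix}/sbin
libexecdir=${exec_prefix}/libexec
datadir=${prefix}/share
sysconfdir=/etc
sharedstatedir=${prefix}/com
localstatedir=/var
libdir=${exec_prefix}/lib
includedir=${prefix}/include
oldincludedir=/usr/include
infodir=${prefix}/info
mandir=${prefix}/man

nessusd=${exec_prefix}/sbin/nessusd
nessusd_users=/etc/nessus/nessusd.users
nessusd_conf=/etc/nessus/nessusd.conf
nessusd_pid=/var/nessus/nessusd.pid

# Everything this script creates (the scratch files, and the users file
# itself when it does not exist yet) contains credentials: make sure
# nothing is ever created group- or world-readable, whatever the
# caller's umask is.
umask 077

# check whether we have echo -n, depending
# on the current shell, used
case `echo -n` in
\-n)	Xn=   ; Xc='\c' ;;
*)	Xn=-n ; Xc=
esac

# make sure that we are root, if there is no id command,
# you loose, anyway
case `id` in uid=0*) ;; *)
    echo "only root should use nessus-adduser" >&2
    exit 1
esac

# fail now if the users file can not live where it is supposed to,
# rather than after the administrator has typed everything in
users_dir=`dirname "$nessusd_users"`
if [ ! -d "$users_dir" ]; then
    echo "Error - $users_dir does not exist" >&2
    exit 1
fi

# path to a temporary directory
test -z "$TMPDIR" && {
    if [ -d /var/tmp ]; then
        echo "Using /var/tmp as a temporary file holder"
        TMPDIR=/var/tmp
    else
        echo "Your \$TMPDIR variable is not set ! "
        echo $Xn "Enter the location to a place where I could place temporary files : [$HOME] $Xc"
        read -r TMPDIR
        test -z "$TMPDIR" && TMPDIR=$HOME
    fi
}

# we do not leave any temporary files hanging around, so we clean up on
# every exit path.  The EXIT trap only removes files and never calls
# exit itself, so the script's exit status is preserved (the old trap
# turned every error exit into 'exit 0'); an interrupt is reported as a
# failure.
workdir=
users_new=
cleanup() {
    test -n "$workdir" && rm -rf "$workdir"
    test -n "$users_new" && rm -f "$users_new"
    return 0
}
trap cleanup 0
trap 'echo; echo INTERRUPT; echo; exit 1' 1 2 15

# Scratch files go into a private directory created by us, not under
# predictable names directly in $TMPDIR: as root, writing to a guessable
# name in a world-writable directory can be redirected by a symlink any
# local user planted there first.  mktemp -d is used when available;
# the fallback is mkdir(1) with an explicit mode, which refuses to
# reuse an existing entry, so the worst case is a refusal, never a
# redirected write.
workdir=`mktemp -d "$TMPDIR/nessus-adduser.XXXXXX" 2>/dev/null` || {
    workdir=$TMPDIR/nessus-adduser.$$
    mkdir -m 700 "$workdir" || workdir=
}
if [ -z "$workdir" ]; then
    echo "Error - could not create a private temporary directory in $TMPDIR" >&2
    exit 1
fi
rules_file=$workdir/rules
adduser_file=$workdir/adduser

# Here we go
echo
echo "Add a new nessusd user"
echo "----------------------"
echo
echo

# ':' separates the login from the password in the users file, and an
# empty login would produce a malformed entry, so neither is accepted.
while :; do
    echo $Xn "Login : $Xc"
    read -r login
    case $login in
    '')  echo "The login can not be empty." ;;
    *:*) echo "The login can not contain ':'." ;;
    *)   break ;;
    esac
done

echo $Xn "Authentication method (cipher/plaintext) [cipher] : $Xc"
read -r auth

case $auth in
''|c*)
    auth="cipher"
    askPasswd="One time password :"
    sayPasswd="One time password :"
    echo
    echo "Source restriction"
    echo "------------------"

    echo

    echo "You can, if you will, configure this account so that it can only"
    echo "be used from a given host or subnet. For instance, you may want"
    echo "$login to be able to connect to this nessusd server only from"
    echo "his work machine."

    echo


    echo "Please enter the host (or subnet) $login is allowed to connect from. "
    echo "A blank entry will allow him to connect from anywhere"

    echo
    echo "The entry format must be an IP address followed by an optional netmask."
    echo "Hostnames are *not* accepted"
    echo
    echo "Examples of valid entries :"
    echo "   192.168.1.5"
    echo "   192.168.1.0/24"
    echo "   192.168.1.0/255.255.255.0"
    echo
    echo "Invalid entry :"
    echo "   prof.fr.nessus.org"
    echo
    echo $Xn "Source host or network [anywhere] : $Xc"
    read -r src

    test "$src" = "anywhere" && src=""
    echo
    ;;
*)  auth=plaintext
    askPasswd="Login password :"
    sayPasswd="Password          :"
    src=
esac

# NOTE(review): the password is echoed while it is typed and repeated in
# the summary below; terminal echo is not switched off.
# read -r keeps backslashes in the password literal instead of having
# the shell swallow them.
ok="n"
while test "$ok" = "n"; do
    echo $Xn "$askPasswd $Xc"
    read -r password
    if test -z "$password"; then
        echo "Your password can not be empty."
    else
        ok="y"
    fi
done

echo
echo "User rules"
echo "----------"

echo "nessusd has a rules system which allows you to restrict the hosts"
echo "that $login has the right to test. For instance, you may want"
echo "him to be able to scan his own host only."
echo
echo "Please see the nessus-adduser(8) man page for the rules syntax"

echo
echo "Enter the rules for this user, and hit ctrl-D once you are done : "
echo "(the user can have an empty rules set)"
cat > "$rules_file" || {
    echo "Error - could not write $rules_file" >&2
    exit 1
}

echo
echo
echo "Login             : $login"
case $auth in
cipher)
    echo $Xn "Auth. method      : $auth, can connect from $Xc"
    if [ -z "$src" ]; then
        echo "anywhere"
        src="0/0"
    else
        echo "$src"
    fi
    ;;
*)
    echo "Auth. method      : $auth"
esac
echo "$sayPasswd" "$password"
echo "Rules             : "

cat "$rules_file"

echo
echo
echo $Xn "Is that ok ? (y/n) [y] $Xc"
read -r ok

# check for answer, default is Yes, abort on other reply
# (the scratch directory is removed by the EXIT trap)
case $ok in ''|[Yy]*);; *)
    echo Aborted
    exit 0
esac

# add the user rules in our rules files.
#
# The users file must end with the default user '*', so we add
# our data at the TOP of the file

if [ "$auth" = "cipher" ]; then
    echo "$login:" > "$adduser_file"
else
    echo "$login:$password" > "$adduser_file"
    # both grep's output and its errors (e.g. a missing config file) are
    # discarded; only its exit status matters here
    grep "force_pubkey_auth *= *yes" "$nessusd_conf" > /dev/null 2>&1 &&
        echo "Set force_pubkey_auth to 'no' in $nessusd_conf to allow unciphered logins"
fi

cat "$rules_file" >> "$adduser_file"
if [ -f "$nessusd_users" ]; then
    cat "$nessusd_users" >> "$adduser_file"
else
    #
    # Default user
    #
    echo "*:" >> "$adduser_file"
    echo "default reject" >> "$adduser_file"
fi

# Install the new users file atomically: build it next to the real file
# (so that the rename stays on one filesystem), fix its mode, and only
# then rename it over the old one.  A crash or a full disk half-way
# through thus never leaves a truncated users file behind.
users_new=$nessusd_users.new.$$
if cat "$adduser_file" > "$users_new" &&
   chmod 0600 "$users_new" &&
   mv -f "$users_new" "$nessusd_users"; then
    users_new=
else
    echo "Error - could not update $nessusd_users" >&2
    exit 1
fi


if [ "$auth" = "cipher" ]; then
    # -P takes the password on the command line, where it is briefly
    # visible in the process list while nessusd runs; nessusd offers no
    # other way to pass it here.  A failure is reported but the users
    # file entry written above is kept.
    "$nessusd" -P "$login@$src","$password" ||
        echo "Warning - $nessusd -P failed for $login" >&2
fi

# HUP nessusd
if [ -f "$nessusd_pid" ]; then
    pid=`cat "$nessusd_pid"`
    # an empty or stale pid file must not turn into 'kill -1' with a
    # bogus argument
    case $pid in
    ''|*[!0-9]*)
        echo "Warning - $nessusd_pid does not contain a pid, nessusd not signalled" >&2 ;;
    *)
        echo "Sending SIGHUP to nessusd (pid $pid)"
        kill -1 "$pid" 2>/dev/null ;;
    esac
fi

echo "user added."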
