feat: add osh-remove-empty-folders.sh

bin/admin/install

@@ -382,7 +382,9 @@ if [ "$nothing" = 0 ]; then
                     continue
                 fi
                 action_detail "... we will overwrite $destfile"
-            elif [ "$(basename "$file")" = "osh-encrypt-rsync.conf.dist" ] || [ "$(basename "$file")" = "osh-backup-acl-keys.conf.dist" ]; then
+            elif [ "$(basename "$file")" = "osh-encrypt-rsync.conf.dist"        ] || \
+                 [ "$(basename "$file")" = "osh-backup-acl-keys.conf.dist"      ] || \
+                 [ "$(basename "$file")" = "osh-remove-empty-folders.conf.dist" ]; then
                 # special case for those files: if we have the $file.d dir available, don't do anything
                 if [ -d "$destfile".d ]; then
                     action_detail "... won't copy file to $destfile as we have $destfile.d"
@@ -420,7 +422,7 @@ if [ "$nothing" = 0 ]; then
         done
     done
 
-    for base in osh-encrypt-rsync.conf osh-backup-acl-keys.conf; do
+    for base in osh-encrypt-rsync.conf osh-backup-acl-keys.conf osh-remove-empty-folders.conf; do
         if [ -f "$BASTION_ETC_DIR/$base" ]; then
             chmod 0600 "$BASTION_ETC_DIR/$base"
         fi

bin/cron/osh-remove-empty-folders.sh

@@ -0,0 +1,73 @@
+#! /usr/bin/env bash
+# vim: set filetype=sh ts=4 sw=4 sts=4 et:
+#
+# This scripts removes the empty folders that may pile up in each users' home
+# directory, under the ttyrec/ folder. As every server they connect to has its
+# own folder there (1 IP = 1 folder), and as ttyrecs are rotated and moved out by
+# the `osh-encrypt-rsync.pl` script, we might end up with a lot of empty
+# subfolders there. This is especially true for users that tend to connect to
+# a lot of different servers (maybe to never connect there again) over the course of time.
+
+basedir=$(readlink -f "$(dirname "$0")"/../..)
+# shellcheck source=lib/shell/functions.inc
+. "$basedir"/lib/shell/functions.inc
+
+trap "_err 'Unexpected termination!'" EXIT
+
+# setting default values
+LOGFILE=""
+LOG_FACILITY="local6"
+ENABLED=1
+MTIME_DAYS=1
+
+# building config files list
+config_list=''
+if [ -f "$BASTION_ETC_DIR/osh-remove-empty-folders.conf" ]; then
+    config_list="$BASTION_ETC_DIR/osh-remove-empty-folders.conf"
+fi
+if [ -d "$BASTION_ETC_DIR/osh-remove-empty-folders.conf.d" ]; then
+    config_list="$config_list $(find "$BASTION_ETC_DIR/osh-remove-empty-folders.conf.d" -mindepth 1 -maxdepth 1 -type f -name "*.conf" | sort)"
+fi
+
+if [ -z "$config_list" ]; then
+    exit_fail "No configuration loaded, aborting"
+fi
+
+# load the config files only if they're owned by root:root and mode is o-rwx
+for file in $config_list; do
+    if check_secure "$file"; then
+        # shellcheck source=etc/bastion/osh-remove-empty-folders.conf.dist
+        . "$file"
+    else
+        exit_fail "Configuration file not secure ($file), aborting."
+    fi
+done
+
+# shellcheck disable=SC2153
+if [ -n "$LOGFILE" ] ; then
+    exec &>> >(tee -a "$LOGFILE")
+fi
+
+if [ "$ENABLED" != 1 ]; then
+    exit_success "Script is disabled"
+fi
+
+# first, we list all the directories to get a count
+_log "Counting the number of directories before the cleanup..."
+nbdirs_before=$(find /home/ -mindepth 3 -maxdepth 3 -type d -mtime +$MTIME_DAYS -regextype egrep -regex '^/home/[^/]+/ttyrec/[0-9.]+$' -print | wc -l)
+
+_log "We have $nbdirs_before directories, removing empty ones..."
+# then we pass them all through rmdir, it'll just fail on non-empty ones.
+# this is (way) faster than trying to be smart and listing each and every directory's contents first.
+find /home/ -mindepth 3 -maxdepth 3 -type d -mtime +$MTIME_DAYS -regextype egrep -regex '^/home/[^/]+/ttyrec/[0-9.]+$' -print0 | xargs -r0 rmdir -- 2>/dev/null
+
+# finally, see how many directories remain
+_log "Counting the number of directories after the cleanup..."
+nbdirs_after=$(find /home/ -mindepth 3 -maxdepth 3 -type d -mtime +$MTIME_DAYS -regextype egrep -regex '^/home/[^/]+/ttyrec/[0-9.]+$' -print | wc -l)
+
+_log "Finally deleted $((nbdirs_before - nbdirs_after)) directories in this run"
+
+# note that there is a slight TOCTTOU in the counting, as some external process might actually *add*
+# directories so our count might be slightly wrong, but as this is just for logging sake, this is not an issue
+
+exit_success "Done"

etc/bastion/osh-remove-empty-folders.conf.dist

@@ -0,0 +1,51 @@
+###########################################################################
+## Config for /opt/bastion/bin/cron/osh-remove-empty-folders.sh, the script
+## responsible for getting rid of empty folders in the ttyrec/ folder of
+## every user (located in their home). This is mainly useful on bastions
+## were some type of users (or robots) might connect to a very high number
+## of always-changing IPs, hence having folders piling up in their ttyrec/
+## folder, as each IP has its own folder. Of course, this script will only
+## remove empty folders, and never remove a single actual file.
+##
+## Any file in /etc/bastion/osh-remove-empty-folders.conf.d will also be
+## sourced, in alphabetical order, and take precedence over any
+## option specified in this file.
+##
+## Please ensure this file is only readable by root.
+##
+## As it'll be sourced, THIS FILE MUST BE A VALID SHELL SCRIPT.
+###########################################################################
+#
+# > Logging
+# >> These options configure the way the script logs its actions
+#
+# LOGFILE (string, path to a file)
+#    DESC: File where the logs will be written to (don't forget to configure ``logrotate``!).
+#          Note that using this configuration option, the script will directly write to the file, without using syslog.
+#          If empty, won't log directly to any file.
+# DEFAULT: ""
+LOGFILE=""
+#
+# LOG_FACILITY (string)
+#    DESC: The syslog facility to use for logging the script output.
+#          If set to the empty string, we'll not log through syslog at all.
+#          If this configuration option is missing from your config file altogether,
+#          the default value will be used (local6), which means that we'll log to syslog.
+# DEFAULT: "local6"
+LOG_FACILITY="local6"
+#
+# > Script options
+# >> These options govern the behavior of the script
+#
+# ENABLED (0 or 1)
+#    DESC: If set to 1, the script is enabled and will attempt to garbage-collect empty directories located
+#          in /home/*/ttyrec. If set to anything else, the script is considered disabled and will not run.
+# DEFAULT: 1
+ENABLED=1
+#
+# MTIME_DAYS (int, >= 0)
+#    DESC: The amount of days the empty folder must have been empty before considering a removal. You probably
+#            don't need to change the default value, unless you want to ensure that a given folder has not been
+#            used since some time before removing it (this has no impact as folders are re-created as needed).
+# DEFAULT: 1
+MTIME_DAYS=1

etc/cron.d/osh-remove-empty-folders.dist

@@ -0,0 +1,3 @@
+# remove empty directories in /home/*/ttyrec/ so that we don't end up with hundreds of thousands of directories
+# a weekly run is way enough
+%RANDOM1%0:59% %RANDOM2%4:7% * * 1 root /opt/bastion/bin/cron/osh-remove-empty-folders.sh >/dev/null

tests/functional/tests.d/200-scripts.sh

@@ -90,6 +90,13 @@ testsuite_scripts()
     nocontain "ERROR:"
     nocontain "Unexpected termination"
 
+    # ttyrec subfolders cleanup
+    success ttyrec_cleanup $r0 /opt/bastion/bin/cron/osh-remove-empty-folders.sh
+    contain "Done"
+    nocontain "WARN:"
+    nocontain "ERROR:"
+    nocontain "Unexpected termination"
+
     # create and account and connect one to have a ttyrec file
 
     grant accountCreate