#!/bin/ksh

# From: fish@daacdev1.stx.com ("John R. Vanderpool")
# Date: Fri, 1 Dec 1995 11:34:47 -0500 (EST)

#	lkuser - lock user account
#
# 24-oct-1995 jrv change >| to > for cron for csh, add $hostname to *.lock filenames
#  1-mar-1995 jrv use su and crontab to manipulate user's cron file
# 16-feb-1995 jrv initial release (John_Vanderpool@gsfc.nasa.gov)
#
# NOTE: irix and hpux only ones supported for now (only ones i have to test on)
#
# NOTE: this does not deal with YP/NIS
#
# NOTE: saw a neat trick in Bruce Hunter's Open System's Today column once that
#	put the date acct was locked and the user's previous shell field into
#	the locked passwd field (this is not implemented in this version).
#
# STUPID: hpux 8.05 doesn't grok ~${user} correctly
#
# ENHANCEMENTS NEEDED:
#	-f forwarding_email_addr flag
#	-q (quiet) flag
#	-u (unlock) flag

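#
#	pre-initialization
#
${SHDEBUG:-}            # export SHDEBUG="set -x" externally, else this is a nop

# Every lock file below is created inside the user's own home directory, a
# place the (possibly hostile) user can write to.  With noclobber a plain '>'
# refuses an existing regular file and rejects, rather than follows, a symlink
# the user may have left at that name, so root never writes through it to
# some other file.  Redirections that must clobber (/dev/null) use '>|'.
set -o noclobber

self=${0##*/}
usage="usage: $self username"
hostname=$(hostname)

#
#	initialization
#
passwdfile=/etc/passwd			# passwd file
log_priority=local7.info		# syslog facility

#
#	helpers
#
# refuse_existing path
#	Exit if path already exists (a dangling symlink counts).  A leftover
#	from an earlier run must not be overwritten, and a path the user
#	planted in the home directory must never be used as a lock file.
refuse_existing() {
  if [[ -e "$1" || -L "$1" ]]; then
    echo "${self}: $1 already exists, not overwriting" >&2
    exit 2
  fi
}

#
#	argument parsing/checking
#
user=${1:-}

if [ "$user" = "" ]; then
  echo "$usage" >&2
  exit 1
fi

# Only a conservative login-name alphabet gets past this point: the name is
# handed to su, passwd, passmgmt and killuser as an argument, and a leading
# '-' would be read as an option by every one of them.
case "$user" in
  -*|*[!A-Za-z0-9._-]*)
    echo "${self}: invalid username: $user" >&2
    exit 1
    ;;
esac

#
#	sanity checks
#
if [ "$user" = "root" ]; then		# no-no for root
  echo "${self}: you don't want to do that!" >&2
  exit 1
fi

# Find out early whether this platform is handled at all; the original
# checked only after the lock files had been written and processes killed,
# leaving the account half locked on an unsupported system.
os=$(uname)
case "$os" in
  IRIX|HP-UX) ;;
  *)
    echo "${self}: $os not currently supported" >&2
    exit 1
    ;;
esac

# Exact match on the login name: a '^name:' grep treats the name as a regular
# expression.  awk gets the name via -v, so it is never spliced into program text.
passwdentry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$passwdfile")
if [ -z "$passwdentry" ]; then			# no such user
  echo "no such user: $user" >&2
  exit 2
fi

# Split the entry (name:passwd:uid:gid:gecos:home:shell) with parameter
# expansion: no echo backslash surprises, and no ~${user}, which hpux 8.05
# ksh doesn't grok.
pwrest=${passwdentry#*:*:}		# uid:gid:gecos:home:shell
userid=${pwrest%%:*}
pwrest=${pwrest#*:*:*:}			# home:shell
userhome=${pwrest%%:*}			# login directory

if [ "$userid" = "0" ]; then		# any uid 0 account, not just "root"
  echo "${self}: you don't want to do that!" >&2
  exit 1
fi

# An empty or relative home field would send the lock files to / or to the
# current directory; everything below assumes an existing absolute directory.
case "$userhome" in
  /*) ;;
  *)
    echo "${self}: bad home directory '$userhome' for $user" >&2
    exit 2
    ;;
esac
if [ ! -d "$userhome" ]; then
  echo "${self}: home directory $userhome does not exist" >&2
  exit 2
fi

#
#	critical files
#
passwdlock=${userhome}/passwd.$hostname.lock
refuse_existing "$passwdlock"
awk -F: -v u="$user" '$1 == u' "$passwdfile" > "$passwdlock" || {
  echo "${self}: cannot create $passwdlock" >&2
  exit 2
}

for file in .forward .rhosts
do
  src=${userhome}/${file}
  dst=${src}.$hostname.lock
  if [ -f "$src" ]; then
    refuse_existing "$dst"		# never clobber an earlier saved copy
    echo "moving $file"
    mv "$src" "$dst" || {
      echo "${self}: cannot move $src" >&2
      exit 2
    }
  fi
done

#
#	crontab
#
echo "checking crontab... \c"
cronlock=${userhome}/crontab.$hostname.lock
refuse_existing "$cronlock"

# Run crontab as the user, but keep the lock file name out of the command
# string su hands to the user's login shell; the redirection is performed here
# so the file is opened under noclobber like the other lock files.  The crontab
# is removed only once a non-empty copy is on disk (the original ran
# 'crontab -r' unconditionally).
su "$user" -c 'crontab -l' > "$cronlock"

if [ -s "$cronlock" ]; then
  su "$user" -c 'crontab -r'
  echo "user's crontab moved to $cronlock."
else
  echo "user did not have a crontab."
  /bin/rm -f "$cronlock"
fi

#
#	active processes
#
if ps -u "$user" >|/dev/null 2>&1; then	# user has active processes
  echo "killing active processes"

  if whence killuser >|/dev/null 2>&1; then	# system has killuser
    killuser -9 "$user"
  else					# system doesn't have killuser
    echo "killuser utility not found, you should get it"
  fi

fi

#
#	modify passwd file
#
echo "locking password and changing login shell"
case "$os" in

  IRIX ) 				# sgi/irix

    passmgmt -m -s /bin/false "$user"	# login shell field
    passwd -l "$user"			# password field
    ;;

  HP-UX )				# hp/ux

    echo "change passwd field to *LK*"
    echo "change login shell field to /bin/false to prevent ftp and bsd remote cmds"
    sleep 5
    vipw

    ;;

  * )					# default (not known); already rejected above

    echo "${self}: $os not currently supported" >&2
    exit 1
    ;;

esac

logger -p "$log_priority" -t "$self" "$user account locked"
echo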

