Merge branch 'feature/56040_rewrite_desktop_toggle_writable_to_support_language_variability' into 'master'

Rewrite desktop_toggle_writable to support language variability

See merge request os2borgerpc/os2borgerpc-scripts!216

Author: Andreas Poulsen

os2borgerpc/sikkerhed/desktop_toggle_writable.sh

@@ -11,43 +11,57 @@ set -x
 # Why not use a .config/autostart file? Because the user isn't allowed to chown to root
 # ...even if they are the current owner.
 
+# chattr on DESKTOP is to prevent mv'ing DESKTOP to another name, and then creating a new one
+# which they DO have write permissions to
+# Another option considered was chowning /home/user itself (not recursively),
+# but then login didn't work. (maybe due to .xauthority?)
+
 if get_os2borgerpc_config os2_product | grep --quiet kiosk; then
   echo "Dette script er ikke designet til at blive anvendt på en kiosk-maskine."
   exit 1
 fi
 
-USER="user"
-DESKTOP="Skrivebord"
+USERNAME="user"
+# Determine the name of the user desktop directory. This is done via xdg-user-dir,
+# which checks the /home/user/.config/user-dirs.dirs file. To ensure this file exists,
+# we run xdg-user-dirs-update, which generates it based on the environment variable
+# LANG. This variable is empty in lightdm so we first export it
+# based on the value stored in /etc/default/locale
+export "$(grep LANG= /etc/default/locale)"
+runuser -u $USERNAME xdg-user-dirs-update
+DESKTOP=$(basename "$(runuser -u $USERNAME xdg-user-dir DESKTOP)")
 USER_CLEANUP=/usr/share/os2borgerpc/bin/user-cleanup.bash
-SET_USER_DESKTOP_MUTABLE="chattr -i /home/$USER/$DESKTOP"
-SET_USER_DESKTOP_ROOT_OWNED="chown -R root:user /home/$USER/$DESKTOP"
-# This is to prevent mv'ing Skrivebord to another name, and then creating a new one
-# which they DO have write permissions to
-# Another option considered was chowning /home/user itself (not recursively),
-# but then login didn't work. (maybe due to .xauthority?)
-SET_USER_DESKTOP_IMMUTABLE="chattr +i /home/$USER/$DESKTOP"
+COMMENT="# Make the desktop read only to user"
 
 ACTIVATE=$1
 
 make_desktop_writable() {
-	sed -i "\@$SET_USER_DESKTOP_MUTABLE@d" $USER_CLEANUP
-	sed -i "\@$SET_USER_DESKTOP_ROOT_OWNED@d" $USER_CLEANUP
-	sed -i "\@$SET_USER_DESKTOP_IMMUTABLE@d" $USER_CLEANUP
-	chattr -i /home/$USER/$DESKTOP
+	# All of the matched lines are deleted. This function thus serves to undo write access removal
+	# shellcheck disable=SC2016
+	sed --in-place --expression "/chattr [-+]i/d" --expression "/chown -R root:/d" \
+		  --expression "/$COMMENT/d" --expression '/runuser/d' --expression '/export/d' $USER_CLEANUP
+	chattr -i "$DESKTOP"
 }
 
-# Make sure that /home/.skjult/Skrivebord exists as otherwise this script will not work correctly
-mkdir --parents /home/.skjult/Skrivebord
+# Make sure that DESKTOP dir exists under .skjult as otherwise this script will not work correctly
+mkdir --parents "/home/.skjult/$(basename "$DESKTOP")"
 
-# Undo write access removal.
-# We always do this to prevent adding the same lines multiple times (idempotency)
+# Undo write access removal - always do this to prevent adding the same lines multiple times (idempotency)
 make_desktop_writable
 
 if [ "$ACTIVATE" = 'True' ]; then
-	# Temporarily set it mutable before copying new files in, as otherwise that will fail
-	sed -i "/USERNAME=\"user\"/a $SET_USER_DESKTOP_MUTABLE" $USER_CLEANUP
+	# Prepend temporarily setting DESKTOP mutable before copying new files in, as otherwise that will fail
+	# We first determine the name of the user desktop directory as before
+	sed -i "/USERNAME=\"$USERNAME\"/a \
+export \$(grep LANG= \/etc\/default\/locale)\n\
+runuser -u $USERNAME xdg-user-dirs-update\n\
+DESKTOP=\$(runuser -u $USERNAME xdg-user-dir DESKTOP)\n\
+chattr -i \$DESKTOP" $USER_CLEANUP
+
+	# Append setting the more restrictive permissions
 	cat <<- EOF >> $USER_CLEANUP
-		$SET_USER_DESKTOP_ROOT_OWNED
-		$SET_USER_DESKTOP_IMMUTABLE
+		$COMMENT
+		chown -R root:\$USERNAME \$DESKTOP
+		chattr +i \$DESKTOP
 	EOF
 fi