--- loncom/Attic/lcuseradd 2000/10/29 22:38:21 1.4 +++ loncom/Attic/lcuseradd 2000/10/29 23:14:16 1.7 @@ -20,6 +20,19 @@ use strict; # Second line is PASSWORD # Third line is PASSWORD +# Valid passwords must consist of the +# ascii characters within the inclusive +# range of 0x20 (32) to 0x7E (126). +# These characters are: +# SPACE and +# !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNO +# PQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~ + +# Valid user names must consist of ascii +# characters that are alphabetical characters +# (A-Z,a-z), numeric (0-9), or the underscore +# mark (_). (Essentially, the perl regex \w). + # Command-line arguments [USERNAME] [PASSWORD] [PASSWORD] # Yes, but be very careful here (don't pass shell commands) # and this is only supported to allow perl-system calls. @@ -65,7 +78,7 @@ unless (&try_to_lock("/tmp/lock_lcpasswd # Gather input. Should be 3 values (user name, password 1, password 2). my @input; -if (@ARGV==1) { +if (@ARGV==3) { @input=@ARGV; } elsif (@ARGV) { @@ -75,7 +88,7 @@ elsif (@ARGV) { } else { @input=<>; - if (@input!=1) { + if (@input!=3) { print("Error. Three lines should be entered into standard input.\n") unless $noprint; unlink('/tmp/lock_lcpasswd'); exit 3; @@ -86,23 +99,104 @@ else { my ($username,$password1,$password2)=@input; $username=~/^(\w+)$/; my $safeusername=$1; -$password1=~/^(\w+)$/; -my $password1=$1; -$password2=~/^(\w+)$/; -my $safepassword2=$1; + +# Only add user if we can create a brand new home directory (/home/username). +if (-e "/home/$safeusername") { + print "Error. User already exists.\n" unless $noprint; + unlink('/tmp/lock_lcpasswd'); + exit 8; +} + +# Only add user if the two password arguments match. +if ($password1 ne $password2) { + print "Error. Password mismatch.\n" unless $noprint; + unlink('/tmp/lock_lcpasswd'); + exit 7; +} &enable_root_capability; # Add user entry to /etc/passwd and /etc/groups in such # a way that www is a member of the user-specific group -# This command 'should' make the user be a member of just - -if (system('/usr/sbin/useradd','-c','LON-CAPA user','-G','www',$safeusername)) { - print "Error. Something went wrong with the addition of user \"$safeusername\".\n"; +if (system('/usr/sbin/useradd','-c','LON-CAPA user',$safeusername)) { + print "Error. Something went wrong with the addition of user \"$safeusername\".\n" unless $noprint; unlink('/tmp/lock_lcpasswd'); exit 5; } -# Set password with lcpasswd (which creates smbpasswd entry). +# Make www a member of that user group. +if (system('/usr/sbin/usermod','-G',$safeusername,'www')) { + print "Error. Could not make www a member of the group \"$safeusername\".\n" unless $noprint; + unlink('/tmp/lock_lcpasswd'); + exit 6; +} + +# Set password with lcpasswd-style algorithm (which creates smbpasswd entry). +# I cannot place a direct shell call to lcpasswd since I have to allow +# for crazy characters in the password, and the setuid environment of perl +# requires me to make everything safe. + + + +# ----------------------------------------------------------- have setuid script run as root +sub enable_root_capability { + if ($wwwid==$>) { + ($<,$>)=($>,$<); + ($(,$))=($),$(); + } + else { + # root capability is already enabled + } + return $>; +} + +# ----------------------------------------------------------- have setuid script run as www +sub disable_root_capability { + if ($wwwid==$<) { + ($<,$>)=($>,$<); + ($(,$))=($),$(); + } + else { + # root capability is already disabled + } +} + +# ----------------------------------- make sure that another lcpasswd process isn't running +sub try_to_lock { + my ($lockfile)=@_; + my $currentpid; + my $lastpid; + # Do not manipulate lock file as root + if ($>==0) { + return 0; + } + # Try to generate lock file. + # Wait 3 seconds. If same process id is in + # lock file, then assume lock file is stale, and + # go ahead. If process id's fluctuate, try + # for a maximum of 10 times. + for (0..10) { + if (-e $lockfile) { + open(LOCK,"<$lockfile"); + $currentpid=; + close LOCK; + if ($currentpid==$lastpid) { + last; + } + sleep 3; + $lastpid=$currentpid; + } + else { + last; + } + if ($_==10) { + return 0; + } + } + open(LOCK,">$lockfile"); + print LOCK $$; + close LOCK; + return 1; +}