File:
[LON-CAPA] /
loncom /
Attic /
lcuseradd
Revision
1.24:
download - view:
text,
annotated -
select for diffs
Mon Dec 9 16:15:51 2002 UTC (21 years, 9 months ago) by
www
Branches:
MAIN
CVS tags:
HEAD
Checking in for TESTING only - move to lower version for 0.6 if not
sufficiently tested.
This sends USR1 to the Apache parent process on a server where a new
filesystem authenticated user is generated. The purpose is to re-init
the group associations.
1: #!/usr/bin/perl
2:
3: # The Learning Online Network with CAPA
4: #
5: # lcuseradd - LON-CAPA setuid script to coordinate all actions
6: # with adding a user with filesystem privileges (e.g. author)
7: #
8: # YEAR=2000
9: # 10/27,10/29,10/30 Scott Harrison
10: # YEAR=2001
11: # 10/21,11/13,11/15 Scott Harrison
12: # YEAR=2002
13: # May 19, 2002 Ron Fox
14: # - Removed creation of the pulic_html directory. This directory
15: # can now be added in two ways:
16: # o The user can add it themselves if they want some local web
17: # space which may or may not contain construction items.
18: # o LonCapa will add it if/when the user is granted an Author
19: # role.
20: #
21: # $Id: lcuseradd,v 1.24 2002/12/09 16:15:51 www Exp $
22: ###
23:
24: ###############################################################################
25: ## ##
26: ## ORGANIZATION OF THIS PERL SCRIPT ##
27: ## ##
28: ## 1. Description of script ##
29: ## 2. Invoking script (standard input) ##
30: ## 3. Example usage inside another piece of code ##
31: ## 4. Description of functions ##
32: ## 5. Exit codes ##
33: ## 6. Initializations ##
34: ## 7. Make sure this process is running from user=www ##
35: ## 8. Start running script with www permissions ##
36: ## 9. Handle case of another lcpasswd process (locking) ##
37: ## 10. Error-check input, need 3 values (user name, password 1, password 2) ##
38: ## 11. Start running script with root permissions ##
39: ## 12. Add user and make www a member of the user-specific group ##
40: ## 13. Set password ##
41: ## 14. Make final modifications to the user directory ##
42: ## 15. Exit script (unlock) ##
43: ## ##
44: ###############################################################################
45:
46: use strict;
47:
48: # ------------------------------------------------------- Description of script
49: #
50: # This script is a setuid script that should
51: # be run by user 'www'. It creates a /home/USERNAME directory.
52: # It adds a user to the unix system.
53: # Passwords are set with lcpasswd.
54: # www becomes a member of this user group.
55:
56: # -------------- Invoking script (standard input versus command-line arguments)
57: #
58: # Standard input (STDIN) usage
59: # First line is USERNAME
60: # Second line is PASSWORD
61: # Third line is PASSWORD
62: #
63: # Command-line arguments [USERNAME] [PASSWORD] [PASSWORD]
64: # Yes, but be very careful here (don't pass shell commands)
65: # and this is only supported to allow perl-system calls.
66: #
67: # Valid passwords must consist of the
68: # ascii characters within the inclusive
69: # range of 0x20 (32) to 0x7E (126).
70: # These characters are:
71: # SPACE and
72: # !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNO
73: # PQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
74: #
75: # Valid user names must consist of ascii
76: # characters that are alphabetical characters
77: # (A-Z,a-z), numeric (0-9), or the underscore
78: # mark (_). (Essentially, the perl regex \w).
79: # User names must begin with an alphabetical character
80: # (A-Z,a-z).
81:
82: # ---------------------------------- Example usage inside another piece of code
83: # Usage within code
84: #
85: # $exitcode=
86: # system("/home/httpd/perl/lcuseradd","NAME","PASSWORD1","PASSWORD2")/256;
87: # print "uh-oh" if $exitcode;
88:
89: # ---------------------------------------------------- Description of functions
90: # enable_root_capability() : have setuid script run as root
91: # disable_root_capability() : have setuid script run as www
92: # try_to_lock() : make sure that another lcpasswd process isn't running
93:
94: # ------------------------------------------------------------------ Exit codes
95: # These are the exit codes.
96: # ( (0,"ok"),
97: # (1,"User ID mismatch. This program must be run as user 'www'"),
98: # (2,"Error. This program needs 3 command-line arguments (username, ".
99: # "password 1, password 2)."),
100: # (3,"Error. Three lines should be entered into standard input."),
101: # (4,"Error. Too many other simultaneous password change requests being ".
102: # "made."),
103: # (5,"Error. User $username does not exist."),
104: # (6,"Error. Could not make www a member of the group \"$safeusername\"."),
105: # (7,"Error. Root was not successfully enabled.),
106: # (8,"Error. Cannot set password."),
107: # (9,"Error. The user name specified has invalid characters."),
108: # (10,"Error. A password entry had an invalid character."),
109: # (11,"Error. User already exists.),
110: # (12,"Error. Something went wrong with the addition of user ".
111: # "\"$safeusername\"."),
112: # (13,"Error. Password mismatch."),
113:
114: # ------------------------------------------------------------- Initializations
115: # Security
116: $ENV{'PATH'}='/bin/:/usr/bin:/usr/local/sbin:/home/httpd/perl'; # Nullify path
117: # information
118: delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; # nullify potential taints
119:
120: # Do not print error messages.
121: my $noprint=1;
122:
123: print "In lcuseradd\n" unless $noprint;
124:
125: # ----------------------------- Make sure this process is running from user=www
126: my $wwwid=getpwnam('www');
127: &disable_root_capability;
128: if ($wwwid!=$>) {
129: print("User ID mismatch. This program must be run as user 'www'\n")
130: unless $noprint;
131: exit 1;
132: }
133:
134: # ----------------------------------- Start running script with www permissions
135: &disable_root_capability;
136:
137: # --------------------------- Handle case of another lcpasswd process (locking)
138: unless (&try_to_lock("/tmp/lock_lcpasswd")) {
139: print "Error. Too many other simultaneous password change requests being ".
140: "made.\n" unless $noprint;
141: exit 4;
142: }
143:
144: # ------- Error-check input, need 3 values (user name, password 1, password 2).
145: my @input;
146: if (@ARGV==3) {
147: @input=@ARGV;
148: }
149: elsif (@ARGV) {
150: print("Error. This program needs 3 command-line arguments (username, ".
151: "password 1, password 2).\n") unless $noprint;
152: unlink('/tmp/lock_lcpasswd');
153: exit 2;
154: }
155: else {
156: @input=<>;
157: if (@input!=3) {
158: print("Error. Three lines should be entered into standard input.\n")
159: unless $noprint;
160: unlink('/tmp/lock_lcpasswd');
161: exit 3;
162: }
163: foreach (@input) {chomp;}
164: }
165:
166: my ($username,$password1,$password2)=@input;
167: print "Username = ".$username."\n" unless $noprint;
168: $username=~/^(\w+)$/;
169: print "Username after substitution - ".$username unless $noprint;
170: my $safeusername=$1;
171: print "Safe username = $safeusername \n" unless $noprint;
172:
173: if (($username ne $safeusername) or ($safeusername!~/^[A-Za-z]/)) {
174: print "Error. The user name specified $username $safeusername has invalid characters.\n"
175: unless $noprint;
176: unlink('/tmp/lock_lcpasswd');
177: exit 9;
178: }
179: my $pbad=0;
180: foreach (split(//,$password1)) {if ((ord($_)<32)||(ord($_)>126)){$pbad=1;}}
181: foreach (split(//,$password2)) {if ((ord($_)<32)||(ord($_)>126)){$pbad=1;}}
182: if ($pbad) {
183: print "Error. A password entry had an invalid character.\n";
184: unlink('/tmp/lock_lcpasswd');
185: exit 10;
186: }
187:
188: # -- Only add user if we can create a brand new home directory (/home/username)
189: if (-e "/home/$safeusername") {
190: print "Error. User already exists.\n" unless $noprint;
191: unlink('/tmp/lock_lcpasswd');
192: exit 11;
193: }
194:
195: # -- Only add user if the two password arguments match.
196:
197: if ($password1 ne $password2) {
198: print "Error. Password mismatch.\n" unless $noprint;
199: unlink('/tmp/lock_lcpasswd');
200: exit 13;
201: }
202: print "enabling root\n" unless $noprint;
203: # ---------------------------------- Start running script with root permissions
204: &enable_root_capability;
205:
206: # ------------------- Add user and make www a member of the user-specific group
207: # -- Add user
208:
209: print "adding user: $safeusername \n" unless $noprint;
210: my $status = system('/usr/sbin/useradd','-c','LON-CAPA user',$safeusername);
211: if ($status) {
212: print "Error. Something went wrong with the addition of user ".
213: "\"$safeusername\".\n" unless $noprint;
214: print "Final status of useradd = $status";
215: unlink('/tmp/lock_lcpasswd');
216: exit 12;
217: }
218: print "Done adding user\n" unless $noprint;
219: # Make www a member of that user group.
220: my $groups=`/usr/bin/groups www` or exit(6);
221: chomp $groups; $groups=~s/^\S+\s+\:\s+//;
222: my @grouplist=split(/\s+/,$groups);
223: my @ugrouplist=grep {!/www|$safeusername/} @grouplist;
224: my $gl=join(',',(@ugrouplist,$safeusername));
225: print "Putting user in its own group\n" unless $noprint;
226: if (system('/usr/sbin/usermod','-G',$gl,'www')) {
227: print "Error. Could not make www a member of the group ".
228: "\"$safeusername\".\n" unless $noprint;
229: unlink('/tmp/lock_lcpasswd');
230: exit 6;
231: }
232:
233: # ---------------------------------------------------------------- Set password
234: # Set password with lcpasswd (which creates smbpasswd entry).
235:
236: unlink('/tmp/lock_lcpasswd');
237: &disable_root_capability;
238: ($>,$<)=($wwwid,$wwwid);
239: print "Opening lcpasswd pipeline\n" unless $noprint;
240: open OUT,"|/home/httpd/perl/lcpasswd";
241: print OUT $safeusername;
242: print OUT "\n";
243: print OUT $password1;
244: print OUT "\n";
245: print OUT $password1;
246: print OUT "\n";
247: close OUT;
248: if ($?) {
249: print "abnormal exit from close lcpasswd\n" unless $noprint;
250: exit 8;
251: }
252: ($>,$<)=($wwwid,0);
253: &enable_root_capability;
254:
255: # -- Don't add public_html... that can be added either by the user
256: # or by lchtmldir when the user is granted an authorship role.
257:
258: # ------------------------------ Make final modifications to the user directory
259: # -- Add a public_html file with a stand-in index.html file
260:
261: system('/bin/chmod','-R','0660',"/home/$safeusername");
262: system('/bin/chmod','0710',"/home/$safeusername");
263: mkdir "/home/$safeusername/public_html",0755;
264: system('/bin/chmod','02770',"/home/$safeusername/public_html");
265: open OUT,">/home/$safeusername/public_html/index.html";
266: print OUT<<END;
267: <html>
268: <head>
269: <title>$safeusername</title>
270: </head>
271: <body>
272: <h1>Construction Space</h1>
273: <h3>$safeusername</h3>
274: </body>
275: </html>
276: END
277: close OUT;
278:
279: print "lcuseradd ownership\n" unless $noprint;
280: system('/bin/chown','-R',"$safeusername:$safeusername","/home/$safeusername");
281: # ---------------------------------------------------- Gracefull Apache Restart
282: if (-e '/var/run/httpd.pid') {
283: print "lcuseradd Apache restart\n" unless $noprint;
284: open(PID,'/var/run/httpd.pid');
285: my $pid=<PID>;
286: close(PID);
287: $pid=~s/\D+//g;
288: if ($pid) {
289: system('kill','-USR1',"$pid");
290: }
291: }
292: # -------------------------------------------------------- Exit script
293: print "lcuseradd exiting\n" unless $noprint;
294: &disable_root_capability;
295: exit 0;
296:
297: # ---------------------------------------------- Have setuid script run as root
298: sub enable_root_capability {
299: if ($wwwid==$>) {
300: ($<,$>)=($>,0);
301: ($(,$))=($),0);
302: }
303: else {
304: # root capability is already enabled
305: }
306: return $>;
307: }
308:
309: # ----------------------------------------------- Have setuid script run as www
310: sub disable_root_capability {
311: if ($wwwid==$<) {
312: ($<,$>)=($>,$<);
313: ($(,$))=($),$();
314: }
315: else {
316: # root capability is already disabled
317: }
318: }
319:
320: # ----------------------- Make sure that another lcpasswd process isn't running
321: sub try_to_lock {
322: my ($lockfile)=@_;
323: my $currentpid;
324: my $lastpid;
325: # Do not manipulate lock file as root
326: if ($>==0) {
327: return 0;
328: }
329: # Try to generate lock file.
330: # Wait 3 seconds. If same process id is in
331: # lock file, then assume lock file is stale, and
332: # go ahead. If process id's fluctuate, try
333: # for a maximum of 10 times.
334: for (0..10) {
335: if (-e $lockfile) {
336: open(LOCK,"<$lockfile");
337: $currentpid=<LOCK>;
338: close LOCK;
339: if ($currentpid==$lastpid) {
340: last;
341: }
342: sleep 3;
343: $lastpid=$currentpid;
344: }
345: else {
346: last;
347: }
348: if ($_==10) {
349: return 0;
350: }
351: }
352: open(LOCK,">$lockfile");
353: print LOCK $$;
354: close LOCK;
355: return 1;
356: }
357:
358: =head1 NAME
359:
360: lcuseradd - LON-CAPA setuid script to coordinate all actions
361: with adding a user with filesystem privileges (e.g. author)
362:
363: =head1 DESCRIPTION
364:
365: lcuseradd - LON-CAPA setuid script to coordinate all actions
366: with adding a user with filesystem privileges (e.g. author)
367:
368: =head1 README
369:
370: lcuseradd - LON-CAPA setuid script to coordinate all actions
371: with adding a user with filesystem privileges (e.g. author)
372:
373: =head1 PREREQUISITES
374:
375: =head1 COREQUISITES
376:
377: =pod OSNAMES
378:
379: linux
380:
381: =pod SCRIPT CATEGORIES
382:
383: LONCAPA/Administrative
384:
385: =cut
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>