File:
[LON-CAPA] /
loncom /
lcuserdel
Revision
1.9:
download - view:
text,
annotated -
select for diffs
Sun Oct 29 22:38:21 2000 UTC (23 years, 10 months ago) by
harris41
Branches:
MAIN
CVS tags:
HEAD
fixing up exit code documentation for lcpasswd and lcuserdel. lcuseradd
useradd system call syntax still incorrect here. I'm putting in more
of the setuid handling code. -Scott
1: #!/usr/bin/perl
2: #
3: # lcuserdel
4: #
5: # Scott Harrison
6: # SH: October 27, 2000
7: # SH: October 28, 2000
8: # SH: October 29, 2000
9:
10: use strict;
11:
12: # This script is a setuid script (chmod 6755) that should
13: # be run by user 'www'. It DOES NOT delete directories.
14: # All it does is remove a user's entries from
15: # /etc/passwd, /etc/groups, and /etc/smbpasswd.
16: # It also disables user directory access by making the directory
17: # to be owned by user=www (as opposed to the former "username").
18: # This command only returns an error if it is
19: # invoked incorrectly (by passing bad command-line arguments, etc).
20:
21: # This script works under the same process control mechanism
22: # as lcuseradd and lcpasswd, to make sure that only one of these
23: # processes is running at any one time on the system.
24:
25: # Standard input usage
26: # First line is USERNAME
27:
28: # Command-line arguments [USERNAME]
29: # Yes, but be very careful here (don't pass shell commands)
30: # and this is only supported to allow perl-system calls.
31:
32: # Usage within code
33: #
34: # $exitcode=system("/home/httpd/perl/lcuserdel","NAME")/256;
35: # print "uh-oh" if $exitcode;
36:
37: # These are the exit codes.
38: # ( (0,"ok"),
39: # (1,"User ID mismatch. This program must be run as user 'www'"),
40: # (2,"Error. Too many other simultaneous password change requests being made."),
41: # (3,"Error. Only one line should be entered into standard input."),
42: # (4,"Error. This program needs just 1 command-line argument (username).") )
43:
44: # Security
45: $ENV{'PATH'}=""; # Nullify path information.
46: $ENV{'BASH_ENV'}=""; # Nullify shell environment information.
47:
48: # Do not print error messages if there are command-line arguments
49: my $noprint=0;
50: if (@ARGV) {
51: $noprint=1;
52: }
53:
54: # Read in /etc/passwd, and make sure this process is running from user=www
55: open (IN, "</etc/passwd");
56: my @lines=<IN>;
57: close IN;
58: my $wwwid;
59: for my $l (@lines) {
60: chop $l;
61: my @F=split(/\:/,$l);
62: if ($F[0] eq 'www') {$wwwid=$F[2];}
63: }
64: if ($wwwid!=$<) {
65: print("User ID mismatch. This program must be run as user 'www'\n") unless $noprint;
66: exit 1;
67: }
68: &disable_root_capability;
69:
70: # Handle case of another lcpasswd process
71: unless (&try_to_lock("/tmp/lock_lcpasswd")) {
72: print "Error. Too many other simultaneous password change requests being made.\n" unless $noprint;
73: exit 4;
74: }
75:
76: # Gather input. Should only be 1 value (user name).
77: my @input;
78: if (@ARGV==1) {
79: @input=@ARGV;
80: }
81: elsif (@ARGV) {
82: print("Error. This program needs just 1 command-line argument (username).\n") unless $noprint;
83: unlink('/tmp/lock_lcpasswd');
84: exit 2;
85: }
86: else {
87: @input=<>;
88: if (@input!=1) {
89: print("Error. Only one line should be entered into standard input.\n") unless $noprint;
90: unlink('/tmp/lock_lcpasswd');
91: exit 3;
92: }
93: map {chop} @input;
94: }
95:
96: my ($username)=@input;
97: $username=~/^(\w+)$/;
98: my $safeusername=$1;
99:
100: &enable_root_capability;
101:
102: # By using the system userdel command:
103: # Remove entry from /etc/passwd if it exists
104: # Remove entry from /etc/groups if it exists
105: # I surround with groupdel command to make absolutely sure the group definition disappears.
106: system('/usr/sbin/groupdel 2>/dev/null',$safeusername); # ignore error message
107: system('/usr/sbin/userdel 2>/dev/null',$safeusername); # ignore error message
108: system('/usr/sbin/groupdel 2>/dev/null',$safeusername); # ignore error message
109:
110: # Remove entry from /etc/smbpasswd if it exists
111: my $oldsmbpasswd=`/bin/cat /etc/smbpasswd`;
112: my $newsmbpasswd=`/bin/grep -v '^${safeusername}:' /etc/smbpasswd`;
113:
114: if ($oldsmbpasswd ne $newsmbpasswd) {
115: open OUT,">/etc/smbpasswd";
116: print OUT $newsmbpasswd;
117: close OUT;
118: }
119:
120: # Change ownership on directory from username:username to www:www
121: # This prevents subsequently added users from having access.
122:
123: system('/bin/chown','-R','www:www',"/home/$safeusername");
124:
125: &disable_root_capability;
126: unlink("/tmp/lock_lcpasswd");
127: exit 0;
128:
129: # ----------------------------------------------------------- have setuid script run as root
130: sub enable_root_capability {
131: if ($wwwid==$>) {
132: ($<,$>)=($>,$<);
133: ($(,$))=($),$();
134: }
135: else {
136: # root capability is already enabled
137: }
138: return $>;
139: }
140:
141: # ----------------------------------------------------------- have setuid script run as www
142: sub disable_root_capability {
143: if ($wwwid==$<) {
144: ($<,$>)=($>,$<);
145: ($(,$))=($),$();
146: }
147: else {
148: # root capability is already disabled
149: }
150: }
151:
152: # ----------------------------------- make sure that another lcpasswd process isn't running
153: sub try_to_lock {
154: my ($lockfile)=@_;
155: my $currentpid;
156: my $lastpid;
157: # Do not manipulate lock file as root
158: if ($>==0) {
159: return 0;
160: }
161: # Try to generate lock file.
162: # Wait 3 seconds. If same process id is in
163: # lock file, then assume lock file is stale, and
164: # go ahead. If process id's fluctuate, try
165: # for a maximum of 10 times.
166: for (0..10) {
167: if (-e $lockfile) {
168: open(LOCK,"<$lockfile");
169: $currentpid=<LOCK>;
170: close LOCK;
171: if ($currentpid==$lastpid) {
172: last;
173: }
174: sleep 3;
175: $lastpid=$currentpid;
176: }
177: else {
178: last;
179: }
180: if ($_==10) {
181: return 0;
182: }
183: }
184: open(LOCK,">$lockfile");
185: print LOCK $$;
186: close LOCK;
187: return 1;
188: }
189:
190:
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>