loncom/lchtmldir - view

File: [LON-CAPA] / loncom / Attic / lchtmldir
Revision 1.4: download - view: text, annotated - select for diffs
Mon Nov 25 18:45:55 2002 UTC (21 years, 6 months ago) by matthew
Branches: MAIN
CVS tags: version_1_1_X, version_1_1_3, version_1_1_2, version_1_1_1, version_1_1_0, version_1_0_99_3, version_1_0_99_2, version_1_0_99_1, version_1_0_99, version_1_0_3, version_1_0_2, version_1_0_1, version_1_0_0, version_0_99_5, version_0_99_4, version_0_99_3, version_0_99_2, version_0_99_1, version_0_99_0, version_0_6_2, version_0_6, conference_2003, HEAD

Allow creation of public_html directories for users who are not filesystem
authenticated.  Implement changing ownership of directories to www:www for
kerberos and local authentication as well as internal authentication.

1: #!/usr/bin/perl 2: 3: # The Learning Online Network with CAPA 4: # 5: # Copyright Michigan State University Board of Trustees 6: # 7: # This file is part of the LearningOnline Network with CAPA (LON-CAPA). 8: # 9: # LON-CAPA is free software; you can redistribute it and/or modify 10: # it under the terms of the GNU General Public License as published by 11: # the Free Software Foundation; either version 2 of the License, or 12: # (at your option) any later version. 13: # 14: # LON-CAPA is distributed in the hope that it will be useful, 15: # but WITHOUT ANY WARRANTY; without even the implied warranty of 16: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17: # GNU General Public License for more details. 18: # 19: # You should have received a copy of the GNU General Public License 20: # along with LON-CAPA; if not, write to the Free Software 21: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 22: # 23: # /home/httpd/html/adm/gpl.txt 24: # 25: # http://www.lon-capa.org/ 26: # 27: # lchtmldir - LONC-CAPA setuid script to: 28: # o If necessary, add a public_html directory 29: # to the specified user home directory. 30: # o Set the permissions according to the authentication type. 31: # 32: # Motivations: 33: # Originally, account creation would create a public_html 34: # directory for unix authorized people only. It is possible to have 35: # Kerberos, internal and locally authorized 'users' which may be authors 36: # and hence need a properly owned an protected public_html directory 37: # to serve as their construction space. 38: # 39: # Author: 40: # Ron Fox 41: # NSCL 42: # Michigan State University8 43: # East Lansing, MI 48824-1321 44: 45: # General flow of control: 46: # 1. Validate process state (must be run as www). 47: # 2. Validate parameters: Need two parameters: 48: # o Homedir - Home diretory of user 49: # o Username - Name of the user. 50: # o AuthMode - Authentication mode, can be: 51: # - unix 52: # - internal 53: # - krb4 54: # - localauth 55: # 3. Untaint the usename and home directory 56: # 57: # 4. As root if necessary, create $Homedir/public_html 58: # 5. Set ownership/permissions according to authentication mode (AuthMode) 59: # - unix - ~owner:www/2775 60: # - krb4 - ~owner:www/2775 61: # - internal - www:www/2775 62: # - local - www:www/2775 63: # 64: 65: # 66: # Take a few precautions to be sure that we're not vulnerable to trojan 67: # horses and other fine issues: 68: # 69: use strict; 70: 71: $ENV{'PATH'} = '/bin:/usr/bin:/usr/local/sbin:/home/httpd/perl'; 72: delete @ENV{qw{IFS CDPATH ENV BASH_ENV}}; 73: 74: my $DEBUG = 0; # .nonzero -> Debug printing enabled. 75: 76: 77: # If the UID of the running process is not www exit with error. 78: 79: if ($DEBUG) { 80: print("Checking uid...\n"); 81: } 82: my $wwwid = getpwnam('www'); 83: &DisableRoot; 84: if($wwwid != $>) { 85: if ($DEBUG) { 86: print("User ID incorrect. This program must be run as user 'www'\n"); 87: } 88: exit 1; # Exit with error status. 89: } 90: 91: # There must be three 'command line' parameters. The first 92: # is the home directory of the user. 93: # The second is the name of the user. This is only referenced 94: # in code branches dealing with unix mode authentication. 95: # The last is the authentication mode which must be one of unix, internal 96: # krb4 or localauth. 97: # If there is an error in the argument count or countents, we exit with an 98: # error. 99: 100: if ($DEBUG) { 101: print("Checking parameters: \n"); 102: } 103: if(@ARGV != 3) { 104: if($DEBUG) { 105: print("Error: lchtmldir need 3 parameters \n"); 106: } 107: exit 2; 108: } 109: my ($dir,$username,$authentication) = @ARGV; 110: 111: if($DEBUG) { 112: print ("Directory = $dir \n"); 113: print ("User = $username \n"); 114: print ("Authmode = $authentication \n"); 115: 116: } 117: 118: if( $authentication ne "unix:" && 119: $authentication ne "internal:" && 120: $authentication !~ /^krb(4|5):(.*)/ && 121: $authentication ne "localauth:") { 122: if($DEBUG) { 123: print("Invalid authentication parameter: ".$authentication."\n"); 124: print("Should be one of: unix, internal, krb4, localauth\n"); 125: } 126: exit 3; 127: } 128: 129: # Untaint the username. 130: 131: my $match = $username =~ /^(\w+)$/; 132: my $patt = $1; 133: 134: if($DEBUG) { 135: print("Username word match flag = ".$match."\n"); 136: print("Match value = ".$patt."\n"); 137: } 138: 139: my $safeuser = $patt; 140: if($DEBUG) { 141: print("Save username = $safeuser \n"); 142: } 143: if(($username ne $safeuser) or ($safeuser!~/^[A-za-z]/)) { 144: if($DEBUG) { 145: print("User name $username had illegal characters\n"); 146: } 147: exit 4; 148: } 149: 150: #untaint the base directory require that the dir contain only 151: # alphas, / numbers or underscores, and end in /$safeuser 152: 153: $dir =~ /(^([\w\/]+))/; 154: 155: my $dirtry1 = $1; 156: 157: $dir =~ /$\/$safeuser/; 158: my $dirtry2 = $1; 159: 160: if(($dirtry1 ne $dir) or ($dirtry2 ne $dir)) { 161: if ($DEBUG) { 162: print("Directory $dir is not a valid home for $safeuser\n"); 163: } 164: exit 5; 165: } 166: 167: 168: # As root, create the directory. 169: 170: my $fulldir = $dirtry1."/public_html"; 171: if($DEBUG) { 172: print("Full directory path is: $fulldir \n"); 173: } 174: if(!( -e $dirtry1)) { 175: if($DEBUG) { 176: print("User's home directory $dirtry1 does not exist\n"); 177: } 178: if ($authentication eq "unix:") { 179: exit 6; 180: } 181: } 182: &EnableRoot; 183: 184: &System("/bin/mkdir -p $fulldir") unless (-e $fulldir); 185: unless(-e $fulldir."/index.html") { 186: open OUT,">".$fulldir."/index.html"; 187: print OUT<<END; 188: <html> 189: <head> 190: <title>$safeuser</title> 191: </head> 192: <body> 193: <h1>$safeuser</h1> 194: <p> 195: Learning Online Network 196: </p> 197: <p> 198: This area provides for: 199: </p> 200: <ul> 201: <li>resource construction</li> 202: <li>resource publication</li> 203: <li>record-keeping</li> 204: </ul> 205: </body> 206: </html> 207: END 208: close OUT; 209: } 210: &System("/bin/chmod 02775 $fulldir"); 211: &System("/bin/chmod 0775 $fulldir"."/index.html"); 212: 213: 214: # Based on the authentiation mode, set the ownership of the directory. 215: 216: if($authentication eq "unix:") { # Unix mode authentication... 217: &System("/bin/chown -R $username".":".$username." ".$fulldir); 218: &JoinGroup($username); 219: } else { 220: # Internal, Kerberos, and Local authentication are for users 221: # who do not have unix accounts on the system. Therefore we 222: # will give ownership of their public_html directories to www:www 223: &System("/bin/chown -R www:www ".$fulldir); 224: } 225: &DisableRoot; 226: 227: exit 0; 228: 229: #---------------------------------------------------------------------- 230: # 231: # Local utility procedures. 232: # These include: 233: # EnableRoot - Start running as root. 234: # DisableRoot- Stop running as root. 235: # JoinGroup - Join www to the specified group. 236: 237: # Turn on as root: 238: 239: sub EnableRoot { 240: if ($wwwid==$>) { 241: print ("EnableRoot $< $>\n"); 242: ($<,$>)=($>,$<); 243: ($(,$))=($),$(); 244: } 245: else { 246: # root capability is already enabled 247: } 248: if($DEBUG) { 249: print("Enable Root - id = $> $<\n"); 250: } 251: return $>; 252: } 253: 254: sub DisableRoot { 255: if ($wwwid==$<) { 256: ($<,$>)=($>,$<); 257: ($(,$))=($),$(); 258: } 259: else { 260: # root capability is already disabled 261: } 262: if($DEBUG) { 263: print("Disable root: id = ".$>."\n"); 264: } 265: } 266: 267: sub JoinGroup { 268: my $usergroup = shift; 269: 270: my $groups = `/usr/bin/groups www`; 271: chomp $groups; $groups=~s/^\S+\s+\:\s+//; 272: my @grouplist=split(/\s+/,$groups); 273: my @ugrouplist=grep {!/www|$usergroup/} @grouplist; 274: my $gl=join(',',(@ugrouplist,$usergroup)); 275: if (&System('/usr/sbin/usermod','-G',$gl,'www')) { 276: if($DEBUG) { 277: print "Error. Could not make www a member of the group ". 278: "\"$usergroup\".\n"; 279: } 280: exit 6; 281: } 282: 283: } 284: 285: 286: 287: sub System { 288: my $command = shift; 289: if($DEBUG) { 290: print("system: $command \n"); 291: } 292: system($command); 293: } 294: 295: 296: 297:

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator at root@localhost to inform them of the time this error occurred, and the actions you performed just before this error.