Return to lchtmldir CVS log

Up to [LON-CAPA] / loncom

More correct first file in construction space.

    1: #!/usr/bin/perl
    2: 
    3: # The Learning Online Network with CAPA
    4: #
    5: # Copyright Michigan State University Board of Trustees
    6: #
    7: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
    8: #
    9: # LON-CAPA is free software; you can redistribute it and/or modify
   10: # it under the terms of the GNU General Public License as published by
   11: # the Free Software Foundation; either version 2 of the License, or
   12: # (at your option) any later version.
   13: #
   14: # LON-CAPA is distributed in the hope that it will be useful,
   15: # but WITHOUT ANY WARRANTY; without even the implied warranty of
   16: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   17: # GNU General Public License for more details.
   18: #
   19: # You should have received a copy of the GNU General Public License
   20: # along with LON-CAPA; if not, write to the Free Software
   21: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
   22: #
   23: # /home/httpd/html/adm/gpl.txt
   24: #
   25: # http://www.lon-capa.org/
   26: #
   27: #  lchtmldir - LONC-CAPA setuid script to:
   28: #              o If necessary, add a public_html directory 
   29: #                to the specified user home directory.
   30: #              o Set the permissions according to the authentication type.
   31: #
   32: #  Motivations:
   33: #     Originally, account creation would create a public_html
   34: #     directory for unix authorized people only.  It is possible to have
   35: #     Kerberos, internal and locally authorized 'users' which may be authors
   36: #     and hence need a properly owned an protected public_html directory
   37: #     to serve as their construction space.
   38: #
   39: #  Author:
   40: #    Ron Fox
   41: #    NSCL
   42: #    Michigan State University8
   43: #    East Lansing, MI 48824-1321
   44: 
   45: #   General flow of control:
   46: #   1. Validate process state (must be run as www).
   47: #   2. Validate parameters:  Need two parameters:
   48: #         o Homedir  - Home diretory of user 
   49: #         o Username - Name of the user.
   50: #         o AuthMode - Authentication mode, can be:
   51: #                      - unix
   52: #                      - internal
   53: #                      - krb4
   54: #                      - localauth
   55: #  3. Untaint the usename and home directory
   56: #
   57: #  4. As root if necessary, create $Homedir/public_html
   58: #  5. Set ownership/permissions according to authentication mode (AuthMode)
   59: #       - unix - ~owner:www/2775
   60: #       - krb4 - ~owner:www/2775
   61: #       - internal - www:www/2775
   62: #       - local    - www:www/2775
   63: #
   64: 
   65: #
   66: #   Take a few precautions to be sure that we're not vulnerable to trojan
   67: #   horses and other fine issues:
   68: #
   69: use strict; 
   70: 
   71: $ENV{'PATH'} = '/bin:/usr/bin:/usr/local/sbin:/home/httpd/perl';
   72: delete @ENV{qw{IFS CDPATH ENV BASH_ENV}};
   73: 
   74: my $DEBUG = 0;                         # .nonzero -> Debug printing enabled.
   75: 
   76: 
   77: # If the UID of the running process is not www exit with error.
   78: 
   79: if ($DEBUG) {
   80:     print("Checking uid...\n");
   81: }
   82: my $wwwid = getpwnam('www');
   83: &DisableRoot;
   84: if($wwwid != $>) {
   85:     if ($DEBUG) {
   86: 	print("User ID incorrect.  This program must be run as user 'www'\n");
   87:     }
   88:     exit 1;			# Exit with error status.
   89: }
   90: 
   91: # There must be three 'command line' parameters.  The first
   92: # is the home directory of the user.
   93: # The second is the name of the user.  This is only referenced
   94: # in code branches dealing with unix mode authentication.
   95: # The last is the authentication mode which must be one of unix, internal
   96: # krb4 or localauth.
   97: #   If there is an error in the argument count or countents, we exit with an
   98: # error.
   99: 
  100: if ($DEBUG) {
  101:     print("Checking parameters: \n");
  102: }
  103: if(@ARGV != 3) {
  104:     if($DEBUG) {
  105: 	print("Error: lchtmldir need 3 parameters \n");
  106:     }
  107:     exit 2;
  108: }
  109: my ($dir,$username,$authentication) = @ARGV;
  110: 
  111: if($DEBUG) {
  112:     print ("Directory = $dir \n");
  113:     print ("User      = $username \n");
  114:     print ("Authmode  = $authentication \n");
  115: 
  116: }
  117: 
  118: if( $authentication ne "unix:"     &&
  119:     $authentication ne "internal:" &&
  120:     $authentication !~ /^krb(4|5):(.*)/ &&
  121:     $authentication ne "localauth:") {
  122:     if($DEBUG) {
  123: 	print("Invalid authentication parameter: ".$authentication."\n");
  124: 	print("Should be one of: unix, internal, krb4, localauth\n");
  125:     }
  126:     exit 3;
  127: }
  128: 
  129: # Untaint the username.
  130: 
  131: my $match = $username =~ /^(\w+)$/;
  132: my $patt  = $1;
  133:  
  134: if($DEBUG) {
  135:    print("Username word match flag = ".$match."\n");
  136:     print("Match value = ".$patt."\n");
  137: }
  138: 
  139: my $safeuser = $patt;
  140: if($DEBUG) {
  141:     print("Save username = $safeuser \n");
  142: }
  143: if(($username ne $safeuser) or ($safeuser!~/^[A-za-z]/)) {
  144:     if($DEBUG) {
  145: 	print("User name $username had illegal characters\n");
  146:     }
  147:     exit 4;
  148: }
  149: 
  150: #untaint the base directory require that the dir contain only 
  151: # alphas, / numbers or underscores, and end in /$safeuser
  152: 
  153: $dir =~ /(^([\w\/]+))/;
  154: 
  155: my $dirtry1 = $1;
  156: 
  157: $dir =~ /$\/$safeuser/;
  158: my $dirtry2 = $1;
  159: 
  160: if(($dirtry1 ne $dir) or ($dirtry2 ne $dir)) {
  161:     if ($DEBUG) {
  162: 	print("Directory $dir is not a valid home for $safeuser\n");
  163:     }
  164:     exit 5;
  165: }
  166: 
  167: 
  168: # As root, create the directory.
  169: 
  170: my $fulldir = $dirtry1."/public_html";
  171: if($DEBUG) {
  172:     print("Full directory path is: $fulldir \n");
  173: }
  174: if(!( -e $dirtry1)) {
  175:     if($DEBUG) {
  176: 	print("User's home directory $dirtry1 does not exist\n");
  177:     }
  178:     if ($authentication eq "unix:") {
  179:         exit 6;
  180:     }
  181: }
  182: &EnableRoot;
  183: 
  184: &System("/bin/mkdir -p $fulldir")   unless (-e $fulldir);
  185:     unless(-e $fulldir."/index.html") {
  186: 	open OUT,">".$fulldir."/index.html";
  187: 	print OUT<<END;
  188: 	<html>
  189: 	<head>
  190: 	<title>$safeuser</title>
  191:         </head>
  192:         <body bgcolor="#ccffdd">
  193:         <h1>$safeuser Construction Space</h1>
  194:           <h2>
  195:             The Learning<i>Online</i> Network with Computer-Assisted Personalized Approach
  196:           </h2>
  197:           <p>
  198: This is your construction space within LON-CAPA, where you would construct resources which are meant to be
  199: used across courses and institutions.
  200:           </p>
  201:           <p>
  202: Material within this area can only be seen and edited by $safeuser and designated co-authors. To make
  203: it available to students and other instructors, the material needs to be published.
  204:           </p>
  205:         </body>
  206:        </html>
  207: END
  208:     close OUT;
  209:     }
  210: &System("/bin/chmod  02775  $fulldir");
  211: &System("/bin/chmod  0775  $fulldir"."/index.html");
  212: 
  213: 
  214: # Based on the authentiation mode, set the ownership of the directory.
  215: 
  216: if($authentication eq "unix:") {	# Unix mode authentication...
  217:     &System("/bin/chown -R   $username".":".$username." ".$fulldir);
  218:     &JoinGroup($username);
  219: } else {
  220:     # Internal, Kerberos, and Local authentication are for users
  221:     # who do not have unix accounts on the system.  Therefore we
  222:     # will give ownership of their public_html directories to www:www
  223:     &System("/bin/chown -R www:www  ".$fulldir);
  224: }
  225: &DisableRoot;
  226: 
  227: exit 0;
  228: 
  229: #----------------------------------------------------------------------
  230: #
  231: #  Local utility procedures.
  232: #  These include:
  233: #     EnableRoot - Start running as root.
  234: #     DisableRoot- Stop running as root.
  235: #     JoinGroup  - Join www to the specified group.
  236: 
  237: # Turn on as root:
  238: 
  239: sub EnableRoot {
  240:     if ($wwwid==$>) {
  241:         print ("EnableRoot $< $>\n");
  242: 	($<,$>)=($>,$<);
  243: 	($(,$))=($),$();
  244:     }
  245:     else {
  246: 	# root capability is already enabled
  247:     }
  248:     if($DEBUG) {
  249: 	print("Enable Root - id =  $> $<\n");
  250:     }
  251:     return $>;  
  252: }
  253: 
  254: sub DisableRoot {
  255:     if ($wwwid==$<) {
  256: 	($<,$>)=($>,$<);
  257: 	($(,$))=($),$();
  258:     }
  259:     else {
  260: 	# root capability is already disabled
  261:     }
  262:     if($DEBUG) {
  263: 	print("Disable root: id = ".$>."\n");
  264:     }
  265: }
  266: 
  267: sub JoinGroup {
  268:     my $usergroup = shift;
  269: 
  270:     my $groups = `/usr/bin/groups www`;
  271:     chomp $groups; $groups=~s/^\S+\s+\:\s+//;
  272:     my @grouplist=split(/\s+/,$groups);
  273:     my @ugrouplist=grep {!/www|$usergroup/} @grouplist;
  274:     my $gl=join(',',(@ugrouplist,$usergroup));
  275:     if (&System('/usr/sbin/usermod','-G',$gl,'www')) {
  276: 	if($DEBUG) {
  277: 	    print "Error. Could not make www a member of the group ".
  278: 		"\"$usergroup\".\n";
  279: 	}
  280: 	exit 6;
  281:     }
  282:     
  283: }
  284: 
  285: 
  286: 
  287: sub System {
  288:     my $command = shift;
  289:     if($DEBUG) {
  290: 	print("system: $command \n");
  291:     }
  292:     system($command);
  293: }
  294: 
  295: 
  296: 
  297: