loncom/lcuseradd - diff

Return to lcuseradd CVS log

Up to [LON-CAPA] / loncom

Diff for /loncom/Attic/lcuseradd between versions 1.2 and 1.14

-version 1.2, 2000/10/29 22:07:20
+version 1.14, 2000/10/30 03:37:51
  Line 3
  # lcuseradd
  #
  # Scott Harrison
- # October 27, 2000
+ # SH: October 27, 2000
+ # SH: October 29, 2000
  use strict;
- Line 18  use strict;
+ Line 19  use strict;
  # Standard input usage
  # First line is USERNAME
  # Second line is PASSWORD
+ # Third line is PASSWORD
- # Command-line arguments [USERNAME] [PASSWORD]
+ # Valid passwords must consist of the
+ # ascii characters within the inclusive
+ # range of 0x20 (32) to 0x7E (126).
+ # These characters are:
+ # SPACE and
+ # !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNO
+ # PQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
+ # Valid user names must consist of ascii
+ # characters that are alphabetical characters
+ # (A-Z,a-z), numeric (0-9), or the underscore
+ # mark (_). (Essentially, the perl regex \w).
+ # Command-line arguments [USERNAME] [PASSWORD] [PASSWORD]
  # Yes, but be very careful here (don't pass shell commands)
  # and this is only supported to allow perl-system calls.
+ # Usage within code
+ #
+ # $exitcode=system("/home/httpd/perl/lcuseradd","NAME","PASSWORD1","PASSWORD2")/256;
+ # print "uh-oh" if $exitcode;
+ # These are the exit codes.
+ # ( (0,"ok"),
+ # (1,"User ID mismatch.  This program must be run as user 'www'"),
+ # (2,"Error. This program needs 3 command-line arguments (username, password 1, password 2)."),
+ # (3,"Error. Three lines should be entered into standard input."),
+ # (4,"Error. Too many other simultaneous password change requests being made."),
+ # (5,"Error. User $username does not exist."),
+ # (6,"Error. Could not make www a member of the group \"$safeusername\"."),
+ # (7,"Error. Root was not successfully enabled.),
+ # (8,"Error. Cannot open /etc/passwd."),
+ # (9,"Error. The user name specified has invalid characters."),
+ # (10,"Error. A password entry had an invalid character."),
+ # (11,"Error. User already exists.),
+ # (12,"Error. Something went wrong with the addition of user \"$safeusername\"."),
+ # (13,"Error. Password mismatch."),
  # Security
  $ENV{'PATH'}=""; # Nullify path information.
  $ENV{'BASH_ENV'}=""; # Nullify shell environment information.
- # Add user entry to /etc/passwd and /etc/groups.
+ # Do not print error messages if there are command-line arguments
+ my $noprint=0;
+ if (@ARGV) {
+     $noprint=1;
+ }
+ # Read in /etc/passwd, and make sure this process is running from user=www
+ open (IN, "</etc/passwd");
+ my @lines=<IN>;
+ close IN;
+ my $wwwid;
+ for my $l (@lines) {
+     chop $l;
+     my @F=split(/\:/,$l);
+     if ($F[0] eq 'www') {$wwwid=$F[2];}
+ }
+ if ($wwwid!=$<) {
+     print("User ID mismatch.  This program must be run as user 'www'\n") unless $noprint;
+     exit 1;
+ }
+ &disable_root_capability;
+ # Handle case of another lcpasswd process
+ unless (&try_to_lock("/tmp/lock_lcpasswd")) {
+     print "Error. Too many other simultaneous password change requests being made.\n" unless $noprint;
+     exit 4;
+ }
+ # Gather input.  Should be 3 values (user name, password 1, password 2).
+ my @input;
+ if (@ARGV==3) {
+     @input=@ARGV;
+ }
+ elsif (@ARGV) {
+     print("Error. This program needs 3 command-line arguments (username, password 1, password 2).\n") unless $noprint;
+     unlink('/tmp/lock_lcpasswd');
+     exit 2;
+ }
+ else {
+     @input=<>;
+     if (@input!=3) {
+ 	print("Error. Three lines should be entered into standard input.\n") unless $noprint;
+ 	unlink('/tmp/lock_lcpasswd');
+ 	exit 3;
+     }
+     map {chop} @input;
+ }
+ my ($username,$password1,$password2)=@input;
+ $username=~/^(\w+)$/;
+ my $safeusername=$1;
+ if ($username ne $safeusername) {
+     print "Error. The user name specified has invalid characters.\n";
+     unlink('/tmp/lock_lcpasswd');
+     exit 9;
+ }
+ my $pbad=0;
+ map {if ((ord($_)<32)||(ord($_)>126)){$pbad=1;}} (split(//,$password1));
+ map {if ((ord($_)<32)||(ord($_)>126)){$pbad=1;}} (split(//,$password2));
+ if ($pbad) {
+     print "Error. A password entry had an invalid character.\n";
+     unlink('/tmp/lock_lcpasswd');
+     exit 10;
+ }
+ # Only add user if we can create a brand new home directory (/home/username).
+ if (-e "/home/$safeusername") {
+     print "Error. User already exists.\n" unless $noprint;
+     unlink('/tmp/lock_lcpasswd');
+     exit 11;
+ }
+ # Only add user if the two password arguments match.
+ if ($password1 ne $password2) {
+     print "Error. Password mismatch.\n" unless $noprint;
+     unlink('/tmp/lock_lcpasswd');
+     exit 13;
+ }
+ &enable_root_capability;
+ # Add user entry to /etc/passwd and /etc/groups in such
+ # a way that www is a member of the user-specific group
+ if (system('/usr/sbin/useradd','-c','LON-CAPA user',$safeusername)) {
+     print "Error.  Something went wrong with the addition of user \"$safeusername\".\n" unless $noprint;
+     unlink('/tmp/lock_lcpasswd');
+     exit 12;
+ }
+ # Make www a member of that user group.
+ if (system('/usr/sbin/usermod','-G',$safeusername,'www')) {
+     print "Error. Could not make www a member of the group \"$safeusername\".\n" unless $noprint;
+     unlink('/tmp/lock_lcpasswd');
+     exit 6;
+ }
+ # Set password with lcpasswd-style algorithm (which creates smbpasswd entry).
+ # I cannot place a direct shell call to lcpasswd since I have to allow
+ # for crazy characters in the password, and the setuid environment of perl
+ # requires me to make everything safe.
+ # Grab the line corresponding to username
+ open (IN, "</etc/passwd");
+ @lines=<IN>;
+ close IN;
+ my ($userid,$useroldcryptpwd);
+ my @F; my @U;
+ for my $l (@lines) {
+     chop $l;
+     @F=split(/\:/,$l);
+     if ($F[0] eq $username) {($userid,$useroldcryptpwd)=($F[2],$F[1]); @U=@F;}
+ }
+ # Verify existence of user
+ if (!defined($userid)) {
+     print "Error. User $username does not exist.\n" unless $noprint;
+     unlink('/tmp/lock_lcpasswd');
+     exit 5;
+ }
+ # Construct new password entry (random salt)
+ my $newcryptpwd=crypt($password1,(join '', ('.', '/', 0..9, 'A'..'Z', 'a'..'z')[rand 64, rand 64]));
+ $U[1]=$newcryptpwd;
+ my $userline=join(':',@U);
+ my $rootid=&enable_root_capability;
+ if ($rootid!=0) {
+     print "Error.  Root was not successfully enabled.\n" unless $noprint;
+     unlink('/tmp/lock_lcpasswd');
+     exit 7;
+ }
+ open PASSWORDFILE, '>/etc/passwd' or (print("Error.  Cannot open /etc/passwd.\n") && unlink('/tmp/lock_lcpasswd') && exit(8));
+ for my $l (@lines) {
+     @F=split(/\:/,$l);
+     if ($F[0] eq $username) {print PASSWORDFILE "$userline\n";}
+     else {print PASSWORDFILE "$l\n";}
+ }
+ close PASSWORDFILE;
+ ($>,$<)=(0,0); # fool smbpasswd here to think this is not a setuid environment
+ unless (-e '/etc/smbpasswd') {
+     open (OUT,'>/etc/smbpasswd'); close OUT;
+ }
+ my $smbexist=0;
+ open (IN, '</etc/smbpasswd');
+ my @lines=<IN>;
+ close IN;
+ for my $l (@lines) {
+     chop $l;
+     my @F=split(/\:/,$l);
+     if ($F[0] eq $username) {$smbexist=1;}
+ }
+ unless ($smbexist) {
+     open(OUT,'>>/etc/smbpasswd');
+     print OUT join(':',($safeusername,$userid,'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX','','/home/'.$safeusername,'/bin/bash')) . "\n";
+     close OUT;
+ }
+ open(OUT,"|/usr/bin/smbpasswd -s $safeusername>/dev/null");
+ print OUT $password1; print OUT "\n";
+ print OUT $password1; print OUT "\n";
+ close OUT;
+ $<=$wwwid; # unfool the program
+ # Make final modifications to the user directory.
+ # Add a public_html file with a stand-in index.html file.
+ system('/bin/chmod','-R','0660',"/home/$safeusername");
+ system('/bin/chmod','0770',"/home/$safeusername");
+ mkdir "/home/$safeusername/public_html",0770;
+ open OUT,">/home/$safeusername/public_html/index.html";
+ print OUT<<END;
+ <HTML>
+ <HEAD>
+ <TITLE>$safeusername</TITLE>
+ </HEAD>
+ <BODY>
+ <H1>$safeusername</H1>
+ <P>
+ Learning Online Network
+ </P>
+ <P>
+ This area provides for:
+ </P>
+ <UL>
+ <LI>resource construction
+ <LI>resource publication
+ <LI>record-keeping
+ </UL>
+ </BODY>
+ </HTML>
+ END
+ close OUT;
+ system('/bin/chown','-R',"$safeusername:$safeusername","/home/$safeusername");
+ system('/bin/chmod','-R','0660',"/home/$safeusername");
+ system('/bin/chmod','0770',"/home/$safeusername");
+ system('/bin/chmod','0770',"/home/$safeusername/public_html");
+ &disable_root_capability;
+ unlink('/tmp/lock_lcpasswd');
+ exit 0;
- # Set password with lcpasswd (which creates smbpasswd entry).
+ # ----------------------------------------------------------- have setuid script run as root
+ sub enable_root_capability {
+     if ($wwwid==$>) {
+ 	($<,$>)=($>,$<);
+ 	($(,$))=($),$();
+     }
+     else {
+ 	# root capability is already enabled
+     }
+     return $>;
+ }
- # www becomes member of this user group
+ # ----------------------------------------------------------- have setuid script run as www
+ sub disable_root_capability {
+     if ($wwwid==$<) {
+ 	($<,$>)=($>,$<);
+ 	($(,$))=($),$();
+     }
+     else {
+ 	# root capability is already disabled
+     }
+ }
+ # ----------------------------------- make sure that another lcpasswd process isn't running
+ sub try_to_lock {
+     my ($lockfile)=@_;
+     my $currentpid;
+     my $lastpid;
+     # Do not manipulate lock file as root
+     if ($>==0) {
+ 	return 0;
+     }
+     # Try to generate lock file.
+     # Wait 3 seconds.  If same process id is in
+     # lock file, then assume lock file is stale, and
+     # go ahead.  If process id's fluctuate, try
+     # for a maximum of 10 times.
+     for (0..10) {
+ 	if (-e $lockfile) {
+ 	    open(LOCK,"<$lockfile");
+ 	    $currentpid=<LOCK>;
+ 	    close LOCK;
+ 	    if ($currentpid==$lastpid) {
+ 		last;
+ 	    }
+ 	    sleep 3;
+ 	    $lastpid=$currentpid;
+ 	}
+ 	else {
+ 	    last;
+ 	}
+ 	if ($_==10) {
+ 	    return 0;
+ 	}
+     }
+     open(LOCK,">$lockfile");
+     print LOCK $$;
+     close LOCK;
+     return 1;
+ }

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>

Removed from v.1.2
changed lines
	Added in v.1.14