--- loncom/Attic/lcuseradd	2004/08/05 20:47:27	1.27
+++ loncom/Attic/lcuseradd	2005/07/29 17:33:18	1.38
@@ -6,7 +6,7 @@
 #             with adding a user with filesystem privileges (e.g. author)
 #
 #
-# $Id: lcuseradd,v 1.27 2004/08/05 20:47:27 albertel Exp $
+# $Id: lcuseradd,v 1.38 2005/07/29 17:33:18 raeburn Exp $
 ###
 
 ###############################################################################
@@ -32,6 +32,8 @@
 ###############################################################################
 
 use strict;
+use File::Find;
+
 
 # ------------------------------------------------------- Description of script
 #
@@ -107,7 +109,8 @@ use strict;
 # (12,"Error. Something went wrong with the addition of user ".
 #     "\"$safeusername\"."),
 # (13,"Error. Password mismatch."),
-# (14, "Error filename is invalid")
+# (14, "Error filename is invalid"),
+# (15, "Error. Could not add home directory.")
 
 # ------------------------------------------------------------- Initializations
 # Security
@@ -147,14 +150,12 @@ unless (&try_to_lock("/tmp/lock_lcpasswd
 my @input;
 if (@ARGV>=3) {
     @input=@ARGV;
-}
-elsif (@ARGV) {
+} elsif (@ARGV) {
     print("Error. This program needs at least 3 command-line arguments (username, ".
 	  "password 1, password 2 [errorfile]).\n") unless $noprint;
     unlink('/tmp/lock_lcpasswd');
     &Exit(2);
-}
-else {
+} else {
     @input=<>;
     if (@input < 3) {
 	print("Error. At least three lines should be entered into standard input.\n")
@@ -208,8 +209,7 @@ if($error_file) {
 	    Exit(14);
 	}
 
-    } 
-    else {
+    } else {
 	$error_file="";
 	print "Invalid error filename\n" unless $noprint;
 	Exit(14);
@@ -217,13 +217,20 @@ if($error_file) {
 }
 
 
-# -- Only add user if we can create a brand new home directory (/home/username)
-if (-e "/home/$safeusername") {
-    print "Error. User already exists.\n" unless $noprint;
+# -- Only add the user if they are >not< in /etc/passwd.
+#    Used to look for the ability to create a new directory for the
+#    user, however that disallows authentication changes from i
+#    internal->fs.. so just check the passwd file instead.
+#
+my $not_found = system("cut -d: -f1 /etc/passwd | grep -q \"^$safeusername\$\" ");
+if (!$not_found) {
+    print "Error user already exists\n" unless $noprint;
     unlink('/tmp/lock_lcpasswd');
     &Exit(11);
 }
 
+
+
 # -- Only add user if the two password arguments match.
 
 if ($password1 ne $password2) {
@@ -235,29 +242,44 @@ print "enabling root\n" unless $noprint;
 # ---------------------------------- Start running script with root permissions
 &enable_root_capability;
 
-# ------------------- Add user and make www a member of the user-specific group
+# ------------------- Add group and user, and make www a member of the group
+# -- Add group
+
+print "adding group: $safeusername \n" unless $noprint;
+my $status = system('/usr/sbin/groupadd', $safeusername);
+if ($status) {
+    print "Error.  Something went wrong with the addition of group ".
+          "\"$safeusername\".\n" unless $noprint;
+    print "Final status of groupadd = $status\n";
+    unlink('/tmp/lock_lcpasswd');
+    &Exit(12);
+}
+my $gid = getgrnam($safeusername);
+                                                                                
 # -- Add user
 
 print "adding user: $safeusername \n" unless $noprint;
-my $status = system('/usr/sbin/useradd','-c','LON-CAPA user',$safeusername);
+my $status = system('/usr/sbin/useradd','-c','LON-CAPA user','-g',$gid,$safeusername);
 if ($status) {
     print "Error.  Something went wrong with the addition of user ".
 	  "\"$safeusername\".\n" unless $noprint;
-    print "Final status of useradd = $status";
+    system("/usr/sbin/groupdel $safeusername");
+    print "Final status of useradd = $status\n";
     unlink('/tmp/lock_lcpasswd');
     &Exit(12);
 }
+
 print "Done adding user\n" unless $noprint;
 # Make www a member of that user group.
 my $groups=`/usr/bin/groups www` or &Exit(6);
 # untaint
-my ($safegroups)=($groups=~/([\s\w]+)/);
+my ($safegroups)=($groups=~/:\s*([\s\w]+)/);
 $groups=$safegroups;
 chomp $groups; $groups=~s/^\S+\s+\:\s+//;
 my @grouplist=split(/\s+/,$groups);
 my @ugrouplist=grep {!/www|$safeusername/} @grouplist;
 my $gl=join(',',(@ugrouplist,$safeusername));
-print "Putting user in its own group\n" unless $noprint;
+print "Putting www in user's group\n" unless $noprint;
 if (system('/usr/sbin/usermod','-G',$gl,'www')) {
     print "Error. Could not make www a member of the group ".
 	  "\"$safeusername\".\n" unless $noprint;
@@ -287,18 +309,26 @@ if ($?) {
 ($>,$<)=($wwwid,0);
 &enable_root_capability;
 
-# -- Don't add public_html... that can be added either by the user
-#    or by lchtmldir when the user is granted an authorship role.
+# Check if home directory exists for user
+# If not, create one.
+if (!-e "/home/$safeusername") {
+    if (!mkdir("/home/$safeusername",0710)) {
+        print "Error. Could not add home directory for ".
+          "\"$safeusername\".\n" unless $noprint;
+        unlink('/tmp/lock_lcpasswd');
+        &Exit(15);
+    }
+}
 
 # ------------------------------ Make final modifications to the user directory
 # -- Add a public_html file with a stand-in index.html file
 
- system('/bin/chmod','-R','0660',"/home/$safeusername");
-system('/bin/chmod','0710',"/home/$safeusername");
-mkdir "/home/$safeusername/public_html",0755;
-system('/bin/chmod','02770',"/home/$safeusername/public_html");
-open OUT,">/home/$safeusername/public_html/index.html";
-print OUT<<END;
+if (-d "/home/$safeusername") {
+    system('/bin/chmod','-R','0660',"/home/$safeusername");
+    system('/bin/chmod','0710',"/home/$safeusername");
+    mkdir "/home/$safeusername/public_html",0755;
+    open OUT,">/home/$safeusername/public_html/index.html";
+    print OUT<<END;
 <html>
 <head>
 <title>$safeusername</title>
@@ -310,16 +340,25 @@ print OUT<<END;
 </html>
 END
 close OUT;
+}
 
+#
+#   In order to allow the loncapa daemons appropriate access
+#   to public_html, Top level and public_html directories should
+#   be owned by safeusername:safeusername as should the smaple index.html..
 print "lcuseradd ownership\n" unless $noprint;
-system('/bin/chown','-R',"$safeusername:$safeusername","/home/$safeusername");
+system('/bin/chown','-R',"$safeusername:$safeusername","/home/$safeusername"); # First set std ownership on everything.
+&set_public_html_permissions("/home/$safeusername/public_html");
+#  system('/bin/chown',"$safeusername:www","/home/$safeusername");	# Now adust top level...
+#  system('/bin/chown','-R',"$safeusername:www","/home/$safeusername/public_html"); # And web dir.
 # ---------------------------------------------------- Gracefull Apache Restart
 if (-e '/var/run/httpd.pid') {
     print "lcuseradd Apache restart\n" unless $noprint;
     open(PID,'/var/run/httpd.pid');
     my $pid=<PID>;
     close(PID);
-    my ($safepid)=($pid=~s/(\D+)//g);
+    my  $pid=~ /(\D+)/;
+    my $safepid = $1;
     if ($pid) {
 	system('kill','-USR1',"$safepid");
     }
@@ -334,8 +373,7 @@ sub enable_root_capability {
     if ($wwwid==$>) {
 	($<,$>)=($>,0);
 	($(,$))=($),0);
-    }
-    else {
+    } else {
 	# root capability is already enabled
     }
     return $>;
@@ -346,8 +384,7 @@ sub disable_root_capability {
     if ($wwwid==$<) {
 	($<,$>)=($>,$<);
 	($(,$))=($),$();
-    }
-    else {
+    } else {
 	# root capability is already disabled
     }
 }
@@ -376,8 +413,7 @@ sub try_to_lock {
 	    }
 	    sleep 3;
 	    $lastpid=$currentpid;
-	}
-	else {
+	} else {
 	    last;
 	}
 	if ($_==10) {
@@ -389,6 +425,53 @@ sub try_to_lock {
     close LOCK;
     return 1;
 }
+#    Called by File::Find::find for each file examined.
+#
+#     Untaint the file and, if it is a directory,
+#     chmod it to 02770
+#
+sub set_permission {
+    $File::Find::name =~ /^(.*)$/;
+    my $safe_name = $1;		# Untainted filename...
+    
+    print "$safe_name" unless $noprint;
+    if(-d $safe_name) {
+	print " - directory" unless $noprint;
+	chmod(02770, $safe_name);
+    }
+    print "\n" unless $noprint;
+
+}
+#
+#    Set up the correct permissions for all files in the 
+#    user's public htmldir. We just do a chmod -R 0660 ... for
+#    the ordinary files.  The we use File::Find
+#    to pop through the directory tree changing directories only
+#    to 02770:
+#
+sub set_public_html_permissions {
+    my ($topdir) = @_;
+
+    #   Set the top level dir permissions (I'm not sure if find 
+    #   will enumerate it specifically), correctly and all
+    #   files and dirs to the 'ordinary' file permissions:
+
+    system("chmod -R 0660 $topdir");
+    chmod(02770, $topdir);
+
+    #  Now use find to locate all directories under $topdir
+    #  and set their modes to 02770...
+    #
+    print "Find file\n " unless $noprint;
+    File::Find::find({"untaint"         => 1,
+		      "untaint_pattern" => qr(/^(.*)$/),
+		      "untaint_skip"    => 1,
+		      "no_chdir"         => 1,
+		      "wanted"          => \&set_permission }, "$topdir");
+
+
+}
+
 #-------------------------- Exit...
 #
 #   Write the file if the error_file is defined.  Regardless
@@ -397,6 +480,10 @@ sub try_to_lock {
 sub Exit {
     my ($code) = @_;		# Status code.
 
+    # TODO: Ensure the error file is owned/deletable by www:www:
+
+    &disable_root_capability();	# We run unprivileged to write the error file.
+
     print "Exiting with status $code error file is $error_file\n" unless $noprint;
     if($error_file) {
 	open(FH, ">$error_file");