--- loncom/Attic/lcuseradd 2004/08/06 10:29:37 1.28 +++ loncom/Attic/lcuseradd 2005/01/27 11:52:46 1.35 @@ -6,7 +6,7 @@ # with adding a user with filesystem privileges (e.g. author) # # -# $Id: lcuseradd,v 1.28 2004/08/06 10:29:37 foxr Exp $ +# $Id: lcuseradd,v 1.35 2005/01/27 11:52:46 foxr Exp $ ### ############################################################################### @@ -32,6 +32,8 @@ ############################################################################### use strict; +use File::Find; + # ------------------------------------------------------- Description of script # @@ -214,13 +216,20 @@ if($error_file) { } -# -- Only add user if we can create a brand new home directory (/home/username) -if (-e "/home/$safeusername") { - print "Error. User already exists.\n" unless $noprint; +# -- Only add the user if they are >not< in /etc/passwd. +# Used to look for the ability to create a new directory for the +# user, however that disallows authentication changes from i +# internal->fs.. so just check the passwd file instead. +# +my $not_found = system("cut -d: -f1 /etc/passwd | grep -q \"^$safeusername\$\" "); +if (!$not_found) { + print "Error user already exists\n" unless $noprint; unlink('/tmp/lock_lcpasswd'); &Exit(11); } + + # -- Only add user if the two password arguments match. if ($password1 ne $password2) { @@ -248,7 +257,7 @@ print "Done adding user\n" unless $nopri # Make www a member of that user group. my $groups=`/usr/bin/groups www` or &Exit(6); # untaint -my ($safegroups)=($groups=~/([\s\w]+)/); +my ($safegroups)=($groups=~/:\s*([\s\w]+)/); $groups=$safegroups; chomp $groups; $groups=~s/^\S+\s+\:\s+//; my @grouplist=split(/\s+/,$groups); @@ -293,7 +302,6 @@ if ($?) { system('/bin/chmod','-R','0660',"/home/$safeusername"); system('/bin/chmod','0710',"/home/$safeusername"); mkdir "/home/$safeusername/public_html",0755; -system('/bin/chmod','02770',"/home/$safeusername/public_html"); open OUT,">/home/$safeusername/public_html/index.html"; print OUT< @@ -308,15 +316,23 @@ print OUT<; close(PID); - my ($safepid)=($pid=~s/(\D+)//g); + my $pid=~ /(\D+)/; + my $safepid = $1; if ($pid) { system('kill','-USR1',"$safepid"); } @@ -383,6 +399,53 @@ sub try_to_lock { close LOCK; return 1; } +# Called by File::Find::find for each file examined. +# +# Untaint the file and, if it is a directory, +# chmod it to 02770 +# +sub set_permission { + $File::Find::name =~ /^(.*)$/; + my $safe_name = $1; # Untainted filename... + + print "$safe_name" unless $noprint; + if(-d $safe_name) { + print " - directory" unless $noprint; + chmod(02770, $safe_name); + } + print "\n" unless $noprint; + +} +# +# Set up the correct permissions for all files in the +# user's public htmldir. We just do a chmod -R 0660 ... for +# the ordinary files. The we use File::Find +# to pop through the directory tree changing directories only +# to 02770: +# +sub set_public_html_permissions { + my ($topdir) = @_; + + # Set the top level dir permissions (I'm not sure if find + # will enumerate it specifically), correctly and all + # files and dirs to the 'ordinary' file permissions: + + system("chmod -R 0660 $topdir"); + chmod(02770, $topdir); + + # Now use find to locate all directories under $topdir + # and set their modes to 02770... + # + print "Find file\n " unless $noprint; + File::Find::find({"untaint" => 1, + "untaint_pattern" => qr(/^(.*)$/), + "untaint_skip" => 1, + "no_chdir" => 1, + "wanted" => \&set_permission }, "$topdir"); + + +} + #-------------------------- Exit... # # Write the file if the error_file is defined. Regardless