--- loncom/Attic/lcuseradd 2005/01/26 12:13:58 1.34 +++ loncom/Attic/lcuseradd 2005/06/21 10:58:38 1.37 @@ -6,7 +6,7 @@ # with adding a user with filesystem privileges (e.g. author) # # -# $Id: lcuseradd,v 1.34 2005/01/26 12:13:58 foxr Exp $ +# $Id: lcuseradd,v 1.37 2005/06/21 10:58:38 foxr Exp $ ### ############################################################################### @@ -32,6 +32,8 @@ ############################################################################### use strict; +use File::Find; + # ------------------------------------------------------- Description of script # @@ -247,10 +249,36 @@ my $status = system('/usr/sbin/useradd', if ($status) { print "Error. Something went wrong with the addition of user ". "\"$safeusername\".\n" unless $noprint; - print "Final status of useradd = $status"; + print "Final status of useradd = $status\n"; unlink('/tmp/lock_lcpasswd'); &Exit(12); } +my ($dmy1, $dmy2, $uid, $gid) = getpwnam($safeusername); +my ($group) = getgrgid($gid); +if (! $group) { + print "Error. The primary group of user \"$safeusername\" could not be". + "determined.\n" unless $noprint; + system("/usr/sbin/userdel -r $safeusername"); + unlink('/tmp/lock_lcpasswd'); + &Exit(12); +} +if ($group != $safeusername) { + $status = system("/usr/sbin/groupadd -g $uid $safeusername"); + if (! $status) { + $status = system("/usr/sbin/usermod -g $uid $safeusername"); + if ($status) { + system("/usr/sbin/groupdel $safeusername"); + } + } + if ($status) { + print "Error. Something went wrong with the addition of user ". + "\"$safeusername\".\n" unless $noprint; + system("/usr/sbin/userdel -r $safeusername"); + unlink('/tmp/lock_lcpasswd'); + &Exit(12); + } +} + print "Done adding user\n" unless $noprint; # Make www a member of that user group. my $groups=`/usr/bin/groups www` or &Exit(6); @@ -300,7 +328,6 @@ if ($?) { system('/bin/chmod','-R','0660',"/home/$safeusername"); system('/bin/chmod','0710',"/home/$safeusername"); mkdir "/home/$safeusername/public_html",0755; -system('/bin/chmod','02770',"/home/$safeusername/public_html"); open OUT,">/home/$safeusername/public_html/index.html"; print OUT< @@ -314,13 +341,14 @@ print OUT< END close OUT; -system('/bin/chmod','0660', "/home/$safeusername/public_html/index.html"); + # # In order to allow the loncapa daemons appropriate access # to public_html, Top level and public_html directories should # be owned by safeusername:safeusername as should the smaple index.html.. print "lcuseradd ownership\n" unless $noprint; system('/bin/chown','-R',"$safeusername:$safeusername","/home/$safeusername"); # First set std ownership on everything. +&set_public_html_permissions("/home/$safeusername/public_html"); # system('/bin/chown',"$safeusername:www","/home/$safeusername"); # Now adust top level... # system('/bin/chown','-R',"$safeusername:www","/home/$safeusername/public_html"); # And web dir. # ---------------------------------------------------- Gracefull Apache Restart @@ -329,7 +357,8 @@ if (-e '/var/run/httpd.pid') { open(PID,'/var/run/httpd.pid'); my $pid=; close(PID); - my ($safepid)= $pid=~ /(\D+)/; + my $pid=~ /(\D+)/; + my $safepid = $1; if ($pid) { system('kill','-USR1',"$safepid"); } @@ -396,6 +425,53 @@ sub try_to_lock { close LOCK; return 1; } +# Called by File::Find::find for each file examined. +# +# Untaint the file and, if it is a directory, +# chmod it to 02770 +# +sub set_permission { + $File::Find::name =~ /^(.*)$/; + my $safe_name = $1; # Untainted filename... + + print "$safe_name" unless $noprint; + if(-d $safe_name) { + print " - directory" unless $noprint; + chmod(02770, $safe_name); + } + print "\n" unless $noprint; + +} +# +# Set up the correct permissions for all files in the +# user's public htmldir. We just do a chmod -R 0660 ... for +# the ordinary files. The we use File::Find +# to pop through the directory tree changing directories only +# to 02770: +# +sub set_public_html_permissions { + my ($topdir) = @_; + + # Set the top level dir permissions (I'm not sure if find + # will enumerate it specifically), correctly and all + # files and dirs to the 'ordinary' file permissions: + + system("chmod -R 0660 $topdir"); + chmod(02770, $topdir); + + # Now use find to locate all directories under $topdir + # and set their modes to 02770... + # + print "Find file\n " unless $noprint; + File::Find::find({"untaint" => 1, + "untaint_pattern" => qr(/^(.*)$/), + "untaint_skip" => 1, + "no_chdir" => 1, + "wanted" => \&set_permission }, "$topdir"); + + +} + #-------------------------- Exit... # # Write the file if the error_file is defined. Regardless @@ -404,6 +480,10 @@ sub try_to_lock { sub Exit { my ($code) = @_; # Status code. + # TODO: Ensure the error file is owned/deletable by www:www: + + &disable_root_capability(); # We run unprivileged to write the error file. + print "Exiting with status $code error file is $error_file\n" unless $noprint; if($error_file) { open(FH, ">$error_file");