|
version 1.2, 2000/10/29 22:07:20
|
version 1.5, 2000/10/29 22:50:56
|
|
Line 18 use strict;
|
Line 18 use strict;
|
| # Standard input usage |
# Standard input usage |
| # First line is USERNAME |
# First line is USERNAME |
| # Second line is PASSWORD |
# Second line is PASSWORD |
| |
# Third line is PASSWORD |
| |
|
| # Command-line arguments [USERNAME] [PASSWORD] |
# Command-line arguments [USERNAME] [PASSWORD] [PASSWORD] |
| # Yes, but be very careful here (don't pass shell commands) |
# Yes, but be very careful here (don't pass shell commands) |
| # and this is only supported to allow perl-system calls. |
# and this is only supported to allow perl-system calls. |
| |
|
| |
# Usage within code |
| |
# |
| |
# $exitcode=system("/home/httpd/perl/lcuseradd","NAME","PASSWORD1","PASSWORD2")/256; |
| |
# print "uh-oh" if $exitcode; |
| |
|
| |
# These are the exit codes. |
| |
|
| # Security |
# Security |
| $ENV{'PATH'}=""; # Nullify path information. |
$ENV{'PATH'}=""; # Nullify path information. |
| $ENV{'BASH_ENV'}=""; # Nullify shell environment information. |
$ENV{'BASH_ENV'}=""; # Nullify shell environment information. |
| |
|
| # Add user entry to /etc/passwd and /etc/groups. |
# Do not print error messages if there are command-line arguments |
| |
my $noprint=0; |
| # Set password with lcpasswd (which creates smbpasswd entry). |
if (@ARGV) { |
| |
$noprint=1; |
| # www becomes member of this user group |
} |
| |
|
| |
# Read in /etc/passwd, and make sure this process is running from user=www |
| |
open (IN, "</etc/passwd"); |
| |
my @lines=<IN>; |
| |
close IN; |
| |
my $wwwid; |
| |
for my $l (@lines) { |
| |
chop $l; |
| |
my @F=split(/\:/,$l); |
| |
if ($F[0] eq 'www') {$wwwid=$F[2];} |
| |
} |
| |
if ($wwwid!=$<) { |
| |
print("User ID mismatch. This program must be run as user 'www'\n") unless $noprint; |
| |
exit 1; |
| |
} |
| |
&disable_root_capability; |
| |
|
| |
# Handle case of another lcpasswd process |
| |
unless (&try_to_lock("/tmp/lock_lcpasswd")) { |
| |
print "Error. Too many other simultaneous password change requests being made.\n" unless $noprint; |
| |
exit 4; |
| |
} |
| |
|
| |
# Gather input. Should be 3 values (user name, password 1, password 2). |
| |
my @input; |
| |
if (@ARGV==3) { |
| |
@input=@ARGV; |
| |
} |
| |
elsif (@ARGV) { |
| |
print("Error. This program needs 3 command-line arguments (username, password 1, password 2).\n") unless $noprint; |
| |
unlink('/tmp/lock_lcpasswd'); |
| |
exit 2; |
| |
} |
| |
else { |
| |
@input=<>; |
| |
if (@input!=3) { |
| |
print("Error. Three lines should be entered into standard input.\n") unless $noprint; |
| |
unlink('/tmp/lock_lcpasswd'); |
| |
exit 3; |
| |
} |
| |
map {chop} @input; |
| |
} |
| |
|
| |
my ($username,$password1,$password2)=@input; |
| |
$username=~/^(\w+)$/; |
| |
my $safeusername=$1; |
| |
|
| |
if ($password1 ne $password2) { |
| |
print "Error. Password mismatch.\n"; |
| |
unlink('/tmp/lock_lcpasswd'); |
| |
exit 7; |
| |
} |
| |
|
| |
&enable_root_capability; |
| |
|
| |
# Add user entry to /etc/passwd and /etc/groups in such |
| |
# a way that www is a member of the user-specific group |
| |
|
| |
if (system('/usr/sbin/useradd','-c','LON-CAPA user',$safeusername)) { |
| |
print "Error. Something went wrong with the addition of user \"$safeusername\".\n"; |
| |
unlink('/tmp/lock_lcpasswd'); |
| |
exit 5; |
| |
} |
| |
if (system('/usr/sbin/usermod','-G',$safeusername,'www')) { |
| |
print "Error. Could not make www a member of the group \"$safeusername\".\n"; |
| |
unlink('/tmp/lock_lcpasswd'); |
| |
exit 6; |
| |
} |
| |
|
| |
# Set password with lcpasswd-style algorithm (which creates smbpasswd entry). |
| |
# I cannot place a direct shell call to lcpasswd since I have to allow |
| |
# for crazy characters in the password, and the setuid environment of perl |
| |
# requires me to make everything safe. |
| |
|
| |
|
| |
|
| |
# ----------------------------------------------------------- have setuid script run as root |
| |
sub enable_root_capability { |
| |
if ($wwwid==$>) { |
| |
($<,$>)=($>,$<); |
| |
($(,$))=($),$(); |
| |
} |
| |
else { |
| |
# root capability is already enabled |
| |
} |
| |
return $>; |
| |
} |
| |
|
| |
# ----------------------------------------------------------- have setuid script run as www |
| |
sub disable_root_capability { |
| |
if ($wwwid==$<) { |
| |
($<,$>)=($>,$<); |
| |
($(,$))=($),$(); |
| |
} |
| |
else { |
| |
# root capability is already disabled |
| |
} |
| |
} |
| |
|
| |
# ----------------------------------- make sure that another lcpasswd process isn't running |
| |
sub try_to_lock { |
| |
my ($lockfile)=@_; |
| |
my $currentpid; |
| |
my $lastpid; |
| |
# Do not manipulate lock file as root |
| |
if ($>==0) { |
| |
return 0; |
| |
} |
| |
# Try to generate lock file. |
| |
# Wait 3 seconds. If same process id is in |
| |
# lock file, then assume lock file is stale, and |
| |
# go ahead. If process id's fluctuate, try |
| |
# for a maximum of 10 times. |
| |
for (0..10) { |
| |
if (-e $lockfile) { |
| |
open(LOCK,"<$lockfile"); |
| |
$currentpid=<LOCK>; |
| |
close LOCK; |
| |
if ($currentpid==$lastpid) { |
| |
last; |
| |
} |
| |
sleep 3; |
| |
$lastpid=$currentpid; |
| |
} |
| |
else { |
| |
last; |
| |
} |
| |
if ($_==10) { |
| |
return 0; |
| |
} |
| |
} |
| |
open(LOCK,">$lockfile"); |
| |
print LOCK $$; |
| |
close LOCK; |
| |
return 1; |
| |
} |
![[BACK]](/icons/back.gif){kind=icon}
Return to lcuseradd CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [LON-CAPA] / loncom