Annotation of loncom/lcuseradd, revision 1.19

1.1       harris41    1: #!/usr/bin/perl
1.16      harris41    2: 
                      3: # The Learning Online Network with CAPA
1.1       harris41    4: #
1.16      harris41    5: # lcuseradd - LON-CAPA setuid script to coordinate all actions
                      6: #             with adding a user with filesystem privileges (e.g. author)
1.1       harris41    7: #
1.16      harris41    8: # YEAR=2000
                      9: # 10/27,10/29,10/30 Scott Harrison
1.15      harris41   10: # YEAR=2001
1.16      harris41   11: # 10/21,11/13,11/15 Scott Harrison
                     12: #
1.19    ! harris41   13: # $Id: lcuseradd,v 1.18 2001/11/16 06:18:35 harris41 Exp $
1.16      harris41   14: ###
1.15      harris41   15: 
                     16: ###############################################################################
                     17: ##                                                                           ##
                     18: ## ORGANIZATION OF THIS PERL SCRIPT                                          ##
                     19: ##                                                                           ##
                     20: ## 1. Description of script                                                  ##
                     21: ## 2. Invoking script (standard input)                                       ##
                     22: ## 3. Example usage inside another piece of code                             ##
                     23: ## 4. Description of functions                                               ##
                     24: ## 5. Exit codes                                                             ##
                     25: ## 6. Initializations                                                        ##
                     26: ## 7. Make sure this process is running from user=www                        ##
                     27: ## 8. Start running script with www permissions                              ##
                     28: ## 9. Handle case of another lcpasswd process (locking)                      ##
                     29: ## 10. Error-check input, need 3 values (user name, password 1, password 2)  ##
                     30: ## 11. Start running script with root permissions                            ##
                     31: ## 12. Add user and make www a member of the user-specific group             ##
                     32: ## 13. Set password                                                          ##
                     33: ## 14. Make final modifications to the user directory                        ##
                     34: ## 15. Exit script (unlock)                                                  ##
                     35: ##                                                                           ##
                     36: ###############################################################################
1.1       harris41   37: 
                     38: use strict;
                     39: 
1.15      harris41   40: # ------------------------------------------------------- Description of script
                     41: #
1.1       harris41   42: # This script is a setuid script that should
                     43: # be run by user 'www'.  It creates a /home/USERNAME directory
                     44: # as well as a /home/USERNAME/public_html directory.
1.15      harris41   45: # It adds a user to the unix system.
1.2       harris41   46: # Passwords are set with lcpasswd.
                     47: # www becomes a member of this user group.
1.1       harris41   48: 
1.15      harris41   49: # -------------- Invoking script (standard input versus command-line arguments)
                     50: #
                     51: # Standard input (STDIN) usage
1.1       harris41   52: # First line is USERNAME
                     53: # Second line is PASSWORD
1.3       harris41   54: # Third line is PASSWORD
1.15      harris41   55: #
                     56: # Command-line arguments [USERNAME] [PASSWORD] [PASSWORD]
                     57: # Yes, but be very careful here (don't pass shell commands)
                     58: # and this is only supported to allow perl-system calls.
                     59: #
1.7       harris41   60: # Valid passwords must consist of the
                     61: # ascii characters within the inclusive
                     62: # range of 0x20 (32) to 0x7E (126).
                     63: # These characters are:
                     64: # SPACE and
                     65: # !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNO
                     66: # PQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
1.15      harris41   67: #
1.7       harris41   68: # Valid user names must consist of ascii
                     69: # characters that are alphabetical characters
                     70: # (A-Z,a-z), numeric (0-9), or the underscore
                     71: # mark (_). (Essentially, the perl regex \w).
1.15      harris41   72: # User names must begin with an alphabetical character
                     73: # (A-Z,a-z).
1.7       harris41   74: 
1.15      harris41   75: # ---------------------------------- Example usage inside another piece of code
1.4       harris41   76: # Usage within code
                     77: #
1.15      harris41   78: # $exitcode=
                     79: #      system("/home/httpd/perl/lcuseradd","NAME","PASSWORD1","PASSWORD2")/256;
1.4       harris41   80: # print "uh-oh" if $exitcode;
                     81: 
1.15      harris41   82: # ---------------------------------------------------- Description of functions
                     83: # enable_root_capability() : have setuid script run as root
                     84: # disable_root_capability() : have setuid script run as www
                     85: # try_to_lock() : make sure that another lcpasswd process isn't running
                     86: 
                     87: # ------------------------------------------------------------------ Exit codes
1.4       harris41   88: # These are the exit codes.
1.13      harris41   89: # ( (0,"ok"),
                     90: # (1,"User ID mismatch.  This program must be run as user 'www'"),
1.15      harris41   91: # (2,"Error. This program needs 3 command-line arguments (username, ".
                     92: #    "password 1, password 2)."),
1.13      harris41   93: # (3,"Error. Three lines should be entered into standard input."),
1.15      harris41   94: # (4,"Error. Too many other simultaneous password change requests being ".
                     95: #    "made."),
1.13      harris41   96: # (5,"Error. User $username does not exist."),
                     97: # (6,"Error. Could not make www a member of the group \"$safeusername\"."),
                     98: # (7,"Error. Root was not successfully enabled.),
1.15      harris41   99: # (8,"Error. Cannot set password."),
1.13      harris41  100: # (9,"Error. The user name specified has invalid characters."),
                    101: # (10,"Error. A password entry had an invalid character."),
                    102: # (11,"Error. User already exists.),
1.15      harris41  103: # (12,"Error. Something went wrong with the addition of user ".
                    104: #     "\"$safeusername\"."),
1.13      harris41  105: # (13,"Error. Password mismatch."),
1.4       harris41  106: 
1.15      harris41  107: # ------------------------------------------------------------- Initializations
1.1       harris41  108: # Security
1.15      harris41  109: $ENV{'PATH'}='/bin/:/usr/bin:/usr/local/sbin:/home/httpd/perl'; # Nullify path
                    110:                                                                 # information
1.16      harris41  111: delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; # nullify potential taints
1.2       harris41  112: 
1.15      harris41  113: # Do not print error messages.
                    114: my $noprint=1;
                    115: 
                    116: # ----------------------------- Make sure this process is running from user=www
                    117: my $wwwid=getpwnam('www');
                    118: &disable_root_capability;
                    119: if ($wwwid!=$>) {
                    120:     print("User ID mismatch.  This program must be run as user 'www'\n")
                    121: 	unless $noprint;
1.4       harris41  122:     exit 1;
                    123: }
1.15      harris41  124: 
                    125: # ----------------------------------- Start running script with www permissions
1.4       harris41  126: &disable_root_capability;
                    127: 
1.15      harris41  128: # --------------------------- Handle case of another lcpasswd process (locking)
1.4       harris41  129: unless (&try_to_lock("/tmp/lock_lcpasswd")) {
1.15      harris41  130:     print "Error. Too many other simultaneous password change requests being ".
                    131: 	"made.\n" unless $noprint;
1.4       harris41  132:     exit 4;
                    133: }
                    134: 
1.15      harris41  135: # ------- Error-check input, need 3 values (user name, password 1, password 2).
1.4       harris41  136: my @input;
1.5       harris41  137: if (@ARGV==3) {
1.4       harris41  138:     @input=@ARGV;
                    139: }
                    140: elsif (@ARGV) {
1.15      harris41  141:     print("Error. This program needs 3 command-line arguments (username, ".
                    142: 	  "password 1, password 2).\n") unless $noprint;
1.4       harris41  143:     unlink('/tmp/lock_lcpasswd');
                    144:     exit 2;
                    145: }
                    146: else {
                    147:     @input=<>;
1.5       harris41  148:     if (@input!=3) {
1.15      harris41  149: 	print("Error. Three lines should be entered into standard input.\n")
                    150: 	    unless $noprint;
1.4       harris41  151: 	unlink('/tmp/lock_lcpasswd');
                    152: 	exit 3;
                    153:     }
1.19    ! harris41  154:     foreach (@input) {chomp;}
1.4       harris41  155: }
                    156: 
                    157: my ($username,$password1,$password2)=@input;
                    158: $username=~/^(\w+)$/;
                    159: my $safeusername=$1;
1.15      harris41  160: if (($username ne $safeusername) or ($safeusername!~/^[A-Za-z]/)) {
                    161:     print "Error. The user name specified has invalid characters.\n"
                    162: 	unless $noprint;
1.8       harris41  163:     unlink('/tmp/lock_lcpasswd');
                    164:     exit 9;
                    165: }
                    166: my $pbad=0;
1.19    ! harris41  167: foreach (split(//,$password1)) {if ((ord($_)<32)||(ord($_)>126)){$pbad=1;}}
        !           168: foreach (split(//,$password2)) {if ((ord($_)<32)||(ord($_)>126)){$pbad=1;}}
1.8       harris41  169: if ($pbad) {
                    170:     print "Error. A password entry had an invalid character.\n";
                    171:     unlink('/tmp/lock_lcpasswd');
                    172:     exit 10;
                    173: }
1.5       harris41  174: 
1.15      harris41  175: # -- Only add user if we can create a brand new home directory (/home/username)
1.7       harris41  176: if (-e "/home/$safeusername") {
                    177:     print "Error. User already exists.\n" unless $noprint;
                    178:     unlink('/tmp/lock_lcpasswd');
1.13      harris41  179:     exit 11;
1.7       harris41  180: }
                    181: 
1.15      harris41  182: # -- Only add user if the two password arguments match.
1.5       harris41  183: if ($password1 ne $password2) {
1.6       harris41  184:     print "Error. Password mismatch.\n" unless $noprint;
1.5       harris41  185:     unlink('/tmp/lock_lcpasswd');
1.13      harris41  186:     exit 13;
1.5       harris41  187: }
1.4       harris41  188: 
1.15      harris41  189: # ---------------------------------- Start running script with root permissions
1.4       harris41  190: &enable_root_capability;
                    191: 
1.15      harris41  192: # ------------------- Add user and make www a member of the user-specific group
                    193: # -- Add user
1.5       harris41  194: if (system('/usr/sbin/useradd','-c','LON-CAPA user',$safeusername)) {
1.15      harris41  195:     print "Error.  Something went wrong with the addition of user ".
                    196: 	  "\"$safeusername\".\n" unless $noprint;
1.4       harris41  197:     unlink('/tmp/lock_lcpasswd');
1.13      harris41  198:     exit 12;
1.4       harris41  199: }
1.7       harris41  200: 
                    201: # Make www a member of that user group.
1.17      harris41  202: my $groups=`/usr/bin/groups www` or exit(6);
                    203: chomp $groups; $groups=~s/^\S+\s+\:\s+//;
                    204: my @grouplist=split(/\s+/,$groups);
                    205: my @ugrouplist=grep {!/www|$safeusername/} @grouplist;
                    206: my $gl=join(',',(@ugrouplist,$safeusername));
                    207: if (system('/usr/sbin/usermod','-G',$gl,'www')) {
1.15      harris41  208:     print "Error. Could not make www a member of the group ".
                    209: 	  "\"$safeusername\".\n" unless $noprint;
1.5       harris41  210:     unlink('/tmp/lock_lcpasswd');
                    211:     exit 6;
                    212: }
                    213: 
1.15      harris41  214: # ---------------------------------------------------------------- Set password
                    215: # Set password with lcpasswd (which creates smbpasswd entry).
1.2       harris41  216: 
1.15      harris41  217: unlink('/tmp/lock_lcpasswd');
                    218: &disable_root_capability;
1.16      harris41  219: ($>,$<)=($wwwid,$wwwid);
                    220: open OUT,"|/home/httpd/perl/lcpasswd";
1.15      harris41  221: print OUT $safeusername;
                    222: print OUT "\n";
                    223: print OUT $password1;
                    224: print OUT "\n";
                    225: print OUT $password1;
                    226: print OUT "\n";
                    227: close OUT;
                    228: if ($?) {
                    229:     exit 8;
1.8       harris41  230: }
1.18      harris41  231: ($>,$<)=($wwwid,0);
1.15      harris41  232: &enable_root_capability;
1.8       harris41  233: 
1.15      harris41  234: # ------------------------------ Make final modifications to the user directory
                    235: # -- Add a public_html file with a stand-in index.html file
1.8       harris41  236: 
1.15      harris41  237: # system('/bin/chmod','-R','0660',"/home/$safeusername");
                    238: system('/bin/chmod','0710',"/home/$safeusername");
1.17      harris41  239: mkdir "/home/$safeusername/public_html",0755;
1.18      harris41  240: system('/bin/chmod','02770',"/home/$safeusername/public_html");
1.11      harris41  241: open OUT,">/home/$safeusername/public_html/index.html";
1.8       harris41  242: print OUT<<END;
1.15      harris41  243: <html>
                    244: <head>
                    245: <title>$safeusername</title>
                    246: </head>
                    247: <body>
                    248: <h1>$safeusername</h1>
                    249: <p>
1.8       harris41  250: Learning Online Network
1.15      harris41  251: </p>
                    252: <p>
1.8       harris41  253: This area provides for:
1.15      harris41  254: </p>
                    255: <ul>
                    256: <li>resource construction</li>
                    257: <li>resource publication</li>
                    258: <li>record-keeping</li>
1.17      harris41  259: </ul>
                    260: </body>
                    261: </html>
1.8       harris41  262: END
                    263: close OUT;
1.11      harris41  264: system('/bin/chown','-R',"$safeusername:$safeusername","/home/$safeusername");
1.15      harris41  265: 
                    266: # -------------------------------------------------------- Exit script
1.8       harris41  267: &disable_root_capability;
                    268: exit 0;
1.1       harris41  269: 
1.15      harris41  270: # ---------------------------------------------- Have setuid script run as root
1.5       harris41  271: sub enable_root_capability {
                    272:     if ($wwwid==$>) {
                    273: 	($<,$>)=($>,$<);
                    274: 	($(,$))=($),$();
                    275:     }
                    276:     else {
                    277: 	# root capability is already enabled
                    278:     }
                    279:     return $>;
                    280: }
                    281: 
1.15      harris41  282: # ----------------------------------------------- Have setuid script run as www
1.5       harris41  283: sub disable_root_capability {
                    284:     if ($wwwid==$<) {
                    285: 	($<,$>)=($>,$<);
                    286: 	($(,$))=($),$();
                    287:     }
                    288:     else {
                    289: 	# root capability is already disabled
                    290:     }
                    291: }
                    292: 
1.15      harris41  293: # ----------------------- Make sure that another lcpasswd process isn't running
1.5       harris41  294: sub try_to_lock {
                    295:     my ($lockfile)=@_;
                    296:     my $currentpid;
                    297:     my $lastpid;
                    298:     # Do not manipulate lock file as root
                    299:     if ($>==0) {
                    300: 	return 0;
                    301:     }
                    302:     # Try to generate lock file.
                    303:     # Wait 3 seconds.  If same process id is in
                    304:     # lock file, then assume lock file is stale, and
                    305:     # go ahead.  If process id's fluctuate, try
                    306:     # for a maximum of 10 times.
                    307:     for (0..10) {
                    308: 	if (-e $lockfile) {
                    309: 	    open(LOCK,"<$lockfile");
                    310: 	    $currentpid=<LOCK>;
                    311: 	    close LOCK;
                    312: 	    if ($currentpid==$lastpid) {
                    313: 		last;
                    314: 	    }
                    315: 	    sleep 3;
                    316: 	    $lastpid=$currentpid;
                    317: 	}
                    318: 	else {
                    319: 	    last;
                    320: 	}
                    321: 	if ($_==10) {
                    322: 	    return 0;
                    323: 	}
                    324:     }
                    325:     open(LOCK,">$lockfile");
                    326:     print LOCK $$;
                    327:     close LOCK;
                    328:     return 1;
                    329: }
1.16      harris41  330: 
                    331: =head1 NAME
                    332: 
                    333: lcuseradd - LON-CAPA setuid script to coordinate all actions
                    334:             with adding a user with filesystem privileges (e.g. author)
                    335: 
                    336: =head1 DESCRIPTION
                    337: 
                    338: lcuseradd - LON-CAPA setuid script to coordinate all actions
                    339:             with adding a user with filesystem privileges (e.g. author)
                    340: 
                    341: =head1 README
                    342: 
                    343: lcuseradd - LON-CAPA setuid script to coordinate all actions
                    344:             with adding a user with filesystem privileges (e.g. author)
                    345: 
                    346: =head1 PREREQUISITES
                    347: 
                    348: =head1 COREQUISITES
                    349: 
                    350: =pod OSNAMES
                    351: 
                    352: linux
                    353: 
                    354: =pod SCRIPT CATEGORIES
                    355: 
                    356: LONCAPA/Administrative
                    357: 
                    358: =cut

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>