Annotation of loncom/lcuseradd, revision 1.22
1.1 harris41 1: #!/usr/bin/perl
1.16 harris41 2:
3: # The Learning Online Network with CAPA
1.1 harris41 4: #
1.16 harris41 5: # lcuseradd - LON-CAPA setuid script to coordinate all actions
6: # with adding a user with filesystem privileges (e.g. author)
1.1 harris41 7: #
1.16 harris41 8: # YEAR=2000
9: # 10/27,10/29,10/30 Scott Harrison
1.15 harris41 10: # YEAR=2001
1.16 harris41 11: # 10/21,11/13,11/15 Scott Harrison
1.20 foxr 12: # YEAR=2002
13: # May 19, 2002 Ron Fox
14: # - Removed creation of the pulic_html directory. This directory
15: # can now be added in two ways:
16: # o The user can add it themselves if they want some local web
17: # space which may or may not contain construction items.
18: # o LonCapa will add it if/when the user is granted an Author
19: # role.
1.16 harris41 20: #
1.22 ! foxr 21: # $Id: lcuseradd,v 1.21 2002/05/03 03:43:54 foxr Exp $
1.16 harris41 22: ###
1.15 harris41 23:
24: ###############################################################################
25: ## ##
26: ## ORGANIZATION OF THIS PERL SCRIPT ##
27: ## ##
28: ## 1. Description of script ##
29: ## 2. Invoking script (standard input) ##
30: ## 3. Example usage inside another piece of code ##
31: ## 4. Description of functions ##
32: ## 5. Exit codes ##
33: ## 6. Initializations ##
34: ## 7. Make sure this process is running from user=www ##
35: ## 8. Start running script with www permissions ##
36: ## 9. Handle case of another lcpasswd process (locking) ##
37: ## 10. Error-check input, need 3 values (user name, password 1, password 2) ##
38: ## 11. Start running script with root permissions ##
39: ## 12. Add user and make www a member of the user-specific group ##
40: ## 13. Set password ##
41: ## 14. Make final modifications to the user directory ##
42: ## 15. Exit script (unlock) ##
43: ## ##
44: ###############################################################################
1.1 harris41 45:
46: use strict;
47:
1.15 harris41 48: # ------------------------------------------------------- Description of script
49: #
1.1 harris41 50: # This script is a setuid script that should
1.20 foxr 51: # be run by user 'www'. It creates a /home/USERNAME directory.
1.15 harris41 52: # It adds a user to the unix system.
1.2 harris41 53: # Passwords are set with lcpasswd.
54: # www becomes a member of this user group.
1.1 harris41 55:
1.15 harris41 56: # -------------- Invoking script (standard input versus command-line arguments)
57: #
58: # Standard input (STDIN) usage
1.1 harris41 59: # First line is USERNAME
60: # Second line is PASSWORD
1.3 harris41 61: # Third line is PASSWORD
1.15 harris41 62: #
63: # Command-line arguments [USERNAME] [PASSWORD] [PASSWORD]
64: # Yes, but be very careful here (don't pass shell commands)
65: # and this is only supported to allow perl-system calls.
66: #
1.7 harris41 67: # Valid passwords must consist of the
68: # ascii characters within the inclusive
69: # range of 0x20 (32) to 0x7E (126).
70: # These characters are:
71: # SPACE and
72: # !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNO
73: # PQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
1.15 harris41 74: #
1.7 harris41 75: # Valid user names must consist of ascii
76: # characters that are alphabetical characters
77: # (A-Z,a-z), numeric (0-9), or the underscore
78: # mark (_). (Essentially, the perl regex \w).
1.15 harris41 79: # User names must begin with an alphabetical character
80: # (A-Z,a-z).
1.7 harris41 81:
1.15 harris41 82: # ---------------------------------- Example usage inside another piece of code
1.4 harris41 83: # Usage within code
84: #
1.15 harris41 85: # $exitcode=
86: # system("/home/httpd/perl/lcuseradd","NAME","PASSWORD1","PASSWORD2")/256;
1.4 harris41 87: # print "uh-oh" if $exitcode;
88:
1.15 harris41 89: # ---------------------------------------------------- Description of functions
90: # enable_root_capability() : have setuid script run as root
91: # disable_root_capability() : have setuid script run as www
92: # try_to_lock() : make sure that another lcpasswd process isn't running
93:
94: # ------------------------------------------------------------------ Exit codes
1.4 harris41 95: # These are the exit codes.
1.13 harris41 96: # ( (0,"ok"),
97: # (1,"User ID mismatch. This program must be run as user 'www'"),
1.15 harris41 98: # (2,"Error. This program needs 3 command-line arguments (username, ".
99: # "password 1, password 2)."),
1.13 harris41 100: # (3,"Error. Three lines should be entered into standard input."),
1.15 harris41 101: # (4,"Error. Too many other simultaneous password change requests being ".
102: # "made."),
1.13 harris41 103: # (5,"Error. User $username does not exist."),
104: # (6,"Error. Could not make www a member of the group \"$safeusername\"."),
105: # (7,"Error. Root was not successfully enabled.),
1.15 harris41 106: # (8,"Error. Cannot set password."),
1.13 harris41 107: # (9,"Error. The user name specified has invalid characters."),
108: # (10,"Error. A password entry had an invalid character."),
109: # (11,"Error. User already exists.),
1.15 harris41 110: # (12,"Error. Something went wrong with the addition of user ".
111: # "\"$safeusername\"."),
1.13 harris41 112: # (13,"Error. Password mismatch."),
1.4 harris41 113:
1.15 harris41 114: # ------------------------------------------------------------- Initializations
1.1 harris41 115: # Security
1.15 harris41 116: $ENV{'PATH'}='/bin/:/usr/bin:/usr/local/sbin:/home/httpd/perl'; # Nullify path
117: # information
1.16 harris41 118: delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; # nullify potential taints
1.2 harris41 119:
1.15 harris41 120: # Do not print error messages.
121: my $noprint=1;
122:
123: # ----------------------------- Make sure this process is running from user=www
124: my $wwwid=getpwnam('www');
125: &disable_root_capability;
126: if ($wwwid!=$>) {
127: print("User ID mismatch. This program must be run as user 'www'\n")
128: unless $noprint;
1.4 harris41 129: exit 1;
130: }
1.15 harris41 131:
132: # ----------------------------------- Start running script with www permissions
1.4 harris41 133: &disable_root_capability;
134:
1.15 harris41 135: # --------------------------- Handle case of another lcpasswd process (locking)
1.4 harris41 136: unless (&try_to_lock("/tmp/lock_lcpasswd")) {
1.15 harris41 137: print "Error. Too many other simultaneous password change requests being ".
138: "made.\n" unless $noprint;
1.4 harris41 139: exit 4;
140: }
141:
1.15 harris41 142: # ------- Error-check input, need 3 values (user name, password 1, password 2).
1.4 harris41 143: my @input;
1.5 harris41 144: if (@ARGV==3) {
1.4 harris41 145: @input=@ARGV;
146: }
147: elsif (@ARGV) {
1.15 harris41 148: print("Error. This program needs 3 command-line arguments (username, ".
149: "password 1, password 2).\n") unless $noprint;
1.4 harris41 150: unlink('/tmp/lock_lcpasswd');
151: exit 2;
152: }
153: else {
154: @input=<>;
1.5 harris41 155: if (@input!=3) {
1.15 harris41 156: print("Error. Three lines should be entered into standard input.\n")
157: unless $noprint;
1.4 harris41 158: unlink('/tmp/lock_lcpasswd');
159: exit 3;
160: }
1.19 harris41 161: foreach (@input) {chomp;}
1.4 harris41 162: }
163:
164: my ($username,$password1,$password2)=@input;
1.22 ! foxr 165: print "Username = ".$username unless $noprint;
1.4 harris41 166: $username=~/^(\w+)$/;
1.22 ! foxr 167: print "Username after substitution - ".$username unless $noprint;
1.4 harris41 168: my $safeusername=$1;
1.22 ! foxr 169: print "Safe username = $safeusername" unless $noprint;
! 170:
1.15 harris41 171: if (($username ne $safeusername) or ($safeusername!~/^[A-Za-z]/)) {
1.22 ! foxr 172: print "Error. The user name specified $username $safeusername has invalid characters.\n"
1.15 harris41 173: unless $noprint;
1.8 harris41 174: unlink('/tmp/lock_lcpasswd');
175: exit 9;
176: }
177: my $pbad=0;
1.19 harris41 178: foreach (split(//,$password1)) {if ((ord($_)<32)||(ord($_)>126)){$pbad=1;}}
179: foreach (split(//,$password2)) {if ((ord($_)<32)||(ord($_)>126)){$pbad=1;}}
1.8 harris41 180: if ($pbad) {
181: print "Error. A password entry had an invalid character.\n";
182: unlink('/tmp/lock_lcpasswd');
183: exit 10;
184: }
1.5 harris41 185:
1.15 harris41 186: # -- Only add user if we can create a brand new home directory (/home/username)
1.7 harris41 187: if (-e "/home/$safeusername") {
188: print "Error. User already exists.\n" unless $noprint;
189: unlink('/tmp/lock_lcpasswd');
1.13 harris41 190: exit 11;
1.7 harris41 191: }
192:
1.15 harris41 193: # -- Only add user if the two password arguments match.
1.5 harris41 194: if ($password1 ne $password2) {
1.6 harris41 195: print "Error. Password mismatch.\n" unless $noprint;
1.5 harris41 196: unlink('/tmp/lock_lcpasswd');
1.13 harris41 197: exit 13;
1.5 harris41 198: }
1.4 harris41 199:
1.15 harris41 200: # ---------------------------------- Start running script with root permissions
1.4 harris41 201: &enable_root_capability;
202:
1.15 harris41 203: # ------------------- Add user and make www a member of the user-specific group
204: # -- Add user
1.5 harris41 205: if (system('/usr/sbin/useradd','-c','LON-CAPA user',$safeusername)) {
1.15 harris41 206: print "Error. Something went wrong with the addition of user ".
207: "\"$safeusername\".\n" unless $noprint;
1.4 harris41 208: unlink('/tmp/lock_lcpasswd');
1.13 harris41 209: exit 12;
1.4 harris41 210: }
1.7 harris41 211:
212: # Make www a member of that user group.
1.17 harris41 213: my $groups=`/usr/bin/groups www` or exit(6);
214: chomp $groups; $groups=~s/^\S+\s+\:\s+//;
215: my @grouplist=split(/\s+/,$groups);
216: my @ugrouplist=grep {!/www|$safeusername/} @grouplist;
217: my $gl=join(',',(@ugrouplist,$safeusername));
218: if (system('/usr/sbin/usermod','-G',$gl,'www')) {
1.15 harris41 219: print "Error. Could not make www a member of the group ".
220: "\"$safeusername\".\n" unless $noprint;
1.5 harris41 221: unlink('/tmp/lock_lcpasswd');
222: exit 6;
223: }
224:
1.15 harris41 225: # ---------------------------------------------------------------- Set password
226: # Set password with lcpasswd (which creates smbpasswd entry).
1.2 harris41 227:
1.15 harris41 228: unlink('/tmp/lock_lcpasswd');
229: &disable_root_capability;
1.16 harris41 230: ($>,$<)=($wwwid,$wwwid);
231: open OUT,"|/home/httpd/perl/lcpasswd";
1.15 harris41 232: print OUT $safeusername;
233: print OUT "\n";
234: print OUT $password1;
235: print OUT "\n";
236: print OUT $password1;
237: print OUT "\n";
238: close OUT;
239: if ($?) {
240: exit 8;
1.8 harris41 241: }
1.18 harris41 242: ($>,$<)=($wwwid,0);
1.15 harris41 243: &enable_root_capability;
1.8 harris41 244:
1.20 foxr 245: # -- Don't add public_html... that can be added either by the user
246: # or by lchtmldir when the user is granted an authorship role.
247:
1.15 harris41 248: # ------------------------------ Make final modifications to the user directory
249: # -- Add a public_html file with a stand-in index.html file
1.8 harris41 250:
1.21 foxr 251: system('/bin/chmod','-R','0660',"/home/$safeusername");
252: system('/bin/chmod','0710',"/home/$safeusername");
253: mkdir "/home/$safeusername/public_html",0755;
254: system('/bin/chmod','02770',"/home/$safeusername/public_html");
255: open OUT,">/home/$safeusername/public_html/index.html";
256: print OUT<<END;
257: <html>
258: <head>
259: <title>$safeusername</title>
260: </head>
261: <body>
262: <h1>$safeusername</h1>
263: <p>
264: Learning Online Network
265: </p>
266: <p>
267: This area provides for:
268: </p>
269: <ul>
270: <li>resource construction</li>
271: <li>resource publication</li>
272: <li>record-keeping</li>
273: </ul>
274: </body>
275: </html>
276: END
277: close OUT;
1.20 foxr 278:
1.11 harris41 279: system('/bin/chown','-R',"$safeusername:$safeusername","/home/$safeusername");
1.15 harris41 280:
281: # -------------------------------------------------------- Exit script
1.8 harris41 282: &disable_root_capability;
283: exit 0;
1.1 harris41 284:
1.15 harris41 285: # ---------------------------------------------- Have setuid script run as root
1.5 harris41 286: sub enable_root_capability {
287: if ($wwwid==$>) {
288: ($<,$>)=($>,$<);
289: ($(,$))=($),$();
290: }
291: else {
292: # root capability is already enabled
293: }
294: return $>;
295: }
296:
1.15 harris41 297: # ----------------------------------------------- Have setuid script run as www
1.5 harris41 298: sub disable_root_capability {
299: if ($wwwid==$<) {
300: ($<,$>)=($>,$<);
301: ($(,$))=($),$();
302: }
303: else {
304: # root capability is already disabled
305: }
306: }
307:
1.15 harris41 308: # ----------------------- Make sure that another lcpasswd process isn't running
1.5 harris41 309: sub try_to_lock {
310: my ($lockfile)=@_;
311: my $currentpid;
312: my $lastpid;
313: # Do not manipulate lock file as root
314: if ($>==0) {
315: return 0;
316: }
317: # Try to generate lock file.
318: # Wait 3 seconds. If same process id is in
319: # lock file, then assume lock file is stale, and
320: # go ahead. If process id's fluctuate, try
321: # for a maximum of 10 times.
322: for (0..10) {
323: if (-e $lockfile) {
324: open(LOCK,"<$lockfile");
325: $currentpid=<LOCK>;
326: close LOCK;
327: if ($currentpid==$lastpid) {
328: last;
329: }
330: sleep 3;
331: $lastpid=$currentpid;
332: }
333: else {
334: last;
335: }
336: if ($_==10) {
337: return 0;
338: }
339: }
340: open(LOCK,">$lockfile");
341: print LOCK $$;
342: close LOCK;
343: return 1;
344: }
1.16 harris41 345:
346: =head1 NAME
347:
348: lcuseradd - LON-CAPA setuid script to coordinate all actions
349: with adding a user with filesystem privileges (e.g. author)
350:
351: =head1 DESCRIPTION
352:
353: lcuseradd - LON-CAPA setuid script to coordinate all actions
354: with adding a user with filesystem privileges (e.g. author)
355:
356: =head1 README
357:
358: lcuseradd - LON-CAPA setuid script to coordinate all actions
359: with adding a user with filesystem privileges (e.g. author)
360:
361: =head1 PREREQUISITES
362:
363: =head1 COREQUISITES
364:
365: =pod OSNAMES
366:
367: linux
368:
369: =pod SCRIPT CATEGORIES
370:
371: LONCAPA/Administrative
372:
373: =cut
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/back.gif){kind=icon}
Return to lcuseradd CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [LON-CAPA] / loncom