Annotation of loncom/lcuseradd, revision 1.24

1.1       harris41    1: #!/usr/bin/perl
1.16      harris41    2: 
                      3: # The Learning Online Network with CAPA
1.1       harris41    4: #
1.16      harris41    5: # lcuseradd - LON-CAPA setuid script to coordinate all actions
                      6: #             with adding a user with filesystem privileges (e.g. author)
1.1       harris41    7: #
1.16      harris41    8: # YEAR=2000
                      9: # 10/27,10/29,10/30 Scott Harrison
1.15      harris41   10: # YEAR=2001
1.16      harris41   11: # 10/21,11/13,11/15 Scott Harrison
1.20      foxr       12: # YEAR=2002
                     13: #   May 19, 2002 Ron Fox
                     14: #      - Removed creation of the pulic_html directory.  This directory
                     15: #        can now be added in two ways:
                     16: #        o The user can add it themselves if they want some local web
                     17: #          space which may or may not contain construction items.
                     18: #        o LonCapa will add it if/when the user is granted an Author
                     19: #          role.
1.16      harris41   20: #
1.24    ! www        21: # $Id: lcuseradd,v 1.23 2002/09/19 02:02:59 foxr Exp $
1.16      harris41   22: ###
1.15      harris41   23: 
                     24: ###############################################################################
                     25: ##                                                                           ##
                     26: ## ORGANIZATION OF THIS PERL SCRIPT                                          ##
                     27: ##                                                                           ##
                     28: ## 1. Description of script                                                  ##
                     29: ## 2. Invoking script (standard input)                                       ##
                     30: ## 3. Example usage inside another piece of code                             ##
                     31: ## 4. Description of functions                                               ##
                     32: ## 5. Exit codes                                                             ##
                     33: ## 6. Initializations                                                        ##
                     34: ## 7. Make sure this process is running from user=www                        ##
                     35: ## 8. Start running script with www permissions                              ##
                     36: ## 9. Handle case of another lcpasswd process (locking)                      ##
                     37: ## 10. Error-check input, need 3 values (user name, password 1, password 2)  ##
                     38: ## 11. Start running script with root permissions                            ##
                     39: ## 12. Add user and make www a member of the user-specific group             ##
                     40: ## 13. Set password                                                          ##
                     41: ## 14. Make final modifications to the user directory                        ##
                     42: ## 15. Exit script (unlock)                                                  ##
                     43: ##                                                                           ##
                     44: ###############################################################################
1.1       harris41   45: 
                     46: use strict;
                     47: 
1.15      harris41   48: # ------------------------------------------------------- Description of script
                     49: #
1.1       harris41   50: # This script is a setuid script that should
1.20      foxr       51: # be run by user 'www'.  It creates a /home/USERNAME directory.
1.15      harris41   52: # It adds a user to the unix system.
1.2       harris41   53: # Passwords are set with lcpasswd.
                     54: # www becomes a member of this user group.
1.1       harris41   55: 
1.15      harris41   56: # -------------- Invoking script (standard input versus command-line arguments)
                     57: #
                     58: # Standard input (STDIN) usage
1.1       harris41   59: # First line is USERNAME
                     60: # Second line is PASSWORD
1.3       harris41   61: # Third line is PASSWORD
1.15      harris41   62: #
                     63: # Command-line arguments [USERNAME] [PASSWORD] [PASSWORD]
                     64: # Yes, but be very careful here (don't pass shell commands)
                     65: # and this is only supported to allow perl-system calls.
                     66: #
1.7       harris41   67: # Valid passwords must consist of the
                     68: # ascii characters within the inclusive
                     69: # range of 0x20 (32) to 0x7E (126).
                     70: # These characters are:
                     71: # SPACE and
                     72: # !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNO
                     73: # PQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
1.15      harris41   74: #
1.7       harris41   75: # Valid user names must consist of ascii
                     76: # characters that are alphabetical characters
                     77: # (A-Z,a-z), numeric (0-9), or the underscore
                     78: # mark (_). (Essentially, the perl regex \w).
1.15      harris41   79: # User names must begin with an alphabetical character
                     80: # (A-Z,a-z).
1.7       harris41   81: 
1.15      harris41   82: # ---------------------------------- Example usage inside another piece of code
1.4       harris41   83: # Usage within code
                     84: #
1.15      harris41   85: # $exitcode=
                     86: #      system("/home/httpd/perl/lcuseradd","NAME","PASSWORD1","PASSWORD2")/256;
1.4       harris41   87: # print "uh-oh" if $exitcode;
                     88: 
1.15      harris41   89: # ---------------------------------------------------- Description of functions
                     90: # enable_root_capability() : have setuid script run as root
                     91: # disable_root_capability() : have setuid script run as www
                     92: # try_to_lock() : make sure that another lcpasswd process isn't running
                     93: 
                     94: # ------------------------------------------------------------------ Exit codes
1.4       harris41   95: # These are the exit codes.
1.13      harris41   96: # ( (0,"ok"),
                     97: # (1,"User ID mismatch.  This program must be run as user 'www'"),
1.15      harris41   98: # (2,"Error. This program needs 3 command-line arguments (username, ".
                     99: #    "password 1, password 2)."),
1.13      harris41  100: # (3,"Error. Three lines should be entered into standard input."),
1.15      harris41  101: # (4,"Error. Too many other simultaneous password change requests being ".
                    102: #    "made."),
1.13      harris41  103: # (5,"Error. User $username does not exist."),
                    104: # (6,"Error. Could not make www a member of the group \"$safeusername\"."),
                    105: # (7,"Error. Root was not successfully enabled.),
1.15      harris41  106: # (8,"Error. Cannot set password."),
1.13      harris41  107: # (9,"Error. The user name specified has invalid characters."),
                    108: # (10,"Error. A password entry had an invalid character."),
                    109: # (11,"Error. User already exists.),
1.15      harris41  110: # (12,"Error. Something went wrong with the addition of user ".
                    111: #     "\"$safeusername\"."),
1.13      harris41  112: # (13,"Error. Password mismatch."),
1.4       harris41  113: 
1.15      harris41  114: # ------------------------------------------------------------- Initializations
1.1       harris41  115: # Security
1.15      harris41  116: $ENV{'PATH'}='/bin/:/usr/bin:/usr/local/sbin:/home/httpd/perl'; # Nullify path
                    117:                                                                 # information
1.16      harris41  118: delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; # nullify potential taints
1.2       harris41  119: 
1.15      harris41  120: # Do not print error messages.
                    121: my $noprint=1;
                    122: 
1.23      foxr      123: print "In lcuseradd\n" unless $noprint;
                    124: 
1.15      harris41  125: # ----------------------------- Make sure this process is running from user=www
                    126: my $wwwid=getpwnam('www');
                    127: &disable_root_capability;
                    128: if ($wwwid!=$>) {
                    129:     print("User ID mismatch.  This program must be run as user 'www'\n")
                    130: 	unless $noprint;
1.4       harris41  131:     exit 1;
                    132: }
1.15      harris41  133: 
                    134: # ----------------------------------- Start running script with www permissions
1.4       harris41  135: &disable_root_capability;
                    136: 
1.15      harris41  137: # --------------------------- Handle case of another lcpasswd process (locking)
1.4       harris41  138: unless (&try_to_lock("/tmp/lock_lcpasswd")) {
1.15      harris41  139:     print "Error. Too many other simultaneous password change requests being ".
                    140: 	"made.\n" unless $noprint;
1.4       harris41  141:     exit 4;
                    142: }
                    143: 
1.15      harris41  144: # ------- Error-check input, need 3 values (user name, password 1, password 2).
1.4       harris41  145: my @input;
1.5       harris41  146: if (@ARGV==3) {
1.4       harris41  147:     @input=@ARGV;
                    148: }
                    149: elsif (@ARGV) {
1.15      harris41  150:     print("Error. This program needs 3 command-line arguments (username, ".
                    151: 	  "password 1, password 2).\n") unless $noprint;
1.4       harris41  152:     unlink('/tmp/lock_lcpasswd');
                    153:     exit 2;
                    154: }
                    155: else {
                    156:     @input=<>;
1.5       harris41  157:     if (@input!=3) {
1.15      harris41  158: 	print("Error. Three lines should be entered into standard input.\n")
                    159: 	    unless $noprint;
1.4       harris41  160: 	unlink('/tmp/lock_lcpasswd');
                    161: 	exit 3;
                    162:     }
1.19      harris41  163:     foreach (@input) {chomp;}
1.4       harris41  164: }
                    165: 
                    166: my ($username,$password1,$password2)=@input;
1.23      foxr      167: print "Username = ".$username."\n" unless $noprint;
1.4       harris41  168: $username=~/^(\w+)$/;
1.22      foxr      169: print "Username after substitution - ".$username unless $noprint;
1.4       harris41  170: my $safeusername=$1;
1.23      foxr      171: print "Safe username = $safeusername \n" unless $noprint;
1.22      foxr      172: 
1.15      harris41  173: if (($username ne $safeusername) or ($safeusername!~/^[A-Za-z]/)) {
1.22      foxr      174:     print "Error. The user name specified $username $safeusername  has invalid characters.\n"
1.15      harris41  175: 	unless $noprint;
1.8       harris41  176:     unlink('/tmp/lock_lcpasswd');
                    177:     exit 9;
                    178: }
                    179: my $pbad=0;
1.19      harris41  180: foreach (split(//,$password1)) {if ((ord($_)<32)||(ord($_)>126)){$pbad=1;}}
                    181: foreach (split(//,$password2)) {if ((ord($_)<32)||(ord($_)>126)){$pbad=1;}}
1.8       harris41  182: if ($pbad) {
                    183:     print "Error. A password entry had an invalid character.\n";
                    184:     unlink('/tmp/lock_lcpasswd');
                    185:     exit 10;
                    186: }
1.5       harris41  187: 
1.15      harris41  188: # -- Only add user if we can create a brand new home directory (/home/username)
1.7       harris41  189: if (-e "/home/$safeusername") {
                    190:     print "Error. User already exists.\n" unless $noprint;
                    191:     unlink('/tmp/lock_lcpasswd');
1.13      harris41  192:     exit 11;
1.7       harris41  193: }
                    194: 
1.15      harris41  195: # -- Only add user if the two password arguments match.
1.23      foxr      196: 
1.5       harris41  197: if ($password1 ne $password2) {
1.6       harris41  198:     print "Error. Password mismatch.\n" unless $noprint;
1.5       harris41  199:     unlink('/tmp/lock_lcpasswd');
1.13      harris41  200:     exit 13;
1.5       harris41  201: }
1.23      foxr      202: print "enabling root\n" unless $noprint;
1.15      harris41  203: # ---------------------------------- Start running script with root permissions
1.4       harris41  204: &enable_root_capability;
                    205: 
1.15      harris41  206: # ------------------- Add user and make www a member of the user-specific group
                    207: # -- Add user
1.23      foxr      208: 
                    209: print "adding user: $safeusername \n" unless $noprint;
                    210: my $status = system('/usr/sbin/useradd','-c','LON-CAPA user',$safeusername);
                    211: if ($status) {
1.15      harris41  212:     print "Error.  Something went wrong with the addition of user ".
                    213: 	  "\"$safeusername\".\n" unless $noprint;
1.23      foxr      214:     print "Final status of useradd = $status";
1.4       harris41  215:     unlink('/tmp/lock_lcpasswd');
1.13      harris41  216:     exit 12;
1.4       harris41  217: }
1.23      foxr      218: print "Done adding user\n" unless $noprint;
1.7       harris41  219: # Make www a member of that user group.
1.17      harris41  220: my $groups=`/usr/bin/groups www` or exit(6);
                    221: chomp $groups; $groups=~s/^\S+\s+\:\s+//;
                    222: my @grouplist=split(/\s+/,$groups);
                    223: my @ugrouplist=grep {!/www|$safeusername/} @grouplist;
                    224: my $gl=join(',',(@ugrouplist,$safeusername));
1.23      foxr      225: print "Putting user in its own group\n" unless $noprint;
1.17      harris41  226: if (system('/usr/sbin/usermod','-G',$gl,'www')) {
1.15      harris41  227:     print "Error. Could not make www a member of the group ".
                    228: 	  "\"$safeusername\".\n" unless $noprint;
1.5       harris41  229:     unlink('/tmp/lock_lcpasswd');
                    230:     exit 6;
                    231: }
                    232: 
1.15      harris41  233: # ---------------------------------------------------------------- Set password
                    234: # Set password with lcpasswd (which creates smbpasswd entry).
1.2       harris41  235: 
1.15      harris41  236: unlink('/tmp/lock_lcpasswd');
                    237: &disable_root_capability;
1.16      harris41  238: ($>,$<)=($wwwid,$wwwid);
1.23      foxr      239: print "Opening lcpasswd pipeline\n" unless $noprint;
1.16      harris41  240: open OUT,"|/home/httpd/perl/lcpasswd";
1.15      harris41  241: print OUT $safeusername;
                    242: print OUT "\n";
                    243: print OUT $password1;
                    244: print OUT "\n";
                    245: print OUT $password1;
                    246: print OUT "\n";
                    247: close OUT;
                    248: if ($?) {
1.23      foxr      249:     print "abnormal exit from close lcpasswd\n" unless $noprint;
1.15      harris41  250:     exit 8;
1.8       harris41  251: }
1.18      harris41  252: ($>,$<)=($wwwid,0);
1.15      harris41  253: &enable_root_capability;
1.8       harris41  254: 
1.20      foxr      255: # -- Don't add public_html... that can be added either by the user
                    256: #    or by lchtmldir when the user is granted an authorship role.
                    257: 
1.15      harris41  258: # ------------------------------ Make final modifications to the user directory
                    259: # -- Add a public_html file with a stand-in index.html file
1.8       harris41  260: 
1.21      foxr      261:  system('/bin/chmod','-R','0660',"/home/$safeusername");
                    262: system('/bin/chmod','0710',"/home/$safeusername");
                    263: mkdir "/home/$safeusername/public_html",0755;
                    264: system('/bin/chmod','02770',"/home/$safeusername/public_html");
                    265: open OUT,">/home/$safeusername/public_html/index.html";
                    266: print OUT<<END;
                    267: <html>
                    268: <head>
                    269: <title>$safeusername</title>
                    270: </head>
                    271: <body>
1.24    ! www       272: <h1>Construction Space</h1>
        !           273: <h3>$safeusername</h3>
1.21      foxr      274: </body>
                    275: </html>
                    276: END
                    277: close OUT;
1.20      foxr      278: 
1.24    ! www       279: print "lcuseradd ownership\n" unless $noprint;
1.11      harris41  280: system('/bin/chown','-R',"$safeusername:$safeusername","/home/$safeusername");
1.24    ! www       281: # ---------------------------------------------------- Gracefull Apache Restart
        !           282: if (-e '/var/run/httpd.pid') {
        !           283:     print "lcuseradd Apache restart\n" unless $noprint;
        !           284:     open(PID,'/var/run/httpd.pid');
        !           285:     my $pid=<PID>;
        !           286:     close(PID);
        !           287:     $pid=~s/\D+//g;
        !           288:     if ($pid) {
        !           289: 	system('kill','-USR1',"$pid");
        !           290:     }
        !           291: }
1.15      harris41  292: # -------------------------------------------------------- Exit script
1.24    ! www       293: print "lcuseradd exiting\n" unless $noprint;
1.8       harris41  294: &disable_root_capability;
                    295: exit 0;
1.1       harris41  296: 
1.15      harris41  297: # ---------------------------------------------- Have setuid script run as root
1.5       harris41  298: sub enable_root_capability {
                    299:     if ($wwwid==$>) {
1.23      foxr      300: 	($<,$>)=($>,0);
                    301: 	($(,$))=($),0);
1.5       harris41  302:     }
                    303:     else {
                    304: 	# root capability is already enabled
                    305:     }
                    306:     return $>;
                    307: }
                    308: 
1.15      harris41  309: # ----------------------------------------------- Have setuid script run as www
1.5       harris41  310: sub disable_root_capability {
                    311:     if ($wwwid==$<) {
                    312: 	($<,$>)=($>,$<);
                    313: 	($(,$))=($),$();
                    314:     }
                    315:     else {
                    316: 	# root capability is already disabled
                    317:     }
                    318: }
                    319: 
1.15      harris41  320: # ----------------------- Make sure that another lcpasswd process isn't running
1.5       harris41  321: sub try_to_lock {
                    322:     my ($lockfile)=@_;
                    323:     my $currentpid;
                    324:     my $lastpid;
                    325:     # Do not manipulate lock file as root
                    326:     if ($>==0) {
                    327: 	return 0;
                    328:     }
                    329:     # Try to generate lock file.
                    330:     # Wait 3 seconds.  If same process id is in
                    331:     # lock file, then assume lock file is stale, and
                    332:     # go ahead.  If process id's fluctuate, try
                    333:     # for a maximum of 10 times.
                    334:     for (0..10) {
                    335: 	if (-e $lockfile) {
                    336: 	    open(LOCK,"<$lockfile");
                    337: 	    $currentpid=<LOCK>;
                    338: 	    close LOCK;
                    339: 	    if ($currentpid==$lastpid) {
                    340: 		last;
                    341: 	    }
                    342: 	    sleep 3;
                    343: 	    $lastpid=$currentpid;
                    344: 	}
                    345: 	else {
                    346: 	    last;
                    347: 	}
                    348: 	if ($_==10) {
                    349: 	    return 0;
                    350: 	}
                    351:     }
                    352:     open(LOCK,">$lockfile");
                    353:     print LOCK $$;
                    354:     close LOCK;
                    355:     return 1;
                    356: }
1.16      harris41  357: 
                    358: =head1 NAME
                    359: 
                    360: lcuseradd - LON-CAPA setuid script to coordinate all actions
                    361:             with adding a user with filesystem privileges (e.g. author)
                    362: 
                    363: =head1 DESCRIPTION
                    364: 
                    365: lcuseradd - LON-CAPA setuid script to coordinate all actions
                    366:             with adding a user with filesystem privileges (e.g. author)
                    367: 
                    368: =head1 README
                    369: 
                    370: lcuseradd - LON-CAPA setuid script to coordinate all actions
                    371:             with adding a user with filesystem privileges (e.g. author)
                    372: 
                    373: =head1 PREREQUISITES
                    374: 
                    375: =head1 COREQUISITES
                    376: 
                    377: =pod OSNAMES
                    378: 
                    379: linux
                    380: 
                    381: =pod SCRIPT CATEGORIES
                    382: 
                    383: LONCAPA/Administrative
                    384: 
                    385: =cut

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>