[BACK]Return to lcuseradd CVS log [TXT] [DIR] Up to [LON-CAPA] / loncom
File:  [LON-CAPA] / loncom / Attic / lcuseradd
Revision 1.7: download - view: text, annotated - select for diffs
Sun Oct 29 23:14:16 2000 UTC (23 years, 7 months ago) by harris41
Branches: MAIN
CVS tags: HEAD
trying to add error-checking to make sure invalid characters are not in the
user name or passwords.  lcuseradd appears to be basically working, but I
still need to implement the addition of passwords.  I cannot do this with
a system call to lcpasswd due to the restrictions of perl setuid scripts.L

    1: #!/usr/bin/perl
    2: #
    3: # lcuseradd
    4: #
    5: # Scott Harrison
    6: # October 27, 2000
    7: 
    8: use strict;
    9: 
   10: # This script is a setuid script that should
   11: # be run by user 'www'.  It creates a /home/USERNAME directory
   12: # as well as a /home/USERNAME/public_html directory.
   13: # It adds user entries to
   14: # /etc/passwd and /etc/groups.
   15: # Passwords are set with lcpasswd.
   16: # www becomes a member of this user group.
   17: 
   18: # Standard input usage
   19: # First line is USERNAME
   20: # Second line is PASSWORD
   21: # Third line is PASSWORD
   22: 
   23: # Valid passwords must consist of the
   24: # ascii characters within the inclusive
   25: # range of 0x20 (32) to 0x7E (126).
   26: # These characters are:
   27: # SPACE and
   28: # !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNO
   29: # PQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
   30: 
   31: # Valid user names must consist of ascii
   32: # characters that are alphabetical characters
   33: # (A-Z,a-z), numeric (0-9), or the underscore
   34: # mark (_). (Essentially, the perl regex \w).
   35: 
   36: # Command-line arguments [USERNAME] [PASSWORD] [PASSWORD]
   37: # Yes, but be very careful here (don't pass shell commands)
   38: # and this is only supported to allow perl-system calls.
   39: 
   40: # Usage within code
   41: #
   42: # $exitcode=system("/home/httpd/perl/lcuseradd","NAME","PASSWORD1","PASSWORD2")/256;
   43: # print "uh-oh" if $exitcode;
   44: 
   45: # These are the exit codes.
   46: 
   47: # Security
   48: $ENV{'PATH'}=""; # Nullify path information.
   49: $ENV{'BASH_ENV'}=""; # Nullify shell environment information.
   50: 
   51: # Do not print error messages if there are command-line arguments
   52: my $noprint=0;
   53: if (@ARGV) {
   54:     $noprint=1;
   55: }
   56: 
   57: # Read in /etc/passwd, and make sure this process is running from user=www
   58: open (IN, "</etc/passwd");
   59: my @lines=<IN>;
   60: close IN;
   61: my $wwwid;
   62: for my $l (@lines) {
   63:     chop $l;
   64:     my @F=split(/\:/,$l);
   65:     if ($F[0] eq 'www') {$wwwid=$F[2];}
   66: }
   67: if ($wwwid!=$<) {
   68:     print("User ID mismatch.  This program must be run as user 'www'\n") unless $noprint;
   69:     exit 1;
   70: }
   71: &disable_root_capability;
   72: 
   73: # Handle case of another lcpasswd process
   74: unless (&try_to_lock("/tmp/lock_lcpasswd")) {
   75:     print "Error. Too many other simultaneous password change requests being made.\n" unless $noprint;
   76:     exit 4;
   77: }
   78: 
   79: # Gather input.  Should be 3 values (user name, password 1, password 2).
   80: my @input;
   81: if (@ARGV==3) {
   82:     @input=@ARGV;
   83: }
   84: elsif (@ARGV) {
   85:     print("Error. This program needs 3 command-line arguments (username, password 1, password 2).\n") unless $noprint;
   86:     unlink('/tmp/lock_lcpasswd');
   87:     exit 2;
   88: }
   89: else {
   90:     @input=<>;
   91:     if (@input!=3) {
   92: 	print("Error. Three lines should be entered into standard input.\n") unless $noprint;
   93: 	unlink('/tmp/lock_lcpasswd');
   94: 	exit 3;
   95:     }
   96:     map {chop} @input;
   97: }
   98: 
   99: my ($username,$password1,$password2)=@input;
  100: $username=~/^(\w+)$/;
  101: my $safeusername=$1;
  102: 
  103: # Only add user if we can create a brand new home directory (/home/username).
  104: if (-e "/home/$safeusername") {
  105:     print "Error. User already exists.\n" unless $noprint;
  106:     unlink('/tmp/lock_lcpasswd');
  107:     exit 8;
  108: }
  109: 
  110: # Only add user if the two password arguments match.
  111: if ($password1 ne $password2) {
  112:     print "Error. Password mismatch.\n" unless $noprint;
  113:     unlink('/tmp/lock_lcpasswd');
  114:     exit 7;
  115: }
  116: 
  117: &enable_root_capability;
  118: 
  119: # Add user entry to /etc/passwd and /etc/groups in such
  120: # a way that www is a member of the user-specific group
  121: 
  122: if (system('/usr/sbin/useradd','-c','LON-CAPA user',$safeusername)) {
  123:     print "Error.  Something went wrong with the addition of user \"$safeusername\".\n" unless $noprint;
  124:     unlink('/tmp/lock_lcpasswd');
  125:     exit 5;
  126: }
  127: 
  128: # Make www a member of that user group.
  129: if (system('/usr/sbin/usermod','-G',$safeusername,'www')) {
  130:     print "Error. Could not make www a member of the group \"$safeusername\".\n" unless $noprint;
  131:     unlink('/tmp/lock_lcpasswd');
  132:     exit 6;
  133: }
  134: 
  135: # Set password with lcpasswd-style algorithm (which creates smbpasswd entry).
  136: # I cannot place a direct shell call to lcpasswd since I have to allow
  137: # for crazy characters in the password, and the setuid environment of perl
  138: # requires me to make everything safe.
  139: 
  140: 
  141: 
  142: 
  143: # ----------------------------------------------------------- have setuid script run as root
  144: sub enable_root_capability {
  145:     if ($wwwid==$>) {
  146: 	($<,$>)=($>,$<);
  147: 	($(,$))=($),$();
  148:     }
  149:     else {
  150: 	# root capability is already enabled
  151:     }
  152:     return $>;
  153: }
  154: 
  155: # ----------------------------------------------------------- have setuid script run as www
  156: sub disable_root_capability {
  157:     if ($wwwid==$<) {
  158: 	($<,$>)=($>,$<);
  159: 	($(,$))=($),$();
  160:     }
  161:     else {
  162: 	# root capability is already disabled
  163:     }
  164: }
  165: 
  166: # ----------------------------------- make sure that another lcpasswd process isn't running
  167: sub try_to_lock {
  168:     my ($lockfile)=@_;
  169:     my $currentpid;
  170:     my $lastpid;
  171:     # Do not manipulate lock file as root
  172:     if ($>==0) {
  173: 	return 0;
  174:     }
  175:     # Try to generate lock file.
  176:     # Wait 3 seconds.  If same process id is in
  177:     # lock file, then assume lock file is stale, and
  178:     # go ahead.  If process id's fluctuate, try
  179:     # for a maximum of 10 times.
  180:     for (0..10) {
  181: 	if (-e $lockfile) {
  182: 	    open(LOCK,"<$lockfile");
  183: 	    $currentpid=<LOCK>;
  184: 	    close LOCK;
  185: 	    if ($currentpid==$lastpid) {
  186: 		last;
  187: 	    }
  188: 	    sleep 3;
  189: 	    $lastpid=$currentpid;
  190: 	}
  191: 	else {
  192: 	    last;
  193: 	}
  194: 	if ($_==10) {
  195: 	    return 0;
  196: 	}
  197:     }
  198:     open(LOCK,">$lockfile");
  199:     print LOCK $$;
  200:     close LOCK;
  201:     return 1;
  202: }
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>