[BACK]Return to lcuseradd CVS log [TXT] [DIR] Up to [LON-CAPA] / loncom
File:  [LON-CAPA] / loncom / Attic / lcuseradd
Revision 1.5: download - view: text, annotated - select for diffs
Sun Oct 29 22:50:56 2000 UTC (23 years, 6 months ago) by harris41
Branches: MAIN
CVS tags: HEAD
various small changes..

    1: #!/usr/bin/perl
    2: #
    3: # lcuseradd
    4: #
    5: # Scott Harrison
    6: # October 27, 2000
    7: 
    8: use strict;
    9: 
   10: # This script is a setuid script that should
   11: # be run by user 'www'.  It creates a /home/USERNAME directory
   12: # as well as a /home/USERNAME/public_html directory.
   13: # It adds user entries to
   14: # /etc/passwd and /etc/groups.
   15: # Passwords are set with lcpasswd.
   16: # www becomes a member of this user group.
   17: 
   18: # Standard input usage
   19: # First line is USERNAME
   20: # Second line is PASSWORD
   21: # Third line is PASSWORD
   22: 
   23: # Command-line arguments [USERNAME] [PASSWORD] [PASSWORD]
   24: # Yes, but be very careful here (don't pass shell commands)
   25: # and this is only supported to allow perl-system calls.
   26: 
   27: # Usage within code
   28: #
   29: # $exitcode=system("/home/httpd/perl/lcuseradd","NAME","PASSWORD1","PASSWORD2")/256;
   30: # print "uh-oh" if $exitcode;
   31: 
   32: # These are the exit codes.
   33: 
   34: # Security
   35: $ENV{'PATH'}=""; # Nullify path information.
   36: $ENV{'BASH_ENV'}=""; # Nullify shell environment information.
   37: 
   38: # Do not print error messages if there are command-line arguments
   39: my $noprint=0;
   40: if (@ARGV) {
   41:     $noprint=1;
   42: }
   43: 
   44: # Read in /etc/passwd, and make sure this process is running from user=www
   45: open (IN, "</etc/passwd");
   46: my @lines=<IN>;
   47: close IN;
   48: my $wwwid;
   49: for my $l (@lines) {
   50:     chop $l;
   51:     my @F=split(/\:/,$l);
   52:     if ($F[0] eq 'www') {$wwwid=$F[2];}
   53: }
   54: if ($wwwid!=$<) {
   55:     print("User ID mismatch.  This program must be run as user 'www'\n") unless $noprint;
   56:     exit 1;
   57: }
   58: &disable_root_capability;
   59: 
   60: # Handle case of another lcpasswd process
   61: unless (&try_to_lock("/tmp/lock_lcpasswd")) {
   62:     print "Error. Too many other simultaneous password change requests being made.\n" unless $noprint;
   63:     exit 4;
   64: }
   65: 
   66: # Gather input.  Should be 3 values (user name, password 1, password 2).
   67: my @input;
   68: if (@ARGV==3) {
   69:     @input=@ARGV;
   70: }
   71: elsif (@ARGV) {
   72:     print("Error. This program needs 3 command-line arguments (username, password 1, password 2).\n") unless $noprint;
   73:     unlink('/tmp/lock_lcpasswd');
   74:     exit 2;
   75: }
   76: else {
   77:     @input=<>;
   78:     if (@input!=3) {
   79: 	print("Error. Three lines should be entered into standard input.\n") unless $noprint;
   80: 	unlink('/tmp/lock_lcpasswd');
   81: 	exit 3;
   82:     }
   83:     map {chop} @input;
   84: }
   85: 
   86: my ($username,$password1,$password2)=@input;
   87: $username=~/^(\w+)$/;
   88: my $safeusername=$1;
   89: 
   90: if ($password1 ne $password2) {
   91:     print "Error. Password mismatch.\n";
   92:     unlink('/tmp/lock_lcpasswd');
   93:     exit 7;
   94: }
   95: 
   96: &enable_root_capability;
   97: 
   98: # Add user entry to /etc/passwd and /etc/groups in such
   99: # a way that www is a member of the user-specific group
  100: 
  101: if (system('/usr/sbin/useradd','-c','LON-CAPA user',$safeusername)) {
  102:     print "Error.  Something went wrong with the addition of user \"$safeusername\".\n";
  103:     unlink('/tmp/lock_lcpasswd');
  104:     exit 5;
  105: }
  106: if (system('/usr/sbin/usermod','-G',$safeusername,'www')) {
  107:     print "Error. Could not make www a member of the group \"$safeusername\".\n";
  108:     unlink('/tmp/lock_lcpasswd');
  109:     exit 6;
  110: }
  111: 
  112: # Set password with lcpasswd-style algorithm (which creates smbpasswd entry).
  113: # I cannot place a direct shell call to lcpasswd since I have to allow
  114: # for crazy characters in the password, and the setuid environment of perl
  115: # requires me to make everything safe.
  116: 
  117: 
  118: 
  119: # ----------------------------------------------------------- have setuid script run as root
  120: sub enable_root_capability {
  121:     if ($wwwid==$>) {
  122: 	($<,$>)=($>,$<);
  123: 	($(,$))=($),$();
  124:     }
  125:     else {
  126: 	# root capability is already enabled
  127:     }
  128:     return $>;
  129: }
  130: 
  131: # ----------------------------------------------------------- have setuid script run as www
  132: sub disable_root_capability {
  133:     if ($wwwid==$<) {
  134: 	($<,$>)=($>,$<);
  135: 	($(,$))=($),$();
  136:     }
  137:     else {
  138: 	# root capability is already disabled
  139:     }
  140: }
  141: 
  142: # ----------------------------------- make sure that another lcpasswd process isn't running
  143: sub try_to_lock {
  144:     my ($lockfile)=@_;
  145:     my $currentpid;
  146:     my $lastpid;
  147:     # Do not manipulate lock file as root
  148:     if ($>==0) {
  149: 	return 0;
  150:     }
  151:     # Try to generate lock file.
  152:     # Wait 3 seconds.  If same process id is in
  153:     # lock file, then assume lock file is stale, and
  154:     # go ahead.  If process id's fluctuate, try
  155:     # for a maximum of 10 times.
  156:     for (0..10) {
  157: 	if (-e $lockfile) {
  158: 	    open(LOCK,"<$lockfile");
  159: 	    $currentpid=<LOCK>;
  160: 	    close LOCK;
  161: 	    if ($currentpid==$lastpid) {
  162: 		last;
  163: 	    }
  164: 	    sleep 3;
  165: 	    $lastpid=$currentpid;
  166: 	}
  167: 	else {
  168: 	    last;
  169: 	}
  170: 	if ($_==10) {
  171: 	    return 0;
  172: 	}
  173:     }
  174:     open(LOCK,">$lockfile");
  175:     print LOCK $$;
  176:     close LOCK;
  177:     return 1;
  178: }
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>