loncom/lcuseradd - view

File: [LON-CAPA] / loncom / Attic / lcuseradd
Revision 1.38: download - view: text, annotated - select for diffs
Fri Jul 29 17:33:18 2005 UTC (18 years, 9 months ago) by raeburn
Branches: MAIN
CVS tags: version_2_2_0, version_2_1_X, version_2_1_99_3, version_2_1_99_2, version_2_1_99_1, version_2_1_99_0, version_2_1_3, version_2_1_2, version_2_1_1, version_2_1_0, version_2_0_X, version_2_0_99_1, version_2_0_2, version_2_0_1, version_2_0_0, version_1_99_3, HEAD

Changes to accommodate suse, where new users are put into default group rather than into new group with same name as username.  Solve this by creating group first, before adding user. Also create user's home directory if not created automatically.

1: #!/usr/bin/perl 2: 3: # The Learning Online Network with CAPA 4: # 5: # lcuseradd - LON-CAPA setuid script to coordinate all actions 6: # with adding a user with filesystem privileges (e.g. author) 7: # 8: # 9: # $Id: lcuseradd,v 1.38 2005/07/29 17:33:18 raeburn Exp $ 10: ### 11: 12: ############################################################################### 13: ## ## 14: ## ORGANIZATION OF THIS PERL SCRIPT ## 15: ## ## 16: ## 1. Description of script ## 17: ## 2. Invoking script (standard input) ## 18: ## 3. Example usage inside another piece of code ## 19: ## 4. Description of functions ## 20: ## 5. Exit codes ## 21: ## 6. Initializations ## 22: ## 7. Make sure this process is running from user=www ## 23: ## 8. Start running script with www permissions ## 24: ## 9. Handle case of another lcpasswd process (locking) ## 25: ## 10. Error-check input, need 3 values (user name, password 1, password 2) ## 26: ## 11. Start running script with root permissions ## 27: ## 12. Add user and make www a member of the user-specific group ## 28: ## 13. Set password ## 29: ## 14. Make final modifications to the user directory ## 30: ## 15. Exit script (unlock) ## 31: ## ## 32: ############################################################################### 33: 34: use strict; 35: use File::Find; 36: 37: 38: # ------------------------------------------------------- Description of script 39: # 40: # This script is a setuid script that should 41: # be run by user 'www'. It creates a /home/USERNAME directory. 42: # It adds a user to the unix system. 43: # Passwords are set with lcpasswd. 44: # www becomes a member of this user group. 45: 46: # -------------- Invoking script (standard input versus command-line arguments) 47: # Otherwise sensitive information will be available to ps-ers for 48: # a small but exploitable time window. 49: # 50: # Standard input (STDIN) usage 51: # First line is USERNAME 52: # Second line is PASSWORD 53: # Third line is PASSWORD 54: # Fouth line is the name of a file to which an error code will be written. 55: # If the fourth line is omitted, no error file will be written. 56: # In either case, the program Exits with the code as its Exit status. 57: # The error file will just be a single line containing an 58: # error code. 59: # 60: # 61: # 62: # Command-line arguments [USERNAME] [PASSWORD] [PASSWORD] 63: # Yes, but be very careful here (don't pass shell commands) 64: # and this is only supported to allow perl-system calls. 65: # 66: # Valid passwords must consist of the 67: # ascii characters within the inclusive 68: # range of 0x20 (32) to 0x7E (126). 69: # These characters are: 70: # SPACE and 71: # !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNO 72: # PQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~ 73: # 74: # Valid user names must consist of ascii 75: # characters that are alphabetical characters 76: # (A-Z,a-z), numeric (0-9), or the underscore 77: # mark (_). (Essentially, the perl regex \w). 78: # User names must begin with an alphabetical character 79: # (A-Z,a-z). 80: 81: # ---------------------------------- Example usage inside another piece of code 82: # Usage within code 83: # 84: # $Exitcode= 85: # system("/home/httpd/perl/lcuseradd","NAME","PASSWORD1","PASSWORD2")/256; 86: # print "uh-oh" if $Exitcode; 87: 88: # ---------------------------------------------------- Description of functions 89: # enable_root_capability() : have setuid script run as root 90: # disable_root_capability() : have setuid script run as www 91: # try_to_lock() : make sure that another lcpasswd process isn't running 92: 93: # ------------------------------------------------------------------ Exit codes 94: # These are the Exit codes. 95: # ( (0,"ok"), 96: # (1,"User ID mismatch. This program must be run as user 'www'"), 97: # (2,"Error. This program needs 3 command-line arguments (username, ". 98: # "password 1, password 2)."), 99: # (3,"Error. Three lines should be entered into standard input."), 100: # (4,"Error. Too many other simultaneous password change requests being ". 101: # "made."), 102: # (5,"Error. User $username does not exist."), 103: # (6,"Error. Could not make www a member of the group \"$safeusername\"."), 104: # (7,"Error. Root was not successfully enabled.), 105: # (8,"Error. Cannot set password."), 106: # (9,"Error. The user name specified has invalid characters."), 107: # (10,"Error. A password entry had an invalid character."), 108: # (11,"Error. User already exists.), 109: # (12,"Error. Something went wrong with the addition of user ". 110: # "\"$safeusername\"."), 111: # (13,"Error. Password mismatch."), 112: # (14, "Error filename is invalid"), 113: # (15, "Error. Could not add home directory.") 114: 115: # ------------------------------------------------------------- Initializations 116: # Security 117: $ENV{'PATH'}='/bin/:/usr/bin:/usr/local/sbin:/home/httpd/perl'; # Nullify path 118: # information 119: delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; # nullify potential taints 120: 121: # Do not print error messages. 122: my $noprint=1; 123: 124: # Error file: 125: 126: my $error_file; # This is either the error file name or undef. 127: 128: print "In lcuseradd\n" unless $noprint; 129: 130: # ----------------------------- Make sure this process is running from user=www 131: my $wwwid=getpwnam('www'); 132: &disable_root_capability; 133: if ($wwwid!=$>) { 134: print("User ID mismatch. This program must be run as user 'www'\n") 135: unless $noprint; 136: &Exit(1); 137: } 138: 139: # ----------------------------------- Start running script with www permissions 140: &disable_root_capability; 141: 142: # --------------------------- Handle case of another lcpasswd process (locking) 143: unless (&try_to_lock("/tmp/lock_lcpasswd")) { 144: print "Error. Too many other simultaneous password change requests being ". 145: "made.\n" unless $noprint; 146: &Exit(4); 147: } 148: 149: # ------- Error-check input, need 3 values (user name, password 1, password 2). 150: my @input; 151: if (@ARGV>=3) { 152: @input=@ARGV; 153: } elsif (@ARGV) { 154: print("Error. This program needs at least 3 command-line arguments (username, ". 155: "password 1, password 2 [errorfile]).\n") unless $noprint; 156: unlink('/tmp/lock_lcpasswd'); 157: &Exit(2); 158: } else { 159: @input=<>; 160: if (@input < 3) { 161: print("Error. At least three lines should be entered into standard input.\n") 162: unless $noprint; 163: unlink('/tmp/lock_lcpasswd'); 164: &Exit(3); 165: } 166: foreach (@input) {chomp;} 167: } 168: 169: my ($username,$password1,$password2, $error_file)=@input; 170: print "Username = ".$username."\n" unless $noprint; 171: $username=~/^(\w+)$/; 172: print "Username after substitution - ".$username unless $noprint; 173: my $safeusername=$1; 174: print "Safe username = $safeusername \n" unless $noprint; 175: 176: if (($username ne $safeusername) or ($safeusername!~/^[A-Za-z]/)) { 177: print "Error. The user name specified $username $safeusername has invalid characters.\n" 178: unless $noprint; 179: unlink('/tmp/lock_lcpasswd'); 180: &Exit(9); 181: } 182: my $pbad=0; 183: foreach (split(//,$password1)) {if ((ord($_)<32)||(ord($_)>126)){$pbad=1;}} 184: foreach (split(//,$password2)) {if ((ord($_)<32)||(ord($_)>126)){$pbad=1;}} 185: if ($pbad) { 186: print "Error. A password entry had an invalid character.\n" unless $noprint; 187: unlink('/tmp/lock_lcpasswd'); 188: &Exit(10); 189: } 190: 191: # 192: # Safe the filename. For our case, it must only have alpha, numeric, period 193: # and path sparators.. 194: # 195: 196: print "Error file is $error_file \n" unless $noprint; 197: 198: if($error_file) { 199: if($error_file =~ /^([(\w)(\d)\.\/]+)$/) { 200: print "Error file matched pattern $error_file : $1\n" unless $noprint; 201: my $safe_error_file = $1; # Untainted I think. 202: print "Error file after transform $safe_error_file\n" 203: unless $noprint; 204: if($error_file == $safe_error_file) { 205: $error_file = $safe_error_file; # untainted error_file. 206: } else { 207: $error_file =""; 208: print "Invalid error filename\n" unless $noprint; 209: Exit(14); 210: } 211: 212: } else { 213: $error_file=""; 214: print "Invalid error filename\n" unless $noprint; 215: Exit(14); 216: } 217: } 218: 219: 220: # -- Only add the user if they are >not< in /etc/passwd. 221: # Used to look for the ability to create a new directory for the 222: # user, however that disallows authentication changes from i 223: # internal->fs.. so just check the passwd file instead. 224: # 225: my $not_found = system("cut -d: -f1 /etc/passwd | grep -q \"^$safeusername\$\" "); 226: if (!$not_found) { 227: print "Error user already exists\n" unless $noprint; 228: unlink('/tmp/lock_lcpasswd'); 229: &Exit(11); 230: } 231: 232: 233: 234: # -- Only add user if the two password arguments match. 235: 236: if ($password1 ne $password2) { 237: print "Error. Password mismatch.\n" unless $noprint; 238: unlink('/tmp/lock_lcpasswd'); 239: &Exit(13); 240: } 241: print "enabling root\n" unless $noprint; 242: # ---------------------------------- Start running script with root permissions 243: &enable_root_capability; 244: 245: # ------------------- Add group and user, and make www a member of the group 246: # -- Add group 247: 248: print "adding group: $safeusername \n" unless $noprint; 249: my $status = system('/usr/sbin/groupadd', $safeusername); 250: if ($status) { 251: print "Error. Something went wrong with the addition of group ". 252: "\"$safeusername\".\n" unless $noprint; 253: print "Final status of groupadd = $status\n"; 254: unlink('/tmp/lock_lcpasswd'); 255: &Exit(12); 256: } 257: my $gid = getgrnam($safeusername); 258: 259: # -- Add user 260: 261: print "adding user: $safeusername \n" unless $noprint; 262: my $status = system('/usr/sbin/useradd','-c','LON-CAPA user','-g',$gid,$safeusername); 263: if ($status) { 264: print "Error. Something went wrong with the addition of user ". 265: "\"$safeusername\".\n" unless $noprint; 266: system("/usr/sbin/groupdel $safeusername"); 267: print "Final status of useradd = $status\n"; 268: unlink('/tmp/lock_lcpasswd'); 269: &Exit(12); 270: } 271: 272: print "Done adding user\n" unless $noprint; 273: # Make www a member of that user group. 274: my $groups=`/usr/bin/groups www` or &Exit(6); 275: # untaint 276: my ($safegroups)=($groups=~/:\s*([\s\w]+)/); 277: $groups=$safegroups; 278: chomp $groups; $groups=~s/^\S+\s+\:\s+//; 279: my @grouplist=split(/\s+/,$groups); 280: my @ugrouplist=grep {!/www|$safeusername/} @grouplist; 281: my $gl=join(',',(@ugrouplist,$safeusername)); 282: print "Putting www in user's group\n" unless $noprint; 283: if (system('/usr/sbin/usermod','-G',$gl,'www')) { 284: print "Error. Could not make www a member of the group ". 285: "\"$safeusername\".\n" unless $noprint; 286: unlink('/tmp/lock_lcpasswd'); 287: &Exit(6); 288: } 289: 290: # ---------------------------------------------------------------- Set password 291: # Set password with lcpasswd (which creates smbpasswd entry). 292: 293: unlink('/tmp/lock_lcpasswd'); 294: &disable_root_capability; 295: ($>,$<)=($wwwid,$wwwid); 296: print "Opening lcpasswd pipeline\n" unless $noprint; 297: open OUT,"|/home/httpd/perl/lcpasswd"; 298: print OUT $safeusername; 299: print OUT "\n"; 300: print OUT $password1; 301: print OUT "\n"; 302: print OUT $password1; 303: print OUT "\n"; 304: close OUT; 305: if ($?) { 306: print "abnormal Exit from close lcpasswd\n" unless $noprint; 307: &Exit(8); 308: } 309: ($>,$<)=($wwwid,0); 310: &enable_root_capability; 311: 312: # Check if home directory exists for user 313: # If not, create one. 314: if (!-e "/home/$safeusername") { 315: if (!mkdir("/home/$safeusername",0710)) { 316: print "Error. Could not add home directory for ". 317: "\"$safeusername\".\n" unless $noprint; 318: unlink('/tmp/lock_lcpasswd'); 319: &Exit(15); 320: } 321: } 322: 323: # ------------------------------ Make final modifications to the user directory 324: # -- Add a public_html file with a stand-in index.html file 325: 326: if (-d "/home/$safeusername") { 327: system('/bin/chmod','-R','0660',"/home/$safeusername"); 328: system('/bin/chmod','0710',"/home/$safeusername"); 329: mkdir "/home/$safeusername/public_html",0755; 330: open OUT,">/home/$safeusername/public_html/index.html"; 331: print OUT<<END; 332: <html> 333: <head> 334: <title>$safeusername</title> 335: </head> 336: <body> 337: <h1>Construction Space</h1> 338: <h3>$safeusername</h3> 339: </body> 340: </html> 341: END 342: close OUT; 343: } 344: 345: # 346: # In order to allow the loncapa daemons appropriate access 347: # to public_html, Top level and public_html directories should 348: # be owned by safeusername:safeusername as should the smaple index.html.. 349: print "lcuseradd ownership\n" unless $noprint; 350: system('/bin/chown','-R',"$safeusername:$safeusername","/home/$safeusername"); # First set std ownership on everything. 351: &set_public_html_permissions("/home/$safeusername/public_html"); 352: # system('/bin/chown',"$safeusername:www","/home/$safeusername"); # Now adust top level... 353: # system('/bin/chown','-R',"$safeusername:www","/home/$safeusername/public_html"); # And web dir. 354: # ---------------------------------------------------- Gracefull Apache Restart 355: if (-e '/var/run/httpd.pid') { 356: print "lcuseradd Apache restart\n" unless $noprint; 357: open(PID,'/var/run/httpd.pid'); 358: my $pid=<PID>; 359: close(PID); 360: my $pid=~ /(\D+)/; 361: my $safepid = $1; 362: if ($pid) { 363: system('kill','-USR1',"$safepid"); 364: } 365: } 366: # -------------------------------------------------------- Exit script 367: print "lcuseradd Exiting\n" unless $noprint; 368: &disable_root_capability; 369: &Exit(0); 370: 371: # ---------------------------------------------- Have setuid script run as root 372: sub enable_root_capability { 373: if ($wwwid==$>) { 374: ($<,$>)=($>,0); 375: ($(,$))=($),0); 376: } else { 377: # root capability is already enabled 378: } 379: return $>; 380: } 381: 382: # ----------------------------------------------- Have setuid script run as www 383: sub disable_root_capability { 384: if ($wwwid==$<) { 385: ($<,$>)=($>,$<); 386: ($(,$))=($),$(); 387: } else { 388: # root capability is already disabled 389: } 390: } 391: 392: # ----------------------- Make sure that another lcpasswd process isn't running 393: sub try_to_lock { 394: my ($lockfile)=@_; 395: my $currentpid; 396: my $lastpid; 397: # Do not manipulate lock file as root 398: if ($>==0) { 399: return 0; 400: } 401: # Try to generate lock file. 402: # Wait 3 seconds. If same process id is in 403: # lock file, then assume lock file is stale, and 404: # go ahead. If process id's fluctuate, try 405: # for a maximum of 10 times. 406: for (0..10) { 407: if (-e $lockfile) { 408: open(LOCK,"<$lockfile"); 409: $currentpid=<LOCK>; 410: close LOCK; 411: if ($currentpid==$lastpid) { 412: last; 413: } 414: sleep 3; 415: $lastpid=$currentpid; 416: } else { 417: last; 418: } 419: if ($_==10) { 420: return 0; 421: } 422: } 423: open(LOCK,">$lockfile"); 424: print LOCK $$; 425: close LOCK; 426: return 1; 427: } 428: # Called by File::Find::find for each file examined. 429: # 430: # Untaint the file and, if it is a directory, 431: # chmod it to 02770 432: # 433: sub set_permission { 434: $File::Find::name =~ /^(.*)$/; 435: my $safe_name = $1; # Untainted filename... 436: 437: print "$safe_name" unless $noprint; 438: if(-d $safe_name) { 439: print " - directory" unless $noprint; 440: chmod(02770, $safe_name); 441: } 442: print "\n" unless $noprint; 443: 444: } 445: # 446: # Set up the correct permissions for all files in the 447: # user's public htmldir. We just do a chmod -R 0660 ... for 448: # the ordinary files. The we use File::Find 449: # to pop through the directory tree changing directories only 450: # to 02770: 451: # 452: sub set_public_html_permissions { 453: my ($topdir) = @_; 454: 455: # Set the top level dir permissions (I'm not sure if find 456: # will enumerate it specifically), correctly and all 457: # files and dirs to the 'ordinary' file permissions: 458: 459: system("chmod -R 0660 $topdir"); 460: chmod(02770, $topdir); 461: 462: # Now use find to locate all directories under $topdir 463: # and set their modes to 02770... 464: # 465: print "Find file\n " unless $noprint; 466: File::Find::find({"untaint" => 1, 467: "untaint_pattern" => qr(/^(.*)$/), 468: "untaint_skip" => 1, 469: "no_chdir" => 1, 470: "wanted" => \&set_permission }, "$topdir"); 471: 472: 473: } 474: 475: #-------------------------- Exit... 476: # 477: # Write the file if the error_file is defined. Regardless 478: # Exit with the status code. 479: # 480: sub Exit { 481: my ($code) = @_; # Status code. 482: 483: # TODO: Ensure the error file is owned/deletable by www:www: 484: 485: &disable_root_capability(); # We run unprivileged to write the error file. 486: 487: print "Exiting with status $code error file is $error_file\n" unless $noprint; 488: if($error_file) { 489: open(FH, ">$error_file"); 490: print FH "$code\n"; 491: close(FH); 492: } 493: exit $code; 494: } 495: 496: =head1 NAME 497: 498: lcuseradd - LON-CAPA setuid script to coordinate all actions 499: with adding a user with filesystem privileges (e.g. author) 500: 501: =head1 DESCRIPTION 502: 503: lcuseradd - LON-CAPA setuid script to coordinate all actions 504: with adding a user with filesystem privileges (e.g. author) 505: 506: =head1 README 507: 508: lcuseradd - LON-CAPA setuid script to coordinate all actions 509: with adding a user with filesystem privileges (e.g. author) 510: 511: =head1 PREREQUISITES 512: 513: =head1 COREQUISITES 514: 515: =pod OSNAMES 516: 517: linux 518: 519: =pod SCRIPT CATEGORIES 520: 521: LONCAPA/Administrative 522: 523: =cut