--- loncom/build/make_domain_coordinator.pl 2003/02/03 18:03:52 1.9 +++ loncom/build/make_domain_coordinator.pl 2012/08/17 22:43:03 1.22 @@ -11,7 +11,7 @@ make_domain_coordinator.pl - Make a doma # The LearningOnline Network # make_domain_coordinator.pl - Make a domain coordinator on a system # -# $Id: make_domain_coordinator.pl,v 1.9 2003/02/03 18:03:52 harris41 Exp $ +# $Id: make_domain_coordinator.pl,v 1.22 2012/08/17 22:43:03 raeburn Exp $ # # This file is part of the LearningOnline Network with CAPA (LON-CAPA). # @@ -33,8 +33,6 @@ make_domain_coordinator.pl - Make a doma # # http://www.lon-capa.org/ # -# YEAR=2002 -# ### =pod @@ -91,10 +89,15 @@ Set roles.hist and roles.db # ---------------------------------------------------- Configure general values -my %perlvar; # Holds network-wide and machine-specific configuration values. -# We only need one configuration value however, lonUsersDir. Rather than -# read this out of loncapa.conf, I am just going to hard-code this for now. -$perlvar{'lonUsersDir'}='/home/httpd/lonUsers'; +use lib '/home/httpd/lib/perl/'; +use LONCAPA; +use LONCAPA::lonmetadata; +use Term::ReadKey; +use Apache::lonnet; +use Apache::lonlocal; +use DBI; +use Storable qw(nfreeze); +use strict; =pod @@ -117,73 +120,115 @@ For example, "dcmsu" or "dcumich" would USERNAMEs for places like Mich State Univ, etc. The second argument specifies the domain of the computer -coordinator and should consist of only alphanumeric characters. +coordinator. =cut +my $lang = &Apache::lonlocal::choose_language(); +&Apache::lonlocal::get_language_handle(undef,$lang); +print"\n"; + # ----------------------------------------------- So, are we invoked correctly? # Two arguments or abort if (@ARGV!=2) { - die('usage: make_domain_coordinator.pl [USERNAME] [DOMAIN] '."\n". - '(and password through standard input)'."\n". - 'It is recommended that the USERNAME should be institution-specific '. - "\n".'as opposed to something like "Sammy" or "Jo".'."\n". - 'For example, "dcmsu" or "dcumich" would be good domain coordinator'. - "\n".'USERNAMEs for places like Mich State Univ, etc.'."\n"); -} -my ($username,$domain)=(@ARGV); shift @ARGV; shift @ARGV; -unless ($username=~/^\w+$/ and $username!~/\_/) { - die('**** ERROR **** '. - 'Username '.$username.' must consist only of alphanumeric characters'. - "\n"); -} -unless ($domain=~/^\w+$/ and $domain!~/\_/) { - die('**** ERROR **** '. - 'Domain '.$domain.' must consist only of alphanumeric characters'. - "\n"); + print(&mt('usage: [_1]','make_domain_coordinator.pl [USERNAME] [DOMAIN]')."\n\n". + &mt('It is recommended that the USERNAME should be institution-specific.'). + "\n".&mt('It should not be something like "Sammy" or "Jo".')."\n". + &mt('For example, [_1] or [_2] would be good domain coordinator USERNAMEs for places like Michigan State University, etc.','"domcoordmsu"','"dcmichstate"')."\n"); + exit; } - -# Output a warning message. -print('**** NOTE **** '. - 'Generating a domain coordinator is "serious business".'."\n". - 'Choosing a difficult-to-guess (and keeping it a secret) password '."\n". - 'is highly recommended.'."\n"); - -print("Password: "); $|=1; -my $passwd=<>; # read in password from standard input -chomp($passwd); - -if (length($passwd)<6 or length($passwd)>30) { - die('**** ERROR **** '.'Password is an unreasonable length.'."\n". - 'It should be at least 6 characters in length.'."\n"); +my ($username,$domain)=(@ARGV); +if ($username=~/$LONCAPA::not_username_re/) { + print(&mt('**** ERROR **** Username [_1] must consist only of - . and alphanumeric characters.',$username)."\n"); + exit; } -my $pbad=0; -foreach (split(//,$passwd)) {if ((ord($_)<32)||(ord($_)>126)){$pbad=1;}} -if ($pbad) { - die('**** ERROR **** '. - 'Password must consist of standard ASCII characters'."\n"); +if ($domain=~/$LONCAPA::not_domain_re/) { + print(&mt('**** ERROR **** Domain [_1] must consist only of - . and alphanumeric characters.',$domain)."\n"); + exit; } -# And does user already exist +# Does user already exist +my ($is_user,$has_lc_account); -my $caveat = - 'For security reasons, this script will only automatically generate '."\n". - 'new users, not pre-existing users.'."\n". - "If you want to make '$username' a domain coordinator, you "."\n". - 'should do so manually by customizing the MANUAL PROCEDURE'."\n". - 'described in the documentation. To view the documentation '."\n". - 'for this script, type '. - "'perldoc ./make_domain_coordinator.pl'."."\n"; +my $udpath=&propath($domain,$username); +if (-d $udpath) { + $has_lc_account = 1; +} + +if ($has_lc_account) { + print(&mt('**** ERROR **** [_1] is already defined as a LON-CAPA user.', + $username)."\n\n". + &mt('To assign a domain coordinator role to an existing user, use: [_1]', + "\n".'perl add_domain_coordinator_privilege.pl')."\n\n"); + exit; +} if (-d "/home/$username") { - die ('**** ERROR **** '.$username.' is already a linux operating system '. - 'user.'."\n".$caveat); + $is_user = 1; } -my $udpath=propath($domain,$username); -if (-d $udpath) { - die ('**** ERROR **** '.$username.' is already defined as a LON-CAPA '. - 'user.'."\n".$caveat); + +if ($is_user) { + print(&mt('**** ERROR **** [_1] is already a linux operating system user.', + $username)."\n\n". + &mt('This script will only automatically generate new users.')."\n". + &mt('To assign a domain coordinator role to an existing user:')."\n\n". + &mt('If you want to make "[_1]" a domain coordinator, you should do so manually by customizing the MANUAL PROCEDURE described in the documentation.',$username)."\n\n". + &mt('To view the documentation for this script, type: [_1].', + "\n".'perldoc ./make_domain_coordinator.pl')."\n\n"); + exit; +} + +# Output a warning message. +print(&mt('**** NOTE **** Generating a domain coordinator is "serious business".')."\n". + &mt('You must choose a password that is difficult to guess.')."\n"); + +print(&mt('Continue? ~[Y/n~] ')); +my $go_on = ; +chomp($go_on); +$go_on =~ s/(^\s+|\s+$)//g; +my $yes = &mt('y'); +unless (($go_on eq '') || ($go_on =~ /^\Q$yes\E/i)) { + exit; } +print "\n"; + +my ($got_passwd,$firstpass,$secondpass,$passwd); +my $maxtries = 10; +my $trial = 0; +while ((!$got_passwd) && ($trial < $maxtries)) { + $firstpass = &get_password(&mt('Enter password')); + if (length($firstpass) < 6) { + print(&mt('Password too short.')."\n". + &mt('Please choose a password with at least six characters.')."\n". + &mt('Please try again.')."\n"); + } elsif (length($firstpass) > 30) { + print(&mt('Password too long.')."\n". + &mt('Please choose a password with no more than thirty characters.')."\n". + &mt('Please try again.')."\n"); + } else { + my $pbad=0; + foreach (split(//,$firstpass)) {if ((ord($_)<32)||(ord($_)>126)){$pbad=1;}} + if ($pbad) { + print(&mt('Password contains invalid characters.')."\n". + &mt('Password must consist of standard ASCII characters')."\n". + &mt('Please try again.')."\n"); + } else { + $secondpass = &get_password(&mt('Enter password a second time')); + if ($firstpass eq $secondpass) { + $got_passwd = 1; + $passwd = $firstpass; + } else { + print(&mt('Passwords did not match.')."\n". + &mt('Please try again.')."\n"); + } + } + $trial ++; + } +} +if (!$got_passwd) { + exit; +} +print "\n"; =pod @@ -221,7 +266,8 @@ login as root on your Linux system # ------------------------------------------------------------ So, are we root? if ($< != 0) { # Am I root? - die 'You must be root in order to generate a domain coordinator.'."\n"; + print(&mt('You must be root in order to generate a domain coordinator.'). + "\n"); } =pod @@ -233,11 +279,65 @@ if ($< != 0) { # Am I root? =cut +# ----------------------------------------------------------- /usr/sbin/groupadd +# -- Add group +$username=~s/\W//g; # an extra filter, just to be sure + +print(&mt('adding group: [_1]',$username)."\n"); +my $status = system('/usr/sbin/groupadd', $username); +if ($status) { + print(&mt('Error.').' '. + &mt('Something went wrong with the addition of group "[_1]".', + $username)."\n"); + exit; +} +my $gid = getgrnam($username); + # ----------------------------------------------------------- /usr/sbin/useradd +# -- Add user -$username=~s/\W//g; # an extra filter, just to be sure -`/usr/sbin/useradd $username`; # Add the user with the 'useradd' command. +print(&mt('adding user: [_1]',$username)."\n"); +my $status = system('/usr/sbin/useradd','-c','LON-CAPA user','-g',$gid,$username); +if ($status) { + system("/usr/sbin/groupdel $username"); + print(&mt('Error.').' '. + &mt('Something went wrong with the addition of user "[_1]".', + $username)."\n"); + exit; +} + +print(&mt('Done adding user.')."\n"); +# Make www a member of that user group. +my $groups=`/usr/bin/groups www`; +# untaint +my ($safegroups)=($groups=~/:\s*([\s\w]+)/); +$groups=$safegroups; +chomp $groups; $groups=~s/^\S+\s+\:\s+//; +my @grouplist=split(/\s+/,$groups); +my @ugrouplist=grep {!/www|$username/} @grouplist; +my $gl=join(',',(@ugrouplist,$username)); +print(&mt("Putting www in user's group.")."\n"); +if (system('/usr/sbin/usermod','-G',$gl,'www')) { + print(&mt('Error.').' '.&mt('Could not make www a member of the group "[_1]".', + $username)."\n"); + exit; +} + +# Check if home directory exists for user +# If not, create one. +if (!-e "/home/$username") { + if (!mkdir("/home/$username",0710)) { + print(&mt('Error.').' '.&mt('Could not add home directory for "[_1]".', + $username)."\n"); + exit; + } +} +if (-d "/home/$username") { + system('/bin/chown',"$username:$username","/home/$username"); + system('/bin/chmod','-R','0660',"/home/$username"); + system('/bin/chmod','0710',"/home/$username"); +} =pod =item 3 (as root). enter in a password @@ -253,14 +353,26 @@ $username=~s/\W//g; # an extra filter, j # Process password (taint-check, then pass to the UNIX passwd command). $username =~ s/\W//g; # an extra filter, just to be sure -$pbad = 0; +my $pbad = 0; foreach (split(//,$passwd)) {if ((ord($_)<32)||(ord($_)>126)){$pbad=1;}} if ($pbad) { - die('Password must consist of standard ASCII characters'."\n"); + print(&mt('Password must consist of standard ASCII characters.'). + "\n"); +} + +my $distro; +if (open(PIPE,"perl distprobe|")) { + $distro = ; + close(PIPE); +} +if ($distro =~ /^ubuntu|debian/) { + open(OUT,"|usermod -p `mkpasswd $passwd` $username"); + close(OUT); +} else { + open(OUT,"|passwd --stdin $username"); + print(OUT $passwd."\n"); + close(OUT); } -open(OUT,"|passwd --stdin $username"); -print(OUT $passwd."\n"); -close(OUT); =pod @@ -311,7 +423,12 @@ close(OUT); open(OUT, ">$udpath/passwd"); print(OUT 'unix:'."\n"); close(OUT); -`chown www:www $udpath/passwd`; # Must be writeable by httpd process. + +# Get permissions correct on udpath + + print(&mt('Setting permissions on user data directories.').' '. + &mt('This may take a moment, please be patient ...')."\n"); +`chown -R www:www /home/httpd/lonUsers/$domain` ; # Must be writeable by httpd process. =pod @@ -323,22 +440,77 @@ close(OUT); =cut use GDBM_File; # A simplistic key-value pairing database. -my %hash; -tie(%hash,'GDBM_File',"$udpath/roles.db", - &GDBM_WRCREAT,0640); # Interface with GDBM database thru a hash variable. - -$hash{'/'.$domain.'/_dc'}='dc'; # Set the domain coordinator role. +my $rolesref=&LONCAPA::locking_hash_tie("$udpath/roles.db",&GDBM_WRCREAT()); +if (!$rolesref) { + print(&mt('Error').' '. + &mt('unable to tie roles db: [_1]'."$udpath/roles.db")."\n"); + exit; +} +my $now = time; +$rolesref->{'/'.$domain.'/_dc'}='dc_0_'.$now; # Set the domain coordinator role. open(OUT, ">$udpath/roles.hist"); # roles.hist is the synchronous plain text. -map { - print(OUT $_.' : '.$hash{$_}."\n"); -} keys %hash; +foreach my $key (keys(%{$rolesref})) { + print(OUT $key.' : '.$rolesref->{$key}."\n"); +} close(OUT); -untie(%hash); # Finish interfacing with GDBM database. +&LONCAPA::locking_hash_untie($rolesref); + `chown www:www $udpath/roles.hist`; # Must be writeable by httpd process. `chown www:www $udpath/roles.db`; # Must be writeable by httpd process. +my %perlvar = %{&LONCAPA::Configuration::read_conf('loncapa.conf')}; +my $dompath = $perlvar{'lonUsersDir'}.'/'.$domain; +my $domrolesref = &LONCAPA::locking_hash_tie("$dompath/nohist_domainroles.db",&GDBM_WRCREAT()); + +if (!$domrolesref) { + print(&mt('Error').' '.&mt('unable to tie nohist_domainroles db: [_1].', + "$dompath/nohist_domainroles.db")."\n"); +} + +# Store in nohist_domainroles.db +my $domkey=&LONCAPA::escape('dc:'.$username.':'.$domain.'::'.$domain.':'); +$domrolesref->{$domkey}= &LONCAPA::escape('0:'.$now); +&LONCAPA::locking_hash_untie($domrolesref); + + system('/bin/chown',"www:www","$dompath/nohist_domainroles.db"); # Must be writeable by httpd process. + system('/bin/chown',"www:www","$dompath/nohist_domainroles.db.lock"); + +# Log with domainconfiguser in nohist_rolelog.db +my $domconfiguser = $domain.'-domainconfig'; +my $subdir = $domconfiguser; +$subdir =~ s/(.)(.)(.).*/$1\/$2\/$3/; + +my $rolelogref = &LONCAPA::locking_hash_tie("$dompath/$subdir/$domconfiguser/nohist_rolelog.db",&GDBM_WRCREAT()); +my $domlogkey = &LONCAPA::escape($now.'00000'.$$.'000000'); +my $storehash = { + role => 'dc', + start => $now, + end => 0, + context => 'server', + }; +my $domlogvalue = { + 'exe_uname' => '', + 'exe_udom' => $domain, + 'exe_time' => $now, + 'exe_ip' => '127.0.0.1', + 'delflag' => '', + 'logentry' => $storehash, + 'uname' => $username, + 'udom' => $domain, + }; +$rolelogref->{$domlogkey}=&freeze_escape($domlogvalue); +&LONCAPA::locking_hash_untie($rolelogref); + + system('/bin/chown',"www:www","$dompath/$subdir/nohist_rolelog.db"); # Must be writeable by httpd process. + system('/bin/chown',"www:www","$dompath/$subdir/nohist_rolelog.db.lock"); + +#Update allusers MySQL table + +print(&mt('Adding new user to allusers table.')."\n"); +&allusers_update($username,$domain,\%perlvar); + =pod =item 10. @@ -349,21 +521,96 @@ by going to http://MACHINENAME/adm/creat =cut # Output success message, and inform sysadmin about how to further proceed. -print("$username is now a domain coordinator\n"); # Output success message. +print("\n".&mt('[_1] is now a domain coordinator',$username)."\n"); # Output success message. my $hostname=`hostname`; chomp($hostname); # Read in hostname. -print("http://$hostname/adm/createuser will allow you to further define". - " this user.\n"); # Output a suggested URL. +print("\n". + &mt('Once LON-CAPA is running, you should log-in and use: [_1] to further define this user.', + "\nhttp://$hostname/adm/createuser\n")."\n\n". + &mt('From the user management menu, click the link: "Add/Modify a User" to search for the user and to provide additional information (last name, first name etc.).')."\n"); +# Output a suggested URL. + +sub allusers_update { + my ($username,$domain,$perlvar) = @_; + my %tablenames = ( + 'allusers' => 'allusers', + ); + my $dbh; + unless ($dbh = DBI->connect("DBI:mysql:loncapa","www", + $perlvar->{'lonSqlAccess'}, + { RaiseError =>0,PrintError=>0})) { + print(&mt('Cannot connect to database!')."\n"); + return; + } + my $tablechk = &allusers_table_exists($dbh); + if ($tablechk == 0) { + my $request = + &LONCAPA::lonmetadata::create_metadata_storage('allusers','allusers'); + $dbh->do($request); + if ($dbh->err) { + print(&mt('Failed to create [_1] table.','allusers')."\n"); + return; + } + } + my %userdata = ( + username => $username, + domain => $domain, + ); + my %loghash = + &LONCAPA::lonmetadata::process_allusers_data($dbh,undef, + \%tablenames,$username,$domain,\%userdata,'update'); + foreach my $key (keys(%loghash)) { + print $loghash{$key}."\n"; + } + return; +} + +sub allusers_table_exists { + my ($dbh) = @_; + my $sth=$dbh->prepare('SHOW TABLES'); + $sth->execute(); + my $aref = $sth->fetchall_arrayref; + $sth->finish(); + if ($sth->err()) { + return undef; + } + my $result = 0; + foreach my $table (@{$aref}) { + if ($table->[0] eq 'allusers') { + $result = 1; + last; + } + } + return $result; +} -# ================================================================= SUBROUTINES -# Subroutine propath: take in domain and username, and generate filesystem path -sub propath { - my ($udom,$uname)=@_; # The lonDefDomain, and the domain coord. username. - $udom =~ s/\W//g; # Taint removal. - $uname =~ s/\W//g; # Taint removal. - my $subdir = $uname.'__'; - $subdir =~ s/(.)(.)(.).*/$1\/$2\/$3/; # The path must have three subdirs. - my $proname = "$perlvar{'lonUsersDir'}/$udom/$subdir/$uname"; # Total path. - return $proname; # Return the total user directory filesystem path. +sub get_password { + my ($prompt) = @_; + local $| = 1; + print $prompt.': '; + my $newpasswd = ''; + ReadMode 'raw'; + my $key; + while(ord($key = ReadKey(0)) != 10) { + if(ord($key) == 127 || ord($key) == 8) { + chop($newpasswd); + print "\b \b"; + } elsif(!ord($key) < 32) { + $newpasswd .= $key; + print '*'; + } + } + ReadMode 'normal'; + print "\n"; + return $newpasswd; +} + +sub freeze_escape { + my ($value)=@_; + if (ref($value)) { + $value=&nfreeze($value); + return '__FROZEN__'.&LONCAPA::escape($value); + } + return &LONCAPA::escape($value); } =pod @@ -373,3 +620,4 @@ sub propath { Written to help the LON-CAPA project. =cut +