loncom/lcpasswd - diff

Return to lcpasswd CVS log

Up to [LON-CAPA] / loncom

Diff for /loncom/lcpasswd between versions 1.12 and 1.22

version 1.12, 2001/10/23 03:42:30	version 1.22, 2010/10/12 10:33:47
Line 1	Line 1
#!/usr/bin/perl	#!/usr/bin/perl
	# The Learning Online Network with CAPA
#	#
# lcpasswd	# lcpasswd - LON-CAPA setuid script to synchronously change all
	# filesystem-related passwords (samba, unix, etc)
#	#
# Scott Harrison	# YEAR=2002
# SH: October 27, 2000	# 02/19 Matthew Hall
# SH: October 28, 2000	#
# SH: October 29, 2000	# $Id$
# YEAR=2001	###
# Scott Harrison 10/22

###############################################################################	###############################################################################
## ##	## ##
Line 39 use strict;	Line 40 use strict;
#	#
# Standard input usage	# Standard input usage
# First line is USERNAME	# First line is USERNAME
# Second line is CURRENT PASSWORD	# Second line is NEW PASSWORD
# Third line is NEW PASSWORD	# Third line is NEW PASSWORD
#	#
# Valid passwords must consist of the	# Valid passwords must consist of the
Line 82 use strict;	Line 83 use strict;
# Security	# Security
$ENV{'PATH'}='/bin:/usr/bin:/usr/local/sbin:/home/httpd/perl'; # Nullify path	$ENV{'PATH'}='/bin:/usr/bin:/usr/local/sbin:/home/httpd/perl'; # Nullify path
# information	# information
$ENV{'BASH_ENV'}=''; # Nullify shell environment information.	delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; # nullify potential taints

# Do not print error messages	# Do not print error messages
my $noprint=1;	my $noprint=1;

	print "In lcpasswd" unless $noprint;

# ----------------------------- Make sure this process is running from user=www	# ----------------------------- Make sure this process is running from user=www
my $wwwid=getpwnam('www');	my $wwwid=getpwnam('www');
&disable_root_capability;
if ($wwwid!=$>) {	if ($wwwid!=$<) {
print("User ID mismatch. This program must be run as user 'www'\n")	print("User ID mismatch. This program must be run as user 'www'\n")
unless $noprint;	unless $noprint;
exit 1;	exit 1;
}	}

# ----------------------------------- Start running script with www permissions	# ----------------------------------- Start running script with www permissions
&disable_root_capability;

# --------------------------- Handle case of another lcpasswd process (locking)	# --------------------------- Handle case of another lcpasswd process (locking)
unless (&try_to_lock('/tmp/lock_lcpasswd')) {	unless (&try_to_lock('/tmp/lock_lcpasswd')) {
Line 115 if (@input!=3) {	Line 118 if (@input!=3) {
unlink('/tmp/lock_lcpasswd');	unlink('/tmp/lock_lcpasswd');
exit 3;	exit 3;
}	}
map {chomp} @input;	foreach (@input) {chomp;}

my ($username,$password1,$password2)=@input;	my ($username,$password1,$password2)=@input;
$username=~/^(\w+)$/;	$username=~/^(\w+)$/;
Line 126 if (($username ne $safeusername) or ($sa	Line 129 if (($username ne $safeusername) or ($sa
exit 9;	exit 9;
}	}
my $pbad=0;	my $pbad=0;
map {if (($_<32)&&($_>126)){$pbad=1;}} (split(//,$password1));	foreach (split(//,$password1)) {if ((ord($_)<32)\|\|(ord($_)>126)){$pbad=1;}}
map {if (($_<32)&&($_>126)){$pbad=1;}} (split(//,$password2));	foreach (split(//,$password2)) {if ((ord($_)<32)\|\|(ord($_)>126)){$pbad=1;}}
if ($pbad) {	if ($pbad) {
print "Error. A password entry had an invalid character.\n";	print "Error. A password entry had an invalid character.\n";
unlink('/tmp/lock_lcpasswd');	unlink('/tmp/lock_lcpasswd');
Line 147 unless(getpwnam($safeusername)) {	Line 150 unless(getpwnam($safeusername)) {
unlink('/tmp/lock_lcpasswd');	unlink('/tmp/lock_lcpasswd');
exit 5;	exit 5;
}	}

&enable_root_capability;	&enable_root_capability;
($>,$<)=(0,0);	($>,$<)=(0,0);

	print "Now $> , $< , -invoking pwchange with $safeusername $password1"
	unless $noprint;
open OUT,"\|pwchange $safeusername";	open OUT,"\|pwchange $safeusername";
print OUT $password1;	print OUT $password1;
print OUT "\n";	print OUT "\n";
close OUT;	close OUT;
($>,$<)=(0,500);	($>,$<)=(0,$wwwid);

	print "pwchange done, back to uid $wwwid" unless $noprint;

if ($?) {	if ($?) {
exit 8;	exit 8;
}	}
my $userid=getpwnam($safeusername);	my $userid=getpwnam($safeusername);

unless (-e '/usr/bin/smbpasswd') {	if (-e '/usr/bin/smbpasswd') {

($>,$<)=(0,0); # fool smbpasswd here to think this is not a setuid	($>,$<)=(0,0); # fool smbpasswd here to think this is not a setuid
# environment	# environment
unless (-e '/etc/smbpasswd') {
open (OUT,'>/etc/smbpasswd'); close OUT;
}

my $smbexist=0;	# If the -a switch is put on the smbpasswd
open (IN, '</etc/smbpasswd');	# command line, either a new entry will be created or the old one
my @lines=<IN>;	# will be used.
close IN;	# Therefore the old strategy of looking for and adding a dummy entry is
for my $l (@lines) {	# not needed... Finally, the smbpasswd file is in /etc/samba not
chop $l;	# /etc/smbpasswd as older versions of the script implied.
my @F=split(/\:/,$l);
if ($F[0] eq $username) {$smbexist=1;}	print "Running smbpasswd" unless $noprint;
}	open(OUT,"\|/usr/bin/smbpasswd -s -a $safeusername>/dev/null") or
unless ($smbexist) {	die('cannot run smbpasswd');
open(OUT,'>>/etc/smbpasswd');
print OUT join(':',($safeusername,$userid,
'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXX'.
'XXXXXXXXXXXXXXXXXX','','/home/'.$safeusername,
'/bin/bash')) . "\n";
close OUT;
}

open(OUT,"\|/usr/bin/smbpasswd -s $safeusername>/dev/null");
print OUT $password2; print OUT "\n";	print OUT $password2; print OUT "\n";
print OUT $password2; print OUT "\n";	print OUT $password2; print OUT "\n";
close OUT;	close OUT;
$<=$wwwid; # unfool the program	$<=$wwwid; # unfool the program
	print "smbpasswd done" unless $noprint;
}	}

&disable_root_capability;
unlink('/tmp/lock_lcpasswd');	unlink('/tmp/lock_lcpasswd');
exit 0;	exit 0;

# ---------------------------------------------- have setuid script run as root	# ---------------------------------------------- have setuid script run as root
sub enable_root_capability {	sub enable_root_capability {
if ($wwwid==$>) {	if ($wwwid==$>) {
($<,$>)=($>,$<);	($<,$>)=($>,0);
($(,$))=($),$();	($(,$))=($),0);
}	}
else {	else {
# root capability is already enabled	# root capability is already enabled
Line 226 sub try_to_lock {	Line 222 sub try_to_lock {
my ($lockfile)=@_;	my ($lockfile)=@_;
my $currentpid;	my $currentpid;
my $lastpid;	my $lastpid;
# Do not manipulate lock file as root
if ($>==0) {
return 0;
}
# Try to generate lock file.	# Try to generate lock file.
# Wait 3 seconds. If same process id is in	# Wait 3 seconds. If same process id is in
# lock file, then assume lock file is stale, and	# lock file, then assume lock file is stale, and
Line 258 sub try_to_lock {	Line 251 sub try_to_lock {
close LOCK;	close LOCK;
return 1;	return 1;
}	}

	=head1 NAME

	lcpasswd - LON-CAPA setuid script to synchronously change all
	filesystem-related passwords (samba, unix, etc)

	=head1 DESCRIPTION

	LON-CAPA setuid script to synchronously change all
	filesystem-related passwords (samba, unix, etc)

	=head1 README

	LON-CAPA setuid script to synchronously change all
	filesystem-related passwords (samba, unix, etc)

	=head1 PREREQUISITES

	=head1 COREQUISITES

	=pod OSNAMES

	linux

	=pod SCRIPT CATEGORIES

	LONCAPA/Administrative

	=cut

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>

Removed from v.1.12
changed lines
	Added in v.1.22