1: #!/usr/bin/perl
2: #
3: # lcuserdel
4: #
5: # Scott Harrison
6: # SH: October 27, 2000
7: # SH: October 28, 2000
8: # SH: October 29, 2000
9:
10: use strict;
11:
12: # This script is a setuid script (chmod 6755) that should
13: # be run by user 'www'. It DOES NOT delete directories.
14: # All it does is remove a user's entries from
15: # /etc/passwd, /etc/groups, and /etc/smbpasswd.
16: # It also disables user directory access by making the directory
17: # to be owned by user=www (as opposed to the former "username").
18: # This command only returns an error if it is
19: # invoked incorrectly (by passing bad command-line arguments, etc).
20:
21: # This script works under the same process control mechanism
22: # as lcuseradd and lcpasswd, to make sure that only one of these
23: # processes is running at any one time on the system.
24:
25: # Standard input usage
26: # First line is USERNAME
27:
28: # Command-line arguments [USERNAME]
29: # Yes, but be very careful here (don't pass shell commands)
30: # and this is only supported to allow perl-system calls.
31:
32: # Usage within code
33: #
34: # $exitcode=system("/home/httpd/perl/lcuserdel","NAME")/256;
35: # print "uh-oh" if $exitcode;
36:
37: # These are the exit codes.
38:
39: # Security
40: $ENV{'PATH'}=""; # Nullify path information.
41: $ENV{'BASH_ENV'}=""; # Nullify shell environment information.
42:
43: # Do not print error messages if there are command-line arguments
44: my $noprint=0;
45: if (@ARGV) {
46: $noprint=1;
47: }
48:
49: # Read in /etc/passwd, and make sure this process is running from user=www
50: open (IN, "</etc/passwd");
51: my @lines=<IN>;
52: close IN;
53: my $wwwid;
54: for my $l (@lines) {
55: chop $l;
56: my @F=split(/\:/,$l);
57: if ($F[0] eq 'www') {$wwwid=$F[2];}
58: }
59: if ($wwwid!=$<) {
60: print("User ID mismatch. This program must be run as user 'www'\n") unless $noprint;
61: exit 1;
62: }
63: &disable_root_capability;
64:
65: # Handle case of another lcpasswd process
66: unless (&try_to_lock("/tmp/lock_lcpasswd")) {
67: print "Error. Too many other simultaneous password change requests being made.\n" unless $noprint;
68: exit 4;
69: }
70:
71: # Gather input. Should only be 1 value (user name).
72: my @input;
73: if (@ARGV==1) {
74: @input=@ARGV;
75: }
76: elsif (@ARGV) {
77: print("Error. This program needs just 1 command-line argument (username).\n") unless $noprint;
78: exit 2;
79: }
80: else {
81: @input=<>;
82: if (@input!=1) {
83: print("Error. Only one line should be entered into standard input.\n") unless $noprint;
84: exit 3;
85: }
86: map {chop} @input;
87: }
88:
89: my ($username)=@input;
90: $username=~/^(\w+)$/;
91: my $safeusername=$1;
92:
93: &enable_root_capability;
94:
95: # By using the system userdel command:
96: # Remove entry from /etc/passwd if it exists
97: # Remove entry from /etc/groups if it exists
98: system('/usr/sbin/userdel 2>/dev/null',$safeusername); # ignore error message
99: system('/usr/sbin/groupdel 2>/dev/null',$safeusername); # ignore error message
100:
101: # Remove entry from /etc/smbpasswd if it exists
102: my $oldsmbpasswd=`/bin/cat /etc/smbpasswd`;
103: my $newsmbpasswd=`/bin/grep -v '^${safeusername}:' /etc/smbpasswd`;
104:
105: if ($oldsmbpasswd ne $newsmbpasswd) {
106: open OUT,">/etc/smbpasswd";
107: print OUT $newsmbpasswd;
108: close OUT;
109: }
110:
111: # Change ownership on directory from username:username to www:www
112: # This prevents subsequently added users from having access.
113:
114: system('/bin/chown','-R','www:www',"/home/$safeusername");
115:
116: &disable_root_capability;
117: unlink("/tmp/lock_lcpasswd");
118: exit 0;
119:
120: # ----------------------------------------------------------- have setuid script run as root
121: sub enable_root_capability {
122: if ($wwwid==$>) {
123: ($<,$>)=($>,$<);
124: ($(,$))=($),$();
125: }
126: else {
127: # root capability is already enabled
128: }
129: return $>;
130: }
131:
132: # ----------------------------------------------------------- have setuid script run as www
133: sub disable_root_capability {
134: if ($wwwid==$<) {
135: ($<,$>)=($>,$<);
136: ($(,$))=($),$();
137: }
138: else {
139: # root capability is already disabled
140: }
141: }
142:
143: # ----------------------------------- make sure that another lcpasswd process isn't running
144: sub try_to_lock {
145: my ($lockfile)=@_;
146: my $currentpid;
147: my $lastpid;
148: # Do not manipulate lock file as root
149: if ($>==0) {
150: return 0;
151: }
152: # Try to generate lock file.
153: # Wait 3 seconds. If same process id is in
154: # lock file, then assume lock file is stale, and
155: # go ahead. If process id's fluctuate, try
156: # for a maximum of 10 times.
157: for (0..10) {
158: if (-e $lockfile) {
159: open(LOCK,"<$lockfile");
160: $currentpid=<LOCK>;
161: close LOCK;
162: if ($currentpid==$lastpid) {
163: last;
164: }
165: sleep 3;
166: $lastpid=$currentpid;
167: }
168: else {
169: last;
170: }
171: if ($_==10) {
172: return 0;
173: }
174: }
175: open(LOCK,">$lockfile");
176: print LOCK $$;
177: close LOCK;
178: return 1;
179: }
180:
181:
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/back.gif){kind=icon}
Return to lcuserdel CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [LON-CAPA] / loncom