File:  [LON-CAPA] / loncom / lcuserdel
Revision 1.7
Sun Oct 29 22:07:20 2000 UTC (23 years, 6 months ago) by harris41
Branches: MAIN
CVS tags: HEAD
adjusting comments and shell command execution order in lcuserdel.  lcuseradd
is beginning to take form, but is still buggy...

    1: #!/usr/bin/perl
    2: #
    3: # lcuserdel
    4: #
    5: # Scott Harrison
    6: # SH: October 27, 2000
    7: # SH: October 28, 2000
    8: # SH: October 29, 2000
    9: 
   10: use strict;
   11: 
   12: # This script is a setuid script (chmod 6755) that should
   13: # be run by user 'www'.  It DOES NOT delete directories.
   14: # All it does is remove a user's entries from
   15: # /etc/passwd, /etc/group, and /etc/smbpasswd.
   16: # It also disables access to the user's directory by changing the
   17: # directory's owner to user www (instead of the former "username").
   18: # It also removes group membership from www (via the groupdel command).
   19: # This command only returns an error if it is
   20: # invoked incorrectly (by passing bad command-line arguments, etc).
   21: 
   22: # This script works under the same process control mechanism
   23: # as lcuseradd and lcpasswd, to make sure that only one of these
   24: # processes is running at any one time on the system.
   25: 
   26: # Standard input usage
   27: # First line is USERNAME
   28: 
   29: # Command-line arguments [USERNAME]
   30: # Supported, but be very careful here (never pass shell commands);
   31: # this form exists only so the script can be invoked via perl system() calls.
   32: 
   33: # Usage within code
   34: #
   35: # $exitcode=system("/home/httpd/perl/lcuserdel","NAME")/256;
   36: # print "uh-oh" if $exitcode;
   37: 
   38: # These are the exit codes.
   39: 
   40: # Security
   41: $ENV{'PATH'}=""; # Nullify path information.
   42: $ENV{'BASH_ENV'}=""; # Nullify shell environment information.
   43: 
   44: # Do not print error messages if there are command-line arguments
   45: my $noprint=0;
   46: if (@ARGV) {
   47:     $noprint=1;
   48: }
   49: 
   50: # Read in /etc/passwd, and make sure this process is running from user=www
   51: open (IN, "</etc/passwd");
   52: my @lines=<IN>;
   53: close IN;
   54: my $wwwid;
   55: for my $l (@lines) {
   56:     chop $l;
   57:     my @F=split(/\:/,$l);
   58:     if ($F[0] eq 'www') {$wwwid=$F[2];}
   59: }
   60: if ($wwwid!=$<) {
   61:     print("User ID mismatch.  This program must be run as user 'www'\n") unless $noprint;
   62:     exit 1;
   63: }
   64: &disable_root_capability;
   65: 
   66: # Handle case of another lcpasswd process
   67: unless (&try_to_lock("/tmp/lock_lcpasswd")) {
   68:     print "Error. Too many other simultaneous password change requests being made.\n" unless $noprint;
   69:     exit 4;
   70: }
   71: 
   72: # Gather input.  Should only be 1 value (user name).
   73: my @input;
   74: if (@ARGV==1) {
   75:     @input=@ARGV;
   76: }
   77: elsif (@ARGV) {
   78:     print("Error. This program needs just 1 command-line argument (username).\n") unless $noprint;
   79:     exit 2;
   80: }
   81: else {
   82:     @input=<>;
   83:     if (@input!=1) {
   84: 	print("Error. Only one line should be entered into standard input.\n") unless $noprint;
   85: 	exit 3;
   86:     }
   87:     map {chop} @input;
   88: }
   89: 
   90: my ($username)=@input;
   91: $username=~/^(\w+)$/;
   92: my $safeusername=$1;
   93: 
   94: &enable_root_capability;
   95: 
   96: # By using the system userdel command:
   97: # Remove entry from /etc/passwd if it exists
   98: # Remove entry from /etc/groups if it exists
   99: system('/usr/sbin/groupdel 2>/dev/null',$safeusername); # ignore error message
  100: system('/usr/sbin/userdel 2>/dev/null',$safeusername); # ignore error message
  101: 
  102: # Remove entry from /etc/smbpasswd if it exists
  103: my $oldsmbpasswd=`/bin/cat /etc/smbpasswd`;
  104: my $newsmbpasswd=`/bin/grep -v '^${safeusername}:' /etc/smbpasswd`;
  105: 
  106: if ($oldsmbpasswd ne $newsmbpasswd) {
  107:     open OUT,">/etc/smbpasswd";
  108:     print OUT $newsmbpasswd;
  109:     close OUT;
  110: }
  111: 
  112: # Change ownership on directory from username:username to www:www
  113: # This prevents subsequently added users from having access.
  114: 
  115: system('/bin/chown','-R','www:www',"/home/$safeusername");
  116: 
  117: &disable_root_capability;
  118: unlink("/tmp/lock_lcpasswd");
  119: exit 0;
  120: 
  121: # ----------------------------------------------------------- have setuid script run as root
  122: sub enable_root_capability {
  123:     if ($wwwid==$>) {
  124: 	($<,$>)=($>,$<);
  125: 	($(,$))=($),$();
  126:     }
  127:     else {
  128: 	# root capability is already enabled
  129:     }
  130:     return $>;
  131: }
  132: 
  133: # ----------------------------------------------------------- have setuid script run as www
  134: sub disable_root_capability {
  135:     if ($wwwid==$<) {
  136: 	($<,$>)=($>,$<);
  137: 	($(,$))=($),$();
  138:     }
  139:     else {
  140: 	# root capability is already disabled
  141:     }
  142: }
  143: 
  144: # ----------------------------------- make sure that another lcpasswd process isn't running
  145: sub try_to_lock {
  146:     my ($lockfile)=@_;
  147:     my $currentpid;
  148:     my $lastpid;
  149:     # Do not manipulate lock file as root
  150:     if ($>==0) {
  151: 	return 0;
  152:     }
  153:     # Try to generate lock file.
  154:     # Wait 3 seconds.  If same process id is in
  155:     # lock file, then assume lock file is stale, and
  156:     # go ahead.  If process id's fluctuate, try
  157:     # for a maximum of 10 times.
  158:     for (0..10) {
  159: 	if (-e $lockfile) {
  160: 	    open(LOCK,"<$lockfile");
  161: 	    $currentpid=<LOCK>;
  162: 	    close LOCK;
  163: 	    if ($currentpid==$lastpid) {
  164: 		last;
  165: 	    }
  166: 	    sleep 3;
  167: 	    $lastpid=$currentpid;
  168: 	}
  169: 	else {
  170: 	    last;
  171: 	}
  172: 	if ($_==10) {
  173: 	    return 0;
  174: 	}
  175:     }
  176:     open(LOCK,">$lockfile");
  177:     print LOCK $$;
  178:     close LOCK;
  179:     return 1;
  180: }
  181: 
  182: 
