loncom/lcuserdel - view

File: [LON-CAPA] / loncom / lcuserdel
Revision 1.9: download - view: text, annotated - select for diffs
Sun Oct 29 22:38:21 2000 UTC (23 years, 6 months ago) by harris41
Branches: MAIN
CVS tags: HEAD

fixing up exit code documentation for lcpasswd and lcuserdel.  lcuseradd
useradd system call syntax still incorrect here.  I'm putting in more
of the setuid handling code. -Scott

1: #!/usr/bin/perl 2: # 3: # lcuserdel 4: # 5: # Scott Harrison 6: # SH: October 27, 2000 7: # SH: October 28, 2000 8: # SH: October 29, 2000 9: 10: use strict; 11: 12: # This script is a setuid script (chmod 6755) that should 13: # be run by user 'www'. It DOES NOT delete directories. 14: # All it does is remove a user's entries from 15: # /etc/passwd, /etc/groups, and /etc/smbpasswd. 16: # It also disables user directory access by making the directory 17: # to be owned by user=www (as opposed to the former "username"). 18: # This command only returns an error if it is 19: # invoked incorrectly (by passing bad command-line arguments, etc). 20: 21: # This script works under the same process control mechanism 22: # as lcuseradd and lcpasswd, to make sure that only one of these 23: # processes is running at any one time on the system. 24: 25: # Standard input usage 26: # First line is USERNAME 27: 28: # Command-line arguments [USERNAME] 29: # Yes, but be very careful here (don't pass shell commands) 30: # and this is only supported to allow perl-system calls. 31: 32: # Usage within code 33: # 34: # $exitcode=system("/home/httpd/perl/lcuserdel","NAME")/256; 35: # print "uh-oh" if $exitcode; 36: 37: # These are the exit codes. 38: # ( (0,"ok"), 39: # (1,"User ID mismatch. This program must be run as user 'www'"), 40: # (2,"Error. Too many other simultaneous password change requests being made."), 41: # (3,"Error. Only one line should be entered into standard input."), 42: # (4,"Error. This program needs just 1 command-line argument (username).") ) 43: 44: # Security 45: $ENV{'PATH'}=""; # Nullify path information. 46: $ENV{'BASH_ENV'}=""; # Nullify shell environment information. 47: 48: # Do not print error messages if there are command-line arguments 49: my $noprint=0; 50: if (@ARGV) { 51: $noprint=1; 52: } 53: 54: # Read in /etc/passwd, and make sure this process is running from user=www 55: open (IN, "</etc/passwd"); 56: my @lines=<IN>; 57: close IN; 58: my $wwwid; 59: for my $l (@lines) { 60: chop $l; 61: my @F=split(/\:/,$l); 62: if ($F[0] eq 'www') {$wwwid=$F[2];} 63: } 64: if ($wwwid!=$<) { 65: print("User ID mismatch. This program must be run as user 'www'\n") unless $noprint; 66: exit 1; 67: } 68: &disable_root_capability; 69: 70: # Handle case of another lcpasswd process 71: unless (&try_to_lock("/tmp/lock_lcpasswd")) { 72: print "Error. Too many other simultaneous password change requests being made.\n" unless $noprint; 73: exit 4; 74: } 75: 76: # Gather input. Should only be 1 value (user name). 77: my @input; 78: if (@ARGV==1) { 79: @input=@ARGV; 80: } 81: elsif (@ARGV) { 82: print("Error. This program needs just 1 command-line argument (username).\n") unless $noprint; 83: unlink('/tmp/lock_lcpasswd'); 84: exit 2; 85: } 86: else { 87: @input=<>; 88: if (@input!=1) { 89: print("Error. Only one line should be entered into standard input.\n") unless $noprint; 90: unlink('/tmp/lock_lcpasswd'); 91: exit 3; 92: } 93: map {chop} @input; 94: } 95: 96: my ($username)=@input; 97: $username=~/^(\w+)$/; 98: my $safeusername=$1; 99: 100: &enable_root_capability; 101: 102: # By using the system userdel command: 103: # Remove entry from /etc/passwd if it exists 104: # Remove entry from /etc/groups if it exists 105: # I surround with groupdel command to make absolutely sure the group definition disappears. 106: system('/usr/sbin/groupdel 2>/dev/null',$safeusername); # ignore error message 107: system('/usr/sbin/userdel 2>/dev/null',$safeusername); # ignore error message 108: system('/usr/sbin/groupdel 2>/dev/null',$safeusername); # ignore error message 109: 110: # Remove entry from /etc/smbpasswd if it exists 111: my $oldsmbpasswd=`/bin/cat /etc/smbpasswd`; 112: my $newsmbpasswd=`/bin/grep -v '^${safeusername}:' /etc/smbpasswd`; 113: 114: if ($oldsmbpasswd ne $newsmbpasswd) { 115: open OUT,">/etc/smbpasswd"; 116: print OUT $newsmbpasswd; 117: close OUT; 118: } 119: 120: # Change ownership on directory from username:username to www:www 121: # This prevents subsequently added users from having access. 122: 123: system('/bin/chown','-R','www:www',"/home/$safeusername"); 124: 125: &disable_root_capability; 126: unlink("/tmp/lock_lcpasswd"); 127: exit 0; 128: 129: # ----------------------------------------------------------- have setuid script run as root 130: sub enable_root_capability { 131: if ($wwwid==$>) { 132: ($<,$>)=($>,$<); 133: ($(,$))=($),$(); 134: } 135: else { 136: # root capability is already enabled 137: } 138: return $>; 139: } 140: 141: # ----------------------------------------------------------- have setuid script run as www 142: sub disable_root_capability { 143: if ($wwwid==$<) { 144: ($<,$>)=($>,$<); 145: ($(,$))=($),$(); 146: } 147: else { 148: # root capability is already disabled 149: } 150: } 151: 152: # ----------------------------------- make sure that another lcpasswd process isn't running 153: sub try_to_lock { 154: my ($lockfile)=@_; 155: my $currentpid; 156: my $lastpid; 157: # Do not manipulate lock file as root 158: if ($>==0) { 159: return 0; 160: } 161: # Try to generate lock file. 162: # Wait 3 seconds. If same process id is in 163: # lock file, then assume lock file is stale, and 164: # go ahead. If process id's fluctuate, try 165: # for a maximum of 10 times. 166: for (0..10) { 167: if (-e $lockfile) { 168: open(LOCK,"<$lockfile"); 169: $currentpid=<LOCK>; 170: close LOCK; 171: if ($currentpid==$lastpid) { 172: last; 173: } 174: sleep 3; 175: $lastpid=$currentpid; 176: } 177: else { 178: last; 179: } 180: if ($_==10) { 181: return 0; 182: } 183: } 184: open(LOCK,">$lockfile"); 185: print LOCK $$; 186: close LOCK; 187: return 1; 188: } 189: 190: