loncom/lcuserdel - view

File: [LON-CAPA] / loncom / lcuserdel
Revision 1.5: download - view: text, annotated - select for diffs
Sun Oct 29 17:57:26 2000 UTC (23 years, 6 months ago) by harris41
Branches: MAIN
CVS tags: HEAD

the script is complete now, but there remain some syntax errors
upon program execution -Scott

1: #!/usr/bin/perl 2: # 3: # lcuserdel 4: # 5: # Scott Harrison 6: # SH: October 27, 2000 7: # SH: October 28, 2000 8: # SH: October 29, 2000 9: 10: use strict; 11: 12: # This script is a setuid script (chmod 6755) that should 13: # be run by user 'www'. It DOES NOT delete directories. 14: # All it does is remove a user's entries from 15: # /etc/passwd, /etc/groups, and /etc/smbpasswd. 16: # It also disables user directory access by making the directory 17: # to be owned by user=www (as opposed to the former "username"). 18: # This command only returns an error if it is 19: # invoked incorrectly (by passing bad command-line arguments, etc). 20: 21: # This script works under the same process control mechanism 22: # as lcuseradd and lcpasswd, to make sure that only one of these 23: # processes is running at any one time on the system. 24: 25: # Standard input usage 26: # First line is USERNAME 27: 28: # Command-line arguments [USERNAME] 29: # Yes, but be very careful here (don't pass shell commands) 30: # and this is only supported to allow perl-system calls. 31: 32: # Usage within code 33: # 34: # $exitcode=system("/home/httpd/perl/lcuserdel","NAME")/256; 35: # print "uh-oh" if $exitcode; 36: 37: # These are the exit codes. 38: 39: # Security 40: $ENV{'PATH'}=""; # Nullify path information. 41: $ENV{'BASH_ENV'}=""; # Nullify shell environment information. 42: 43: # Do not print error messages if there are command-line arguments 44: my $noprint=0; 45: if (@ARGV) { 46: $noprint=1; 47: } 48: 49: # Read in /etc/passwd, and make sure this process is running from user=www 50: open (IN, "</etc/passwd"); 51: my @lines=<IN>; 52: close IN; 53: my $wwwid; 54: for my $l (@lines) { 55: chop $l; 56: my @F=split(/\:/,$l); 57: if ($F[0] eq 'www') {$wwwid=$F[2];} 58: } 59: if ($wwwid!=$<) { 60: print("User ID mismatch. This program must be run as user 'www'\n") unless $noprint; 61: exit 1; 62: } 63: &disable_root_capability; 64: 65: # Handle case of another lcpasswd process 66: unless (&try_to_lock("/tmp/lock_lcpasswd")) { 67: print "Error. Too many other simultaneous password change requests being made.\n" unless $noprint; 68: exit 4; 69: } 70: 71: # Gather input. Should only be 1 value (user name). 72: my @input; 73: if (@ARGV==1) { 74: @input=@ARGV; 75: } 76: elsif (@ARGV) { 77: print("Error. This program needs just 1 command-line argument (username).\n") unless $noprint; 78: exit 2; 79: } 80: else { 81: @input=<>; 82: if (@input!=1) { 83: print("Error. Only one line should be entered into standard input.\n") unless $noprint; 84: exit 3; 85: } 86: map {chop} @input; 87: } 88: 89: my ($username)=@input; 90: $username=~/^(\w+)$/; 91: my $safeusername=$1; 92: 93: &enable_root_capability; 94: 95: # By using the system userdel command: 96: # Remove entry from /etc/passwd if it exists 97: # Remove entry from /etc/groups if it exists 98: system('/usr/sbin/userdel',$safeusername); # ignore error message 99: system('/usr/sbin/groupdel',$safeusername); # ignore error message 100: 101: # Remove entry from /etc/smbpasswd if it exists 102: my $oldsmbpasswd=`/bin/cat /etc/smbpasswd`; 103: my $newsmbpasswd=`/bin/grep -v '^${safeusername}:' /etc/smbpasswd`; 104: 105: if ($oldsmbpasswd ne $newsmbpasswd) { 106: open OUT,">/etc/smbpasswd"; 107: print OUT $newsmbpasswd; 108: close OUT; 109: 110: # Change ownership on directory from username:username to www:www 111: # This prevents subsequently added users from having access. 112: 113: system('/bin/chown','-R','www:www',"/home/$safeusername"); 114: 115: &disable_root_capability; 116: unlink("/tmp/lock_lcpasswd"); 117: exit 0; 118: 119: # ----------------------------------------------------------- have setuid script run as root 120: sub enable_root_capability { 121: if ($wwwid==$>) { 122: ($<,$>)=($>,$<); 123: ($(,$))=($),$(); 124: } 125: else { 126: # root capability is already enabled 127: } 128: return $>; 129: } 130: 131: # ----------------------------------------------------------- have setuid script run as www 132: sub disable_root_capability { 133: if ($wwwid==$<) { 134: ($<,$>)=($>,$<); 135: ($(,$))=($),$(); 136: } 137: else { 138: # root capability is already disabled 139: } 140: } 141: 142: # ----------------------------------- make sure that another lcpasswd process isn't running 143: sub try_to_lock { 144: my ($lockfile)=@_; 145: my $currentpid; 146: my $lastpid; 147: # Do not manipulate lock file as root 148: if ($>==0) { 149: return 0; 150: } 151: # Try to generate lock file. 152: # Wait 3 seconds. If same process id is in 153: # lock file, then assume lock file is stale, and 154: # go ahead. If process id's fluctuate, try 155: # for a maximum of 10 times. 156: for (0..10) { 157: if (-e $lockfile) { 158: open(LOCK,"<$lockfile"); 159: $currentpid=<LOCK>; 160: close LOCK; 161: if ($currentpid==$lastpid) { 162: last; 163: } 164: sleep 3; 165: $lastpid=$currentpid; 166: } 167: else { 168: last; 169: } 170: if ($_==10) { 171: return 0; 172: } 173: } 174: open(LOCK,">$lockfile"); 175: print LOCK $$; 176: close LOCK; 177: return 1; 178: } 179: 180: