--- loncom/Attic/lchtmldir 2005/01/26 12:13:58 1.15
+++ loncom/Attic/lchtmldir 2010/10/12 09:53:45 1.22
@@ -2,6 +2,8 @@
# The Learning Online Network with CAPA
#
+# $Id: lchtmldir,v 1.22 2010/10/12 09:53:45 foxr Exp $
+#
# Copyright Michigan State University Board of Trustees
#
# This file is part of the LearningOnline Network with CAPA (LON-CAPA).
@@ -41,7 +43,7 @@
# NSCL
# Michigan State University8
# East Lansing, MI 48824-1321
-
+#
# General flow of control:
# 1. Validate process state (must be run as www).
# 2. Validate parameters: Need two parameters:
@@ -61,7 +63,7 @@
# - internal - www:www/2775
# - local - www:www/2775
#
-
+#
#
# Take a few precautions to be sure that we're not vulnerable to trojan
# horses and other fine issues:
@@ -70,11 +72,13 @@ use strict;
use Fcntl qw(:mode);
use DirHandle;
use POSIX;
+use lib '/home/httpd/lib/perl/';
+use LONCAPA qw(:match);
$ENV{'PATH'} = '/bin:/usr/bin:/usr/local/sbin:/home/httpd/perl';
delete @ENV{qw{IFS CDPATH ENV BASH_ENV}};
-my $DEBUG = 1; # .nonzero -> Debug printing enabled.
+my $DEBUG = 0; # .nonzero -> Debug printing enabled.
my $path_sep = "/"; # Unix like operating systems.
@@ -84,8 +88,8 @@ if ($DEBUG) {
print("Checking uid...\n");
}
my $wwwid = getpwnam('www');
-&DisableRoot;
-if($wwwid != $>) {
+
+if($wwwid != $<) {
if ($DEBUG) {
print("User ID incorrect. This program must be run as user 'www'\n");
}
@@ -125,14 +129,14 @@ if( $authentication ne "unix:" &&
$authentication ne "localauth:") {
if($DEBUG) {
print("Invalid authentication parameter: ".$authentication."\n");
- print("Should be one of: unix, internal, krb4, localauth\n");
+ print("Should be one of-- unix: internal: krb4: krb5: localauth:\n");
}
exit 3;
}
# Untaint the username.
-my $match = $username =~ /^(\w+)$/;
+my $match = $username =~ /^($match_username)$/;
my $patt = $1;
if($DEBUG) {
@@ -144,7 +148,7 @@ my $safeuser = $patt;
if($DEBUG) {
print("Save username = $safeuser \n");
}
-if(($username ne $safeuser) or ($safeuser!~/^[A-za-z]/)) {
+if($username ne $safeuser) {
if($DEBUG) {
print("User name $username had illegal characters\n");
}
@@ -154,39 +158,57 @@ if(($username ne $safeuser) or ($safeuse
#untaint the base directory require that the dir contain only
# alphas, / numbers or underscores, and end in /$safeuser
-$dir =~ /(^([\w\/]+))/;
-my $dirtry1 = $1;
-$dir =~ /$\/$safeuser/;
-my $dirtry2 = $1;
+my ($allowed_dir) = ($dir =~ m{(^([/]|$match_username)+)});
-if(($dirtry1 ne $dir) or ($dirtry2 ne $dir)) {
+my $has_correct_end = ($dir =~ m{/\Q$safeuser\E$});
+
+if(($allowed_dir ne $dir) or (!$has_correct_end)) {
if ($DEBUG) {
print("Directory $dir is not a valid home for $safeuser\n");
}
exit 5;
}
-
# As root, create the directory.
-my $homedir = $dirtry1;
+my $homedir = $allowed_dir;
my $fulldir = $homedir."/public_html";
if($DEBUG) {
print("Full directory path is: $fulldir \n");
}
-if(!( -e $dirtry1)) {
+if(!( -e $homedir)) {
if($DEBUG) {
- print("User's home directory $dirtry1 does not exist\n");
+ print("User's home directory $homedir does not exist\n");
}
if ($authentication eq "unix:") {
exit 6;
}
}
+if ($authentication eq "unix:") {
+ # check whether group $safeuser exists.
+ my $usergroups = `id -nG $safeuser`;
+ if (! grep /^$safeuser$/, split(/\s+/,$usergroups)) {
+ if($DEBUG) {
+ print("Group \"$safeuser\" does not exist or $safeuser is not a member of that group.\n");
+ }
+ exit 7;
+ }
+}
+
+
+
&EnableRoot;
+# If authentication is internal and the top level directory exists
+# give it the right permissions (in case this is a modification.
+
+if ($authentication eq "internal:") {
+ chmod(0711, $homedir); # so www can enter ~/public_html.
+}
+
&System("/bin/mkdir -p $fulldir") unless (-e $fulldir);
unless(-e $fulldir."/index.html") {
open OUT,">".$fulldir."/index.html";