[BACK]Return to lcuseradd CVS log [TXT] [DIR] Up to [LON-CAPA] / loncom

Diff for /loncom/Attic/lcuseradd between versions 1.1 and 1.12

version 1.1, 2000/10/27 23:42:33 version 1.12, 2000/10/30 03:08:28
Line 12  use strict; Line 12  use strict;
 # as well as a /home/USERNAME/public_html directory.  # as well as a /home/USERNAME/public_html directory.
 # It adds user entries to  # It adds user entries to
 # /etc/passwd and /etc/groups.  # /etc/passwd and /etc/groups.
 # Passwords are set with lcpasswd  # Passwords are set with lcpasswd.
   # www becomes a member of this user group.
   
 # Standard input usage  # Standard input usage
 # First line is USERNAME  # First line is USERNAME
 # Second line is PASSWORD  # Second line is PASSWORD
   # Third line is PASSWORD
   
 # Command-line arguments [USERNAME] [PASSWORD]  # Valid passwords must consist of the
   # ascii characters within the inclusive
   # range of 0x20 (32) to 0x7E (126).
   # These characters are:
   # SPACE and
   # !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNO
   # PQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
   
   # Valid user names must consist of ascii
   # characters that are alphabetical characters
   # (A-Z,a-z), numeric (0-9), or the underscore
   # mark (_). (Essentially, the perl regex \w).
   
   # Command-line arguments [USERNAME] [PASSWORD] [PASSWORD]
 # Yes, but be very careful here (don't pass shell commands)  # Yes, but be very careful here (don't pass shell commands)
 # and this is only supported to allow perl-system calls.  # and this is only supported to allow perl-system calls.
   
   # Usage within code
   #
   # $exitcode=system("/home/httpd/perl/lcuseradd","NAME","PASSWORD1","PASSWORD2")/256;
   # print "uh-oh" if $exitcode;
   
   # These are the exit codes.
   
 # Security  # Security
 $ENV{'PATH'}=""; # Nullify path information.  $ENV{'PATH'}=""; # Nullify path information.
 $ENV{'BASH_ENV'}=""; # Nullify shell environment information.  $ENV{'BASH_ENV'}=""; # Nullify shell environment information.
   
   # Do not print error messages if there are command-line arguments
   my $noprint=0;
   if (@ARGV) {
       $noprint=1;
   }
   
   # Read in /etc/passwd, and make sure this process is running from user=www
   open (IN, "</etc/passwd");
   my @lines=<IN>;
   close IN;
   my $wwwid;
   for my $l (@lines) {
       chop $l;
       my @F=split(/\:/,$l);
       if ($F[0] eq 'www') {$wwwid=$F[2];}
   }
   if ($wwwid!=$<) {
       print("User ID mismatch.  This program must be run as user 'www'\n") unless $noprint;
       exit 1;
   }
   &disable_root_capability;
   
   # Handle case of another lcpasswd process
   unless (&try_to_lock("/tmp/lock_lcpasswd")) {
       print "Error. Too many other simultaneous password change requests being made.\n" unless $noprint;
       exit 4;
   }
   
   # Gather input.  Should be 3 values (user name, password 1, password 2).
   my @input;
   if (@ARGV==3) {
       @input=@ARGV;
   }
   elsif (@ARGV) {
       print("Error. This program needs 3 command-line arguments (username, password 1, password 2).\n") unless $noprint;
       unlink('/tmp/lock_lcpasswd');
       exit 2;
   }
   else {
       @input=<>;
       if (@input!=3) {
    print("Error. Three lines should be entered into standard input.\n") unless $noprint;
    unlink('/tmp/lock_lcpasswd');
    exit 3;
       }
       map {chop} @input;
   }
   
   my ($username,$password1,$password2)=@input;
   $username=~/^(\w+)$/;
   my $safeusername=$1;
   if ($username ne $safeusername) {
       print "Error. The user name specified has invalid characters.\n";
       unlink('/tmp/lock_lcpasswd');
       exit 9;
   }
   my $pbad=0;
   map {if ((ord($_)<32)||(ord($_)>126)){$pbad=1;}} (split(//,$password1));
   map {if ((ord($_)<32)||(ord($_)>126)){$pbad=1;}} (split(//,$password2));
   if ($pbad) {
       print "Error. A password entry had an invalid character.\n";
       unlink('/tmp/lock_lcpasswd');
       exit 10;
   }
   
   # Only add user if we can create a brand new home directory (/home/username).
   if (-e "/home/$safeusername") {
       print "Error. User already exists.\n" unless $noprint;
       unlink('/tmp/lock_lcpasswd');
       exit 8;
   }
   
   # Only add user if the two password arguments match.
   if ($password1 ne $password2) {
       print "Error. Password mismatch.\n" unless $noprint;
       unlink('/tmp/lock_lcpasswd');
       exit 7;
   }
   
   &enable_root_capability;
   
   # Add user entry to /etc/passwd and /etc/groups in such
   # a way that www is a member of the user-specific group
   
   if (system('/usr/sbin/useradd','-c','LON-CAPA user',$safeusername)) {
       print "Error.  Something went wrong with the addition of user \"$safeusername\".\n" unless $noprint;
       unlink('/tmp/lock_lcpasswd');
       exit 5;
   }
   
   # Make www a member of that user group.
   if (system('/usr/sbin/usermod','-G',$safeusername,'www')) {
       print "Error. Could not make www a member of the group \"$safeusername\".\n" unless $noprint;
       unlink('/tmp/lock_lcpasswd');
       exit 6;
   }
   
   # Set password with lcpasswd-style algorithm (which creates smbpasswd entry).
   # I cannot place a direct shell call to lcpasswd since I have to allow
   # for crazy characters in the password, and the setuid environment of perl
   # requires me to make everything safe.
   
   # Grab the line corresponding to username
   open (IN, "</etc/passwd");
   @lines=<IN>;
   close IN;
   my ($userid,$useroldcryptpwd);
   my @F; my @U;
   for my $l (@lines) {
       chop $l;
       @F=split(/\:/,$l);
       if ($F[0] eq $username) {($userid,$useroldcryptpwd)=($F[2],$F[1]); @U=@F;}
   }
   
   # Verify existence of user
   if (!defined($userid)) {
       print "Error. User $username does not exist.\n" unless $noprint;
       unlink('/tmp/lock_lcpasswd');
       exit 5;
   }
   
   # Construct new password entry (random salt)
   my $newcryptpwd=crypt($password1,(join '', ('.', '/', 0..9, 'A'..'Z', 'a'..'z')[rand 64, rand 64]));
   $U[1]=$newcryptpwd;
   my $userline=join(':',@U);
   my $rootid=&enable_root_capability;
   if ($rootid!=0) {
       print "Error.  Root was not successfully enabled.\n" unless $noprint;
       unlink('/tmp/lock_lcpasswd');
       exit 7;
   }
   open PASSWORDFILE, '>/etc/passwd' or (print("Error.  Cannot open /etc/passwd.\n") && unlink('/tmp/lock_lcpasswd') && exit(8));
   for my $l (@lines) {
       @F=split(/\:/,$l);
       if ($F[0] eq $username) {print PASSWORDFILE "$userline\n";}
       else {print PASSWORDFILE "$l\n";}
   }
   close PASSWORDFILE;
   
   ($>,$<)=(0,0); # fool smbpasswd here to think this is not a setuid environment
   unless (-e '/etc/smbpasswd') {
       open (OUT,'>/etc/smbpasswd'); close OUT;
   }
   my $smbexist=0;
   open (IN, '</etc/smbpasswd');
   my @lines=<IN>;
   close IN;
   for my $l (@lines) {
       chop $l;
       my @F=split(/\:/,$l);
       if ($F[0] eq $username) {$smbexist=1;}
   }
   unless ($smbexist) {
       open(OUT,'>>/etc/smbpasswd');
       print OUT join(':',($safeusername,$userid,'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX','','/home/'.$safeusername,'/bin/bash')) . "\n";
       close OUT;
   }
   open(OUT,"|/usr/bin/smbpasswd -s $safeusername>/dev/null");
   print OUT $password1; print OUT "\n";
   print OUT $password1; print OUT "\n";
   close OUT;
   $<=$wwwid; # unfool the program
   
   # Make final modifications to the user directory.
   # Add a public_html file with a stand-in index.html file.
   
   system('/bin/chmod','-R','0660',"/home/$safeusername");
   system('/bin/chmod','0770',"/home/$safeusername");
   mkdir "/home/$safeusername/public_html",0770;
   open OUT,">/home/$safeusername/public_html/index.html";
   print OUT<<END;
   <HTML>
   <HEAD>
   <TITLE>$safeusername</TITLE>
   </HEAD>
   <BODY>
   <H1>$safeusername</H1>
   <P>
   Learning Online Network
   </P>
   <P>
   This area provides for:
   </P>
   <UL>
   <LI>resource construction
   <LI>resource publication
   <LI>record-keeping
   </UL>
   </BODY>
   </HTML>
   END
   close OUT;
   system('/bin/chown','-R',"$safeusername:$safeusername","/home/$safeusername");
   &disable_root_capability;
   unlink('/tmp/lock_lcpasswd');
   exit 0;
   
   # ----------------------------------------------------------- have setuid script run as root
   sub enable_root_capability {
       if ($wwwid==$>) {
    ($<,$>)=($>,$<);
    ($(,$))=($),$();
       }
       else {
    # root capability is already enabled
       }
       return $>;
   }
   
   # ----------------------------------------------------------- have setuid script run as www
   sub disable_root_capability {
       if ($wwwid==$<) {
    ($<,$>)=($>,$<);
    ($(,$))=($),$();
       }
       else {
    # root capability is already disabled
       }
   }
   
   # ----------------------------------- make sure that another lcpasswd process isn't running
   sub try_to_lock {
       my ($lockfile)=@_;
       my $currentpid;
       my $lastpid;
       # Do not manipulate lock file as root
       if ($>==0) {
    return 0;
       }
       # Try to generate lock file.
       # Wait 3 seconds.  If same process id is in
       # lock file, then assume lock file is stale, and
       # go ahead.  If process id's fluctuate, try
       # for a maximum of 10 times.
       for (0..10) {
    if (-e $lockfile) {
       open(LOCK,"<$lockfile");
       $currentpid=<LOCK>;
       close LOCK;
       if ($currentpid==$lastpid) {
    last;
       }
       sleep 3;
       $lastpid=$currentpid;
    }
    else {
       last;
    }
    if ($_==10) {
       return 0;
    }
       }
       open(LOCK,">$lockfile");
       print LOCK $$;
       close LOCK;
       return 1;
   }
Removed from v.1.1  
changed lines
  Added in v.1.12

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>