--- loncom/Attic/lcuseradd 2000/10/27 23:42:33 1.1
+++ loncom/Attic/lcuseradd 2001/10/23 03:42:30 1.15
@@ -3,26 +3,316 @@
# lcuseradd
#
# Scott Harrison
-# October 27, 2000
+# SH: October 27, 2000
+# SH: October 29, 2000
+# YEAR=2001
+# Scott Harrison 10/21
+
+###############################################################################
+## ##
+## ORGANIZATION OF THIS PERL SCRIPT ##
+## ##
+## 1. Description of script ##
+## 2. Invoking script (standard input) ##
+## 3. Example usage inside another piece of code ##
+## 4. Description of functions ##
+## 5. Exit codes ##
+## 6. Initializations ##
+## 7. Make sure this process is running from user=www ##
+## 8. Start running script with www permissions ##
+## 9. Handle case of another lcpasswd process (locking) ##
+## 10. Error-check input, need 3 values (user name, password 1, password 2) ##
+## 11. Start running script with root permissions ##
+## 12. Add user and make www a member of the user-specific group ##
+## 13. Set password ##
+## 14. Make final modifications to the user directory ##
+## 15. Exit script (unlock) ##
+## ##
+###############################################################################
use strict;
+# ------------------------------------------------------- Description of script
+#
# This script is a setuid script that should
# be run by user 'www'. It creates a /home/USERNAME directory
# as well as a /home/USERNAME/public_html directory.
-# It adds user entries to
-# /etc/passwd and /etc/groups.
-# Passwords are set with lcpasswd
+# It adds a user to the unix system.
+# Passwords are set with lcpasswd.
+# www becomes a member of this user group.
-# Standard input usage
+# -------------- Invoking script (standard input versus command-line arguments)
+#
+# Standard input (STDIN) usage
# First line is USERNAME
# Second line is PASSWORD
-
-# Command-line arguments [USERNAME] [PASSWORD]
+# Third line is PASSWORD
+#
+# Command-line arguments [USERNAME] [PASSWORD] [PASSWORD]
# Yes, but be very careful here (don't pass shell commands)
# and this is only supported to allow perl-system calls.
+#
+# Valid passwords must consist of the
+# ascii characters within the inclusive
+# range of 0x20 (32) to 0x7E (126).
+# These characters are:
+# SPACE and
+# !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNO
+# PQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
+#
+# Valid user names must consist of ascii
+# characters that are alphabetical characters
+# (A-Z,a-z), numeric (0-9), or the underscore
+# mark (_). (Essentially, the perl regex \w).
+# User names must begin with an alphabetical character
+# (A-Z,a-z).
+# ---------------------------------- Example usage inside another piece of code
+# Usage within code
+#
+# $exitcode=
+# system("/home/httpd/perl/lcuseradd","NAME","PASSWORD1","PASSWORD2")/256;
+# print "uh-oh" if $exitcode;
+
+# ---------------------------------------------------- Description of functions
+# enable_root_capability() : have setuid script run as root
+# disable_root_capability() : have setuid script run as www
+# try_to_lock() : make sure that another lcpasswd process isn't running
+
+# ------------------------------------------------------------------ Exit codes
+# These are the exit codes.
+# ( (0,"ok"),
+# (1,"User ID mismatch. This program must be run as user 'www'"),
+# (2,"Error. This program needs 3 command-line arguments (username, ".
+# "password 1, password 2)."),
+# (3,"Error. Three lines should be entered into standard input."),
+# (4,"Error. Too many other simultaneous password change requests being ".
+# "made."),
+# (5,"Error. User $username does not exist."),
+# (6,"Error. Could not make www a member of the group \"$safeusername\"."),
+# (7,"Error. Root was not successfully enabled.),
+# (8,"Error. Cannot set password."),
+# (9,"Error. The user name specified has invalid characters."),
+# (10,"Error. A password entry had an invalid character."),
+# (11,"Error. User already exists.),
+# (12,"Error. Something went wrong with the addition of user ".
+# "\"$safeusername\"."),
+# (13,"Error. Password mismatch."),
+
+# ------------------------------------------------------------- Initializations
# Security
-$ENV{'PATH'}=""; # Nullify path information.
+$ENV{'PATH'}='/bin/:/usr/bin:/usr/local/sbin:/home/httpd/perl'; # Nullify path
+ # information
$ENV{'BASH_ENV'}=""; # Nullify shell environment information.
+# Do not print error messages.
+my $noprint=1;
+
+# ----------------------------- Make sure this process is running from user=www
+my $wwwid=getpwnam('www');
+&disable_root_capability;
+if ($wwwid!=$>) {
+ print("User ID mismatch. This program must be run as user 'www'\n")
+ unless $noprint;
+ exit 1;
+}
+
+# ----------------------------------- Start running script with www permissions
+&disable_root_capability;
+
+# --------------------------- Handle case of another lcpasswd process (locking)
+unless (&try_to_lock("/tmp/lock_lcpasswd")) {
+ print "Error. Too many other simultaneous password change requests being ".
+ "made.\n" unless $noprint;
+ exit 4;
+}
+
+# ------- Error-check input, need 3 values (user name, password 1, password 2).
+my @input;
+if (@ARGV==3) {
+ @input=@ARGV;
+}
+elsif (@ARGV) {
+ print("Error. This program needs 3 command-line arguments (username, ".
+ "password 1, password 2).\n") unless $noprint;
+ unlink('/tmp/lock_lcpasswd');
+ exit 2;
+}
+else {
+ @input=<>;
+ if (@input!=3) {
+ print("Error. Three lines should be entered into standard input.\n")
+ unless $noprint;
+ unlink('/tmp/lock_lcpasswd');
+ exit 3;
+ }
+ map {chomp} @input;
+}
+
+my ($username,$password1,$password2)=@input;
+$username=~/^(\w+)$/;
+my $safeusername=$1;
+if (($username ne $safeusername) or ($safeusername!~/^[A-Za-z]/)) {
+ print "Error. The user name specified has invalid characters.\n"
+ unless $noprint;
+ unlink('/tmp/lock_lcpasswd');
+ exit 9;
+}
+my $pbad=0;
+map {if ((ord($_)<32)||(ord($_)>126)){$pbad=1;}} (split(//,$password1));
+map {if ((ord($_)<32)||(ord($_)>126)){$pbad=1;}} (split(//,$password2));
+if ($pbad) {
+ print "Error. A password entry had an invalid character.\n";
+ unlink('/tmp/lock_lcpasswd');
+ exit 10;
+}
+
+# -- Only add user if we can create a brand new home directory (/home/username)
+if (-e "/home/$safeusername") {
+ print "Error. User already exists.\n" unless $noprint;
+ unlink('/tmp/lock_lcpasswd');
+ exit 11;
+}
+
+# -- Only add user if the two password arguments match.
+if ($password1 ne $password2) {
+ print "Error. Password mismatch.\n" unless $noprint;
+ unlink('/tmp/lock_lcpasswd');
+ exit 13;
+}
+
+# ---------------------------------- Start running script with root permissions
+&enable_root_capability;
+
+# ------------------- Add user and make www a member of the user-specific group
+# -- Add user
+if (system('/usr/sbin/useradd','-c','LON-CAPA user',$safeusername)) {
+ print "Error. Something went wrong with the addition of user ".
+ "\"$safeusername\".\n" unless $noprint;
+ unlink('/tmp/lock_lcpasswd');
+ exit 12;
+}
+
+# Make www a member of that user group.
+if (system('/usr/sbin/usermod','-G',$safeusername,'www')) {
+ print "Error. Could not make www a member of the group ".
+ "\"$safeusername\".\n" unless $noprint;
+ unlink('/tmp/lock_lcpasswd');
+ exit 6;
+}
+
+# ---------------------------------------------------------------- Set password
+# Set password with lcpasswd (which creates smbpasswd entry).
+
+unlink('/tmp/lock_lcpasswd');
+&disable_root_capability;
+($>,$<)=(500,500);
+open OUT,"|lcpasswd";
+print OUT $safeusername;
+print OUT "\n";
+print OUT $password1;
+print OUT "\n";
+print OUT $password1;
+print OUT "\n";
+close OUT;
+($>,$<)=(500,0);
+if ($?) {
+ exit 8;
+}
+&enable_root_capability;
+
+# ------------------------------ Make final modifications to the user directory
+# -- Add a public_html file with a stand-in index.html file
+
+# system('/bin/chmod','-R','0660',"/home/$safeusername");
+system('/bin/chmod','0710',"/home/$safeusername");
+mkdir "/home/$safeusername/public_html",2760;
+open OUT,">/home/$safeusername/public_html/index.html";
+print OUT<<END;
+<html>
+<head>
+<title>$safeusername</title>
+</head>
+<body>
+<h1>$safeusername</h1>
+<p>
+Learning Online Network
+</p>
+<p>
+This area provides for:
+</p>
+<ul>
+<li>resource construction</li>
+<li>resource publication</li>
+<li>record-keeping</li>
+</UL>
+</BODY>
+</HTML>
+END
+close OUT;
+system('/bin/chown','-R',"$safeusername:$safeusername","/home/$safeusername");
+
+# -------------------------------------------------------- Exit script
+&disable_root_capability;
+exit 0;
+
+# ---------------------------------------------- Have setuid script run as root
+sub enable_root_capability {
+ if ($wwwid==$>) {
+ ($<,$>)=($>,$<);
+ ($(,$))=($),$();
+ }
+ else {
+ # root capability is already enabled
+ }
+ return $>;
+}
+
+# ----------------------------------------------- Have setuid script run as www
+sub disable_root_capability {
+ if ($wwwid==$<) {
+ ($<,$>)=($>,$<);
+ ($(,$))=($),$();
+ }
+ else {
+ # root capability is already disabled
+ }
+}
+
+# ----------------------- Make sure that another lcpasswd process isn't running
+sub try_to_lock {
+ my ($lockfile)=@_;
+ my $currentpid;
+ my $lastpid;
+ # Do not manipulate lock file as root
+ if ($>==0) {
+ return 0;
+ }
+ # Try to generate lock file.
+ # Wait 3 seconds. If same process id is in
+ # lock file, then assume lock file is stale, and
+ # go ahead. If process id's fluctuate, try
+ # for a maximum of 10 times.
+ for (0..10) {
+ if (-e $lockfile) {
+ open(LOCK,"<$lockfile");
+ $currentpid=<LOCK>;
+ close LOCK;
+ if ($currentpid==$lastpid) {
+ last;
+ }
+ sleep 3;
+ $lastpid=$currentpid;
+ }
+ else {
+ last;
+ }
+ if ($_==10) {
+ return 0;
+ }
+ }
+ open(LOCK,">$lockfile");
+ print LOCK $$;
+ close LOCK;
+ return 1;
+}