--- loncom/Attic/lcuseradd 2004/08/06 10:29:37 1.28
+++ loncom/Attic/lcuseradd 2006/08/25 21:25:22 1.39
@@ -6,7 +6,7 @@
# with adding a user with filesystem privileges (e.g. author)
#
#
-# $Id: lcuseradd,v 1.28 2004/08/06 10:29:37 foxr Exp $
+# $Id: lcuseradd,v 1.39 2006/08/25 21:25:22 albertel Exp $
###
###############################################################################
@@ -32,6 +32,8 @@
###############################################################################
use strict;
+use File::Find;
+
# ------------------------------------------------------- Description of script
#
@@ -107,7 +109,8 @@ use strict;
# (12,"Error. Something went wrong with the addition of user ".
# "\"$safeusername\"."),
# (13,"Error. Password mismatch."),
-# (14, "Error filename is invalid")
+# (14, "Error filename is invalid"),
+# (15, "Error. Could not add home directory.")
# ------------------------------------------------------------- Initializations
# Security
@@ -118,10 +121,6 @@ delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}
# Do not print error messages.
my $noprint=1;
-# Error file:
-
-my $error_file; # This is either the error file name or undef.
-
print "In lcuseradd\n" unless $noprint;
# ----------------------------- Make sure this process is running from user=www
@@ -214,13 +213,20 @@ if($error_file) {
}
-# -- Only add user if we can create a brand new home directory (/home/username)
-if (-e "/home/$safeusername") {
- print "Error. User already exists.\n" unless $noprint;
+# -- Only add the user if they are >not< in /etc/passwd.
+# Used to look for the ability to create a new directory for the
+# user, however that disallows authentication changes from i
+# internal->fs.. so just check the passwd file instead.
+#
+my $not_found = system("cut -d: -f1 /etc/passwd | grep -q \"^$safeusername\$\" ");
+if (!$not_found) {
+ print "Error user already exists\n" unless $noprint;
unlink('/tmp/lock_lcpasswd');
&Exit(11);
}
+
+
# -- Only add user if the two password arguments match.
if ($password1 ne $password2) {
@@ -232,29 +238,44 @@ print "enabling root\n" unless $noprint;
# ---------------------------------- Start running script with root permissions
&enable_root_capability;
-# ------------------- Add user and make www a member of the user-specific group
+# ------------------- Add group and user, and make www a member of the group
+# -- Add group
+
+print "adding group: $safeusername \n" unless $noprint;
+my $status = system('/usr/sbin/groupadd', $safeusername);
+if ($status) {
+ print "Error. Something went wrong with the addition of group ".
+ "\"$safeusername\".\n" unless $noprint;
+ print "Final status of groupadd = $status\n";
+ unlink('/tmp/lock_lcpasswd');
+ &Exit(12);
+}
+my $gid = getgrnam($safeusername);
+
# -- Add user
print "adding user: $safeusername \n" unless $noprint;
-my $status = system('/usr/sbin/useradd','-c','LON-CAPA user',$safeusername);
+my $status = system('/usr/sbin/useradd','-c','LON-CAPA user','-g',$gid,$safeusername);
if ($status) {
print "Error. Something went wrong with the addition of user ".
"\"$safeusername\".\n" unless $noprint;
- print "Final status of useradd = $status";
+ system("/usr/sbin/groupdel $safeusername");
+ print "Final status of useradd = $status\n";
unlink('/tmp/lock_lcpasswd');
&Exit(12);
}
+
print "Done adding user\n" unless $noprint;
# Make www a member of that user group.
my $groups=`/usr/bin/groups www` or &Exit(6);
# untaint
-my ($safegroups)=($groups=~/([\s\w]+)/);
+my ($safegroups)=($groups=~/:\s*([\s\w]+)/);
$groups=$safegroups;
chomp $groups; $groups=~s/^\S+\s+\:\s+//;
my @grouplist=split(/\s+/,$groups);
my @ugrouplist=grep {!/www|$safeusername/} @grouplist;
my $gl=join(',',(@ugrouplist,$safeusername));
-print "Putting user in its own group\n" unless $noprint;
+print "Putting www in user's group\n" unless $noprint;
if (system('/usr/sbin/usermod','-G',$gl,'www')) {
print "Error. Could not make www a member of the group ".
"\"$safeusername\".\n" unless $noprint;
@@ -284,18 +305,26 @@ if ($?) {
($>,$<)=($wwwid,0);
&enable_root_capability;
-# -- Don't add public_html... that can be added either by the user
-# or by lchtmldir when the user is granted an authorship role.
+# Check if home directory exists for user
+# If not, create one.
+if (!-e "/home/$safeusername") {
+ if (!mkdir("/home/$safeusername",0710)) {
+ print "Error. Could not add home directory for ".
+ "\"$safeusername\".\n" unless $noprint;
+ unlink('/tmp/lock_lcpasswd');
+ &Exit(15);
+ }
+}
# ------------------------------ Make final modifications to the user directory
# -- Add a public_html file with a stand-in index.html file
- system('/bin/chmod','-R','0660',"/home/$safeusername");
-system('/bin/chmod','0710',"/home/$safeusername");
-mkdir "/home/$safeusername/public_html",0755;
-system('/bin/chmod','02770',"/home/$safeusername/public_html");
-open OUT,">/home/$safeusername/public_html/index.html";
-print OUT<<END;
+if (-d "/home/$safeusername") {
+ system('/bin/chmod','-R','0660',"/home/$safeusername");
+ system('/bin/chmod','0710',"/home/$safeusername");
+ mkdir "/home/$safeusername/public_html",0755;
+ open OUT,">/home/$safeusername/public_html/index.html";
+ print OUT<<END;
<html>
<head>
<title>$safeusername</title>
@@ -307,16 +336,25 @@ print OUT<<END;
</html>
END
close OUT;
+}
+#
+# In order to allow the loncapa daemons appropriate access
+# to public_html, Top level and public_html directories should
+# be owned by safeusername:safeusername as should the smaple index.html..
print "lcuseradd ownership\n" unless $noprint;
-system('/bin/chown','-R',"$safeusername:$safeusername","/home/$safeusername");
+system('/bin/chown','-R',"$safeusername:$safeusername","/home/$safeusername"); # First set std ownership on everything.
+&set_public_html_permissions("/home/$safeusername/public_html");
+# system('/bin/chown',"$safeusername:www","/home/$safeusername"); # Now adust top level...
+# system('/bin/chown','-R',"$safeusername:www","/home/$safeusername/public_html"); # And web dir.
# ---------------------------------------------------- Gracefull Apache Restart
if (-e '/var/run/httpd.pid') {
print "lcuseradd Apache restart\n" unless $noprint;
open(PID,'/var/run/httpd.pid');
my $pid=<PID>;
close(PID);
- my ($safepid)=($pid=~s/(\D+)//g);
+ $pid=~ /(\D+)/;
+ my $safepid = $1;
if ($pid) {
system('kill','-USR1',"$safepid");
}
@@ -383,6 +421,53 @@ sub try_to_lock {
close LOCK;
return 1;
}
+# Called by File::Find::find for each file examined.
+#
+# Untaint the file and, if it is a directory,
+# chmod it to 02770
+#
+sub set_permission {
+ $File::Find::name =~ /^(.*)$/;
+ my $safe_name = $1; # Untainted filename...
+
+ print "$safe_name" unless $noprint;
+ if(-d $safe_name) {
+ print " - directory" unless $noprint;
+ chmod(02770, $safe_name);
+ }
+ print "\n" unless $noprint;
+
+}
+#
+# Set up the correct permissions for all files in the
+# user's public htmldir. We just do a chmod -R 0660 ... for
+# the ordinary files. The we use File::Find
+# to pop through the directory tree changing directories only
+# to 02770:
+#
+sub set_public_html_permissions {
+ my ($topdir) = @_;
+
+ # Set the top level dir permissions (I'm not sure if find
+ # will enumerate it specifically), correctly and all
+ # files and dirs to the 'ordinary' file permissions:
+
+ system("chmod -R 0660 $topdir");
+ chmod(02770, $topdir);
+
+ # Now use find to locate all directories under $topdir
+ # and set their modes to 02770...
+ #
+ print "Find file\n " unless $noprint;
+ File::Find::find({"untaint" => 1,
+ "untaint_pattern" => qr(/^(.*)$/),
+ "untaint_skip" => 1,
+ "no_chdir" => 1,
+ "wanted" => \&set_permission }, "$topdir");
+
+
+}
+
#-------------------------- Exit...
#
# Write the file if the error_file is defined. Regardless
@@ -391,6 +476,10 @@ sub try_to_lock {
sub Exit {
my ($code) = @_; # Status code.
+ # TODO: Ensure the error file is owned/deletable by www:www:
+
+ &disable_root_capability(); # We run unprivileged to write the error file.
+
print "Exiting with status $code error file is $error_file\n" unless $noprint;
if($error_file) {
open(FH, ">$error_file");