--- loncom/Attic/lcuseradd 2001/10/23 03:42:30 1.15
+++ loncom/Attic/lcuseradd 2007/03/28 20:43:37 1.41
@@ -1,12 +1,13 @@
#!/usr/bin/perl
+
+# The Learning Online Network with CAPA
+#
+# lcuseradd - LON-CAPA setuid script to coordinate all actions
+# with adding a user with filesystem privileges (e.g. author)
#
-# lcuseradd
#
-# Scott Harrison
-# SH: October 27, 2000
-# SH: October 29, 2000
-# YEAR=2001
-# Scott Harrison 10/21
+# $Id: lcuseradd,v 1.41 2007/03/28 20:43:37 albertel Exp $
+###
###############################################################################
## ##
@@ -31,22 +32,32 @@
###############################################################################
use strict;
+use File::Find;
+
# ------------------------------------------------------- Description of script
#
# This script is a setuid script that should
-# be run by user 'www'. It creates a /home/USERNAME directory
-# as well as a /home/USERNAME/public_html directory.
+# be run by user 'www'. It creates a /home/USERNAME directory.
# It adds a user to the unix system.
# Passwords are set with lcpasswd.
# www becomes a member of this user group.
# -------------- Invoking script (standard input versus command-line arguments)
+# Otherwise sensitive information will be available to ps-ers for
+# a small but exploitable time window.
#
# Standard input (STDIN) usage
# First line is USERNAME
# Second line is PASSWORD
# Third line is PASSWORD
+# Fouth line is the name of a file to which an error code will be written.
+# If the fourth line is omitted, no error file will be written.
+# In either case, the program Exits with the code as its Exit status.
+# The error file will just be a single line containing an
+# error code.
+#
+#
#
# Command-line arguments [USERNAME] [PASSWORD] [PASSWORD]
# Yes, but be very careful here (don't pass shell commands)
@@ -70,9 +81,9 @@ use strict;
# ---------------------------------- Example usage inside another piece of code
# Usage within code
#
-# $exitcode=
+# $Exitcode=
# system("/home/httpd/perl/lcuseradd","NAME","PASSWORD1","PASSWORD2")/256;
-# print "uh-oh" if $exitcode;
+# print "uh-oh" if $Exitcode;
# ---------------------------------------------------- Description of functions
# enable_root_capability() : have setuid script run as root
@@ -80,7 +91,7 @@ use strict;
# try_to_lock() : make sure that another lcpasswd process isn't running
# ------------------------------------------------------------------ Exit codes
-# These are the exit codes.
+# These are the Exit codes.
# ( (0,"ok"),
# (1,"User ID mismatch. This program must be run as user 'www'"),
# (2,"Error. This program needs 3 command-line arguments (username, ".
@@ -98,23 +109,27 @@ use strict;
# (12,"Error. Something went wrong with the addition of user ".
# "\"$safeusername\"."),
# (13,"Error. Password mismatch."),
+# (14, "Error filename is invalid"),
+# (15, "Error. Could not add home directory.")
# ------------------------------------------------------------- Initializations
# Security
$ENV{'PATH'}='/bin/:/usr/bin:/usr/local/sbin:/home/httpd/perl'; # Nullify path
# information
-$ENV{'BASH_ENV'}=""; # Nullify shell environment information.
+delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; # nullify potential taints
# Do not print error messages.
my $noprint=1;
+print "In lcuseradd\n" unless $noprint;
+
# ----------------------------- Make sure this process is running from user=www
my $wwwid=getpwnam('www');
&disable_root_capability;
if ($wwwid!=$>) {
print("User ID mismatch. This program must be run as user 'www'\n")
unless $noprint;
- exit 1;
+ &Exit(1);
}
# ----------------------------------- Start running script with www permissions
@@ -124,81 +139,148 @@ if ($wwwid!=$>) {
unless (&try_to_lock("/tmp/lock_lcpasswd")) {
print "Error. Too many other simultaneous password change requests being ".
"made.\n" unless $noprint;
- exit 4;
+ &Exit(4);
}
# ------- Error-check input, need 3 values (user name, password 1, password 2).
my @input;
-if (@ARGV==3) {
+if (@ARGV>=3) {
@input=@ARGV;
-}
-elsif (@ARGV) {
- print("Error. This program needs 3 command-line arguments (username, ".
- "password 1, password 2).\n") unless $noprint;
+} elsif (@ARGV) {
+ print("Error. This program needs at least 3 command-line arguments (username, ".
+ "password 1, password 2 [errorfile]).\n") unless $noprint;
unlink('/tmp/lock_lcpasswd');
- exit 2;
-}
-else {
+ &Exit(2);
+} else {
@input=<>;
- if (@input!=3) {
- print("Error. Three lines should be entered into standard input.\n")
+ if (@input < 3) {
+ print("Error. At least three lines should be entered into standard input.\n")
unless $noprint;
unlink('/tmp/lock_lcpasswd');
- exit 3;
+ &Exit(3);
}
- map {chomp} @input;
+ foreach (@input) {chomp;}
}
-my ($username,$password1,$password2)=@input;
+my ($username,$password1,$password2, $error_file)=@input;
+print "Username = ".$username."\n" unless $noprint;
$username=~/^(\w+)$/;
+print "Username after substitution - ".$username unless $noprint;
my $safeusername=$1;
+print "Safe username = $safeusername \n" unless $noprint;
+
if (($username ne $safeusername) or ($safeusername!~/^[A-Za-z]/)) {
- print "Error. The user name specified has invalid characters.\n"
+ print "Error. The user name specified $username $safeusername has invalid characters.\n"
unless $noprint;
unlink('/tmp/lock_lcpasswd');
- exit 9;
+ &Exit(9);
}
my $pbad=0;
-map {if ((ord($_)<32)||(ord($_)>126)){$pbad=1;}} (split(//,$password1));
-map {if ((ord($_)<32)||(ord($_)>126)){$pbad=1;}} (split(//,$password2));
+foreach (split(//,$password1)) {if ((ord($_)<32)||(ord($_)>126)){$pbad=1;}}
+foreach (split(//,$password2)) {if ((ord($_)<32)||(ord($_)>126)){$pbad=1;}}
if ($pbad) {
- print "Error. A password entry had an invalid character.\n";
+ print "Error. A password entry had an invalid character.\n" unless $noprint;
unlink('/tmp/lock_lcpasswd');
- exit 10;
+ &Exit(10);
}
-# -- Only add user if we can create a brand new home directory (/home/username)
-if (-e "/home/$safeusername") {
- print "Error. User already exists.\n" unless $noprint;
+#
+# Safe the filename. For our case, it must only have alpha, numeric, period
+# and path sparators..
+#
+
+print "Error file is $error_file \n" unless $noprint;
+
+if($error_file) {
+ if($error_file =~ /^([(\w)(\d)\.\/]+)$/) {
+ print "Error file matched pattern $error_file : $1\n" unless $noprint;
+ my $safe_error_file = $1; # Untainted I think.
+ print "Error file after transform $safe_error_file\n"
+ unless $noprint;
+ if($error_file == $safe_error_file) {
+ $error_file = $safe_error_file; # untainted error_file.
+ } else {
+ $error_file ="";
+ print "Invalid error filename\n" unless $noprint;
+ Exit(14);
+ }
+
+ } else {
+ $error_file="";
+ print "Invalid error filename\n" unless $noprint;
+ Exit(14);
+ }
+}
+
+
+# -- Only add the user if they are >not< in /etc/passwd.
+# Used to look for the ability to create a new directory for the
+# user, however that disallows authentication changes from i
+# internal->fs.. so just check the passwd file instead.
+#
+my $not_found = system("cut -d: -f1 /etc/passwd | grep -q \"^$safeusername\$\" ");
+if (!$not_found) {
+ print "Error user already exists\n" unless $noprint;
unlink('/tmp/lock_lcpasswd');
- exit 11;
+ &Exit(11);
}
+
+
# -- Only add user if the two password arguments match.
+
if ($password1 ne $password2) {
print "Error. Password mismatch.\n" unless $noprint;
unlink('/tmp/lock_lcpasswd');
- exit 13;
+ &Exit(13);
}
-
+print "enabling root\n" unless $noprint;
# ---------------------------------- Start running script with root permissions
&enable_root_capability;
-# ------------------- Add user and make www a member of the user-specific group
+# ------------------- Add group and user, and make www a member of the group
+# -- Add group
+
+print "adding group: $safeusername \n" unless $noprint;
+my $status = system('/usr/sbin/groupadd', $safeusername);
+if ($status) {
+ print "Error. Something went wrong with the addition of group ".
+ "\"$safeusername\".\n" unless $noprint;
+ print "Final status of groupadd = $status\n";
+ unlink('/tmp/lock_lcpasswd');
+ &Exit(12);
+}
+my $gid = getgrnam($safeusername);
+
# -- Add user
-if (system('/usr/sbin/useradd','-c','LON-CAPA user',$safeusername)) {
+
+print "adding user: $safeusername \n" unless $noprint;
+my $status = system('/usr/sbin/useradd','-c','LON-CAPA user','-g',$gid,$safeusername);
+if ($status) {
print "Error. Something went wrong with the addition of user ".
"\"$safeusername\".\n" unless $noprint;
+ system("/usr/sbin/groupdel $safeusername");
+ print "Final status of useradd = $status\n";
unlink('/tmp/lock_lcpasswd');
- exit 12;
+ &Exit(12);
}
+print "Done adding user\n" unless $noprint;
# Make www a member of that user group.
-if (system('/usr/sbin/usermod','-G',$safeusername,'www')) {
+my $groups=`/usr/bin/groups www` or &Exit(6);
+# untaint
+my ($safegroups)=($groups=~/:\s*([\s\w]+)/);
+$groups=$safegroups;
+chomp $groups; $groups=~s/^\S+\s+\:\s+//;
+my @grouplist=split(/\s+/,$groups);
+my @ugrouplist=grep {!/www|$safeusername/} @grouplist;
+my $gl=join(',',(@ugrouplist,$safeusername));
+print "Putting www in user's group\n" unless $noprint;
+if (system('/usr/sbin/usermod','-G',$gl,'www')) {
print "Error. Could not make www a member of the group ".
"\"$safeusername\".\n" unless $noprint;
unlink('/tmp/lock_lcpasswd');
- exit 6;
+ &Exit(6);
}
# ---------------------------------------------------------------- Set password
@@ -206,8 +288,9 @@ if (system('/usr/sbin/usermod','-G',$saf
unlink('/tmp/lock_lcpasswd');
&disable_root_capability;
-($>,$<)=(500,500);
-open OUT,"|lcpasswd";
+($>,$<)=($wwwid,$wwwid);
+print "Opening lcpasswd pipeline\n" unless $noprint;
+open OUT,"|/home/httpd/perl/lcpasswd";
print OUT $safeusername;
print OUT "\n";
print OUT $password1;
@@ -215,56 +298,92 @@ print OUT "\n";
print OUT $password1;
print OUT "\n";
close OUT;
-($>,$<)=(500,0);
if ($?) {
- exit 8;
+ print "abnormal Exit from close lcpasswd\n" unless $noprint;
+ &Exit(8);
}
+($>,$<)=($wwwid,0);
&enable_root_capability;
+# Check if home directory exists for user
+# If not, create one.
+if (!-e "/home/$safeusername") {
+ if (!mkdir("/home/$safeusername",0710)) {
+ print "Error. Could not add home directory for ".
+ "\"$safeusername\".\n" unless $noprint;
+ unlink('/tmp/lock_lcpasswd');
+ &Exit(15);
+ }
+}
+
# ------------------------------ Make final modifications to the user directory
# -- Add a public_html file with a stand-in index.html file
-# system('/bin/chmod','-R','0660',"/home/$safeusername");
-system('/bin/chmod','0710',"/home/$safeusername");
-mkdir "/home/$safeusername/public_html",2760;
-open OUT,">/home/$safeusername/public_html/index.html";
-print OUT<<END;
+if (-d "/home/$safeusername") {
+ system('/bin/chmod','-R','0660',"/home/$safeusername");
+ system('/bin/chmod','0710',"/home/$safeusername");
+ mkdir "/home/$safeusername/public_html",0755;
+ open OUT,">/home/$safeusername/public_html/index.html";
+ print OUT<<END;
<html>
<head>
<title>$safeusername</title>
</head>
<body>
-<h1>$safeusername</h1>
-<p>
-Learning Online Network
-</p>
-<p>
-This area provides for:
-</p>
-<ul>
-<li>resource construction</li>
-<li>resource publication</li>
-<li>record-keeping</li>
-</UL>
-</BODY>
-</HTML>
+<h1>Construction Space</h1>
+<h3>$safeusername</h3>
+</body>
+</html>
END
close OUT;
-system('/bin/chown','-R',"$safeusername:$safeusername","/home/$safeusername");
+}
+#
+# In order to allow the loncapa daemons appropriate access
+# to public_html, Top level and public_html directories should
+# be owned by safeusername:safeusername as should the smaple index.html..
+print "lcuseradd ownership\n" unless $noprint;
+system('/bin/chown','-R',"$safeusername:$safeusername","/home/$safeusername"); # First set std ownership on everything.
+&set_public_html_permissions("/home/$safeusername/public_html");
+# system('/bin/chown',"$safeusername:www","/home/$safeusername"); # Now adust top level...
+# system('/bin/chown','-R',"$safeusername:www","/home/$safeusername/public_html"); # And web dir.
+# ---------------------------------------------------- Gracefull Apache Restart
+my $pidfile;
+if (-e '/var/run/httpd.pid') {
+ $pidfile = '/var/run/httpd.pid';
+} elsif (-e '/var/run/httpd2.pid') { #Apache 2 on SuSE 10.1 and SLES10
+ $pidfile = '/var/run/httpd2.pid';
+}
+
+if ($pidfile) {
+ print "lcuseradd Apache restart\n" unless $noprint;
+ open(PID,"<$pidfile");
+ my $pid=<PID>;
+ close(PID);
+ $pid=~ /(\D+)/;
+ my $safepid = $1;
+ if ($pid) {
+ system('kill','-USR1',"$safepid");
+ }
+}
# -------------------------------------------------------- Exit script
+print "lcuseradd Exiting\n" unless $noprint;
&disable_root_capability;
-exit 0;
+&Exit(0);
# ---------------------------------------------- Have setuid script run as root
sub enable_root_capability {
if ($wwwid==$>) {
- ($<,$>)=($>,$<);
- ($(,$))=($),$();
- }
- else {
+ ($<,$>)=($>,0);
+ ($(,$))=($),0);
+ } else {
# root capability is already enabled
}
+ if ($wwwid == $>) {
+ print("Failed to become root\n") unless $noprint;
+ } else {
+ print("Became root\n") unless $noprint;
+ }
return $>;
}
@@ -273,8 +392,7 @@ sub disable_root_capability {
if ($wwwid==$<) {
($<,$>)=($>,$<);
($(,$))=($),$();
- }
- else {
+ } else {
# root capability is already disabled
}
}
@@ -303,8 +421,7 @@ sub try_to_lock {
}
sleep 3;
$lastpid=$currentpid;
- }
- else {
+ } else {
last;
}
if ($_==10) {
@@ -316,3 +433,99 @@ sub try_to_lock {
close LOCK;
return 1;
}
+# Called by File::Find::find for each file examined.
+#
+# Untaint the file and, if it is a directory,
+# chmod it to 02770
+#
+sub set_permission {
+ $File::Find::name =~ /^(.*)$/;
+ my $safe_name = $1; # Untainted filename...
+
+ print "$safe_name" unless $noprint;
+ if(-d $safe_name) {
+ print " - directory" unless $noprint;
+ chmod(02770, $safe_name);
+ }
+ print "\n" unless $noprint;
+
+}
+#
+# Set up the correct permissions for all files in the
+# user's public htmldir. We just do a chmod -R 0660 ... for
+# the ordinary files. The we use File::Find
+# to pop through the directory tree changing directories only
+# to 02770:
+#
+sub set_public_html_permissions {
+ my ($topdir) = @_;
+
+ # Set the top level dir permissions (I'm not sure if find
+ # will enumerate it specifically), correctly and all
+ # files and dirs to the 'ordinary' file permissions:
+
+ system("chmod -R 0660 $topdir");
+ chmod(02770, $topdir);
+
+ # Now use find to locate all directories under $topdir
+ # and set their modes to 02770...
+ #
+ print "Find file\n " unless $noprint;
+ File::Find::find({"untaint" => 1,
+ "untaint_pattern" => qr(/^(.*)$/),
+ "untaint_skip" => 1,
+ "no_chdir" => 1,
+ "wanted" => \&set_permission }, "$topdir");
+
+
+}
+
+#-------------------------- Exit...
+#
+# Write the file if the error_file is defined. Regardless
+# Exit with the status code.
+#
+sub Exit {
+ my ($code) = @_; # Status code.
+
+ # TODO: Ensure the error file is owned/deletable by www:www:
+
+ &disable_root_capability(); # We run unprivileged to write the error file.
+
+ print "Exiting with status $code error file is $error_file\n" unless $noprint;
+ if($error_file) {
+ open(FH, ">$error_file");
+ print FH "$code\n";
+ close(FH);
+ }
+ exit $code;
+}
+
+=head1 NAME
+
+lcuseradd - LON-CAPA setuid script to coordinate all actions
+ with adding a user with filesystem privileges (e.g. author)
+
+=head1 DESCRIPTION
+
+lcuseradd - LON-CAPA setuid script to coordinate all actions
+ with adding a user with filesystem privileges (e.g. author)
+
+=head1 README
+
+lcuseradd - LON-CAPA setuid script to coordinate all actions
+ with adding a user with filesystem privileges (e.g. author)
+
+=head1 PREREQUISITES
+
+=head1 COREQUISITES
+
+=pod OSNAMES
+
+linux
+
+=pod SCRIPT CATEGORIES
+
+LONCAPA/Administrative
+
+=cut