Annotation of loncom/lcuseradd, revision 1.15

1.1       harris41    1: #!/usr/bin/perl
                      2: #
                      3: # lcuseradd
                      4: #
                      5: # Scott Harrison
1.13      harris41    6: # SH: October 27, 2000
                      7: # SH: October 29, 2000
1.15    ! harris41    8: # YEAR=2001
        !             9: # Scott Harrison 10/21
        !            10: 
        !            11: ###############################################################################
        !            12: ##                                                                           ##
        !            13: ## ORGANIZATION OF THIS PERL SCRIPT                                          ##
        !            14: ##                                                                           ##
        !            15: ## 1. Description of script                                                  ##
        !            16: ## 2. Invoking script (standard input)                                       ##
        !            17: ## 3. Example usage inside another piece of code                             ##
        !            18: ## 4. Description of functions                                               ##
        !            19: ## 5. Exit codes                                                             ##
        !            20: ## 6. Initializations                                                        ##
        !            21: ## 7. Make sure this process is running from user=www                        ##
        !            22: ## 8. Start running script with www permissions                              ##
        !            23: ## 9. Handle case of another lcpasswd process (locking)                      ##
        !            24: ## 10. Error-check input, need 3 values (user name, password 1, password 2)  ##
        !            25: ## 11. Start running script with root permissions                            ##
        !            26: ## 12. Add user and make www a member of the user-specific group             ##
        !            27: ## 13. Set password                                                          ##
        !            28: ## 14. Make final modifications to the user directory                        ##
        !            29: ## 15. Exit script (unlock)                                                  ##
        !            30: ##                                                                           ##
        !            31: ###############################################################################
1.1       harris41   32: 
                     33: use strict;
                     34: 
1.15    ! harris41   35: # ------------------------------------------------------- Description of script
        !            36: #
1.1       harris41   37: # This script is a setuid script that should
                     38: # be run by user 'www'.  It creates a /home/USERNAME directory
                     39: # as well as a /home/USERNAME/public_html directory.
1.15    ! harris41   40: # It adds a user to the unix system.
1.2       harris41   41: # Passwords are set with lcpasswd.
                     42: # www becomes a member of this user group.
1.1       harris41   43: 
1.15    ! harris41   44: # -------------- Invoking script (standard input versus command-line arguments)
        !            45: #
        !            46: # Standard input (STDIN) usage
1.1       harris41   47: # First line is USERNAME
                     48: # Second line is PASSWORD
1.3       harris41   49: # Third line is PASSWORD
1.15    ! harris41   50: #
        !            51: # Command-line arguments [USERNAME] [PASSWORD] [PASSWORD]
        !            52: # Yes, but be very careful here (don't pass shell commands)
        !            53: # and this is only supported to allow perl-system calls.
        !            54: #
1.7       harris41   55: # Valid passwords must consist of the
                     56: # ascii characters within the inclusive
                     57: # range of 0x20 (32) to 0x7E (126).
                     58: # These characters are:
                     59: # SPACE and
                     60: # !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNO
                     61: # PQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
1.15    ! harris41   62: #
1.7       harris41   63: # Valid user names must consist of ascii
                     64: # characters that are alphabetical characters
                     65: # (A-Z,a-z), numeric (0-9), or the underscore
                     66: # mark (_). (Essentially, the perl regex \w).
1.15    ! harris41   67: # User names must begin with an alphabetical character
        !            68: # (A-Z,a-z).
1.7       harris41   69: 
1.15    ! harris41   70: # ---------------------------------- Example usage inside another piece of code
1.4       harris41   71: # Usage within code
                     72: #
1.15    ! harris41   73: # $exitcode=
        !            74: #      system("/home/httpd/perl/lcuseradd","NAME","PASSWORD1","PASSWORD2")/256;
1.4       harris41   75: # print "uh-oh" if $exitcode;
                     76: 
1.15    ! harris41   77: # ---------------------------------------------------- Description of functions
        !            78: # enable_root_capability() : have setuid script run as root
        !            79: # disable_root_capability() : have setuid script run as www
        !            80: # try_to_lock() : make sure that another lcpasswd process isn't running
        !            81: 
        !            82: # ------------------------------------------------------------------ Exit codes
1.4       harris41   83: # These are the exit codes.
1.13      harris41   84: # ( (0,"ok"),
                     85: # (1,"User ID mismatch.  This program must be run as user 'www'"),
1.15    ! harris41   86: # (2,"Error. This program needs 3 command-line arguments (username, ".
        !            87: #    "password 1, password 2)."),
1.13      harris41   88: # (3,"Error. Three lines should be entered into standard input."),
1.15    ! harris41   89: # (4,"Error. Too many other simultaneous password change requests being ".
        !            90: #    "made."),
1.13      harris41   91: # (5,"Error. User $username does not exist."),
                     92: # (6,"Error. Could not make www a member of the group \"$safeusername\"."),
                     93: # (7,"Error. Root was not successfully enabled.),
1.15    ! harris41   94: # (8,"Error. Cannot set password."),
1.13      harris41   95: # (9,"Error. The user name specified has invalid characters."),
                     96: # (10,"Error. A password entry had an invalid character."),
                     97: # (11,"Error. User already exists.),
1.15    ! harris41   98: # (12,"Error. Something went wrong with the addition of user ".
        !            99: #     "\"$safeusername\"."),
1.13      harris41  100: # (13,"Error. Password mismatch."),
1.4       harris41  101: 
1.15    ! harris41  102: # ------------------------------------------------------------- Initializations
1.1       harris41  103: # Security
1.15    ! harris41  104: $ENV{'PATH'}='/bin/:/usr/bin:/usr/local/sbin:/home/httpd/perl'; # Nullify path
        !           105:                                                                 # information
1.1       harris41  106: $ENV{'BASH_ENV'}=""; # Nullify shell environment information.
1.2       harris41  107: 
1.15    ! harris41  108: # Do not print error messages.
        !           109: my $noprint=1;
        !           110: 
        !           111: # ----------------------------- Make sure this process is running from user=www
        !           112: my $wwwid=getpwnam('www');
        !           113: &disable_root_capability;
        !           114: if ($wwwid!=$>) {
        !           115:     print("User ID mismatch.  This program must be run as user 'www'\n")
        !           116: 	unless $noprint;
1.4       harris41  117:     exit 1;
                    118: }
1.15    ! harris41  119: 
        !           120: # ----------------------------------- Start running script with www permissions
1.4       harris41  121: &disable_root_capability;
                    122: 
1.15    ! harris41  123: # --------------------------- Handle case of another lcpasswd process (locking)
1.4       harris41  124: unless (&try_to_lock("/tmp/lock_lcpasswd")) {
1.15    ! harris41  125:     print "Error. Too many other simultaneous password change requests being ".
        !           126: 	"made.\n" unless $noprint;
1.4       harris41  127:     exit 4;
                    128: }
                    129: 
1.15    ! harris41  130: # ------- Error-check input, need 3 values (user name, password 1, password 2).
1.4       harris41  131: my @input;
1.5       harris41  132: if (@ARGV==3) {
1.4       harris41  133:     @input=@ARGV;
                    134: }
                    135: elsif (@ARGV) {
1.15    ! harris41  136:     print("Error. This program needs 3 command-line arguments (username, ".
        !           137: 	  "password 1, password 2).\n") unless $noprint;
1.4       harris41  138:     unlink('/tmp/lock_lcpasswd');
                    139:     exit 2;
                    140: }
                    141: else {
                    142:     @input=<>;
1.5       harris41  143:     if (@input!=3) {
1.15    ! harris41  144: 	print("Error. Three lines should be entered into standard input.\n")
        !           145: 	    unless $noprint;
1.4       harris41  146: 	unlink('/tmp/lock_lcpasswd');
                    147: 	exit 3;
                    148:     }
1.15    ! harris41  149:     map {chomp} @input;
1.4       harris41  150: }
                    151: 
                    152: my ($username,$password1,$password2)=@input;
                    153: $username=~/^(\w+)$/;
                    154: my $safeusername=$1;
1.15    ! harris41  155: if (($username ne $safeusername) or ($safeusername!~/^[A-Za-z]/)) {
        !           156:     print "Error. The user name specified has invalid characters.\n"
        !           157: 	unless $noprint;
1.8       harris41  158:     unlink('/tmp/lock_lcpasswd');
                    159:     exit 9;
                    160: }
                    161: my $pbad=0;
1.9       harris41  162: map {if ((ord($_)<32)||(ord($_)>126)){$pbad=1;}} (split(//,$password1));
                    163: map {if ((ord($_)<32)||(ord($_)>126)){$pbad=1;}} (split(//,$password2));
1.8       harris41  164: if ($pbad) {
                    165:     print "Error. A password entry had an invalid character.\n";
                    166:     unlink('/tmp/lock_lcpasswd');
                    167:     exit 10;
                    168: }
1.5       harris41  169: 
1.15    ! harris41  170: # -- Only add user if we can create a brand new home directory (/home/username)
1.7       harris41  171: if (-e "/home/$safeusername") {
                    172:     print "Error. User already exists.\n" unless $noprint;
                    173:     unlink('/tmp/lock_lcpasswd');
1.13      harris41  174:     exit 11;
1.7       harris41  175: }
                    176: 
1.15    ! harris41  177: # -- Only add user if the two password arguments match.
1.5       harris41  178: if ($password1 ne $password2) {
1.6       harris41  179:     print "Error. Password mismatch.\n" unless $noprint;
1.5       harris41  180:     unlink('/tmp/lock_lcpasswd');
1.13      harris41  181:     exit 13;
1.5       harris41  182: }
1.4       harris41  183: 
1.15    ! harris41  184: # ---------------------------------- Start running script with root permissions
1.4       harris41  185: &enable_root_capability;
                    186: 
1.15    ! harris41  187: # ------------------- Add user and make www a member of the user-specific group
        !           188: # -- Add user
1.5       harris41  189: if (system('/usr/sbin/useradd','-c','LON-CAPA user',$safeusername)) {
1.15    ! harris41  190:     print "Error.  Something went wrong with the addition of user ".
        !           191: 	  "\"$safeusername\".\n" unless $noprint;
1.4       harris41  192:     unlink('/tmp/lock_lcpasswd');
1.13      harris41  193:     exit 12;
1.4       harris41  194: }
1.7       harris41  195: 
                    196: # Make www a member of that user group.
1.5       harris41  197: if (system('/usr/sbin/usermod','-G',$safeusername,'www')) {
1.15    ! harris41  198:     print "Error. Could not make www a member of the group ".
        !           199: 	  "\"$safeusername\".\n" unless $noprint;
1.5       harris41  200:     unlink('/tmp/lock_lcpasswd');
                    201:     exit 6;
                    202: }
                    203: 
1.15    ! harris41  204: # ---------------------------------------------------------------- Set password
        !           205: # Set password with lcpasswd (which creates smbpasswd entry).
1.2       harris41  206: 
1.15    ! harris41  207: unlink('/tmp/lock_lcpasswd');
        !           208: &disable_root_capability;
        !           209: ($>,$<)=(500,500);
        !           210: open OUT,"|lcpasswd";
        !           211: print OUT $safeusername;
        !           212: print OUT "\n";
        !           213: print OUT $password1;
        !           214: print OUT "\n";
        !           215: print OUT $password1;
        !           216: print OUT "\n";
        !           217: close OUT;
        !           218: ($>,$<)=(500,0);
        !           219: if ($?) {
        !           220:     exit 8;
1.8       harris41  221: }
1.15    ! harris41  222: &enable_root_capability;
1.8       harris41  223: 
1.15    ! harris41  224: # ------------------------------ Make final modifications to the user directory
        !           225: # -- Add a public_html file with a stand-in index.html file
1.8       harris41  226: 
1.15    ! harris41  227: # system('/bin/chmod','-R','0660',"/home/$safeusername");
        !           228: system('/bin/chmod','0710',"/home/$safeusername");
        !           229: mkdir "/home/$safeusername/public_html",2760;
1.11      harris41  230: open OUT,">/home/$safeusername/public_html/index.html";
1.8       harris41  231: print OUT<<END;
1.15    ! harris41  232: <html>
        !           233: <head>
        !           234: <title>$safeusername</title>
        !           235: </head>
        !           236: <body>
        !           237: <h1>$safeusername</h1>
        !           238: <p>
1.8       harris41  239: Learning Online Network
1.15    ! harris41  240: </p>
        !           241: <p>
1.8       harris41  242: This area provides for:
1.15    ! harris41  243: </p>
        !           244: <ul>
        !           245: <li>resource construction</li>
        !           246: <li>resource publication</li>
        !           247: <li>record-keeping</li>
1.8       harris41  248: </UL>
                    249: </BODY>
                    250: </HTML>
                    251: END
                    252: close OUT;
1.11      harris41  253: system('/bin/chown','-R',"$safeusername:$safeusername","/home/$safeusername");
1.15    ! harris41  254: 
        !           255: # -------------------------------------------------------- Exit script
1.8       harris41  256: &disable_root_capability;
                    257: exit 0;
1.1       harris41  258: 
1.15    ! harris41  259: # ---------------------------------------------- Have setuid script run as root
1.5       harris41  260: sub enable_root_capability {
                    261:     if ($wwwid==$>) {
                    262: 	($<,$>)=($>,$<);
                    263: 	($(,$))=($),$();
                    264:     }
                    265:     else {
                    266: 	# root capability is already enabled
                    267:     }
                    268:     return $>;
                    269: }
                    270: 
1.15    ! harris41  271: # ----------------------------------------------- Have setuid script run as www
1.5       harris41  272: sub disable_root_capability {
                    273:     if ($wwwid==$<) {
                    274: 	($<,$>)=($>,$<);
                    275: 	($(,$))=($),$();
                    276:     }
                    277:     else {
                    278: 	# root capability is already disabled
                    279:     }
                    280: }
                    281: 
1.15    ! harris41  282: # ----------------------- Make sure that another lcpasswd process isn't running
1.5       harris41  283: sub try_to_lock {
                    284:     my ($lockfile)=@_;
                    285:     my $currentpid;
                    286:     my $lastpid;
                    287:     # Do not manipulate lock file as root
                    288:     if ($>==0) {
                    289: 	return 0;
                    290:     }
                    291:     # Try to generate lock file.
                    292:     # Wait 3 seconds.  If same process id is in
                    293:     # lock file, then assume lock file is stale, and
                    294:     # go ahead.  If process id's fluctuate, try
                    295:     # for a maximum of 10 times.
                    296:     for (0..10) {
                    297: 	if (-e $lockfile) {
                    298: 	    open(LOCK,"<$lockfile");
                    299: 	    $currentpid=<LOCK>;
                    300: 	    close LOCK;
                    301: 	    if ($currentpid==$lastpid) {
                    302: 		last;
                    303: 	    }
                    304: 	    sleep 3;
                    305: 	    $lastpid=$currentpid;
                    306: 	}
                    307: 	else {
                    308: 	    last;
                    309: 	}
                    310: 	if ($_==10) {
                    311: 	    return 0;
                    312: 	}
                    313:     }
                    314:     open(LOCK,">$lockfile");
                    315:     print LOCK $$;
                    316:     close LOCK;
                    317:     return 1;
                    318: }

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>