Annotation of loncom/lcuseradd, revision 1.25
1.1 harris41 1: #!/usr/bin/perl
1.16 harris41 2:
3: # The Learning Online Network with CAPA
1.1 harris41 4: #
1.16 harris41 5: # lcuseradd - LON-CAPA setuid script to coordinate all actions
6: # with adding a user with filesystem privileges (e.g. author)
1.1 harris41 7: #
1.20 foxr 8: # YEAR=2002
9: # May 19, 2002 Ron Fox
10: # - Removed creation of the pulic_html directory. This directory
11: # can now be added in two ways:
12: # o The user can add it themselves if they want some local web
13: # space which may or may not contain construction items.
14: # o LonCapa will add it if/when the user is granted an Author
15: # role.
1.16 harris41 16: #
1.25 ! harris41 17: # $Id: lcuseradd,v 1.24 2002/12/09 16:15:51 www Exp $
1.16 harris41 18: ###
1.15 harris41 19:
20: ###############################################################################
21: ## ##
22: ## ORGANIZATION OF THIS PERL SCRIPT ##
23: ## ##
24: ## 1. Description of script ##
25: ## 2. Invoking script (standard input) ##
26: ## 3. Example usage inside another piece of code ##
27: ## 4. Description of functions ##
28: ## 5. Exit codes ##
29: ## 6. Initializations ##
30: ## 7. Make sure this process is running from user=www ##
31: ## 8. Start running script with www permissions ##
32: ## 9. Handle case of another lcpasswd process (locking) ##
33: ## 10. Error-check input, need 3 values (user name, password 1, password 2) ##
34: ## 11. Start running script with root permissions ##
35: ## 12. Add user and make www a member of the user-specific group ##
36: ## 13. Set password ##
37: ## 14. Make final modifications to the user directory ##
38: ## 15. Exit script (unlock) ##
39: ## ##
40: ###############################################################################
1.1 harris41 41:
42: use strict;
43:
1.15 harris41 44: # ------------------------------------------------------- Description of script
45: #
1.1 harris41 46: # This script is a setuid script that should
1.20 foxr 47: # be run by user 'www'. It creates a /home/USERNAME directory.
1.15 harris41 48: # It adds a user to the unix system.
1.2 harris41 49: # Passwords are set with lcpasswd.
50: # www becomes a member of this user group.
1.1 harris41 51:
1.15 harris41 52: # -------------- Invoking script (standard input versus command-line arguments)
53: #
54: # Standard input (STDIN) usage
1.1 harris41 55: # First line is USERNAME
56: # Second line is PASSWORD
1.3 harris41 57: # Third line is PASSWORD
1.15 harris41 58: #
59: # Command-line arguments [USERNAME] [PASSWORD] [PASSWORD]
60: # Yes, but be very careful here (don't pass shell commands)
61: # and this is only supported to allow perl-system calls.
62: #
1.7 harris41 63: # Valid passwords must consist of the
64: # ascii characters within the inclusive
65: # range of 0x20 (32) to 0x7E (126).
66: # These characters are:
67: # SPACE and
68: # !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNO
69: # PQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
1.15 harris41 70: #
1.7 harris41 71: # Valid user names must consist of ascii
72: # characters that are alphabetical characters
73: # (A-Z,a-z), numeric (0-9), or the underscore
74: # mark (_). (Essentially, the perl regex \w).
1.15 harris41 75: # User names must begin with an alphabetical character
76: # (A-Z,a-z).
1.7 harris41 77:
1.15 harris41 78: # ---------------------------------- Example usage inside another piece of code
1.4 harris41 79: # Usage within code
80: #
1.15 harris41 81: # $exitcode=
82: # system("/home/httpd/perl/lcuseradd","NAME","PASSWORD1","PASSWORD2")/256;
1.4 harris41 83: # print "uh-oh" if $exitcode;
84:
1.15 harris41 85: # ---------------------------------------------------- Description of functions
86: # enable_root_capability() : have setuid script run as root
87: # disable_root_capability() : have setuid script run as www
88: # try_to_lock() : make sure that another lcpasswd process isn't running
89:
90: # ------------------------------------------------------------------ Exit codes
1.4 harris41 91: # These are the exit codes.
1.13 harris41 92: # ( (0,"ok"),
93: # (1,"User ID mismatch. This program must be run as user 'www'"),
1.15 harris41 94: # (2,"Error. This program needs 3 command-line arguments (username, ".
95: # "password 1, password 2)."),
1.13 harris41 96: # (3,"Error. Three lines should be entered into standard input."),
1.15 harris41 97: # (4,"Error. Too many other simultaneous password change requests being ".
98: # "made."),
1.13 harris41 99: # (5,"Error. User $username does not exist."),
100: # (6,"Error. Could not make www a member of the group \"$safeusername\"."),
101: # (7,"Error. Root was not successfully enabled.),
1.15 harris41 102: # (8,"Error. Cannot set password."),
1.13 harris41 103: # (9,"Error. The user name specified has invalid characters."),
104: # (10,"Error. A password entry had an invalid character."),
105: # (11,"Error. User already exists.),
1.15 harris41 106: # (12,"Error. Something went wrong with the addition of user ".
107: # "\"$safeusername\"."),
1.13 harris41 108: # (13,"Error. Password mismatch."),
1.4 harris41 109:
1.15 harris41 110: # ------------------------------------------------------------- Initializations
1.1 harris41 111: # Security
1.15 harris41 112: $ENV{'PATH'}='/bin/:/usr/bin:/usr/local/sbin:/home/httpd/perl'; # Nullify path
113: # information
1.16 harris41 114: delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; # nullify potential taints
1.2 harris41 115:
1.15 harris41 116: # Do not print error messages.
117: my $noprint=1;
118:
1.23 foxr 119: print "In lcuseradd\n" unless $noprint;
120:
1.15 harris41 121: # ----------------------------- Make sure this process is running from user=www
122: my $wwwid=getpwnam('www');
123: &disable_root_capability;
124: if ($wwwid!=$>) {
125: print("User ID mismatch. This program must be run as user 'www'\n")
126: unless $noprint;
1.4 harris41 127: exit 1;
128: }
1.15 harris41 129:
130: # ----------------------------------- Start running script with www permissions
1.4 harris41 131: &disable_root_capability;
132:
1.15 harris41 133: # --------------------------- Handle case of another lcpasswd process (locking)
1.4 harris41 134: unless (&try_to_lock("/tmp/lock_lcpasswd")) {
1.15 harris41 135: print "Error. Too many other simultaneous password change requests being ".
136: "made.\n" unless $noprint;
1.4 harris41 137: exit 4;
138: }
139:
1.15 harris41 140: # ------- Error-check input, need 3 values (user name, password 1, password 2).
1.4 harris41 141: my @input;
1.5 harris41 142: if (@ARGV==3) {
1.4 harris41 143: @input=@ARGV;
144: }
145: elsif (@ARGV) {
1.15 harris41 146: print("Error. This program needs 3 command-line arguments (username, ".
147: "password 1, password 2).\n") unless $noprint;
1.4 harris41 148: unlink('/tmp/lock_lcpasswd');
149: exit 2;
150: }
151: else {
152: @input=<>;
1.5 harris41 153: if (@input!=3) {
1.15 harris41 154: print("Error. Three lines should be entered into standard input.\n")
155: unless $noprint;
1.4 harris41 156: unlink('/tmp/lock_lcpasswd');
157: exit 3;
158: }
1.19 harris41 159: foreach (@input) {chomp;}
1.4 harris41 160: }
161:
162: my ($username,$password1,$password2)=@input;
1.23 foxr 163: print "Username = ".$username."\n" unless $noprint;
1.4 harris41 164: $username=~/^(\w+)$/;
1.22 foxr 165: print "Username after substitution - ".$username unless $noprint;
1.4 harris41 166: my $safeusername=$1;
1.23 foxr 167: print "Safe username = $safeusername \n" unless $noprint;
1.22 foxr 168:
1.15 harris41 169: if (($username ne $safeusername) or ($safeusername!~/^[A-Za-z]/)) {
1.22 foxr 170: print "Error. The user name specified $username $safeusername has invalid characters.\n"
1.15 harris41 171: unless $noprint;
1.8 harris41 172: unlink('/tmp/lock_lcpasswd');
173: exit 9;
174: }
175: my $pbad=0;
1.19 harris41 176: foreach (split(//,$password1)) {if ((ord($_)<32)||(ord($_)>126)){$pbad=1;}}
177: foreach (split(//,$password2)) {if ((ord($_)<32)||(ord($_)>126)){$pbad=1;}}
1.8 harris41 178: if ($pbad) {
179: print "Error. A password entry had an invalid character.\n";
180: unlink('/tmp/lock_lcpasswd');
181: exit 10;
182: }
1.5 harris41 183:
1.15 harris41 184: # -- Only add user if we can create a brand new home directory (/home/username)
1.7 harris41 185: if (-e "/home/$safeusername") {
186: print "Error. User already exists.\n" unless $noprint;
187: unlink('/tmp/lock_lcpasswd');
1.13 harris41 188: exit 11;
1.7 harris41 189: }
190:
1.15 harris41 191: # -- Only add user if the two password arguments match.
1.23 foxr 192:
1.5 harris41 193: if ($password1 ne $password2) {
1.6 harris41 194: print "Error. Password mismatch.\n" unless $noprint;
1.5 harris41 195: unlink('/tmp/lock_lcpasswd');
1.13 harris41 196: exit 13;
1.5 harris41 197: }
1.23 foxr 198: print "enabling root\n" unless $noprint;
1.15 harris41 199: # ---------------------------------- Start running script with root permissions
1.4 harris41 200: &enable_root_capability;
201:
1.15 harris41 202: # ------------------- Add user and make www a member of the user-specific group
203: # -- Add user
1.23 foxr 204:
205: print "adding user: $safeusername \n" unless $noprint;
206: my $status = system('/usr/sbin/useradd','-c','LON-CAPA user',$safeusername);
207: if ($status) {
1.15 harris41 208: print "Error. Something went wrong with the addition of user ".
209: "\"$safeusername\".\n" unless $noprint;
1.23 foxr 210: print "Final status of useradd = $status";
1.4 harris41 211: unlink('/tmp/lock_lcpasswd');
1.13 harris41 212: exit 12;
1.4 harris41 213: }
1.23 foxr 214: print "Done adding user\n" unless $noprint;
1.7 harris41 215: # Make www a member of that user group.
1.17 harris41 216: my $groups=`/usr/bin/groups www` or exit(6);
217: chomp $groups; $groups=~s/^\S+\s+\:\s+//;
218: my @grouplist=split(/\s+/,$groups);
219: my @ugrouplist=grep {!/www|$safeusername/} @grouplist;
220: my $gl=join(',',(@ugrouplist,$safeusername));
1.23 foxr 221: print "Putting user in its own group\n" unless $noprint;
1.17 harris41 222: if (system('/usr/sbin/usermod','-G',$gl,'www')) {
1.15 harris41 223: print "Error. Could not make www a member of the group ".
224: "\"$safeusername\".\n" unless $noprint;
1.5 harris41 225: unlink('/tmp/lock_lcpasswd');
226: exit 6;
227: }
228:
1.15 harris41 229: # ---------------------------------------------------------------- Set password
230: # Set password with lcpasswd (which creates smbpasswd entry).
1.2 harris41 231:
1.15 harris41 232: unlink('/tmp/lock_lcpasswd');
233: &disable_root_capability;
1.16 harris41 234: ($>,$<)=($wwwid,$wwwid);
1.23 foxr 235: print "Opening lcpasswd pipeline\n" unless $noprint;
1.16 harris41 236: open OUT,"|/home/httpd/perl/lcpasswd";
1.15 harris41 237: print OUT $safeusername;
238: print OUT "\n";
239: print OUT $password1;
240: print OUT "\n";
241: print OUT $password1;
242: print OUT "\n";
243: close OUT;
244: if ($?) {
1.23 foxr 245: print "abnormal exit from close lcpasswd\n" unless $noprint;
1.15 harris41 246: exit 8;
1.8 harris41 247: }
1.18 harris41 248: ($>,$<)=($wwwid,0);
1.15 harris41 249: &enable_root_capability;
1.8 harris41 250:
1.20 foxr 251: # -- Don't add public_html... that can be added either by the user
252: # or by lchtmldir when the user is granted an authorship role.
253:
1.15 harris41 254: # ------------------------------ Make final modifications to the user directory
255: # -- Add a public_html file with a stand-in index.html file
1.8 harris41 256:
1.21 foxr 257: system('/bin/chmod','-R','0660',"/home/$safeusername");
258: system('/bin/chmod','0710',"/home/$safeusername");
259: mkdir "/home/$safeusername/public_html",0755;
260: system('/bin/chmod','02770',"/home/$safeusername/public_html");
261: open OUT,">/home/$safeusername/public_html/index.html";
262: print OUT<<END;
263: <html>
264: <head>
265: <title>$safeusername</title>
266: </head>
267: <body>
1.24 www 268: <h1>Construction Space</h1>
269: <h3>$safeusername</h3>
1.21 foxr 270: </body>
271: </html>
272: END
273: close OUT;
1.20 foxr 274:
1.24 www 275: print "lcuseradd ownership\n" unless $noprint;
1.11 harris41 276: system('/bin/chown','-R',"$safeusername:$safeusername","/home/$safeusername");
1.24 www 277: # ---------------------------------------------------- Gracefull Apache Restart
278: if (-e '/var/run/httpd.pid') {
279: print "lcuseradd Apache restart\n" unless $noprint;
280: open(PID,'/var/run/httpd.pid');
281: my $pid=<PID>;
282: close(PID);
283: $pid=~s/\D+//g;
284: if ($pid) {
285: system('kill','-USR1',"$pid");
286: }
287: }
1.15 harris41 288: # -------------------------------------------------------- Exit script
1.24 www 289: print "lcuseradd exiting\n" unless $noprint;
1.8 harris41 290: &disable_root_capability;
291: exit 0;
1.1 harris41 292:
1.15 harris41 293: # ---------------------------------------------- Have setuid script run as root
1.5 harris41 294: sub enable_root_capability {
295: if ($wwwid==$>) {
1.23 foxr 296: ($<,$>)=($>,0);
297: ($(,$))=($),0);
1.5 harris41 298: }
299: else {
300: # root capability is already enabled
301: }
302: return $>;
303: }
304:
1.15 harris41 305: # ----------------------------------------------- Have setuid script run as www
1.5 harris41 306: sub disable_root_capability {
307: if ($wwwid==$<) {
308: ($<,$>)=($>,$<);
309: ($(,$))=($),$();
310: }
311: else {
312: # root capability is already disabled
313: }
314: }
315:
1.15 harris41 316: # ----------------------- Make sure that another lcpasswd process isn't running
1.5 harris41 317: sub try_to_lock {
318: my ($lockfile)=@_;
319: my $currentpid;
320: my $lastpid;
321: # Do not manipulate lock file as root
322: if ($>==0) {
323: return 0;
324: }
325: # Try to generate lock file.
326: # Wait 3 seconds. If same process id is in
327: # lock file, then assume lock file is stale, and
328: # go ahead. If process id's fluctuate, try
329: # for a maximum of 10 times.
330: for (0..10) {
331: if (-e $lockfile) {
332: open(LOCK,"<$lockfile");
333: $currentpid=<LOCK>;
334: close LOCK;
335: if ($currentpid==$lastpid) {
336: last;
337: }
338: sleep 3;
339: $lastpid=$currentpid;
340: }
341: else {
342: last;
343: }
344: if ($_==10) {
345: return 0;
346: }
347: }
348: open(LOCK,">$lockfile");
349: print LOCK $$;
350: close LOCK;
351: return 1;
352: }
1.16 harris41 353:
354: =head1 NAME
355:
356: lcuseradd - LON-CAPA setuid script to coordinate all actions
357: with adding a user with filesystem privileges (e.g. author)
358:
359: =head1 DESCRIPTION
360:
361: lcuseradd - LON-CAPA setuid script to coordinate all actions
362: with adding a user with filesystem privileges (e.g. author)
363:
364: =head1 README
365:
366: lcuseradd - LON-CAPA setuid script to coordinate all actions
367: with adding a user with filesystem privileges (e.g. author)
368:
369: =head1 PREREQUISITES
370:
371: =head1 COREQUISITES
372:
373: =pod OSNAMES
374:
375: linux
376:
377: =pod SCRIPT CATEGORIES
378:
379: LONCAPA/Administrative
380:
381: =cut
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/back.gif){kind=icon}
Return to lcuseradd CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [LON-CAPA] / loncom