Annotation of loncom/lcuseradd, revision 1.25.2.2

1.1       harris41    1: #!/usr/bin/perl
1.16      harris41    2: 
                      3: # The Learning Online Network with CAPA
1.1       harris41    4: #
1.16      harris41    5: # lcuseradd - LON-CAPA setuid script to coordinate all actions
                      6: #             with adding a user with filesystem privileges (e.g. author)
1.1       harris41    7: #
1.20      foxr        8: # YEAR=2002
                      9: #   May 19, 2002 Ron Fox
                     10: #      - Removed creation of the pulic_html directory.  This directory
                     11: #        can now be added in two ways:
                     12: #        o The user can add it themselves if they want some local web
                     13: #          space which may or may not contain construction items.
                     14: #        o LonCapa will add it if/when the user is granted an Author
                     15: #          role.
1.16      harris41   16: #
1.25.2.2! albertel   17: # $Id: lcuseradd,v 1.25.2.1 2004/08/05 21:01:20 albertel Exp $
1.16      harris41   18: ###
1.15      harris41   19: 
                     20: ###############################################################################
                     21: ##                                                                           ##
                     22: ## ORGANIZATION OF THIS PERL SCRIPT                                          ##
                     23: ##                                                                           ##
                     24: ## 1. Description of script                                                  ##
                     25: ## 2. Invoking script (standard input)                                       ##
                     26: ## 3. Example usage inside another piece of code                             ##
                     27: ## 4. Description of functions                                               ##
                     28: ## 5. Exit codes                                                             ##
                     29: ## 6. Initializations                                                        ##
                     30: ## 7. Make sure this process is running from user=www                        ##
                     31: ## 8. Start running script with www permissions                              ##
                     32: ## 9. Handle case of another lcpasswd process (locking)                      ##
                     33: ## 10. Error-check input, need 3 values (user name, password 1, password 2)  ##
                     34: ## 11. Start running script with root permissions                            ##
                     35: ## 12. Add user and make www a member of the user-specific group             ##
                     36: ## 13. Set password                                                          ##
                     37: ## 14. Make final modifications to the user directory                        ##
                     38: ## 15. Exit script (unlock)                                                  ##
                     39: ##                                                                           ##
                     40: ###############################################################################
1.1       harris41   41: 
                     42: use strict;
                     43: 
1.15      harris41   44: # ------------------------------------------------------- Description of script
                     45: #
1.1       harris41   46: # This script is a setuid script that should
1.20      foxr       47: # be run by user 'www'.  It creates a /home/USERNAME directory.
1.15      harris41   48: # It adds a user to the unix system.
1.2       harris41   49: # Passwords are set with lcpasswd.
                     50: # www becomes a member of this user group.
1.1       harris41   51: 
1.15      harris41   52: # -------------- Invoking script (standard input versus command-line arguments)
                     53: #
                     54: # Standard input (STDIN) usage
1.1       harris41   55: # First line is USERNAME
                     56: # Second line is PASSWORD
1.3       harris41   57: # Third line is PASSWORD
1.15      harris41   58: #
                     59: # Command-line arguments [USERNAME] [PASSWORD] [PASSWORD]
                     60: # Yes, but be very careful here (don't pass shell commands)
                     61: # and this is only supported to allow perl-system calls.
                     62: #
1.7       harris41   63: # Valid passwords must consist of the
                     64: # ascii characters within the inclusive
                     65: # range of 0x20 (32) to 0x7E (126).
                     66: # These characters are:
                     67: # SPACE and
                     68: # !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNO
                     69: # PQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
1.15      harris41   70: #
1.7       harris41   71: # Valid user names must consist of ascii
                     72: # characters that are alphabetical characters
                     73: # (A-Z,a-z), numeric (0-9), or the underscore
                     74: # mark (_). (Essentially, the perl regex \w).
1.15      harris41   75: # User names must begin with an alphabetical character
                     76: # (A-Z,a-z).
1.7       harris41   77: 
1.15      harris41   78: # ---------------------------------- Example usage inside another piece of code
1.4       harris41   79: # Usage within code
                     80: #
1.15      harris41   81: # $exitcode=
                     82: #      system("/home/httpd/perl/lcuseradd","NAME","PASSWORD1","PASSWORD2")/256;
1.4       harris41   83: # print "uh-oh" if $exitcode;
                     84: 
1.15      harris41   85: # ---------------------------------------------------- Description of functions
                     86: # enable_root_capability() : have setuid script run as root
                     87: # disable_root_capability() : have setuid script run as www
                     88: # try_to_lock() : make sure that another lcpasswd process isn't running
                     89: 
                     90: # ------------------------------------------------------------------ Exit codes
1.4       harris41   91: # These are the exit codes.
1.13      harris41   92: # ( (0,"ok"),
                     93: # (1,"User ID mismatch.  This program must be run as user 'www'"),
1.15      harris41   94: # (2,"Error. This program needs 3 command-line arguments (username, ".
                     95: #    "password 1, password 2)."),
1.13      harris41   96: # (3,"Error. Three lines should be entered into standard input."),
1.15      harris41   97: # (4,"Error. Too many other simultaneous password change requests being ".
                     98: #    "made."),
1.13      harris41   99: # (5,"Error. User $username does not exist."),
                    100: # (6,"Error. Could not make www a member of the group \"$safeusername\"."),
                    101: # (7,"Error. Root was not successfully enabled.),
1.15      harris41  102: # (8,"Error. Cannot set password."),
1.13      harris41  103: # (9,"Error. The user name specified has invalid characters."),
                    104: # (10,"Error. A password entry had an invalid character."),
                    105: # (11,"Error. User already exists.),
1.15      harris41  106: # (12,"Error. Something went wrong with the addition of user ".
                    107: #     "\"$safeusername\"."),
1.13      harris41  108: # (13,"Error. Password mismatch."),
1.4       harris41  109: 
1.15      harris41  110: # ------------------------------------------------------------- Initializations
1.1       harris41  111: # Security
1.15      harris41  112: $ENV{'PATH'}='/bin/:/usr/bin:/usr/local/sbin:/home/httpd/perl'; # Nullify path
                    113:                                                                 # information
1.16      harris41  114: delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; # nullify potential taints
1.2       harris41  115: 
1.15      harris41  116: # Do not print error messages.
                    117: my $noprint=1;
                    118: 
1.23      foxr      119: print "In lcuseradd\n" unless $noprint;
                    120: 
1.15      harris41  121: # ----------------------------- Make sure this process is running from user=www
                    122: my $wwwid=getpwnam('www');
                    123: &disable_root_capability;
                    124: if ($wwwid!=$>) {
                    125:     print("User ID mismatch.  This program must be run as user 'www'\n")
                    126: 	unless $noprint;
1.4       harris41  127:     exit 1;
                    128: }
1.15      harris41  129: 
                    130: # ----------------------------------- Start running script with www permissions
1.4       harris41  131: &disable_root_capability;
                    132: 
1.15      harris41  133: # --------------------------- Handle case of another lcpasswd process (locking)
1.4       harris41  134: unless (&try_to_lock("/tmp/lock_lcpasswd")) {
1.15      harris41  135:     print "Error. Too many other simultaneous password change requests being ".
                    136: 	"made.\n" unless $noprint;
1.4       harris41  137:     exit 4;
                    138: }
                    139: 
1.15      harris41  140: # ------- Error-check input, need 3 values (user name, password 1, password 2).
1.4       harris41  141: my @input;
1.5       harris41  142: if (@ARGV==3) {
1.4       harris41  143:     @input=@ARGV;
                    144: }
                    145: elsif (@ARGV) {
1.15      harris41  146:     print("Error. This program needs 3 command-line arguments (username, ".
                    147: 	  "password 1, password 2).\n") unless $noprint;
1.4       harris41  148:     unlink('/tmp/lock_lcpasswd');
                    149:     exit 2;
                    150: }
                    151: else {
                    152:     @input=<>;
1.5       harris41  153:     if (@input!=3) {
1.15      harris41  154: 	print("Error. Three lines should be entered into standard input.\n")
                    155: 	    unless $noprint;
1.4       harris41  156: 	unlink('/tmp/lock_lcpasswd');
                    157: 	exit 3;
                    158:     }
1.19      harris41  159:     foreach (@input) {chomp;}
1.4       harris41  160: }
                    161: 
                    162: my ($username,$password1,$password2)=@input;
1.23      foxr      163: print "Username = ".$username."\n" unless $noprint;
1.4       harris41  164: $username=~/^(\w+)$/;
1.22      foxr      165: print "Username after substitution - ".$username unless $noprint;
1.4       harris41  166: my $safeusername=$1;
1.23      foxr      167: print "Safe username = $safeusername \n" unless $noprint;
1.22      foxr      168: 
1.15      harris41  169: if (($username ne $safeusername) or ($safeusername!~/^[A-Za-z]/)) {
1.22      foxr      170:     print "Error. The user name specified $username $safeusername  has invalid characters.\n"
1.15      harris41  171: 	unless $noprint;
1.8       harris41  172:     unlink('/tmp/lock_lcpasswd');
                    173:     exit 9;
                    174: }
                    175: my $pbad=0;
1.19      harris41  176: foreach (split(//,$password1)) {if ((ord($_)<32)||(ord($_)>126)){$pbad=1;}}
                    177: foreach (split(//,$password2)) {if ((ord($_)<32)||(ord($_)>126)){$pbad=1;}}
1.8       harris41  178: if ($pbad) {
                    179:     print "Error. A password entry had an invalid character.\n";
                    180:     unlink('/tmp/lock_lcpasswd');
                    181:     exit 10;
                    182: }
1.5       harris41  183: 
1.15      harris41  184: # -- Only add user if we can create a brand new home directory (/home/username)
1.7       harris41  185: if (-e "/home/$safeusername") {
                    186:     print "Error. User already exists.\n" unless $noprint;
                    187:     unlink('/tmp/lock_lcpasswd');
1.13      harris41  188:     exit 11;
1.7       harris41  189: }
                    190: 
1.15      harris41  191: # -- Only add user if the two password arguments match.
1.23      foxr      192: 
1.5       harris41  193: if ($password1 ne $password2) {
1.6       harris41  194:     print "Error. Password mismatch.\n" unless $noprint;
1.5       harris41  195:     unlink('/tmp/lock_lcpasswd');
1.13      harris41  196:     exit 13;
1.5       harris41  197: }
1.23      foxr      198: print "enabling root\n" unless $noprint;
1.15      harris41  199: # ---------------------------------- Start running script with root permissions
1.4       harris41  200: &enable_root_capability;
                    201: 
1.15      harris41  202: # ------------------- Add user and make www a member of the user-specific group
                    203: # -- Add user
1.23      foxr      204: 
                    205: print "adding user: $safeusername \n" unless $noprint;
                    206: my $status = system('/usr/sbin/useradd','-c','LON-CAPA user',$safeusername);
                    207: if ($status) {
1.15      harris41  208:     print "Error.  Something went wrong with the addition of user ".
                    209: 	  "\"$safeusername\".\n" unless $noprint;
1.23      foxr      210:     print "Final status of useradd = $status";
1.4       harris41  211:     unlink('/tmp/lock_lcpasswd');
1.13      harris41  212:     exit 12;
1.4       harris41  213: }
1.23      foxr      214: print "Done adding user\n" unless $noprint;
1.7       harris41  215: # Make www a member of that user group.
1.17      harris41  216: my $groups=`/usr/bin/groups www` or exit(6);
1.25.2.1  albertel  217: # untaint
1.25.2.2! albertel  218: my ($safegroups)=($groups=~/:\s*([\s\w]+)/);
1.25.2.1  albertel  219: $groups=$safegroups;
1.17      harris41  220: chomp $groups; $groups=~s/^\S+\s+\:\s+//;
                    221: my @grouplist=split(/\s+/,$groups);
                    222: my @ugrouplist=grep {!/www|$safeusername/} @grouplist;
                    223: my $gl=join(',',(@ugrouplist,$safeusername));
1.23      foxr      224: print "Putting user in its own group\n" unless $noprint;
1.17      harris41  225: if (system('/usr/sbin/usermod','-G',$gl,'www')) {
1.15      harris41  226:     print "Error. Could not make www a member of the group ".
                    227: 	  "\"$safeusername\".\n" unless $noprint;
1.5       harris41  228:     unlink('/tmp/lock_lcpasswd');
                    229:     exit 6;
                    230: }
                    231: 
1.15      harris41  232: # ---------------------------------------------------------------- Set password
                    233: # Set password with lcpasswd (which creates smbpasswd entry).
1.2       harris41  234: 
1.15      harris41  235: unlink('/tmp/lock_lcpasswd');
                    236: &disable_root_capability;
1.16      harris41  237: ($>,$<)=($wwwid,$wwwid);
1.23      foxr      238: print "Opening lcpasswd pipeline\n" unless $noprint;
1.16      harris41  239: open OUT,"|/home/httpd/perl/lcpasswd";
1.15      harris41  240: print OUT $safeusername;
                    241: print OUT "\n";
                    242: print OUT $password1;
                    243: print OUT "\n";
                    244: print OUT $password1;
                    245: print OUT "\n";
                    246: close OUT;
                    247: if ($?) {
1.23      foxr      248:     print "abnormal exit from close lcpasswd\n" unless $noprint;
1.15      harris41  249:     exit 8;
1.8       harris41  250: }
1.18      harris41  251: ($>,$<)=($wwwid,0);
1.15      harris41  252: &enable_root_capability;
1.8       harris41  253: 
1.20      foxr      254: # -- Don't add public_html... that can be added either by the user
                    255: #    or by lchtmldir when the user is granted an authorship role.
                    256: 
1.15      harris41  257: # ------------------------------ Make final modifications to the user directory
                    258: # -- Add a public_html file with a stand-in index.html file
1.8       harris41  259: 
1.21      foxr      260:  system('/bin/chmod','-R','0660',"/home/$safeusername");
                    261: system('/bin/chmod','0710',"/home/$safeusername");
                    262: mkdir "/home/$safeusername/public_html",0755;
                    263: system('/bin/chmod','02770',"/home/$safeusername/public_html");
                    264: open OUT,">/home/$safeusername/public_html/index.html";
                    265: print OUT<<END;
                    266: <html>
                    267: <head>
                    268: <title>$safeusername</title>
                    269: </head>
                    270: <body>
1.24      www       271: <h1>Construction Space</h1>
                    272: <h3>$safeusername</h3>
1.21      foxr      273: </body>
                    274: </html>
                    275: END
                    276: close OUT;
1.20      foxr      277: 
1.24      www       278: print "lcuseradd ownership\n" unless $noprint;
1.11      harris41  279: system('/bin/chown','-R',"$safeusername:$safeusername","/home/$safeusername");
1.24      www       280: # ---------------------------------------------------- Gracefull Apache Restart
                    281: if (-e '/var/run/httpd.pid') {
                    282:     print "lcuseradd Apache restart\n" unless $noprint;
                    283:     open(PID,'/var/run/httpd.pid');
                    284:     my $pid=<PID>;
                    285:     close(PID);
1.25.2.1  albertel  286:     my ($safepid)=($pid=~s/(\D+)//g);
1.24      www       287:     if ($pid) {
1.25.2.1  albertel  288: 	system('kill','-USR1',"$safepid");
1.24      www       289:     }
                    290: }
1.15      harris41  291: # -------------------------------------------------------- Exit script
1.24      www       292: print "lcuseradd exiting\n" unless $noprint;
1.8       harris41  293: &disable_root_capability;
                    294: exit 0;
1.1       harris41  295: 
1.15      harris41  296: # ---------------------------------------------- Have setuid script run as root
1.5       harris41  297: sub enable_root_capability {
                    298:     if ($wwwid==$>) {
1.23      foxr      299: 	($<,$>)=($>,0);
                    300: 	($(,$))=($),0);
1.5       harris41  301:     }
                    302:     else {
                    303: 	# root capability is already enabled
                    304:     }
                    305:     return $>;
                    306: }
                    307: 
1.15      harris41  308: # ----------------------------------------------- Have setuid script run as www
1.5       harris41  309: sub disable_root_capability {
                    310:     if ($wwwid==$<) {
                    311: 	($<,$>)=($>,$<);
                    312: 	($(,$))=($),$();
                    313:     }
                    314:     else {
                    315: 	# root capability is already disabled
                    316:     }
                    317: }
                    318: 
1.15      harris41  319: # ----------------------- Make sure that another lcpasswd process isn't running
1.5       harris41  320: sub try_to_lock {
                    321:     my ($lockfile)=@_;
                    322:     my $currentpid;
                    323:     my $lastpid;
                    324:     # Do not manipulate lock file as root
                    325:     if ($>==0) {
                    326: 	return 0;
                    327:     }
                    328:     # Try to generate lock file.
                    329:     # Wait 3 seconds.  If same process id is in
                    330:     # lock file, then assume lock file is stale, and
                    331:     # go ahead.  If process id's fluctuate, try
                    332:     # for a maximum of 10 times.
                    333:     for (0..10) {
                    334: 	if (-e $lockfile) {
                    335: 	    open(LOCK,"<$lockfile");
                    336: 	    $currentpid=<LOCK>;
                    337: 	    close LOCK;
                    338: 	    if ($currentpid==$lastpid) {
                    339: 		last;
                    340: 	    }
                    341: 	    sleep 3;
                    342: 	    $lastpid=$currentpid;
                    343: 	}
                    344: 	else {
                    345: 	    last;
                    346: 	}
                    347: 	if ($_==10) {
                    348: 	    return 0;
                    349: 	}
                    350:     }
                    351:     open(LOCK,">$lockfile");
                    352:     print LOCK $$;
                    353:     close LOCK;
                    354:     return 1;
                    355: }
1.16      harris41  356: 
                    357: =head1 NAME
                    358: 
                    359: lcuseradd - LON-CAPA setuid script to coordinate all actions
                    360:             with adding a user with filesystem privileges (e.g. author)
                    361: 
                    362: =head1 DESCRIPTION
                    363: 
                    364: lcuseradd - LON-CAPA setuid script to coordinate all actions
                    365:             with adding a user with filesystem privileges (e.g. author)
                    366: 
                    367: =head1 README
                    368: 
                    369: lcuseradd - LON-CAPA setuid script to coordinate all actions
                    370:             with adding a user with filesystem privileges (e.g. author)
                    371: 
                    372: =head1 PREREQUISITES
                    373: 
                    374: =head1 COREQUISITES
                    375: 
                    376: =pod OSNAMES
                    377: 
                    378: linux
                    379: 
                    380: =pod SCRIPT CATEGORIES
                    381: 
                    382: LONCAPA/Administrative
                    383: 
                    384: =cut

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>