Annotation of loncom/lcuseradd, revision 1.8
1.1 harris41 1: #!/usr/bin/perl
2: #
3: # lcuseradd
4: #
5: # Scott Harrison
6: # October 27, 2000
7:
8: use strict;
9:
10: # This script is a setuid script that should
11: # be run by user 'www'. It creates a /home/USERNAME directory
12: # as well as a /home/USERNAME/public_html directory.
13: # It adds user entries to
14: # /etc/passwd and /etc/groups.
1.2 harris41 15: # Passwords are set with lcpasswd.
16: # www becomes a member of this user group.
1.1 harris41 17:
18: # Standard input usage
19: # First line is USERNAME
20: # Second line is PASSWORD
1.3 harris41 21: # Third line is PASSWORD
1.1 harris41 22:
1.7 harris41 23: # Valid passwords must consist of the
24: # ascii characters within the inclusive
25: # range of 0x20 (32) to 0x7E (126).
26: # These characters are:
27: # SPACE and
28: # !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNO
29: # PQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
30:
31: # Valid user names must consist of ascii
32: # characters that are alphabetical characters
33: # (A-Z,a-z), numeric (0-9), or the underscore
34: # mark (_). (Essentially, the perl regex \w).
35:
1.3 harris41 36: # Command-line arguments [USERNAME] [PASSWORD] [PASSWORD]
1.1 harris41 37: # Yes, but be very careful here (don't pass shell commands)
38: # and this is only supported to allow perl-system calls.
39:
1.4 harris41 40: # Usage within code
41: #
42: # $exitcode=system("/home/httpd/perl/lcuseradd","NAME","PASSWORD1","PASSWORD2")/256;
43: # print "uh-oh" if $exitcode;
44:
45: # These are the exit codes.
46:
1.1 harris41 47: # Security
48: $ENV{'PATH'}=""; # Nullify path information.
49: $ENV{'BASH_ENV'}=""; # Nullify shell environment information.
1.2 harris41 50:
1.4 harris41 51: # Do not print error messages if there are command-line arguments
52: my $noprint=0;
53: if (@ARGV) {
54: $noprint=1;
55: }
56:
57: # Read in /etc/passwd, and make sure this process is running from user=www
58: open (IN, "</etc/passwd");
59: my @lines=<IN>;
60: close IN;
61: my $wwwid;
62: for my $l (@lines) {
63: chop $l;
64: my @F=split(/\:/,$l);
65: if ($F[0] eq 'www') {$wwwid=$F[2];}
66: }
67: if ($wwwid!=$<) {
68: print("User ID mismatch. This program must be run as user 'www'\n") unless $noprint;
69: exit 1;
70: }
71: &disable_root_capability;
72:
73: # Handle case of another lcpasswd process
74: unless (&try_to_lock("/tmp/lock_lcpasswd")) {
75: print "Error. Too many other simultaneous password change requests being made.\n" unless $noprint;
76: exit 4;
77: }
78:
79: # Gather input. Should be 3 values (user name, password 1, password 2).
80: my @input;
1.5 harris41 81: if (@ARGV==3) {
1.4 harris41 82: @input=@ARGV;
83: }
84: elsif (@ARGV) {
85: print("Error. This program needs 3 command-line arguments (username, password 1, password 2).\n") unless $noprint;
86: unlink('/tmp/lock_lcpasswd');
87: exit 2;
88: }
89: else {
90: @input=<>;
1.5 harris41 91: if (@input!=3) {
1.4 harris41 92: print("Error. Three lines should be entered into standard input.\n") unless $noprint;
93: unlink('/tmp/lock_lcpasswd');
94: exit 3;
95: }
96: map {chop} @input;
97: }
98:
99: my ($username,$password1,$password2)=@input;
100: $username=~/^(\w+)$/;
101: my $safeusername=$1;
1.8 ! harris41 102: if ($username ne $safeusername) {
! 103: print "Error. The user name specified has invalid characters.\n";
! 104: unlink('/tmp/lock_lcpasswd');
! 105: exit 9;
! 106: }
! 107: my $pbad=0;
! 108: map {if (($_<32)&&($_>126)){$pbad=1;}} (split(//,$oldpwd));
! 109: map {if (($_<32)&&($_>126)){$pbad=1;}} (split(//,$newpwd));
! 110: if ($pbad) {
! 111: print "Error. A password entry had an invalid character.\n";
! 112: unlink('/tmp/lock_lcpasswd');
! 113: exit 10;
! 114: }
1.5 harris41 115:
1.7 harris41 116: # Only add user if we can create a brand new home directory (/home/username).
117: if (-e "/home/$safeusername") {
118: print "Error. User already exists.\n" unless $noprint;
119: unlink('/tmp/lock_lcpasswd');
120: exit 8;
121: }
122:
123: # Only add user if the two password arguments match.
1.5 harris41 124: if ($password1 ne $password2) {
1.6 harris41 125: print "Error. Password mismatch.\n" unless $noprint;
1.5 harris41 126: unlink('/tmp/lock_lcpasswd');
127: exit 7;
128: }
1.4 harris41 129:
130: &enable_root_capability;
131:
1.3 harris41 132: # Add user entry to /etc/passwd and /etc/groups in such
133: # a way that www is a member of the user-specific group
134:
1.5 harris41 135: if (system('/usr/sbin/useradd','-c','LON-CAPA user',$safeusername)) {
1.6 harris41 136: print "Error. Something went wrong with the addition of user \"$safeusername\".\n" unless $noprint;
1.4 harris41 137: unlink('/tmp/lock_lcpasswd');
138: exit 5;
139: }
1.7 harris41 140:
141: # Make www a member of that user group.
1.5 harris41 142: if (system('/usr/sbin/usermod','-G',$safeusername,'www')) {
1.6 harris41 143: print "Error. Could not make www a member of the group \"$safeusername\".\n" unless $noprint;
1.5 harris41 144: unlink('/tmp/lock_lcpasswd');
145: exit 6;
146: }
147:
148: # Set password with lcpasswd-style algorithm (which creates smbpasswd entry).
149: # I cannot place a direct shell call to lcpasswd since I have to allow
150: # for crazy characters in the password, and the setuid environment of perl
151: # requires me to make everything safe.
1.7 harris41 152:
1.8 ! harris41 153: my $pbad=0;
! 154: map {if (($_<32)&&($_>126)){$pbad=1;}} (split(//,$oldpwd));
! 155: map {if (($_<32)&&($_>126)){$pbad=1;}} (split(//,$newpwd));
! 156: if ($pbad) {
! 157: print "Error. A password entry had an invalid character.\n";
! 158: unlink('/tmp/lock_lcpasswd');
! 159: exit 10;
! 160: }
! 161:
! 162: # Grab the line corresponding to username
! 163: my ($userid,$useroldcryptpwd);
! 164: my @F; my @U;
! 165: for my $l (@lines) {
! 166: @F=split(/\:/,$l);
! 167: if ($F[0] eq $username) {($userid,$useroldcryptpwd)=($F[2],$F[1]); @U=@F;}
! 168: }
1.5 harris41 169:
1.8 ! harris41 170: # Verify existence of user
! 171: if (!defined($userid)) {
! 172: print "Error. User $username does not exist.\n" unless $noprint;
! 173: unlink('/tmp/lock_lcpasswd');
! 174: exit 5;
! 175: }
1.2 harris41 176:
1.8 ! harris41 177: # Verify password entry
! 178: if (crypt($oldpwd,$useroldcryptpwd) ne $useroldcryptpwd) {
! 179: print "Error. Invalid entry of current password.\n" unless $noprint;
! 180: unlink('/tmp/lock_lcpasswd');
! 181: exit 6;
! 182: }
! 183:
! 184: # Construct new password entry (random salt)
! 185: my $newcryptpwd=crypt($newpwd,(join '', ('.', '/', 0..9, 'A'..'Z', 'a'..'z')[rand 64, rand 64]));
! 186: $U[1]=$newcryptpwd;
! 187: my $userline=join(':',@U);
! 188: my $rootid=&enable_root_capability;
! 189: if ($rootid!=0) {
! 190: print "Error. Root was not successfully enabled.\n" unless $noprint;
! 191: unlink('/tmp/lock_lcpasswd');
! 192: exit 7;
! 193: }
! 194: open PASSWORDFILE, '>/etc/passwd' or (print("Error. Cannot open /etc/passwd.\n") && unlink('/tmp/lock_lcpasswd') && exit(8));
! 195: for my $l (@lines) {
! 196: @F=split(/\:/,$l);
! 197: if ($F[0] eq $username) {print PASSWORDFILE "$userline\n";}
! 198: else {print PASSWORDFILE "$l\n";}
! 199: }
! 200: close PASSWORDFILE;
! 201:
! 202: ($>,$<)=(0,0); # fool smbpasswd here to think this is not a setuid environment
! 203: unless (-e '/etc/smbpasswd') {
! 204: open (OUT,'>/etc/smbpasswd'); close OUT;
! 205: }
! 206: my $smbexist=0;
! 207: open (IN, '</etc/smbpasswd');
! 208: my @lines=<IN>;
! 209: close IN;
! 210: for my $l (@lines) {
! 211: chop $l;
! 212: my @F=split(/\:/,$l);
! 213: if ($F[0] eq $username) {$smbexist=1;}
! 214: }
! 215: unless ($smbexist) {
! 216: open(OUT,'>>/etc/smbpasswd');
! 217: print OUT join(':',($safeusername,$userid,'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX','','/home/'.$safeusername,'/bin/bash')) . "\n";
! 218: close OUT;
! 219: }
! 220: open(OUT,"|/usr/bin/smbpasswd -s $safeusername>/dev/null");
! 221: print OUT $newpwd; print OUT "\n";
! 222: print OUT $newpwd; print OUT "\n";
! 223: close OUT;
! 224: $<=$wwwid; # unfool the program
! 225:
! 226: # Make final modifications to the user directory.
! 227: # Add a public_html file with a stand-in index.html file.
! 228:
! 229: mkdir "/home/$safeusername/public_html",0750;
! 230: # chmod -R
! 231: open OUT,">/home/$safeusername/public_html";
! 232: print OUT<<END;
! 233: <HTML>
! 234: <HEAD>
! 235: <TITLE>$safeusername</TITLE>
! 236: </HEAD>
! 237: <BODY>
! 238: <H1>$safeusername</H1>
! 239: <P>
! 240: Learning Online Network
! 241: </P>
! 242: <P>
! 243: This area provides for:
! 244: </P>
! 245: <UL>
! 246: <LI>resource construction
! 247: <LI>resource publication
! 248: <LI>record-keeping
! 249: </UL>
! 250: </BODY>
! 251: </HTML>
! 252: END
! 253: close OUT;
! 254:
! 255: &disable_root_capability;
! 256: unlink('/tmp/lock_lcpasswd');
! 257: exit 0;
1.1 harris41 258:
1.5 harris41 259: # ----------------------------------------------------------- have setuid script run as root
260: sub enable_root_capability {
261: if ($wwwid==$>) {
262: ($<,$>)=($>,$<);
263: ($(,$))=($),$();
264: }
265: else {
266: # root capability is already enabled
267: }
268: return $>;
269: }
270:
271: # ----------------------------------------------------------- have setuid script run as www
272: sub disable_root_capability {
273: if ($wwwid==$<) {
274: ($<,$>)=($>,$<);
275: ($(,$))=($),$();
276: }
277: else {
278: # root capability is already disabled
279: }
280: }
281:
282: # ----------------------------------- make sure that another lcpasswd process isn't running
283: sub try_to_lock {
284: my ($lockfile)=@_;
285: my $currentpid;
286: my $lastpid;
287: # Do not manipulate lock file as root
288: if ($>==0) {
289: return 0;
290: }
291: # Try to generate lock file.
292: # Wait 3 seconds. If same process id is in
293: # lock file, then assume lock file is stale, and
294: # go ahead. If process id's fluctuate, try
295: # for a maximum of 10 times.
296: for (0..10) {
297: if (-e $lockfile) {
298: open(LOCK,"<$lockfile");
299: $currentpid=<LOCK>;
300: close LOCK;
301: if ($currentpid==$lastpid) {
302: last;
303: }
304: sleep 3;
305: $lastpid=$currentpid;
306: }
307: else {
308: last;
309: }
310: if ($_==10) {
311: return 0;
312: }
313: }
314: open(LOCK,">$lockfile");
315: print LOCK $$;
316: close LOCK;
317: return 1;
318: }
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/back.gif){kind=icon}
Return to lcuseradd CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [LON-CAPA] / loncom