[BACK]Return to lcpasswd CVS log [TXT] [DIR] Up to [LON-CAPA] / loncom

Diff for /loncom/lcpasswd between versions 1.12 and 1.19

version 1.12, 2001/10/23 03:42:30 version 1.19, 2003/02/03 18:03:52
Line 1 Line 1
 #!/usr/bin/perl  #!/usr/bin/perl
   # The Learning Online Network with CAPA
 #  #
 # lcpasswd  # lcpasswd - LON-CAPA setuid script to synchronously change all
   #            filesystem-related passwords (samba, unix, etc)
 #  #
 # Scott Harrison  # YEAR=2002
 # SH: October 27, 2000  # 02/19 Matthew Hall
 # SH: October 28, 2000  #
 # SH: October 29, 2000  # $Id$
 # YEAR=2001  ###
 # Scott Harrison 10/22  
   
 ###############################################################################  ###############################################################################
 ##                                                                           ##  ##                                                                           ##
Line 39  use strict; Line 40  use strict;
 #  #
 # Standard input usage  # Standard input usage
 # First line is USERNAME  # First line is USERNAME
 # Second line is CURRENT PASSWORD  # Second line is NEW PASSWORD
 # Third line is NEW PASSWORD  # Third line is NEW PASSWORD
 #  #
 # Valid passwords must consist of the  # Valid passwords must consist of the
Line 82  use strict; Line 83  use strict;
 # Security  # Security
 $ENV{'PATH'}='/bin:/usr/bin:/usr/local/sbin:/home/httpd/perl'; # Nullify path  $ENV{'PATH'}='/bin:/usr/bin:/usr/local/sbin:/home/httpd/perl'; # Nullify path
                                                                # information                                                                 # information
 $ENV{'BASH_ENV'}=''; # Nullify shell environment information.  delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; # nullify potential taints
   
 # Do not print error messages  # Do not print error messages
 my $noprint=1;  my $noprint=1;
   
   print "In lcpasswd" unless $noprint;
   
 # ----------------------------- Make sure this process is running from user=www  # ----------------------------- Make sure this process is running from user=www
 my $wwwid=getpwnam('www');  my $wwwid=getpwnam('www');
 &disable_root_capability;  &disable_root_capability;
Line 115  if (@input!=3) { Line 118  if (@input!=3) {
     unlink('/tmp/lock_lcpasswd');      unlink('/tmp/lock_lcpasswd');
     exit 3;      exit 3;
 }  }
 map {chomp} @input;  foreach (@input) {chomp;}
   
 my ($username,$password1,$password2)=@input;  my ($username,$password1,$password2)=@input;
 $username=~/^(\w+)$/;  $username=~/^(\w+)$/;
Line 126  if (($username ne $safeusername) or ($sa Line 129  if (($username ne $safeusername) or ($sa
     exit 9;      exit 9;
 }  }
 my $pbad=0;  my $pbad=0;
 map {if (($_<32)&&($_>126)){$pbad=1;}} (split(//,$password1));  foreach (split(//,$password1)) {if ((ord($_)<32)||(ord($_)>126)){$pbad=1;}}
 map {if (($_<32)&&($_>126)){$pbad=1;}} (split(//,$password2));  foreach (split(//,$password2)) {if ((ord($_)<32)||(ord($_)>126)){$pbad=1;}}
 if ($pbad) {  if ($pbad) {
     print "Error. A password entry had an invalid character.\n";      print "Error. A password entry had an invalid character.\n";
     unlink('/tmp/lock_lcpasswd');      unlink('/tmp/lock_lcpasswd');
Line 147  unless(getpwnam($safeusername)) { Line 150  unless(getpwnam($safeusername)) {
     unlink('/tmp/lock_lcpasswd');      unlink('/tmp/lock_lcpasswd');
     exit 5;      exit 5;
 }  }
   
 &enable_root_capability;  &enable_root_capability;
 ($>,$<)=(0,0);  ($>,$<)=(0,0);
   
   print "Now $> , $< , -invoking pwchange with $safeusername $password1"
       unless $noprint;
 open OUT,"|pwchange $safeusername";  open OUT,"|pwchange $safeusername";
 print OUT $password1;  print OUT $password1;
 print OUT "\n";  print OUT "\n";
 close OUT;  close OUT;
 ($>,$<)=(0,500);  ($>,$<)=(0,500);
   
   print "pwchange done, back to uid 500" unless $noprint;
   
 if ($?) {  if ($?) {
     exit 8;      exit 8;
 }  }
 my $userid=getpwnam($safeusername);  my $userid=getpwnam($safeusername);
   
 unless (-e '/usr/bin/smbpasswd') {  if (-e '/usr/bin/smbpasswd') {
   
     ($>,$<)=(0,0); # fool smbpasswd here to think this is not a setuid      ($>,$<)=(0,0); # fool smbpasswd here to think this is not a setuid
                    # environment                     # environment
     unless (-e '/etc/smbpasswd') {  
  open (OUT,'>/etc/smbpasswd'); close OUT;  
     }  
   
     my $smbexist=0;  #   If the -a swithc is put on the smbpasswd
     open (IN, '</etc/smbpasswd');  # command line, either a new entry will be created or the old one
     my @lines=<IN>;  # will be used. 
     close IN;  # Therefore the old strategy of looking for and adding a dummy entry is 
     for my $l (@lines) {  # not needed... Finally, the smbpasswd file is in /etc/samba not 
  chop $l;  # /etc/smbpasswd as older versions of the script implied.
  my @F=split(/\:/,$l);  
  if ($F[0] eq $username) {$smbexist=1;}      print "Running smbpasswd" unless $noprint;
     }      open(OUT,"|/usr/bin/smbpasswd -s -a $safeusername>/dev/null") or
     unless ($smbexist) {   die('cannot run smbpasswd');
  open(OUT,'>>/etc/smbpasswd');  
  print OUT join(':',($safeusername,$userid,  
     'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXX'.  
     'XXXXXXXXXXXXXXXXXX','','/home/'.$safeusername,  
     '/bin/bash')) . "\n";  
  close OUT;  
     }  
   
     open(OUT,"|/usr/bin/smbpasswd -s $safeusername>/dev/null");  
     print OUT $password2; print OUT "\n";      print OUT $password2; print OUT "\n";
     print OUT $password2; print OUT "\n";      print OUT $password2; print OUT "\n";
     close OUT;      close OUT;
     $<=$wwwid; # unfool the program      $<=$wwwid; # unfool the program
       print "smbpasswd done" unless $noprint;
 }  }
   
 &disable_root_capability;  &disable_root_capability;
Line 201  exit 0; Line 197  exit 0;
 # ---------------------------------------------- have setuid script run as root  # ---------------------------------------------- have setuid script run as root
 sub enable_root_capability {  sub enable_root_capability {
     if ($wwwid==$>) {      if ($wwwid==$>) {
  ($<,$>)=($>,$<);   ($<,$>)=($>,0);
  ($(,$))=($),$();   ($(,$))=($),0);
     }      }
     else {      else {
  # root capability is already enabled   # root capability is already enabled
Line 258  sub try_to_lock { Line 254  sub try_to_lock {
     close LOCK;      close LOCK;
     return 1;      return 1;
 }  }
   
   =head1 NAME
   
   lcpasswd - LON-CAPA setuid script to synchronously change all
              filesystem-related passwords (samba, unix, etc)
   
   =head1 DESCRIPTION
   
   LON-CAPA setuid script to synchronously change all
   filesystem-related passwords (samba, unix, etc)
   
   =head1 README
   
   LON-CAPA setuid script to synchronously change all
   filesystem-related passwords (samba, unix, etc)
   
   =head1 PREREQUISITES
   
   =head1 COREQUISITES
   
   =pod OSNAMES
   
   linux
   
   =pod SCRIPT CATEGORIES
   
   LONCAPA/Administrative
   
   =cut
Removed from v.1.12  
changed lines
  Added in v.1.19

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>