Annotation of loncom/lcpasswd, revision 1.5
1.1 harris41 1: #!/usr/bin/perl
1.3 harris41 2: #
3: # lcpasswd
4: #
5: # Scott Harrison
6: # October 27, 2000
1.1 harris41 7:
8: use strict;
9:
10: # This script is a setuid script that should
1.4 harris41 11: # be run by user 'www'. This script allows
12: # for synchronous entry of passwords into
13: # both the /etc/passwd and the /etc/smbpasswd
14: # files.
1.1 harris41 15:
1.5 ! harris41 16: # This script works under the same process control mechanism
! 17: # as lcuseradd and lcpasswd, to make sure that only one of these
! 18: # processes is running at any one time on the system.
! 19:
1.1 harris41 20: # Standard input usage
21: # First line is USERNAME
22: # Second line is CURRENT PASSWORD
23: # Third line is NEW PASSWORD
24:
1.4 harris41 25: # Command-line arguments
26: # Yes, but be very careful here (don't pass shell commands)
27: # and this is only supported to allow perl-system calls.
28:
29: # Usage within code
1.5 ! harris41 30: # Note: NEVER run as system("/home/httpd/perl/lcpasswd NAME OLDPWD NEWPWD")
1.4 harris41 31: #
1.5 ! harris41 32: # $exitcode=system("/home/httpd/perl/lcpasswd","NAME","OLDPWD","NEWPWD")/256;
1.4 harris41 33: # print "uh-oh" if $exitcode;
34:
35: # These are the exit codes.
36: # ( (0,"ok"),
37: # (1,"User ID mismatch. This program must be run as user 'www'),
38: # (2,"Error. This program does not accept command-line arguments."),
39: # (3,"Error. Three lines need to be entered into standard input.\n"),
40: # (4,"Error. Too many other simultaneous password change requests being made.\n"),
41: # (5,"Error. User $username does not exist.\n"),
42: # (6,"Error. Invalid entry of current password.\n"),
43: # (7,"Error. Root was not successfully enabled.\n") )
44:
1.1 harris41 45: # Security
1.2 harris41 46: $ENV{'PATH'}="/bin:/usr/bin"; # Nullify path information except for what smbpasswd needs
1.1 harris41 47: $ENV{'BASH_ENV'}=""; # Nullify shell environment information.
48:
1.4 harris41 49: # Do not print error messages if there are command-line arguments
50: my $noprint=0;
51: if (@ARGV) {
52: $noprint=1;
53: }
54:
1.5 ! harris41 55: # Read in /etc/passwd, and make sure this process is running from user=www
1.1 harris41 56: open (IN, "</etc/passwd");
57: my @lines=<IN>;
58: close IN;
59: my $wwwid;
60: for my $l (@lines) {
61: chop $l;
62: my @F=split(/\:/,$l);
63: if ($F[0] eq 'www') {$wwwid=$F[2];}
64: }
65: if ($wwwid!=$<) {
1.4 harris41 66: print("User ID mismatch. This program must be run as user 'www'\n") unless $noprint;
1.5 ! harris41 67: unlink("/tmp/lock_lcpasswd");
1.4 harris41 68: exit 1;
1.1 harris41 69: }
1.2 harris41 70: &disable_root_capability;
1.1 harris41 71:
1.5 ! harris41 72: # Handle case of another lcpasswd process
! 73: unless (&try_to_lock("/tmp/lock_lcpasswd")) {
! 74: print "Error. Too many other simultaneous password change requests being made.\n" unless $noprint;
! 75: exit 4;
! 76: }
! 77:
1.4 harris41 78: # Gather input. Should only be 3 values.
79: my @input;
80: if (@ARGV==3) {
81: @input=@ARGV;
82: }
83: elsif (@ARGV) {
84: print("Error. This program needs 3 command-line arguments (username, old password, new password).\n") unless $noprint;
1.5 ! harris41 85: unlink("/tmp/lock_lcpasswd");
1.4 harris41 86: exit 2;
87: }
88: else {
89: @input=<>;
90: if (@input!=3) {
91: print("Error. Three lines need to be entered into standard input.\n") unless $noprint;
1.5 ! harris41 92: unlink("/tmp/lock_lcpasswd");
1.4 harris41 93: exit 3;
94: }
95: map {chop} @input;
1.1 harris41 96: }
97:
1.4 harris41 98: my ($username,$oldpwd,$newpwd)=@input;
1.1 harris41 99:
100: # Grab the line corresponding to username
101: my ($userid,$useroldcryptpwd);
102: my @F; my @U;
103: for my $l (@lines) {
104: @F=split(/\:/,$l);
105: if ($F[0] eq $username) {($userid,$useroldcryptpwd)=($F[2],$F[1]); @U=@F;}
106: }
107:
108: # Verify existence of user
109: if (!defined($userid)) {
1.4 harris41 110: print "Error. User $username does not exist.\n" unless $noprint;
111: unlink("/tmp/lock_lcpasswd");
112: exit 5;
1.1 harris41 113: }
114:
115: # Verify password entry
116: if (crypt($oldpwd,$useroldcryptpwd) ne $useroldcryptpwd) {
1.4 harris41 117: print "Error. Invalid entry of current password.\n" unless $noprint;
118: unlink("/tmp/lock_lcpasswd");
119: exit 6;
1.1 harris41 120: }
121:
1.2 harris41 122: # Construct new password entry (random salt)
123: my $newcryptpwd=crypt($newpwd,(join '', ('.', '/', 0..9, 'A'..'Z', 'a'..'z')[rand 64, rand 64]));
1.1 harris41 124: $U[1]=$newcryptpwd;
125: my $userline=join(":",@U);
1.2 harris41 126: my $rootid=&enable_root_capability;
127: if ($rootid!=0) {
1.4 harris41 128: print "Error. Root was not successfully enabled.\n" unless $noprint;
129: unlink("/tmp/lock_lcpasswd");
130: exit 7;
1.2 harris41 131: }
132: open PASSWORDFILE, ">/etc/passwd" or die("Cannot open /etc/passwd!");
1.1 harris41 133: for my $l (@lines) {
134: @F=split(/\:/,$l);
135: if ($F[0] eq $username) {print PASSWORDFILE "$userline\n";}
136: else {print PASSWORDFILE "$l\n";}
137: }
138: close PASSWORDFILE;
1.2 harris41 139: $username=~/^(\w+)$/;
140: my $safeusername=$1;
141: ($>,$<)=(0,0); # fool smbpasswd here to think this is not a setuid environment
142: unless (-e "/etc/smbpasswd") {
143: open (OUT,">/etc/smbpasswd"); close OUT;
144: }
145: my $smbexist=0;
146: open (IN, "</etc/smbpasswd");
147: my @lines=<IN>;
148: close IN;
149: for my $l (@lines) {
150: chop $l;
151: my @F=split(/\:/,$l);
152: if ($F[0] eq $username) {$smbexist=1;}
153: }
154: unless ($smbexist) {
155: open(OUT,">>/etc/smbpasswd");
156: print OUT join(":",($safeusername,$userid,'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX','','/home/'.$safeusername,'/bin/bash')) . "\n";
157: close OUT;
158: }
159: open(OUT,"|/usr/bin/smbpasswd -s $safeusername>/dev/null");
160: print OUT $newpwd; print OUT "\n";
161: print OUT $newpwd; print OUT "\n";
162: close OUT;
163: $<=$wwwid; # unfool the program
1.1 harris41 164: &disable_root_capability;
165: unlink("/tmp/lock_lcpasswd");
1.4 harris41 166: exit 0;
1.1 harris41 167:
1.4 harris41 168: # ----------------------------------------------------------- have setuid script run as root
1.1 harris41 169: sub enable_root_capability {
1.2 harris41 170: if ($wwwid==$>) {
1.1 harris41 171: ($<,$>)=($>,$<);
172: ($(,$))=($),$();
173: }
174: else {
175: # root capability is already enabled
176: }
1.2 harris41 177: return $>;
1.1 harris41 178: }
179:
1.4 harris41 180: # ----------------------------------------------------------- have setuid script run as www
1.1 harris41 181: sub disable_root_capability {
1.2 harris41 182: if ($wwwid==$<) {
1.1 harris41 183: ($<,$>)=($>,$<);
184: ($(,$))=($),$();
185: }
186: else {
187: # root capability is already disabled
188: }
189: }
190:
1.4 harris41 191: # ----------------------------------- make sure that another lcpasswd process isn't running
1.1 harris41 192: sub try_to_lock {
193: my ($lockfile)=@_;
194: my $currentpid;
195: my $lastpid;
1.5 ! harris41 196: # Do not manipulate lock file as root
! 197: if ($>==0) {
! 198: return 0;
! 199: }
! 200: # Try to generate lock file.
! 201: # Wait 3 seconds. If same process id is in
! 202: # lock file, then assume lock file is stale, and
! 203: # go ahead. If process id's fluctuate, try
! 204: # for a maximum of 10 times.
1.1 harris41 205: for (0..10) {
206: if (-e $lockfile) {
207: open(LOCK,"<$lockfile");
208: $currentpid=<LOCK>;
209: close LOCK;
210: if ($currentpid==$lastpid) {
211: last;
212: }
213: sleep 3;
214: $lastpid=$currentpid;
215: }
216: else {
217: last;
218: }
219: if ($_==10) {
220: return 0;
221: }
222: }
223: open(LOCK,">$lockfile");
224: print LOCK $$;
225: close LOCK;
226: return 1;
227: }
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/back.gif){kind=icon}
Return to lcpasswd CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [LON-CAPA] / loncom