version 1.2, 2000/10/28 17:53:01
|
version 1.7, 2000/10/29 22:07:20
|
Line 3
|
Line 3
|
# lcuserdel |
# lcuserdel |
# |
# |
# Scott Harrison |
# Scott Harrison |
# October 27, 2000 |
# SH: October 27, 2000 |
|
# SH: October 28, 2000 |
|
# SH: October 29, 2000 |
|
|
use strict; |
use strict; |
|
|
Line 11 use strict;
|
Line 13 use strict;
|
# be run by user 'www'. It DOES NOT delete directories. |
# be run by user 'www'. It DOES NOT delete directories. |
# All it does is remove a user's entries from |
# All it does is remove a user's entries from |
# /etc/passwd, /etc/groups, and /etc/smbpasswd. |
# /etc/passwd, /etc/groups, and /etc/smbpasswd. |
|
# It also disables user directory access by making the directory |
|
# to be owned by user=www (as opposed to the former "username"). |
|
# It also removes group membership from www (via the groupdel command). |
|
# This command only returns an error if it is |
|
# invoked incorrectly (by passing bad command-line arguments, etc). |
|
|
|
# This script works under the same process control mechanism |
|
# as lcuseradd and lcpasswd, to make sure that only one of these |
|
# processes is running at any one time on the system. |
|
|
# Standard input usage |
# Standard input usage |
# First line is USERNAME |
# First line is USERNAME |
Line 23 use strict;
|
Line 32 use strict;
|
|
|
# Usage within code |
# Usage within code |
# |
# |
# $exitcode=system("NAME")/256; |
# $exitcode=system("/home/httpd/perl/lcuserdel","NAME")/256; |
# print "uh-oh" if $exitcode; |
# print "uh-oh" if $exitcode; |
|
|
# These are the exit codes. |
# These are the exit codes. |
Line 38 if (@ARGV) {
|
Line 47 if (@ARGV) {
|
$noprint=1; |
$noprint=1; |
} |
} |
|
|
|
# Read in /etc/passwd, and make sure this process is running from user=www |
open (IN, "</etc/passwd"); |
open (IN, "</etc/passwd"); |
my @lines=<IN>; |
my @lines=<IN>; |
close IN; |
close IN; |
Line 53 if ($wwwid!=$<) {
|
Line 63 if ($wwwid!=$<) {
|
} |
} |
&disable_root_capability; |
&disable_root_capability; |
|
|
# Gather input. Should only be 3 values. |
# Handle case of another lcpasswd process |
|
unless (&try_to_lock("/tmp/lock_lcpasswd")) { |
|
print "Error. Too many other simultaneous password change requests being made.\n" unless $noprint; |
|
exit 4; |
|
} |
|
|
|
# Gather input. Should only be 1 value (user name). |
my @input; |
my @input; |
if (@ARGV==3) { |
if (@ARGV==1) { |
@input=@ARGV; |
@input=@ARGV; |
} |
} |
elsif (@ARGV) { |
elsif (@ARGV) { |
print("Error. This program needs 3 command-line arguments (username, old password, new password).\n") unless $noprint; |
print("Error. This program needs just 1 command-line argument (username).\n") unless $noprint; |
exit 2; |
exit 2; |
} |
} |
else { |
else { |
@input=<>; |
@input=<>; |
if (@input!=3) { |
if (@input!=1) { |
print("Error. Three lines need to be entered into standard input.\n") unless $noprint; |
print("Error. Only one line should be entered into standard input.\n") unless $noprint; |
exit 3; |
exit 3; |
} |
} |
map {chop} @input; |
map {chop} @input; |
} |
} |
# Handle case of another lcpasswd process |
|
unless (&try_to_lock("/tmp/lock_lcpasswd")) { |
my ($username)=@input; |
print "Error. Too many other simultaneous password change requests being made.\n" unless $noprint; |
$username=~/^(\w+)$/; |
exit 4; |
my $safeusername=$1; |
|
|
|
&enable_root_capability; |
|
|
|
# By using the system userdel command: |
|
# Remove entry from /etc/passwd if it exists |
|
# Remove entry from /etc/groups if it exists |
|
system('/usr/sbin/groupdel 2>/dev/null',$safeusername); # ignore error message |
|
system('/usr/sbin/userdel 2>/dev/null',$safeusername); # ignore error message |
|
|
|
# Remove entry from /etc/smbpasswd if it exists |
|
my $oldsmbpasswd=`/bin/cat /etc/smbpasswd`; |
|
my $newsmbpasswd=`/bin/grep -v '^${safeusername}:' /etc/smbpasswd`; |
|
|
|
if ($oldsmbpasswd ne $newsmbpasswd) { |
|
open OUT,">/etc/smbpasswd"; |
|
print OUT $newsmbpasswd; |
|
close OUT; |
|
} |
|
|
|
# Change ownership on directory from username:username to www:www |
|
# This prevents subsequently added users from having access. |
|
|
|
system('/bin/chown','-R','www:www',"/home/$safeusername"); |
|
|
|
&disable_root_capability; |
|
unlink("/tmp/lock_lcpasswd"); |
|
exit 0; |
|
|
|
# ----------------------------------------------------------- have setuid script run as root |
|
sub enable_root_capability { |
|
if ($wwwid==$>) { |
|
($<,$>)=($>,$<); |
|
($(,$))=($),$(); |
|
} |
|
else { |
|
# root capability is already enabled |
|
} |
|
return $>; |
|
} |
|
|
|
# ----------------------------------------------------------- have setuid script run as www |
|
sub disable_root_capability { |
|
if ($wwwid==$<) { |
|
($<,$>)=($>,$<); |
|
($(,$))=($),$(); |
|
} |
|
else { |
|
# root capability is already disabled |
|
} |
} |
} |
|
|
|
# ----------------------------------- make sure that another lcpasswd process isn't running |
|
sub try_to_lock { |
|
my ($lockfile)=@_; |
|
my $currentpid; |
|
my $lastpid; |
|
# Do not manipulate lock file as root |
|
if ($>==0) { |
|
return 0; |
|
} |
|
# Try to generate lock file. |
|
# Wait 3 seconds. If same process id is in |
|
# lock file, then assume lock file is stale, and |
|
# go ahead. If process id's fluctuate, try |
|
# for a maximum of 10 times. |
|
for (0..10) { |
|
if (-e $lockfile) { |
|
open(LOCK,"<$lockfile"); |
|
$currentpid=<LOCK>; |
|
close LOCK; |
|
if ($currentpid==$lastpid) { |
|
last; |
|
} |
|
sleep 3; |
|
$lastpid=$currentpid; |
|
} |
|
else { |
|
last; |
|
} |
|
if ($_==10) { |
|
return 0; |
|
} |
|
} |
|
open(LOCK,">$lockfile"); |
|
print LOCK $$; |
|
close LOCK; |
|
return 1; |
|
} |
|
|
|
|