Annotation of loncom/lcuserdel, revision 1.10
1.1 harris41 1: #!/usr/bin/perl
2: #
3: # lcuserdel
4: #
5: # Scott Harrison
1.4 harris41 6: # SH: October 27, 2000
7: # SH: October 28, 2000
1.5 harris41 8: # SH: October 29, 2000
1.1 harris41 9:
10: use strict;
11:
1.2 harris41 12: # This script is a setuid script (chmod 6755) that should
1.1 harris41 13: # be run by user 'www'. It DOES NOT delete directories.
14: # All it does is remove a user's entries from
15: # /etc/passwd, /etc/groups, and /etc/smbpasswd.
1.5 harris41 16: # It also disables user directory access by making the directory
17: # to be owned by user=www (as opposed to the former "username").
18: # This command only returns an error if it is
19: # invoked incorrectly (by passing bad command-line arguments, etc).
1.1 harris41 20:
1.3 harris41 21: # This script works under the same process control mechanism
22: # as lcuseradd and lcpasswd, to make sure that only one of these
23: # processes is running at any one time on the system.
1.1 harris41 24:
25: # Standard input usage
26: # First line is USERNAME
27:
1.10 ! harris41 28: # Valid user names must consist of ascii
! 29: # characters that are alphabetical characters
! 30: # (A-Z,a-z), numeric (0-9), or the underscore
! 31: # mark (_). (Essentially, the perl regex \w).
! 32:
1.1 harris41 33: # Command-line arguments [USERNAME]
34: # Yes, but be very careful here (don't pass shell commands)
35: # and this is only supported to allow perl-system calls.
36:
1.2 harris41 37: # Usage within code
38: #
1.3 harris41 39: # $exitcode=system("/home/httpd/perl/lcuserdel","NAME")/256;
1.2 harris41 40: # print "uh-oh" if $exitcode;
41:
42: # These are the exit codes.
1.9 harris41 43: # ( (0,"ok"),
44: # (1,"User ID mismatch. This program must be run as user 'www'"),
45: # (2,"Error. Too many other simultaneous password change requests being made."),
46: # (3,"Error. Only one line should be entered into standard input."),
47: # (4,"Error. This program needs just 1 command-line argument (username).") )
1.2 harris41 48:
1.1 harris41 49: # Security
50: $ENV{'PATH'}=""; # Nullify path information.
51: $ENV{'BASH_ENV'}=""; # Nullify shell environment information.
1.2 harris41 52:
53: # Do not print error messages if there are command-line arguments
54: my $noprint=0;
55: if (@ARGV) {
56: $noprint=1;
57: }
58:
1.3 harris41 59: # Read in /etc/passwd, and make sure this process is running from user=www
1.2 harris41 60: open (IN, "</etc/passwd");
61: my @lines=<IN>;
62: close IN;
63: my $wwwid;
64: for my $l (@lines) {
65: chop $l;
66: my @F=split(/\:/,$l);
67: if ($F[0] eq 'www') {$wwwid=$F[2];}
68: }
69: if ($wwwid!=$<) {
70: print("User ID mismatch. This program must be run as user 'www'\n") unless $noprint;
71: exit 1;
72: }
73: &disable_root_capability;
74:
1.3 harris41 75: # Handle case of another lcpasswd process
76: unless (&try_to_lock("/tmp/lock_lcpasswd")) {
77: print "Error. Too many other simultaneous password change requests being made.\n" unless $noprint;
78: exit 4;
79: }
80:
81: # Gather input. Should only be 1 value (user name).
1.2 harris41 82: my @input;
1.3 harris41 83: if (@ARGV==1) {
1.2 harris41 84: @input=@ARGV;
85: }
86: elsif (@ARGV) {
1.3 harris41 87: print("Error. This program needs just 1 command-line argument (username).\n") unless $noprint;
1.9 harris41 88: unlink('/tmp/lock_lcpasswd');
1.2 harris41 89: exit 2;
90: }
91: else {
92: @input=<>;
1.3 harris41 93: if (@input!=1) {
94: print("Error. Only one line should be entered into standard input.\n") unless $noprint;
1.9 harris41 95: unlink('/tmp/lock_lcpasswd');
1.2 harris41 96: exit 3;
97: }
98: map {chop} @input;
99: }
1.4 harris41 100:
101: my ($username)=@input;
102: $username=~/^(\w+)$/;
103: my $safeusername=$1;
1.10 ! harris41 104: if ($username ne $safeusername) {
! 105: print "Error. The user name specified has invalid characters.\n";
! 106: unlink('/tmp/lock_lcpasswd');
! 107: exit 9;
! 108: }
1.4 harris41 109:
1.5 harris41 110: &enable_root_capability;
111:
1.4 harris41 112: # By using the system userdel command:
113: # Remove entry from /etc/passwd if it exists
114: # Remove entry from /etc/groups if it exists
1.8 harris41 115: # I surround with groupdel command to make absolutely sure the group definition disappears.
1.7 harris41 116: system('/usr/sbin/groupdel 2>/dev/null',$safeusername); # ignore error message
1.6 harris41 117: system('/usr/sbin/userdel 2>/dev/null',$safeusername); # ignore error message
1.8 harris41 118: system('/usr/sbin/groupdel 2>/dev/null',$safeusername); # ignore error message
1.4 harris41 119:
120: # Remove entry from /etc/smbpasswd if it exists
1.5 harris41 121: my $oldsmbpasswd=`/bin/cat /etc/smbpasswd`;
122: my $newsmbpasswd=`/bin/grep -v '^${safeusername}:' /etc/smbpasswd`;
1.4 harris41 123:
1.5 harris41 124: if ($oldsmbpasswd ne $newsmbpasswd) {
1.6 harris41 125: open OUT,">/etc/smbpasswd";
126: print OUT $newsmbpasswd;
127: close OUT;
128: }
1.4 harris41 129:
130: # Change ownership on directory from username:username to www:www
131: # This prevents subsequently added users from having access.
132:
1.5 harris41 133: system('/bin/chown','-R','www:www',"/home/$safeusername");
1.3 harris41 134:
135: &disable_root_capability;
136: unlink("/tmp/lock_lcpasswd");
137: exit 0;
138:
139: # ----------------------------------------------------------- have setuid script run as root
140: sub enable_root_capability {
141: if ($wwwid==$>) {
142: ($<,$>)=($>,$<);
143: ($(,$))=($),$();
144: }
145: else {
146: # root capability is already enabled
147: }
148: return $>;
149: }
150:
151: # ----------------------------------------------------------- have setuid script run as www
152: sub disable_root_capability {
153: if ($wwwid==$<) {
154: ($<,$>)=($>,$<);
155: ($(,$))=($),$();
156: }
157: else {
158: # root capability is already disabled
159: }
1.2 harris41 160: }
161:
1.3 harris41 162: # ----------------------------------- make sure that another lcpasswd process isn't running
163: sub try_to_lock {
164: my ($lockfile)=@_;
165: my $currentpid;
166: my $lastpid;
167: # Do not manipulate lock file as root
168: if ($>==0) {
169: return 0;
170: }
171: # Try to generate lock file.
172: # Wait 3 seconds. If same process id is in
173: # lock file, then assume lock file is stale, and
174: # go ahead. If process id's fluctuate, try
175: # for a maximum of 10 times.
176: for (0..10) {
177: if (-e $lockfile) {
178: open(LOCK,"<$lockfile");
179: $currentpid=<LOCK>;
180: close LOCK;
181: if ($currentpid==$lastpid) {
182: last;
183: }
184: sleep 3;
185: $lastpid=$currentpid;
186: }
187: else {
188: last;
189: }
190: if ($_==10) {
191: return 0;
192: }
193: }
194: open(LOCK,">$lockfile");
195: print LOCK $$;
196: close LOCK;
197: return 1;
198: }
1.2 harris41 199:
1.1 harris41 200:
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/back.gif){kind=icon}
Return to lcuserdel CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [LON-CAPA] / loncom