Annotation of loncom/lcuserdel, revision 1.7
1.1 harris41 1: #!/usr/bin/perl
2: #
3: # lcuserdel
4: #
5: # Scott Harrison
1.4 harris41 6: # SH: October 27, 2000
7: # SH: October 28, 2000
1.5 harris41 8: # SH: October 29, 2000
1.1 harris41 9:
10: use strict;
11:
1.2 harris41 12: # This script is a setuid script (chmod 6755) that should
1.1 harris41 13: # be run by user 'www'. It DOES NOT delete directories.
14: # All it does is remove a user's entries from
15: # /etc/passwd, /etc/groups, and /etc/smbpasswd.
1.5 harris41 16: # It also disables user directory access by making the directory
17: # to be owned by user=www (as opposed to the former "username").
1.7 ! harris41 18: # It also removes group membership from www (via the groupdel command).
1.5 harris41 19: # This command only returns an error if it is
20: # invoked incorrectly (by passing bad command-line arguments, etc).
1.1 harris41 21:
1.3 harris41 22: # This script works under the same process control mechanism
23: # as lcuseradd and lcpasswd, to make sure that only one of these
24: # processes is running at any one time on the system.
1.1 harris41 25:
26: # Standard input usage
27: # First line is USERNAME
28:
29: # Command-line arguments [USERNAME]
30: # Yes, but be very careful here (don't pass shell commands)
31: # and this is only supported to allow perl-system calls.
32:
1.2 harris41 33: # Usage within code
34: #
1.3 harris41 35: # $exitcode=system("/home/httpd/perl/lcuserdel","NAME")/256;
1.2 harris41 36: # print "uh-oh" if $exitcode;
37:
38: # These are the exit codes.
39:
1.1 harris41 40: # Security
41: $ENV{'PATH'}=""; # Nullify path information.
42: $ENV{'BASH_ENV'}=""; # Nullify shell environment information.
1.2 harris41 43:
44: # Do not print error messages if there are command-line arguments
45: my $noprint=0;
46: if (@ARGV) {
47: $noprint=1;
48: }
49:
1.3 harris41 50: # Read in /etc/passwd, and make sure this process is running from user=www
1.2 harris41 51: open (IN, "</etc/passwd");
52: my @lines=<IN>;
53: close IN;
54: my $wwwid;
55: for my $l (@lines) {
56: chop $l;
57: my @F=split(/\:/,$l);
58: if ($F[0] eq 'www') {$wwwid=$F[2];}
59: }
60: if ($wwwid!=$<) {
61: print("User ID mismatch. This program must be run as user 'www'\n") unless $noprint;
62: exit 1;
63: }
64: &disable_root_capability;
65:
1.3 harris41 66: # Handle case of another lcpasswd process
67: unless (&try_to_lock("/tmp/lock_lcpasswd")) {
68: print "Error. Too many other simultaneous password change requests being made.\n" unless $noprint;
69: exit 4;
70: }
71:
72: # Gather input. Should only be 1 value (user name).
1.2 harris41 73: my @input;
1.3 harris41 74: if (@ARGV==1) {
1.2 harris41 75: @input=@ARGV;
76: }
77: elsif (@ARGV) {
1.3 harris41 78: print("Error. This program needs just 1 command-line argument (username).\n") unless $noprint;
1.2 harris41 79: exit 2;
80: }
81: else {
82: @input=<>;
1.3 harris41 83: if (@input!=1) {
84: print("Error. Only one line should be entered into standard input.\n") unless $noprint;
1.2 harris41 85: exit 3;
86: }
87: map {chop} @input;
88: }
1.4 harris41 89:
90: my ($username)=@input;
91: $username=~/^(\w+)$/;
92: my $safeusername=$1;
93:
1.5 harris41 94: &enable_root_capability;
95:
1.4 harris41 96: # By using the system userdel command:
97: # Remove entry from /etc/passwd if it exists
98: # Remove entry from /etc/groups if it exists
1.7 ! harris41 99: system('/usr/sbin/groupdel 2>/dev/null',$safeusername); # ignore error message
1.6 harris41 100: system('/usr/sbin/userdel 2>/dev/null',$safeusername); # ignore error message
1.4 harris41 101:
102: # Remove entry from /etc/smbpasswd if it exists
1.5 harris41 103: my $oldsmbpasswd=`/bin/cat /etc/smbpasswd`;
104: my $newsmbpasswd=`/bin/grep -v '^${safeusername}:' /etc/smbpasswd`;
1.4 harris41 105:
1.5 harris41 106: if ($oldsmbpasswd ne $newsmbpasswd) {
1.6 harris41 107: open OUT,">/etc/smbpasswd";
108: print OUT $newsmbpasswd;
109: close OUT;
110: }
1.4 harris41 111:
112: # Change ownership on directory from username:username to www:www
113: # This prevents subsequently added users from having access.
114:
1.5 harris41 115: system('/bin/chown','-R','www:www',"/home/$safeusername");
1.3 harris41 116:
117: &disable_root_capability;
118: unlink("/tmp/lock_lcpasswd");
119: exit 0;
120:
121: # ----------------------------------------------------------- have setuid script run as root
122: sub enable_root_capability {
123: if ($wwwid==$>) {
124: ($<,$>)=($>,$<);
125: ($(,$))=($),$();
126: }
127: else {
128: # root capability is already enabled
129: }
130: return $>;
131: }
132:
133: # ----------------------------------------------------------- have setuid script run as www
134: sub disable_root_capability {
135: if ($wwwid==$<) {
136: ($<,$>)=($>,$<);
137: ($(,$))=($),$();
138: }
139: else {
140: # root capability is already disabled
141: }
1.2 harris41 142: }
143:
1.3 harris41 144: # ----------------------------------- make sure that another lcpasswd process isn't running
145: sub try_to_lock {
146: my ($lockfile)=@_;
147: my $currentpid;
148: my $lastpid;
149: # Do not manipulate lock file as root
150: if ($>==0) {
151: return 0;
152: }
153: # Try to generate lock file.
154: # Wait 3 seconds. If same process id is in
155: # lock file, then assume lock file is stale, and
156: # go ahead. If process id's fluctuate, try
157: # for a maximum of 10 times.
158: for (0..10) {
159: if (-e $lockfile) {
160: open(LOCK,"<$lockfile");
161: $currentpid=<LOCK>;
162: close LOCK;
163: if ($currentpid==$lastpid) {
164: last;
165: }
166: sleep 3;
167: $lastpid=$currentpid;
168: }
169: else {
170: last;
171: }
172: if ($_==10) {
173: return 0;
174: }
175: }
176: open(LOCK,">$lockfile");
177: print LOCK $$;
178: close LOCK;
179: return 1;
180: }
1.2 harris41 181:
1.1 harris41 182:
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/back.gif){kind=icon}
Return to lcuserdel CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [LON-CAPA] / loncom