--- loncom/lond 2016/08/11 16:37:54 1.489.2.21
+++ loncom/lond 2012/04/25 21:22:28 1.491
@@ -2,7 +2,7 @@
# The LearningOnline Network
# lond "LON Daemon" Server (port "LOND" 5663)
#
-# $Id: lond,v 1.489.2.21 2016/08/11 16:37:54 raeburn Exp $
+# $Id: lond,v 1.491 2012/04/25 21:22:28 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -55,16 +55,13 @@ use LONCAPA::lonssl;
use Fcntl qw(:flock);
use Apache::lonnet;
use Mail::Send;
-use Crypt::Eksblowfish::Bcrypt;
-use Digest::SHA;
-use Encode;
my $DEBUG = 0; # Non zero to enable debug log entries.
my $status='';
my $lastlog='';
-my $VERSION='$Revision: 1.489.2.21 $'; #' stupid emacs
+my $VERSION='$Revision: 1.491 $'; #' stupid emacs
my $remoteVERSION;
my $currenthostid="default";
my $currentdomainid;
@@ -133,13 +130,32 @@ my @passwderrors = ("ok",
"pwchange_failure - lcpasswd Error filename is invalid");
+# The array below are lcuseradd error strings.:
+
+my $lastadderror = 13;
+my @adderrors = ("ok",
+ "User ID mismatch, lcuseradd must run as user www",
+ "lcuseradd Incorrect number of command line parameters must be 3",
+ "lcuseradd Incorrect number of stdinput lines, must be 3",
+ "lcuseradd Too many other simultaneous pwd changes in progress",
+ "lcuseradd User does not exist",
+ "lcuseradd Unable to make www member of users's group",
+ "lcuseradd Unable to su to root",
+ "lcuseradd Unable to set password",
+ "lcuseradd Username has invalid characters",
+ "lcuseradd Password has an invalid character",
+ "lcuseradd User already exists",
+ "lcuseradd Could not add user.",
+ "lcuseradd Password mismatch");
+
+
# This array are the errors from lcinstallfile:
my @installerrors = ("ok",
"Initial user id of client not that of www",
"Usage error, not enough command line arguments",
- "Source filename does not exist",
- "Destination filename does not exist",
+ "Source file name does not exist",
+ "Destination file name does not exist",
"Some file operation failed",
"Invalid table filename."
);
@@ -624,7 +640,7 @@ sub ConfigFileFromSelector {
# String to send to client ("ok" or "refused" if bad file).
#
sub PushFile {
- my $request = shift;
+ my $request = shift;
my ($command, $filename, $contents) = split(":", $request, 3);
&Debug("PushFile");
@@ -654,44 +670,6 @@ sub PushFile {
if($filename eq "host") {
$contents = AdjustHostContents($contents);
- } elsif ($filename eq 'dns_host' || $filename eq 'dns_domain') {
- if ($contents eq '') {
- &logthis('<font color="red"> Pushfile: unable to install '
- .$tablefile." - no data received from push. </font>");
- return 'error: push had no data';
- }
- if (&Apache::lonnet::get_host_ip($clientname)) {
- my $clienthost = &Apache::lonnet::hostname($clientname);
- if ($managers{$clientip} eq $clientname) {
- my $clientprotocol = $Apache::lonnet::protocol{$clientname};
- $clientprotocol = 'http' if ($clientprotocol ne 'https');
- my $url = '/adm/'.$filename;
- $url =~ s{_}{/};
- my $ua=new LWP::UserAgent;
- $ua->timeout(60);
- my $request=new HTTP::Request('GET',"$clientprotocol://$clienthost$url");
- my $response=$ua->request($request);
- if ($response->is_error()) {
- &logthis('<font color="red"> Pushfile: unable to install '
- .$tablefile." - error attempting to pull data. </font>");
- return 'error: pull failed';
- } else {
- my $result = $response->content;
- chomp($result);
- unless ($result eq $contents) {
- &logthis('<font color="red"> Pushfile: unable to install '
- .$tablefile." - pushed data and pulled data differ. </font>");
- my $pushleng = length($contents);
- my $pullleng = length($result);
- if ($pushleng != $pullleng) {
- return "error: $pushleng vs $pullleng bytes";
- } else {
- return "error: mismatch push and pull";
- }
- }
- }
- }
- }
}
# Install the new file:
@@ -1726,14 +1704,8 @@ sub read_lonnet_global {
sub server_devalidatecache_handler {
my ($cmd,$tail,$client) = @_;
my $userinput = "$cmd:$tail";
- my $items = &unescape($tail);
- my @cached = split(/\&/,$items);
- foreach my $key (@cached) {
- if ($key =~ /:/) {
- my ($name,$id) = map { &unescape($_); } split(/:/,$key);
- &Apache::lonnet::devalidate_cache_new($name,$id);
- }
- }
+ my ($name,$id) = map { &unescape($_); } split(/:/,$tail);
+ &Apache::lonnet::devalidate_cache_new($name,$id);
my $result = 'ok';
&Reply($client,\$result,$userinput);
return 1;
@@ -2020,14 +1992,15 @@ sub change_password_handler {
my ($howpwd,$contentpwd)=split(/:/,$realpasswd);
if ($howpwd eq 'internal') {
&Debug("internal auth");
- my $ncpass = &hash_passwd($udom,$npass);
+ my $salt=time;
+ $salt=substr($salt,6,2);
+ my $ncpass=crypt($npass,$salt);
if(&rewrite_password_file($udom, $uname, "internal:$ncpass")) {
my $msg="Result of password change for $uname: pwchange_success";
if ($lonhost) {
$msg .= " - request originated from: $lonhost";
}
&logthis($msg);
- &update_passwd_history($uname,$udom,$howpwd,$context);
&Reply($client, "ok\n", $userinput);
} else {
&logthis("Unable to open $uname passwd "
@@ -2036,9 +2009,6 @@ sub change_password_handler {
}
} elsif ($howpwd eq 'unix' && $context ne 'reset_by_email') {
my $result = &change_unix_password($uname, $npass);
- if ($result eq 'ok') {
- &update_passwd_history($uname,$udom,$howpwd,$context);
- }
&logthis("Result of password change for $uname: ".
$result);
&Reply($client, \$result, $userinput);
@@ -2061,42 +2031,6 @@ sub change_password_handler {
}
®ister_handler("passwd", \&change_password_handler, 1, 1, 0);
-sub hash_passwd {
- my ($domain,$plainpass,@rest) = @_;
- my ($salt,$cost);
- if (@rest) {
- $cost = $rest[0];
- # salt is first 22 characters, base-64 encoded by bcrypt
- my $plainsalt = substr($rest[1],0,22);
- $salt = Crypt::Eksblowfish::Bcrypt::de_base64($plainsalt);
- } else {
- my $defaultcost;
- my %domconfig =
- &Apache::lonnet::get_dom('configuration',['password'],$domain);
- if (ref($domconfig{'password'}) eq 'HASH') {
- $defaultcost = $domconfig{'password'}{'cost'};
- }
- if (($defaultcost eq '') || ($defaultcost =~ /D/)) {
- $cost = 10;
- } else {
- $cost = $defaultcost;
- }
- # Generate random 16-octet base64 salt
- $salt = "";
- $salt .= pack("C", int rand(256)) for 1..16;
- }
- my $hash = &Crypt::Eksblowfish::Bcrypt::bcrypt_hash({
- key_nul => 1,
- cost => $cost,
- salt => $salt,
- }, Digest::SHA::sha512(Encode::encode('UTF-8',$plainpass)));
-
- my $result = join("!", "", "bcrypt", sprintf("%02d",$cost),
- &Crypt::Eksblowfish::Bcrypt::en_base64($salt).
- &Crypt::Eksblowfish::Bcrypt::en_base64($hash));
- return $result;
-}
-
#
# Create a new user. User in this case means a lon-capa user.
# The user must either already exist in some authentication realm
@@ -2140,8 +2074,7 @@ sub add_user_handler {
."makeuser";
}
unless ($fperror) {
- my $result=&make_passwd_file($uname,$udom,$umode,$npass,
- $passfilename,'makeuser');
+ my $result=&make_passwd_file($uname,$udom,$umode,$npass, $passfilename);
&Reply($client,\$result, $userinput); #BUGBUG - could be fail
} else {
&Failure($client, \$fperror, $userinput);
@@ -2202,30 +2135,36 @@ sub change_authentication_handler {
my $passfilename = &password_path($udom, $uname);
if ($passfilename) { # Not allowed to create a new user!!
# If just changing the unix passwd. need to arrange to run
- # passwd since otherwise make_passwd_file will fail as
- # creation of unix authenticated users is no longer supported
- # except from the command line, when running make_domain_coordinator.pl
+ # passwd since otherwise make_passwd_file will run
+ # lcuseradd which fails if an account already exists
+ # (to prevent an unscrupulous LONCAPA admin from stealing
+ # an existing account by overwriting it as a LonCAPA account).
if(($oldauth =~/^unix/) && ($umode eq "unix")) {
my $result = &change_unix_password($uname, $npass);
&logthis("Result of password change for $uname: ".$result);
if ($result eq "ok") {
- &update_passwd_history($uname,$udom,$umode,'changeuserauth');
&Reply($client, \$result);
} else {
&Failure($client, \$result);
}
} else {
- my $result=&make_passwd_file($uname,$udom,$umode,$npass,
- $passfilename,'changeuserauth');
+ my $result=&make_passwd_file($uname,$udom,$umode,$npass,$passfilename);
#
# If the current auth mode is internal, and the old auth mode was
# unix, or krb*, and the user is an author for this domain,
# re-run manage_permissions for that role in order to be able
# to take ownership of the construction space back to www:www
#
-
-
+
+
+ if( (($oldauth =~ /^unix/) && ($umode eq "internal")) ||
+ (($oldauth =~ /^internal/) && ($umode eq "unix")) ) {
+ if(&is_author($udom, $uname)) {
+ &Debug(" Need to manage author permissions...");
+ &manage_permissions("/$udom/_au", $udom, $uname, "$umode:");
+ }
+ }
&Reply($client, \$result, $userinput);
}
@@ -2238,17 +2177,6 @@ sub change_authentication_handler {
}
®ister_handler("changeuserauth", \&change_authentication_handler, 1,1, 0);
-sub update_passwd_history {
- my ($uname,$udom,$umode,$context) = @_;
- my $proname=&propath($udom,$uname);
- my $now = time;
- if (open(my $fh,">>$proname/passwd.log")) {
- print $fh "$now:$umode:$context\n";
- close($fh);
- }
- return;
-}
-
#
# Determines if this is the home server for a user. The home server
# for a user will have his/her lon-capa passwd file. Therefore all we need
@@ -2446,24 +2374,6 @@ sub fetch_user_file_handler {
unlink($transname);
&Failure($client, "failed\n", $userinput);
} else {
- if ($fname =~ /^default.+\.(page|sequence)$/) {
- my ($major,$minor) = split(/\./,$clientversion);
- if (($major < 2) || ($major == 2 && $minor < 11)) {
- my $now = time;
- &Apache::lonnet::do_cache_new('crschange',$udom.'_'.$uname,$now,600);
- my $key = &escape('internal.contentchange');
- my $what = "$key=$now";
- my $hashref = &tie_user_hash($udom,$uname,'environment',
- &GDBM_WRCREAT(),"P",$what);
- if ($hashref) {
- $hashref->{$key}=$now;
- if (!&untie_user_hash($hashref)) {
- &logthis("error: ".($!+0)." untie (GDBM) failed ".
- "when updating internal.contentchange");
- }
- }
- }
- }
&Reply($client, "ok\n", $userinput);
}
}
@@ -2500,20 +2410,11 @@ sub remove_user_file_handler {
if (-e $file) {
#
# If the file is a regular file unlink is fine...
- # However it's possible the client wants a dir
- # removed, in which case rmdir is more appropriate
- # Note: rmdir will only remove an empty directory.
+ # However it's possible the client wants a dir.
+ # removed, in which case rmdir is more approprate:
#
if (-f $file){
unlink($file);
- # for html files remove the associated .bak file
- # which may have been created by the editor.
- if ($ufile =~ m{^((docs|supplemental)/(?:\d+|default)/\d+(?:|/.+)/)[^/]+\.x?html?$}i) {
- my $path = $1;
- if (-e $file.'.bak') {
- unlink($file.'.bak');
- }
- }
} elsif(-d $file) {
rmdir($file);
}
@@ -2876,10 +2777,6 @@ sub newput_user_profile_entry {
foreach my $pair (@pairs) {
my ($key,$value)=split(/=/,$pair);
if (exists($hashref->{$key})) {
- if (!&untie_user_hash($hashref)) {
- &logthis("error: ".($!+0)." untie (GDBM) failed ".
- "while attempting newput - early out as key exists");
- }
&Failure($client, "key_exists: ".$key."\n",$userinput);
return 1;
}
@@ -3361,12 +3258,129 @@ sub dump_profile_database {
sub dump_with_regexp {
my ($cmd, $tail, $client) = @_;
- my $res = LONCAPA::Lond::dump_with_regexp($tail, $clientversion);
-
+ #TODO encapsulate $clientname and $clientversion in a object.
+ my $res = LONCAPA::Lond::dump_with_regexp($cmd, $tail, $clientname, $clientversion);
+
if ($res =~ /^error:/) {
- &Failure($client, \$res, "$cmd:$tail");
+ Failure($client, \$res, "$cmd:$tail");
} else {
- &Reply($client, \$res, "$cmd:$tail");
+ Reply($client, \$res, "$cmd:$tail");
+ }
+ return 1;
+
+ my $userinput = "$cmd:$tail";
+
+ my ($udom,$uname,$namespace,$regexp,$range)=split(/:/,$tail);
+ if (defined($regexp)) {
+ $regexp=&unescape($regexp);
+ } else {
+ $regexp='.';
+ }
+ my ($start,$end);
+ if (defined($range)) {
+ if ($range =~/^(\d+)\-(\d+)$/) {
+ ($start,$end) = ($1,$2);
+ } elsif ($range =~/^(\d+)$/) {
+ ($start,$end) = (0,$1);
+ } else {
+ undef($range);
+ }
+ }
+ my $hashref = &tie_user_hash($udom, $uname, $namespace,
+ &GDBM_READER());
+ if ($hashref) {
+ my $qresult='';
+ my $count=0;
+#
+# When dump is for roles.db, determine if LON-CAPA version checking is needed.
+# Sessions on 2.10 and later do not require version checking, as that occurs
+# on the server hosting the user session, when constructing the roles/courses
+# screen).
+#
+ my $skipcheck;
+ my @ids = &Apache::lonnet::current_machine_ids();
+ my (%homecourses,$major,$minor,$now);
+#
+# If dump is for roles.db from a pre-2.10 server, determine the LON-CAPA
+# version on the server which requested the data. For LON-CAPA 2.9, the
+# client session will have sent its LON-CAPA version when initiating the
+# connection. For LON-CAPA 2.8 and older, the version is retrieved from
+# the global %loncaparevs in lonnet.pm.
+#
+ if ($namespace eq 'roles') {
+ my $loncaparev = $clientversion;
+ if ($loncaparev eq '') {
+ $loncaparev = $Apache::lonnet::loncaparevs{$clientname};
+ }
+ if ($loncaparev =~ /^\'?(\d+)\.(\d+)\.[\w.\-]+\'?/) {
+ $major = $1;
+ $minor = $2;
+ }
+ if (($major > 2) || (($major == 2) && ($minor > 9))) {
+ $skipcheck = 1;
+ }
+ $now = time;
+ }
+ while (my ($key,$value) = each(%$hashref)) {
+ if (($namespace eq 'roles') && (!$skipcheck)) {
+ if ($key =~ m{^/($LONCAPA::match_domain)/($LONCAPA::match_courseid)(/?[^_]*)_(cc|co|in|ta|ep|ad|st|cr)$}) {
+ my $cdom = $1;
+ my $cnum = $2;
+ my ($role,$roleend,$rolestart) = split(/\_/,$value);
+ if (!$roleend || $roleend > $now) {
+#
+# For active course roles, check that requesting server is running a LON-CAPA
+# version which meets any version requirements for the course. Do not include
+# the role amongst the results returned if the requesting server's version is
+# too old.
+#
+# This determination is handled differently depending on whether the course's
+# homeserver is the current server, or whether it is a different server.
+# In both cases, the course's version requirement needs to be retrieved.
+#
+ next unless (&releasereqd_check($cnum,$cdom,$key,$value,$major,
+ $minor,\%homecourses,\@ids));
+ }
+ }
+ }
+ if ($regexp eq '.') {
+ $count++;
+ if (defined($range) && $count >= $end) { last; }
+ if (defined($range) && $count < $start) { next; }
+ $qresult.=$key.'='.$value.'&';
+ } else {
+ my $unescapeKey = &unescape($key);
+ if (eval('$unescapeKey=~/$regexp/')) {
+ $count++;
+ if (defined($range) && $count >= $end) { last; }
+ if (defined($range) && $count < $start) { next; }
+ $qresult.="$key=$value&";
+ }
+ }
+ }
+ if (&untie_user_hash($hashref)) {
+#
+# If dump is for roles.db from a pre-2.10 server, check if the LON-CAPA
+# version requirements for courses for which the current server is the home
+# server permit course roles to be usable on the client server hosting the
+# user's session. If so, include those role results in the data returned to
+# the client server.
+#
+ if (($namespace eq 'roles') && (!$skipcheck)) {
+ if (keys(%homecourses) > 0) {
+ $qresult .= &check_homecourses(\%homecourses,$regexp,$count,
+ $range,$start,$end,$major,$minor);
+ }
+ }
+ chop($qresult);
+ &Reply($client, \$qresult, $userinput);
+ } else {
+ &Failure( $client, "error: ".($!+0)." untie(GDBM) Failed ".
+ "while attempting dump\n", $userinput);
+ }
+ } else {
+ &Failure($client, "error: ".($!+0)." tie(GDBM) Failed ".
+ "while attempting dump\n", $userinput);
}
return 1;
@@ -3383,9 +3397,6 @@ sub dump_with_regexp {
# namespace - Name of the database being modified
# rid - Resource keyword to modify.
# what - new value associated with rid.
-# laststore - (optional) version=timestamp
-# for most recent transaction for rid
-# in namespace, when cstore was called
#
# $client - Socket open on the client.
#
@@ -3394,47 +3405,23 @@ sub dump_with_regexp {
# 1 (keep on processing).
# Side-Effects:
# Writes to the client
-# Successful storage will cause either 'ok', or, if $laststore was included
-# in the tail of the request, and the version number for the last transaction
-# is larger than the version in $laststore, delay:$numtrans , where $numtrans
-# is the number of store evevnts recorded for rid in namespace since
-# lonnet::store() was called by the client.
-#
sub store_handler {
my ($cmd, $tail, $client) = @_;
my $userinput = "$cmd:$tail";
- chomp($tail);
- my ($udom,$uname,$namespace,$rid,$what,$laststore) =split(/:/,$tail);
+ my ($udom,$uname,$namespace,$rid,$what) =split(/:/,$tail);
if ($namespace ne 'roles') {
+ chomp($what);
my @pairs=split(/\&/,$what);
my $hashref = &tie_user_hash($udom, $uname, $namespace,
&GDBM_WRCREAT(), "S",
"$rid:$what");
if ($hashref) {
my $now = time;
- my $numtrans;
- if ($laststore) {
- my ($previousversion,$previoustime) = split(/\=/,$laststore);
- my ($lastversion,$lasttime) = (0,0);
- $lastversion = $hashref->{"version:$rid"};
- if ($lastversion) {
- $lasttime = $hashref->{"$lastversion:$rid:timestamp"};
- }
- if (($previousversion) && ($previousversion !~ /\D/)) {
- if (($lastversion > $previousversion) && ($lasttime >= $previoustime)) {
- $numtrans = $lastversion - $previousversion;
- }
- } elsif ($lastversion) {
- $numtrans = $lastversion;
- }
- if ($numtrans) {
- $numtrans =~ s/D//g;
- }
- }
-
+ my @previouskeys=split(/&/,$hashref->{"keys:$rid"});
+ my $key;
$hashref->{"version:$rid"}++;
my $version=$hashref->{"version:$rid"};
my $allkeys='';
@@ -3447,11 +3434,7 @@ sub store_handler {
$allkeys.='timestamp';
$hashref->{"$version:keys:$rid"}=$allkeys;
if (&untie_user_hash($hashref)) {
- my $msg = 'ok';
- if ($numtrans) {
- $msg = 'delay:'.$numtrans;
- }
- &Reply($client, "$msg\n", $userinput);
+ &Reply($client, "ok\n", $userinput);
} else {
&Failure($client, "error: ".($!+0)." untie(GDBM) Failed ".
"while attempting store\n", $userinput);
@@ -3967,9 +3950,7 @@ sub put_course_id_hash_handler {
# creationcontext - include courses created in specified context
#
# domcloner - flag to indicate if user can create CCs in course's domain.
-# If so, ability to clone course is automatic.
-# hasuniquecode - filter by courses for which a six character unique code has
-# been set.
+# If so, ability to clone course is automatic.
#
# $client - The socket open on the client.
# Returns:
@@ -3983,7 +3964,7 @@ sub dump_course_id_handler {
my ($udom,$since,$description,$instcodefilter,$ownerfilter,$coursefilter,
$typefilter,$regexp_ok,$rtn_as_hash,$selfenrollonly,$catfilter,$showhidden,
$caller,$cloner,$cc_clone_list,$cloneonly,$createdbefore,$createdafter,
- $creationcontext,$domcloner,$hasuniquecode) =split(/:/,$tail);
+ $creationcontext,$domcloner) =split(/:/,$tail);
my $now = time;
my ($cloneruname,$clonerudom,%cc_clone);
if (defined($description)) {
@@ -4056,9 +4037,6 @@ sub dump_course_id_handler {
} else {
$creationcontext = '.';
}
- unless ($hasuniquecode) {
- $hasuniquecode = '.';
- }
my $unpack = 1;
if ($description eq '.' && $instcodefilter eq '.' && $ownerfilter eq '.' &&
$typefilter eq '.') {
@@ -4147,9 +4125,6 @@ sub dump_course_id_handler {
$selfenroll_end = $items->{'selfenroll_end_date'};
$created = $items->{'created'};
$context = $items->{'context'};
- if ($hasuniquecode ne '.') {
- next unless ($items->{'uniquecode'});
- }
if ($selfenrollonly) {
next if (!$selfenroll_types);
if (($selfenroll_end > 0) && ($selfenroll_end <= $now)) {
@@ -4572,49 +4547,6 @@ sub get_id_handler {
}
®ister_handler("idget", \&get_id_handler, 0, 1, 0);
-# Deletes one or more ids in a domain's id database.
-#
-# Parameters:
-# $cmd - Command keyword (iddel).
-# $tail - Command tail. In this case a colon
-# separated list containing:
-# The domain for which we are deleting the id(s).
-# &-separated list of id(s) to delete.
-# $client - File open on client socket.
-# Returns:
-# 1 - Continue processing
-# 0 - Exit server.
-#
-#
-
-sub del_id_handler {
- my ($cmd,$tail,$client) = @_;
-
- my $userinput = "$cmd:$tail";
-
- my ($udom,$what)=split(/:/,$tail);
- chomp($what);
- my $hashref = &tie_domain_hash($udom, "ids", &GDBM_WRCREAT(),
- "D", $what);
- if ($hashref) {
- my @keys=split(/\&/,$what);
- foreach my $key (@keys) {
- delete($hashref->{$key});
- }
- if (&untie_user_hash($hashref)) {
- &Reply($client, "ok\n", $userinput);
- } else {
- &Failure($client, "error: ".($!+0)." untie(GDBM) Failed ".
- "while attempting iddel\n", $userinput);
- }
- } else {
- &Failure( $client, "error: ".($!+0)." tie(GDBM) Failed ".
- "while attempting iddel\n", $userinput);
- }
- return 1;
-}
-®ister_handler("iddel", \&del_id_handler, 0, 1, 0);
-
#
# Puts broadcast e-mail sent by Domain Coordinator in nohist_dcmail database
#
@@ -5163,10 +5095,9 @@ sub validate_instcode_handler {
my ($dom,$instcode,$owner) = split(/:/, $tail);
$instcode = &unescape($instcode);
$owner = &unescape($owner);
- my ($outcome,$description,$credits) =
+ my ($outcome,$description) =
&localenroll::validate_instcode($dom,$instcode,$owner);
- my $result = &escape($outcome).'&'.&escape($description).'&'.
- &escape($credits);
+ my $result = &escape($outcome).'&'.&escape($description);
&Reply($client, \$result, $userinput);
return 1;
@@ -5350,9 +5281,7 @@ sub retrieve_auto_file_handler {
my ($filename) = split(/:/, $tail);
my $source = $perlvar{'lonDaemons'}.'/tmp/'.$filename;
- if ($filename =~m{/\.\./}) {
- &Failure($client, "refused\n", $userinput);
- } elsif ( (-e $source) && ($filename ne '') ) {
+ if ( (-e $source) && ($filename ne '') ) {
my $reply = '';
if (open(my $fh,$source)) {
while (<$fh>) {
@@ -5384,7 +5313,7 @@ sub crsreq_checks_handler {
my $userinput = "$cmd:$tail";
my $dom = $tail;
my $result;
- my @reqtypes = ('official','unofficial','community','textbook');
+ my @reqtypes = ('official','unofficial','community');
eval {
local($SIG{__DIE__})='DEFAULT';
my %validations;
@@ -5411,20 +5340,19 @@ sub crsreq_checks_handler {
sub validate_crsreq_handler {
my ($cmd, $tail, $client) = @_;
my $userinput = "$cmd:$tail";
- my ($dom,$owner,$crstype,$inststatuslist,$instcode,$instseclist,$customdata) = split(/:/, $tail);
+ my ($dom,$owner,$crstype,$inststatuslist,$instcode,$instseclist) = split(/:/, $tail);
$instcode = &unescape($instcode);
$owner = &unescape($owner);
$crstype = &unescape($crstype);
$inststatuslist = &unescape($inststatuslist);
$instcode = &unescape($instcode);
$instseclist = &unescape($instseclist);
- my $custominfo = &Apache::lonnet::thaw_unescape($customdata);
my $outcome;
eval {
local($SIG{__DIE__})='DEFAULT';
$outcome = &localenroll::validate_crsreq($dom,$owner,$crstype,
$inststatuslist,$instcode,
- $instseclist,$custominfo);
+ $instseclist);
};
if (!$@) {
&Reply($client, \$outcome, $userinput);
@@ -5435,53 +5363,6 @@ sub validate_crsreq_handler {
}
®ister_handler("autocrsreqvalidation", \&validate_crsreq_handler, 0, 1, 0);
-sub crsreq_update_handler {
- my ($cmd, $tail, $client) = @_;
- my $userinput = "$cmd:$tail";
- my ($cdom,$cnum,$crstype,$action,$ownername,$ownerdomain,$fullname,$title,$code,
- $accessstart,$accessend,$infohashref) =
- split(/:/, $tail);
- $crstype = &unescape($crstype);
- $action = &unescape($action);
- $ownername = &unescape($ownername);
- $ownerdomain = &unescape($ownerdomain);
- $fullname = &unescape($fullname);
- $title = &unescape($title);
- $code = &unescape($code);
- $accessstart = &unescape($accessstart);
- $accessend = &unescape($accessend);
- my $incoming = &Apache::lonnet::thaw_unescape($infohashref);
- my ($result,$outcome);
- eval {
- local($SIG{__DIE__})='DEFAULT';
- my %rtnhash;
- $outcome = &localenroll::crsreq_updates($cdom,$cnum,$crstype,$action,
- $ownername,$ownerdomain,$fullname,
- $title,$code,$accessstart,$accessend,
- $incoming,\%rtnhash);
- if ($outcome eq 'ok') {
- my @posskeys = qw(createdweb createdmsg createdcustomized createdactions queuedweb queuedmsg formitems reviewweb validationjs onload javascript);
- foreach my $key (keys(%rtnhash)) {
- if (grep(/^\Q$key\E/,@posskeys)) {
- $result .= &escape($key).'='.&Apache::lonnet::freeze_escape($rtnhash{$key}).'&';
- }
- }
- $result =~ s/\&$//;
- }
- };
- if (!$@) {
- if ($outcome eq 'ok') {
- &Reply($client, \$result, $userinput);
- } else {
- &Reply($client, "format_error\n", $userinput);
- }
- } else {
- &Failure($client,"unknown_cmd\n",$userinput);
- }
- return 1;
-}
-®ister_handler("autocrsrequpdate", \&crsreq_update_handler, 0, 1, 0);
-
#
# Read and retrieve institutional code format (for support form).
# Formal Parameters:
@@ -6189,6 +6070,18 @@ sub lcpasswdstrerror {
}
}
+#
+# Convert an error return code from lcuseradd to a string value:
+#
+sub lcuseraddstrerror {
+ my $ErrorCode = shift;
+ if(($ErrorCode < 0) || ($ErrorCode > $lastadderror)) {
+ return "lcuseradd - Unrecognized error code: ".$ErrorCode;
+ } else {
+ return $adderrors[$ErrorCode];
+ }
+}
+
# grabs exception and records it to log before exiting
sub catchexception {
my ($error)=@_;
@@ -6429,6 +6322,9 @@ sub Debug {
# reply - Text to send to client.
# request - Original request from client.
#
+#NOTE $reply must be terminated by exactly *one* \n. If $reply is a reference
+#this is done automatically ($$reply must not contain any \n in this case).
+#If $reply is a string the caller has to ensure this.
sub Reply {
my ($fd, $reply, $request) = @_;
if (ref($reply)) {
@@ -6674,28 +6570,10 @@ sub make_new_child {
# my $tmpsnum=0; # Now global
#---------------------------------------------------- kerberos 5 initialization
&Authen::Krb5::init_context();
-
- my $no_ets;
- if ($dist =~ /^(?:centos|rhes|scientific)(\d+)$/) {
- if ($1 >= 7) {
- $no_ets = 1;
- }
- } elsif ($dist =~ /^suse(\d+\.\d+)$/) {
- if (($1 eq '9.3') || ($1 >= 12.2)) {
- $no_ets = 1;
- }
- } elsif ($dist =~ /^sles(\d+)$/) {
- if ($1 > 11) {
- $no_ets = 1;
- }
- } elsif ($dist =~ /^fedora(\d+)$/) {
- if ($1 < 7) {
- $no_ets = 1;
- }
- }
- unless ($no_ets) {
- &Authen::Krb5::init_ets();
- }
+ unless (($dist eq 'fedora5') || ($dist eq 'fedora4') ||
+ ($dist eq 'fedora6') || ($dist eq 'suse9.3')) {
+ &Authen::Krb5::init_ets();
+ }
&status('Accepted connection');
# =============================================================================
@@ -6739,12 +6617,6 @@ sub make_new_child {
# If the remote is attempting a local init... give that a try:
#
(my $i, my $inittype, $clientversion) = split(/:/, $remotereq);
- # For LON-CAPA 2.9, the client session will have sent its LON-CAPA
- # version when initiating the connection. For LON-CAPA 2.8 and older,
- # the version is retrieved from the global %loncaparevs in lonnet.pm.
- # $clientversion contains path to keyfile if $inittype eq 'local'
- # it's overridden below in this case
- $clientversion ||= $Apache::lonnet::loncaparevs{$clientname};
# If the connection type is ssl, but I didn't get my
# certificate files yet, then I'll drop back to
@@ -7078,18 +6950,7 @@ sub validate_user {
}
if ($howpwd ne 'nouser') {
if($howpwd eq "internal") { # Encrypted is in local password file.
- if (length($contentpwd) == 13) {
- $validated = (crypt($password,$contentpwd) eq $contentpwd);
- if ($validated) {
- my $ncpass = &hash_passwd($domain,$password);
- if (&rewrite_password_file($domain,$user,"$howpwd:$ncpass")) {
- &update_passwd_history($user,$domain,$howpwd,'conversion');
- &logthis("Validated password hashed with bcrypt for $user:$domain");
- }
- }
- } else {
- $validated = &check_internal_passwd($password,$contentpwd,$domain);
- }
+ $validated = (crypt($password, $contentpwd) eq $contentpwd);
}
elsif ($howpwd eq "unix") { # User is a normal unix user.
$contentpwd = (getpwnam($user))[1];
@@ -7157,39 +7018,6 @@ sub validate_user {
return $validated;
}
-sub check_internal_passwd {
- my ($plainpass,$stored,$domain) = @_;
- my (undef,$method,@rest) = split(/!/,$stored);
- if ($method eq "bcrypt") {
- my $result = &hash_passwd($domain,$plainpass,@rest);
- if ($result ne $stored) {
- return 0;
- }
- # Upgrade to a larger number of rounds if necessary
- my $defaultcost;
- my %domconfig =
- &Apache::lonnet::get_dom('configuration',['password'],$domain);
- if (ref($domconfig{'password'}) eq 'HASH') {
- $defaultcost = $domconfig{'password'}{'cost'};
- }
- if (($defaultcost eq '') || ($defaultcost =~ /D/)) {
- $defaultcost = 10;
- }
- return 1 unless($rest[0]<$defaultcost);
- }
- return 0;
-}
-
-sub get_last_authchg {
- my ($domain,$user) = @_;
- my $lastmod;
- my $logname = &propath($domain,$user).'/passwd.log';
- if (-e "$logname") {
- $lastmod = (stat("$logname"))[9];
- }
- return $lastmod;
-}
-
sub krb4_authen {
my ($password,$null,$user,$contentpwd) = @_;
my $validated = 0;
@@ -7505,26 +7333,26 @@ sub change_unix_password {
sub make_passwd_file {
- my ($uname,$udom,$umode,$npass,$passfilename,$action)=@_;
+ my ($uname,$udom,$umode,$npass,$passfilename)=@_;
my $result="ok";
if ($umode eq 'krb4' or $umode eq 'krb5') {
{
my $pf = IO::File->new(">$passfilename");
if ($pf) {
print $pf "$umode:$npass\n";
- &update_passwd_history($uname,$udom,$umode,$action);
} else {
$result = "pass_file_failed_error";
}
}
} elsif ($umode eq 'internal') {
- my $ncpass = &hash_passwd($udom,$npass);
+ my $salt=time;
+ $salt=substr($salt,6,2);
+ my $ncpass=crypt($npass,$salt);
{
&Debug("Creating internal auth");
my $pf = IO::File->new(">$passfilename");
if($pf) {
print $pf "internal:$ncpass\n";
- &update_passwd_history($uname,$udom,$umode,$action);
} else {
$result = "pass_file_failed_error";
}
@@ -7534,14 +7362,61 @@ sub make_passwd_file {
my $pf = IO::File->new(">$passfilename");
if($pf) {
print $pf "localauth:$npass\n";
- &update_passwd_history($uname,$udom,$umode,$action);
} else {
$result = "pass_file_failed_error";
}
}
} elsif ($umode eq 'unix') {
- &logthis(">>>Attempt to create unix account blocked -- unix auth not available for new users.");
- $result="no_new_unix_accounts";
+ {
+ #
+ # Don't allow the creation of privileged accounts!!! that would
+ # be real bad!!!
+ #
+ my $uid = getpwnam($uname);
+ if((defined $uid) && ($uid == 0)) {
+ &logthis(">>>Attempt to create privileged account blocked");
+ return "no_priv_account_error\n";
+ }
+
+ my $execpath ="$perlvar{'lonDaemons'}/"."lcuseradd";
+
+ my $lc_error_file = $execdir."/tmp/lcuseradd".$$.".status";
+ {
+ &Debug("Executing external: ".$execpath);
+ &Debug("user = ".$uname.", Password =". $npass);
+ my $se = IO::File->new("|$execpath > $perlvar{'lonDaemons'}/logs/lcuseradd.log");
+ print $se "$uname\n";
+ print $se "$udom\n";
+ print $se "$npass\n";
+ print $se "$npass\n";
+ print $se "$lc_error_file\n"; # Status -> unique file.
+ }
+ if (-r $lc_error_file) {
+ &Debug("Opening error file: $lc_error_file");
+ my $error = IO::File->new("< $lc_error_file");
+ my $useraddok = <$error>;
+ $error->close;
+ unlink($lc_error_file);
+
+ chomp $useraddok;
+
+ if($useraddok > 0) {
+ my $error_text = &lcuseraddstrerror($useraddok);
+ &logthis("Failed lcuseradd: $error_text");
+ $result = "lcuseradd_failed:$error_text";
+ } else {
+ my $pf = IO::File->new(">$passfilename");
+ if($pf) {
+ print $pf "unix:\n";
+ } else {
+ $result = "pass_file_failed_error";
+ }
+ }
+ } else {
+ &Debug("Could not locate lcuseradd error: $lc_error_file");
+ $result="bug_lcuseradd_no_output_file";
+ }
+ }
} elsif ($umode eq 'none') {
{
my $pf = IO::File->new("> $passfilename");
@@ -7605,6 +7480,234 @@ sub get_usersession_config {
return;
}
+#
+# releasereqd_check() will determine if a LON-CAPA version (defined in the
+# $major,$minor args passed) is not too old to allow use of a role in a
+# course ($cnum,$cdom args passed), if at least one of the following applies:
+# (a) the course is a Community, (b) the course's home server is *not* the
+# current server, or (c) cached course information is not stale.
+#
+# For the case where none of these apply, the course is added to the
+# $homecourse hash ref (keys = courseIDs, values = array of a hash of roles).
+# The $homecourse hash ref is for courses for which the current server is the
+# home server. LON-CAPA version requirements are checked elsewhere for the
+# items in $homecourse.
+#
+
+sub releasereqd_check {
+ my ($cnum,$cdom,$key,$value,$major,$minor,$homecourses,$ids) = @_;
+ my $home = &Apache::lonnet::homeserver($cnum,$cdom);
+ return if ($home eq 'no_host');
+ my ($reqdmajor,$reqdminor,$displayrole);
+ if ($cnum =~ /$LONCAPA::match_community/) {
+ if ($major eq '' && $minor eq '') {
+ return unless ((ref($ids) eq 'ARRAY') &&
+ (grep(/^\Q$home\E$/,@{$ids})));
+ } else {
+ $reqdmajor = 2;
+ $reqdminor = 9;
+ return unless (&useable_role($reqdmajor,$reqdminor,$major,$minor));
+ }
+ }
+ my $hashid = $cdom.':'.$cnum;
+ my ($courseinfo,$cached) =
+ &Apache::lonnet::is_cached_new('courseinfo',$hashid);
+ if (defined($cached)) {
+ if (ref($courseinfo) eq 'HASH') {
+ if (exists($courseinfo->{'releaserequired'})) {
+ my ($reqdmajor,$reqdminor) = split(/\./,$courseinfo->{'releaserequired'});
+ return unless (&useable_role($reqdmajor,$reqdminor,$major,$minor));
+ }
+ }
+ } else {
+ if (ref($ids) eq 'ARRAY') {
+ if (grep(/^\Q$home\E$/,@{$ids})) {
+ if (ref($homecourses) eq 'HASH') {
+ if (ref($homecourses->{$cdom}) eq 'HASH') {
+ if (ref($homecourses->{$cdom}{$cnum}) eq 'HASH') {
+ if (ref($homecourses->{$cdom}{$cnum}) eq 'ARRAY') {
+ push(@{$homecourses->{$cdom}{$cnum}},{$key=>$value});
+ } else {
+ $homecourses->{$cdom}{$cnum} = [{$key=>$value}];
+ }
+ } else {
+ $homecourses->{$cdom}{$cnum} = [{$key=>$value}];
+ }
+ } else {
+ $homecourses->{$cdom}{$cnum} = [{$key=>$value}];
+ }
+ }
+ return;
+ }
+ }
+ my $courseinfo = &get_courseinfo_hash($cnum,$cdom,$home);
+ if (ref($courseinfo) eq 'HASH') {
+ if (exists($courseinfo->{'releaserequired'})) {
+ my ($reqdmajor,$reqdminor) = split(/\./,$courseinfo->{'releaserequired'});
+ return unless (&useable_role($reqdmajor,$reqdminor,$major,$minor));
+ }
+ } else {
+ return;
+ }
+ }
+ return 1;
+}
+
+#
+# get_courseinfo_hash() is used to retrieve course information from the db
+# file: nohist_courseids.db for a course for which the current server is *not*
+# the home server.
+#
+# A hash of a hash will be retrieved. The outer hash contains a single key --
+# courseID -- for the course for which the data are being requested.
+# The contents of the inner hash, for that single item in the outer hash
+# are returned (and cached in memcache for 10 minutes).
+#
+
+sub get_courseinfo_hash {
+ my ($cnum,$cdom,$home) = @_;
+ my %info;
+ eval {
+ local($SIG{ALRM}) = sub { die "timeout\n"; };
+ local($SIG{__DIE__})='DEFAULT';
+ alarm(3);
+ %info = &Apache::lonnet::courseiddump($cdom,'.',1,'.','.',$cnum,1,[$home],'.');
+ alarm(0);
+ };
+ if ($@) {
+ if ($@ eq "timeout\n") {
+ &logthis("<font color='blue'>WARNING courseiddump for $cnum:$cdom from $home timedout</font>");
+ } else {
+ &logthis("<font color='yellow'>WARNING unexpected error during eval of call for courseiddump from $home</font>");
+ }
+ } else {
+ if (ref($info{$cdom.'_'.$cnum}) eq 'HASH') {
+ my $hashid = $cdom.':'.$cnum;
+ return &Apache::lonnet::do_cache_new('courseinfo',$hashid,$info{$cdom.'_'.$cnum},600);
+ }
+ }
+ return;
+}
+
+#
+# check_homecourses() will retrieve course information for those courses which
+# are keys of the $homecourses hash ref (first arg). The nohist_courseids.db
+# GDBM file is tied and course information for each course retrieved. Last
+# visit (lasttime key) is also retrieved for each, and cached values updated
+# for any courses last visited less than 24 hours ago. Cached values are also
+# updated for any courses included in the $homecourses hash ref.
+#
+# The reason for the 24 hours constraint is that the cron entry in
+# /etc/cron.d/loncapa for /home/httpd/perl/refresh_courseids_db.pl causes
+# cached course information to be updated nightly for courses with activity
+# within the past 24 hours.
+#
+# Role information for the user (included in a ref to an array of hashes as the
+# value for each key in $homecourses) is appended to the result returned by the
+# routine, which will in turn be appended to the string returned to the client
+# hosting the user's session.
+#
+
+sub check_homecourses {
+ my ($homecourses,$regexp,$count,$range,$start,$end,$major,$minor) = @_;
+ my ($result,%addtocache);
+ my $yesterday = time - 24*3600;
+ if (ref($homecourses) eq 'HASH') {
+ my (%okcourses,%courseinfo,%recent);
+ foreach my $domain (keys(%{$homecourses})) {
+ my $hashref =
+ &tie_domain_hash($domain, "nohist_courseids", &GDBM_WRCREAT());
+ if (ref($hashref) eq 'HASH') {
+ while (my ($key,$value) = each(%$hashref)) {
+ my $unesc_key = &unescape($key);
+ if ($unesc_key =~ /^lasttime:(\w+)$/) {
+ my $cid = $1;
+ $cid =~ s/_/:/;
+ if ($value > $yesterday ) {
+ $recent{$cid} = 1;
+ }
+ next;
+ }
+ my $items = &Apache::lonnet::thaw_unescape($value);
+ if (ref($items) eq 'HASH') {
+ my ($cdom,$cnum) = split(/_/,$unesc_key);
+ my $hashid = $cdom.':'.$cnum;
+ $courseinfo{$hashid} = $items;
+ if (ref($homecourses->{$cdom}{$cnum}) eq 'ARRAY') {
+ my ($reqdmajor,$reqdminor) = split(/\./,$items->{'releaserequired'});
+ if (&useable_role($reqdmajor,$reqdminor,$major,$minor)) {
+ $okcourses{$hashid} = 1;
+ }
+ }
+ }
+ }
+ unless (&untie_domain_hash($hashref)) {
+ &logthis("Failed to untie tied hash for nohist_courseids.db for $domain");
+ }
+ } else {
+ &logthis("Failed to tie hash for nohist_courseids.db for $domain");
+ }
+ }
+ foreach my $hashid (keys(%recent)) {
+ my ($result,$cached)=&Apache::lonnet::is_cached_new('courseinfo',$hashid);
+ unless ($cached) {
+ &Apache::lonnet::do_cache_new('courseinfo',$hashid,$courseinfo{$hashid},600);
+ }
+ }
+ foreach my $cdom (keys(%{$homecourses})) {
+ if (ref($homecourses->{$cdom}) eq 'HASH') {
+ foreach my $cnum (keys(%{$homecourses->{$cdom}})) {
+ my $hashid = $cdom.':'.$cnum;
+ next if ($recent{$hashid});
+ &Apache::lonnet::do_cache_new('courseinfo',$hashid,$courseinfo{$hashid},600);
+ }
+ }
+ }
+ foreach my $hashid (keys(%okcourses)) {
+ my ($cdom,$cnum) = split(/:/,$hashid);
+ if ((ref($homecourses->{$cdom}) eq 'HASH') &&
+ (ref($homecourses->{$cdom}{$cnum}) eq 'ARRAY')) {
+ foreach my $role (@{$homecourses->{$cdom}{$cnum}}) {
+ if (ref($role) eq 'HASH') {
+ while (my ($key,$value) = each(%{$role})) {
+ if ($regexp eq '.') {
+ $count++;
+ if (defined($range) && $count >= $end) { last; }
+ if (defined($range) && $count < $start) { next; }
+ $result.=$key.'='.$value.'&';
+ } else {
+ my $unescapeKey = &unescape($key);
+ if (eval('$unescapeKey=~/$regexp/')) {
+ $count++;
+ if (defined($range) && $count >= $end) { last; }
+ if (defined($range) && $count < $start) { next; }
+ $result.="$key=$value&";
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ return $result;
+}
+
+#
+# useable_role() will compare the LON-CAPA version required by a course with
+# the version available on the client server. If the client server's version
+# is compatible, 1 will be returned.
+#
+
+sub useable_role {
+ my ($reqdmajor,$reqdminor,$major,$minor) = @_;
+ if ($reqdmajor ne '' && $reqdminor ne '') {
+ return if (($major eq '' && $minor eq '') ||
+ ($major < $reqdmajor) ||
+ (($major == $reqdmajor) && ($minor < $reqdminor)));
+ }
+ return 1;
+}
sub distro_and_arch {
return $dist.':'.$arch;
@@ -7817,7 +7920,7 @@ Place in B<logs/lond.log>
stores hash in namespace
-=item rolesput
+=item rolesputy
put a role into a user's environment
@@ -7934,6 +8037,8 @@ Authen::Krb5
=head1 COREQUISITES
+none
+
=head1 OSNAMES
linux
@@ -8021,9 +8126,9 @@ or the CA's certificate in the call to l
<error> is the textual reason this failed. Usual reasons:
=over 2
-
+
=item Apache config file for loncapa incorrect:
-
+
one of the variables
lonCertificateDirectory, lonnetCertificateAuthority, or lonnetCertificate
undefined or incorrect
@@ -8142,7 +8247,7 @@ Could not rewrite the
internal password file for a user
=item Result of password change for <user> : <result>
-
+
A unix password change for <user> was attempted
and the pipe returned <result>
@@ -8171,7 +8276,7 @@ lond has been asked to exit by its clien
client systemand <input> is the full exit command sent to the server.
=item Red CRITICAL: ABNORMAL EXIT. child <pid> for server <hostname> died through a crass with this error->[<message>].
-
+
A lond child terminated. NOte that this termination can also occur when the
child receives the QUIT or DIE signals. <pid> is the process id of the child,
<hostname> the host lond is working for, and <message> the reason the child died
@@ -8255,7 +8360,7 @@ file when sent it's USR1 signal. That p
assumed to be hung in some un-fixable way.
=item Finished checking children
-
+
Master processs's USR1 processing is cojmplete.
=item (Red) CRITICAL: ------- Starting ------
@@ -8269,7 +8374,7 @@ Started a new child process for <client>
connected to the child. This was as a result of a TCP/IP connection from a client.
=item Unable to determine who caller was, getpeername returned nothing
-
+
In child process initialization. either getpeername returned undef or
a zero sized object was returned. Processing continues, but in my opinion,
this should be cause for the child to exit.
@@ -8280,7 +8385,7 @@ In child process initialization. The pe
The client address is stored as "Unavailable" and processing continues.
=item (Yellow) INFO: Connection <ip> <name> connection type = <type>
-
+
In child initialization. A good connectionw as received from <ip>.
=over 2
@@ -8330,7 +8435,7 @@ The client (<client> is the peer's name
negotiated an SSL connection with this child process.
=item (Green) Successful insecure authentication with <client>
-
+
The client has successfully negotiated an insecure connection withthe child process.