[BACK]Return to lcuserdel CVS log [TXT] [DIR] Up to [LON-CAPA] / loncom
File:  [LON-CAPA] / loncom / lcuserdel
Revision 1.12: download - view: text, annotated - select for diffs
Mon Oct 30 03:37:51 2000 UTC (23 years, 7 months ago) by harris41
Branches: MAIN
CVS tags: version_0_5_1, version_0_5, version_0_4, stable_2002_spring, stable_2002_july, stable_2002_april, stable_2001_fall, STABLE, HEAD
removed 2>/dev/null from lcuserdel to get it working.  solidified file
creation permissions. -Scott

    1: #!/usr/bin/perl
    2: #
    3: # lcuserdel
    4: #
    5: # Scott Harrison
    6: # SH: October 27, 2000
    7: # SH: October 28, 2000
    8: # SH: October 29, 2000
    9: 
   10: use strict;
   11: 
   12: # This script is a setuid script (chmod 6755) that should
   13: # be run by user 'www'.  It DOES NOT delete directories.
   14: # All it does is remove a user's entries from
   15: # /etc/passwd, /etc/groups, and /etc/smbpasswd.
   16: # It also disables user directory access by making the directory
   17: # to be owned by user=www (as opposed to the former "username").
   18: # This command only returns an error if it is
   19: # invoked incorrectly (by passing bad command-line arguments, etc).
   20: 
   21: # This script works under the same process control mechanism
   22: # as lcuseradd and lcpasswd, to make sure that only one of these
   23: # processes is running at any one time on the system.
   24: 
   25: # Standard input usage
   26: # First line is USERNAME
   27: 
   28: # Valid user names must consist of ascii
   29: # characters that are alphabetical characters
   30: # (A-Z,a-z), numeric (0-9), or the underscore
   31: # mark (_). (Essentially, the perl regex \w).
   32: 
   33: # Command-line arguments [USERNAME]
   34: # Yes, but be very careful here (don't pass shell commands)
   35: # and this is only supported to allow perl-system calls.
   36: 
   37: # Usage within code
   38: #
   39: # $exitcode=system("/home/httpd/perl/lcuserdel","NAME")/256;
   40: # print "uh-oh" if $exitcode;
   41: 
   42: # These are the exit codes.
   43: # ( (0,"ok"),
   44: #   (1,"User ID mismatch.  This program must be run as user 'www'"),
   45: #   (2,"Error. This program needs just 1 command-line argument (username).") )
   46: #   (3,"Error. Only one line should be entered into standard input."),
   47: #   (4,"Error. Too many other simultaneous password change requests being made."),
   48: #   (5,"Error. The user name specified has invalid characters.") )
   49: 
   50: # Security
   51: $ENV{'PATH'}=""; # Nullify path information.
   52: $ENV{'BASH_ENV'}=""; # Nullify shell environment information.
   53: 
   54: # Do not print error messages if there are command-line arguments
   55: my $noprint=0;
   56: if (@ARGV) {
   57:     $noprint=1;
   58: }
   59: 
   60: # Read in /etc/passwd, and make sure this process is running from user=www
   61: open (IN, "</etc/passwd");
   62: my @lines=<IN>;
   63: close IN;
   64: my $wwwid;
   65: for my $l (@lines) {
   66:     chop $l;
   67:     my @F=split(/\:/,$l);
   68:     if ($F[0] eq 'www') {$wwwid=$F[2];}
   69: }
   70: if ($wwwid!=$<) {
   71:     print("User ID mismatch.  This program must be run as user 'www'\n") unless $noprint;
   72:     exit 1;
   73: }
   74: &disable_root_capability;
   75: 
   76: # Handle case of another lcpasswd process
   77: unless (&try_to_lock("/tmp/lock_lcpasswd")) {
   78:     print "Error. Too many other simultaneous password change requests being made.\n" unless $noprint;
   79:     exit 4;
   80: }
   81: 
   82: # Gather input.  Should only be 1 value (user name).
   83: my @input;
   84: if (@ARGV==1) {
   85:     @input=@ARGV;
   86: }
   87: elsif (@ARGV) {
   88:     print("Error. This program needs just 1 command-line argument (username).\n") unless $noprint;
   89:     unlink('/tmp/lock_lcpasswd');
   90:     exit 2;
   91: }
   92: else {
   93:     @input=<>;
   94:     if (@input!=1) {
   95: 	print("Error. Only one line should be entered into standard input.\n") unless $noprint;
   96: 	unlink('/tmp/lock_lcpasswd');
   97: 	exit 3;
   98:     }
   99:     map {chop} @input;
  100: }
  101: 
  102: my ($username)=@input;
  103: $username=~/^(\w+)$/;
  104: my $safeusername=$1;
  105: if ($username ne $safeusername) {
  106:     print "Error. The user name specified has invalid characters.\n";
  107:     unlink('/tmp/lock_lcpasswd');
  108:     exit 5;
  109: }
  110: 
  111: &enable_root_capability;
  112: 
  113: # By using the system userdel command:
  114: # Remove entry from /etc/passwd if it exists
  115: # Remove entry from /etc/groups if it exists
  116: # I surround with groupdel command to make absolutely sure the group definition disappears.
  117: system('/usr/sbin/groupdel',$safeusername); # ignore error message
  118: system('/usr/sbin/userdel',$safeusername); # ignore error message
  119: system('/usr/sbin/groupdel',$safeusername); # ignore error message
  120: 
  121: # Remove entry from /etc/smbpasswd if it exists
  122: my $oldsmbpasswd=`/bin/cat /etc/smbpasswd`;
  123: my $newsmbpasswd=`/bin/grep -v '^${safeusername}:' /etc/smbpasswd`;
  124: 
  125: if ($oldsmbpasswd ne $newsmbpasswd) {
  126:     open OUT,">/etc/smbpasswd";
  127:     print OUT $newsmbpasswd;
  128:     close OUT;
  129: }
  130: 
  131: # Change ownership on directory from username:username to www:www
  132: # This prevents subsequently added users from having access.
  133: 
  134: system('/bin/chown','-R','www:www',"/home/$safeusername");
  135: 
  136: &disable_root_capability;
  137: unlink("/tmp/lock_lcpasswd");
  138: exit 0;
  139: 
  140: # ----------------------------------------------------------- have setuid script run as root
  141: sub enable_root_capability {
  142:     if ($wwwid==$>) {
  143: 	($<,$>)=($>,$<);
  144: 	($(,$))=($),$();
  145:     }
  146:     else {
  147: 	# root capability is already enabled
  148:     }
  149:     return $>;
  150: }
  151: 
  152: # ----------------------------------------------------------- have setuid script run as www
  153: sub disable_root_capability {
  154:     if ($wwwid==$<) {
  155: 	($<,$>)=($>,$<);
  156: 	($(,$))=($),$();
  157:     }
  158:     else {
  159: 	# root capability is already disabled
  160:     }
  161: }
  162: 
  163: # ----------------------------------- make sure that another lcpasswd process isn't running
  164: sub try_to_lock {
  165:     my ($lockfile)=@_;
  166:     my $currentpid;
  167:     my $lastpid;
  168:     # Do not manipulate lock file as root
  169:     if ($>==0) {
  170: 	return 0;
  171:     }
  172:     # Try to generate lock file.
  173:     # Wait 3 seconds.  If same process id is in
  174:     # lock file, then assume lock file is stale, and
  175:     # go ahead.  If process id's fluctuate, try
  176:     # for a maximum of 10 times.
  177:     for (0..10) {
  178: 	if (-e $lockfile) {
  179: 	    open(LOCK,"<$lockfile");
  180: 	    $currentpid=<LOCK>;
  181: 	    close LOCK;
  182: 	    if ($currentpid==$lastpid) {
  183: 		last;
  184: 	    }
  185: 	    sleep 3;
  186: 	    $lastpid=$currentpid;
  187: 	}
  188: 	else {
  189: 	    last;
  190: 	}
  191: 	if ($_==10) {
  192: 	    return 0;
  193: 	}
  194:     }
  195:     open(LOCK,">$lockfile");
  196:     print LOCK $$;
  197:     close LOCK;
  198:     return 1;
  199: }
  200: 
  201:
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
500 Internal Server Error

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator at root@localhost to inform them of the time this error occurred, and the actions you performed just before this error.

More information about this error may be available in the server error log.