source: server/common/oursrc/accountadm/admof.in @ 58

Last change on this file since 58 was 22, checked in by jbarnold, 18 years ago
Fixed potential security problem identified by glasser
1#!/usr/bin/perl
2use strict;

# admof
# Copyright (C) 2006  Jeff Arnold <jbarnold@mit.edu>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
#
# See /COPYRIGHT in this repository for more information.

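# Only absolute, configured paths are executed below, so an empty PATH costs
# nothing.  The other variables are the ones perlsec lists as influencing a
# shell; they are dropped because this helper runs with an environment that
# the calling user controls.
# NOTE(review): a helper that acts on caller-supplied arguments is a natural
# candidate for taint mode (-T) as well.
$ENV{PATH} = '';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Locker name (argument 0).  It ends up in a filesystem path and in the
# messages below, so it is reduced to a conservative character set.  \A and
# \z are used rather than ^ and $ because $ also matches before a trailing
# newline, and "." / ".." are refused explicitly: the class admits them, but
# they would make the path step outside /mit/.
my $locker_arg = defined $ARGV[0] ? $ARGV[0] : '';
my ($targetuser) = ($locker_arg =~ /\A([\w._-]+)\z/);
if (!defined $targetuser || $targetuser eq '.' || $targetuser eq '..') {
  error("Invalid locker name: <$locker_arg>.");
}

# Calling principal (argument 1), presumably passed in by a trusted wrapper
# rather than typed by the user, hence the "internal error" wording.  Only a
# bare ATHENA.MIT.EDU principal is accepted; instances (foo/root) contain '/'
# and are rejected.
my $principal_arg = defined $ARGV[1] ? $ARGV[1] : '';
my ($curuser) = ($principal_arg =~ /\A([\w._-]+)\@ATHENA\.MIT\.EDU\z/);
if (!defined $curuser) {
  error("An internal error has occurred.\nContact scripts\@mit.edu for assistance.");
}

# ACL of the locker root.  fs echoes the path exactly as given, so the
# expected output is:
#
#   Access list for /mit/<locker>/ is
#   Normal rights:
#     system:scripts-root rlidwka
#     system:anyuser rl
my @fs = _command_lines('@fs_path@', 'la', "/mit/$targetuser/");

unless (@fs >= 2
        && $fs[0] eq "Access list for /mit/$targetuser/ is"
        && $fs[1] eq 'Normal rights:') {
  error("Cannot find locker <$targetuser>.");
}

# Argument 2, when true, additionally requires a local account for the
# locker.  getpwnam in scalar context returns the uid, so definedness is the
# right test (a uid of 0 would otherwise read as "no account").
if ($ARGV[2] && !defined getpwnam($targetuser)) {
  error("Locker <$targetuser> does not have a scripts.mit.edu account.");
}

# Walk the ACL entries after the two header lines.  Only entries carrying
# full rights ("rlidwka") count, either for the caller directly or for a
# system: group the caller belongs to.
for my $acl_line (@fs[2 .. $#fs]) {
  my ($id) = ($acl_line =~ /\A  ([\w:_-]+) rlidwka\z/);
  next unless defined $id;

  success() if $id eq $curuser;

  my ($group) = ($id =~ /\A(system:.+)\z/);
  next unless defined $group;

  # Expected output of pts membership:
  #
  #   Members of system:scripts-root (id: -56104) are:
  #     hartmans
  #     jbarnold
  #     presbrey
  #     tabbott
  #     hartmans.root
  my @mems = _command_lines('@pts_path@', 'membership', $group);
  next unless @mems && $mems[0] =~ /\AMembers of \Q$group\E \(id: \S+\) are:\z/;

  # Compare member lines one at a time instead of searching the whole output,
  # so that a word from the header line can never be mistaken for a member.
  for my $member_line (@mems[1 .. $#mems]) {
    my ($member) = ($member_line =~ /\A\s*(\S+)\s*\z/);
    success() if defined $member && $member eq $curuser;
  }
}

print <<END;

ERROR:
It appears as though you are not an administrator of locker <$targetuser>.
In order to be able to su to <$targetuser>, you must have full AFS access
to the root directory of locker <$targetuser>.  Try running the command
fs sa /mit/$targetuser $curuser all
on Athena in order to explicitly grant yourself full AFS access.
Contact scripts\@mit.edu if you are unable to solve the problem.

END

exit(1);

# Run a command directly -- no shell is involved, so the arguments are never
# re-parsed -- with its stderr discarded, and return its stdout as chomped
# lines.  Returns an empty list if the command could not be started; callers
# treat that the same as unexpected output.
#
# @_ - program path followed by its arguments.
sub _command_lines {
  my @command = @_;
  my $pid = open(my $out, '-|');
  return () unless defined $pid;
  if ($pid == 0) {
    # Child.  fs/pts diagnostics are not meant for the user, so stderr goes
    # to /dev/null (best effort: if the open fails, stderr is simply kept).
    open(STDERR, '>', '/dev/null');
    exec { $command[0] } @command;
    exit(127);
  }
  my @lines = <$out>;
  close($out);
  chomp @lines;
  return @lines;
}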
88
# Print a diagnostic to stderr in the script's standard ERROR framing and
# terminate with status 1.
#
# $message - text shown under the "ERROR:" heading.
sub error {
  my ($message) = @_;
  print STDERR "\nERROR:\n", $message, "\n\n";
  exit(1);
}
93
# Report a passed authorization check to stderr and terminate with the
# distinctive status 33 (every failure path exits with 1), which the
# invoking wrapper presumably checks for.
# Reads the file-scoped $targetuser and $curuser.
sub success {
  my $banner = "\n== SUCCESS ==\nYou are now logged in as user <$targetuser>.\n"
             . "To return to being <$curuser>, type \"exit\".\n\n";
  print STDERR $banner;
  exit(33);
}