1 | #!/usr/bin/perl |
---|
2 | use strict; |
---|
3 | use File::Temp qw/ :POSIX /; |
---|
4 | |
---|
5 | # signup-scripts-backend |
---|
6 | # Copyright (C) 2006 Jeff Arnold <jbarnold@mit.edu> |
---|
7 | # |
---|
8 | # This program is free software; you can redistribute it and/or |
---|
9 | # modify it under the terms of the GNU General Public License |
---|
10 | # as published by the Free Software Foundation; either version 2 |
---|
11 | # of the License, or (at your option) any later version. |
---|
12 | # |
---|
13 | # This program is distributed in the hope that it will be useful, |
---|
14 | # but WITHOUT ANY WARRANTY; without even the implied warranty of |
---|
15 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
---|
16 | # GNU General Public License for more details. |
---|
17 | # |
---|
18 | # You should have received a copy of the GNU General Public License |
---|
19 | # along with this program; if not, write to the Free Software |
---|
20 | # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA |
---|
21 | # |
---|
22 | # See /COPYRIGHT in this repository for more information. |
---|
23 | |
---|
24 | $ENV{PATH} = ''; |
---|
25 | |
---|
26 | my $username = $ARGV[0]; |
---|
27 | |
---|
28 | # Complain unless submitted username contains only valid characters |
---|
29 | complain("bad username") unless($username =~ /^[\w._-]+$/); |
---|
30 | |
---|
31 | open BANNEDUSERS, "</afs/athena.mit.edu/contrib/scripts/admin/users.banned" or |
---|
32 | complain("internal error"); |
---|
33 | while (<BANNEDUSERS>) { |
---|
34 | chomp; |
---|
35 | complain("banned username") if (lc eq lc $username); |
---|
36 | } |
---|
37 | close(BANNEDUSERS); |
---|
38 | |
---|
39 | my %filsys; |
---|
40 | open HESINFO, '-|', '@hesinfo_path@', '--', $username, 'filsys' or |
---|
41 | complain("internal error"); |
---|
42 | while (<HESINFO>) { |
---|
43 | chomp; |
---|
44 | my %f; @f{qw(type path rw mount order)} = split / /; |
---|
45 | %filsys = %f if (($f{order} || 9999) <= ($filsys{order} || 9999)); |
---|
46 | } |
---|
47 | close HESINFO; |
---|
48 | unless (%filsys && |
---|
49 | $filsys{type} eq 'AFS' && |
---|
50 | $filsys{path} =~ /^\/afs\/[\w\._\/-]+/ && |
---|
51 | $filsys{mount} eq "/mit/$username") { |
---|
52 | complain("athena user not found"); |
---|
53 | } |
---|
54 | my $homedir = $filsys{path}; |
---|
55 | |
---|
56 | # Tell AFS that we don't want to trigger fakestat, and confirm user's homedir |
---|
57 | chdir $homedir or complain("athena homedir not found"); |
---|
58 | opendir TEMP, '.'; |
---|
59 | closedir TEMP; |
---|
60 | |
---|
61 | # Obtain user's homedir uid |
---|
62 | my (undef, undef, undef, undef, $uid1, $gid1, undef, undef, undef, undef, undef, undef, undef) = stat '.' or complain("athena homedir could not be examined"); |
---|
63 | |
---|
64 | # Complain if user's uid is too low or too high |
---|
65 | complain("bad uid") unless($uid1 > 110 and $uid1 < (1 << 31)); |
---|
66 | |
---|
67 | # Complain if user's .scripts-signup file does not exist |
---|
68 | #complain("scripts-signup file not found") unless(-e '.scripts-signup'); |
---|
69 | |
---|
70 | # Complain if the user's username is already taken |
---|
71 | complain("username already taken") if(getpwnam $username); |
---|
72 | |
---|
73 | # Complain if user's uid is already taken |
---|
74 | complain("uid already taken") if(getpwuid $uid1); |
---|
75 | |
---|
76 | if($homedir !~ /\/afs\/athena\.mit\.edu\/user\//) { |
---|
77 | $gid1 = $uid1; |
---|
78 | } |
---|
79 | |
---|
80 | # Complain if user's gid is already taken |
---|
81 | complain("gid already taken") if(getgrgid $gid1); |
---|
82 | |
---|
83 | my $disabledmsg = "scripts.mit.edu signups are currently disabled"; |
---|
84 | if(-e "/afs/athena.mit.edu/contrib/scripts/admin/nosignup") { |
---|
85 | open NOSIGNUP, "</afs/athena.mit.edu/contrib/scripts/admin/nosignup" or |
---|
86 | complain("internal error"); |
---|
87 | while (<NOSIGNUP>) { |
---|
88 | chomp; |
---|
89 | $disabledmsg .= "\n$_"; |
---|
90 | } |
---|
91 | close NOSIGNUP; |
---|
92 | complain($disabledmsg); |
---|
93 | } |
---|
94 | elsif(-e "/etc/nosignup") { |
---|
95 | $disabledmsg .= " on this server"; |
---|
96 | open NOSIGNUP, "</etc/nosignup" or complain("internal error"); |
---|
97 | while (<NOSIGNUP>) { |
---|
98 | chomp; |
---|
99 | $disabledmsg .= "\n$_"; |
---|
100 | } |
---|
101 | close NOSIGNUP; |
---|
102 | complain($disabledmsg); |
---|
103 | } |
---|
104 | |
---|
105 | # Get credentials |
---|
106 | my $ccache = tmpnam(); |
---|
107 | $ENV{'KRB5CCNAME'} = $ccache; |
---|
108 | my $exit_status = system("/usr/bin/kinit", "-k", "-t", "/etc/signup.keytab", "daemon/scripts-signup.mit.edu"); |
---|
109 | if (($exit_status >> 8) != 0) { |
---|
110 | die "Couldn't get Kerberos credentials for account creation!"; |
---|
111 | } |
---|
112 | my $pid; |
---|
113 | my @ldap_servers = ('doppelganger', 'alter-ego', 'body-double'); |
---|
114 | my $selected_server = $ldap_servers[int(rand(3))]; |
---|
115 | defined ($pid = open LDAP, '|-') or complain("internal error"); |
---|
116 | if (!$pid) { |
---|
117 | close STDOUT; |
---|
118 | open STDOUT, '>/dev/null'; |
---|
119 | exec '@ldapadd_path@', '-c', '-Y', 'gssapi', '-H', "ldap://$selected_server.mit.edu"; |
---|
120 | exit 1; |
---|
121 | } |
---|
122 | print LDAP <<EOF; |
---|
123 | dn: uid=$username,ou=People,dc=scripts,dc=mit,dc=edu |
---|
124 | objectClass: posixAccount |
---|
125 | cn: $username |
---|
126 | uid: $username |
---|
127 | uidNumber: $uid1 |
---|
128 | gidNumber: $gid1 |
---|
129 | homeDirectory: $homedir |
---|
130 | loginShell: /usr/local/bin/mbash |
---|
131 | |
---|
132 | dn: cn=$username,ou=Groups,dc=scripts,dc=mit,dc=edu |
---|
133 | objectClass: posixGroup |
---|
134 | cn: $username |
---|
135 | gidNumber: $gid1 |
---|
136 | |
---|
137 | dn: scriptsVhostName=$username.scripts.mit.edu,ou=VirtualHosts,dc=scripts,dc=mit,dc=edu |
---|
138 | objectClass: scriptsVhost |
---|
139 | scriptsVhostName: $username.scripts.mit.edu |
---|
140 | scriptsVhostAlias: $username.scripts |
---|
141 | scriptsVhostAccount: uid=$username,ou=People,dc=scripts,dc=mit,dc=edu |
---|
142 | scriptsVhostDirectory: . |
---|
143 | |
---|
144 | EOF |
---|
145 | close LDAP or complain("internal error"); |
---|
146 | # Add disk quota for user |
---|
147 | #system('@sudo_path@', '-u', 'root', '/usr/sbin/setquota', $username, '0', '25000', '0', '10000', '-a'); |
---|
148 | |
---|
149 | system("kdestroy"); |
---|
150 | |
---|
151 | printexit("done", 0); |
---|
152 | |
---|
153 | sub complain { |
---|
154 | my ($complaint) = @_; |
---|
155 | printexit($complaint, 1); |
---|
156 | } |
---|
157 | |
---|
158 | sub printexit { |
---|
159 | my ($msg, $status) = @_; |
---|
160 | print $msg; |
---|
161 | exit($status); |
---|
162 | } |
---|