[LON-CAPA-cvs] cvs: loncom / lond
foxr
lon-capa-cvs@mail.lon-capa.org
Mon, 27 Jun 2005 10:27:05 -0000
foxr Mon Jun 27 06:27:05 2005 EDT
Modified files:
/loncom lond
Log:
defect 3271 - Channel changeuserauth where original and final authtypes are
'unix' into change_unix_passwd, and refactor "passwd" also through that
change_unix_passwd.
Index: loncom/lond
diff -u loncom/lond:1.286 loncom/lond:1.287
--- loncom/lond:1.286 Fri Jun 24 14:00:55 2005
+++ loncom/lond Mon Jun 27 06:27:02 2005
@@ -2,7 +2,7 @@
# The LearningOnline Network
# lond "LON Daemon" Server (port "LOND" 5663)
#
-# $Id: lond,v 1.286 2005/06/24 18:00:55 albertel Exp $
+# $Id: lond,v 1.287 2005/06/27 10:27:02 foxr Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -58,7 +58,7 @@
my $status='';
my $lastlog='';
-my $VERSION='$Revision: 1.286 $'; #' stupid emacs
+my $VERSION='$Revision: 1.287 $'; #' stupid emacs
my $remoteVERSION;
my $currenthostid="default";
my $currentdomainid;
@@ -112,20 +112,20 @@
#
my $lastpwderror = 13; # Largest error number from lcpasswd.
my @passwderrors = ("ok",
- "lcpasswd must be run as user 'www'",
- "lcpasswd got incorrect number of arguments",
- "lcpasswd did not get the right nubmer of input text lines",
- "lcpasswd too many simultaneous pwd changes in progress",
- "lcpasswd User does not exist.",
- "lcpasswd Incorrect current passwd",
- "lcpasswd Unable to su to root.",
- "lcpasswd Cannot set new passwd.",
- "lcpasswd Username has invalid characters",
- "lcpasswd Invalid characters in password",
- "lcpasswd User already exists",
- "lcpasswd Something went wrong with user addition.",
- "lcpasswd Password mismatch",
- "lcpasswd Error filename is invalid");
+ "pwchange_failure - lcpasswd must be run as user 'www'",
+ "pwchange_failure - lcpasswd got incorrect number of arguments",
+ "pwchange_failure - lcpasswd did not get the right nubmer of input text lines",
+ "pwchange_failure - lcpasswd too many simultaneous pwd changes in progress",
+ "pwchange_failure - lcpasswd User does not exist.",
+ "pwchange_failure - lcpasswd Incorrect current passwd",
+ "pwchange_failure - lcpasswd Unable to su to root.",
+ "pwchange_failure - lcpasswd Cannot set new passwd.",
+ "pwchange_failure - lcpasswd Username has invalid characters",
+ "pwchange_failure - lcpasswd Invalid characters in password",
+ "pwchange_failure - lcpasswd User already exists",
+ "pwchange_failure - lcpasswd Something went wrong with user addition.",
+ "pwchange_failure - lcpasswd Password mismatch",
+ "pwchange_failure - lcpasswd Error filename is invalid");
# The array below are lcuseradd error strings.:
@@ -1701,19 +1701,9 @@
&Failure( $client, "non_authorized\n",$userinput);
}
} elsif ($howpwd eq 'unix') {
- # Unix means we have to access /etc/password
- &Debug("auth is unix");
- my $execdir=$perlvar{'lonDaemons'};
- &Debug("Opening lcpasswd pipeline");
- my $pf = IO::File->new("|$execdir/lcpasswd > "
- ."$perlvar{'lonDaemons'}"
- ."/logs/lcpasswd.log");
- print $pf "$uname\n$npass\n$npass\n";
- close $pf;
- my $err = $?;
- my $result = ($err>0 ? 'pwchange_failure' : 'ok');
+ my $result = &change_unix_password($uname, $npass);
&logthis("Result of password change for $uname: ".
- &lcpasswdstrerror($?));
+ $result);
&Reply($client, "$result\n", $userinput);
} else {
# this just means that the current password mode is not
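Review bot: On failure this branch now replies with the full lcpasswd reason string instead of the bare token `pwchange_failure`. Any peer that tests the reply with an exact string comparison will stop recognising failures. The reason text (for example "User does not exist" or "Incorrect current passwd") also goes to the remote side rather than only to the local log. If the detail is not needed on the wire, keep it in `&logthis` and send the token: `my $reply = ($result eq 'ok') ? 'ok' : 'pwchange_failure';` followed by `&Reply($client, "$reply\n", $userinput);`. The enclosing handler starts and ends outside this hunk, so how clients parse the reply is not visible here.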
@@ -1812,6 +1802,9 @@
# Implicit inputs:
# The authentication systems describe above have their own forms of implicit
# input into the authentication process that are described above.
+# NOTE:
+# This is also used to change the authentication credential values (e.g. passwd).
+#
#
sub change_authentication_handler {
@@ -1831,24 +1824,43 @@
my $oldauth = &get_auth_type($udom, $uname); # Get old auth info.
my $passfilename = &password_path($udom, $uname);
if ($passfilename) { # Not allowed to create a new user!!
- my $result=&make_passwd_file($uname, $umode,$npass,$passfilename);
- #
- # If the current auth mode is internal, and the old auth mode was
- # unix, or krb*, and the user is an author for this domain,
- # re-run manage_permissions for that role in order to be able
- # to take ownership of the construction space back to www:www
- #
-
- if( (($oldauth =~ /^unix/) && ($umode eq "internal")) ||
- (($oldauth =~ /^internal/) && ($umode eq "unix")) ) {
- if(&is_author($udom, $uname)) {
- &Debug(" Need to manage author permissions...");
- &manage_permissions("/$udom/_au", $udom, $uname, "$umode:");
+ # If just changing the unix passwd. need to arrange to run
+ # passwd since otherwise make_passwd_file will run
+ # lcuseradd which fails if an account already exists
+ # (to prevent an unscrupulous LONCAPA admin from stealing
+ # an existing account by overwriting it as a LonCAPA account).
+
+ if(($oldauth =~/^unix/) && ($umode eq "unix")) {
+ my $result = &change_unix_password($uname, $npass);
+ &logthis("Result of password change for $uname: ".$result);
+ if ($result eq "ok") {
+ &Reply($client, "$result\n")
+ }
+ else {
+ &Failure($client, "$result\n");
}
}
+ else {
+ my $result=&make_passwd_file($uname, $umode,$npass,$passfilename);
+ #
+ # If the current auth mode is internal, and the old auth mode was
+ # unix, or krb*, and the user is an author for this domain,
+ # re-run manage_permissions for that role in order to be able
+ # to take ownership of the construction space back to www:www
+ #
+
+
+ if( (($oldauth =~ /^unix/) && ($umode eq "internal")) ||
+ (($oldauth =~ /^internal/) && ($umode eq "unix")) ) {
+ if(&is_author($udom, $uname)) {
+ &Debug(" Need to manage author permissions...");
+ &manage_permissions("/$udom/_au", $udom, $uname, "$umode:");
+ }
+ }
+ &Reply($client, $result, $userinput);
+ }
- &Reply($client, $result, $userinput);
} else {
&Failure($client, "non_authorized\n", $userinput); # Fail the user now.
}
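Review bot: The two replies in the new unix-to-unix branch drop the `$userinput` argument that the other `&Reply`/`&Failure` calls in this handler pass, such as `&Reply($client, $result, $userinput)` in the else branch. Those helpers are defined outside the hunk, so the effect is inferred. If the third argument feeds request logging, password-change results from this path would be recorded without the originating request. I would write `&Reply($client, "$result\n", $userinput);` and `&Failure($client, "$result\n", $userinput);`. change_authentication_handler begins and ends outside this hunk.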
@@ -5503,6 +5515,35 @@
}
return $result;
}
+# Change the passwd of a unix user. The caller must have
+# first verified that the user is a loncapa user.
+#
+# Parameters:
+# user - Unix user name to change.
+# pass - New password for the user.
+# Returns:
+# ok - if success
+# other - Some meaningfule error message string.
+# NOTE:
+# invokes a setuid script to change the passwd.
+sub change_unix_password {
+ my ($user, $pass) = @_;
+
+ &Debug("change_unix_password");
+ my $execdir=$perlvar{'lonDaemons'};
+ &Debug("Opening lcpasswd pipeline");
+ my $pf = IO::File->new("|$execdir/lcpasswd > "
+ ."$perlvar{'lonDaemons'}"
+ ."/logs/lcpasswd.log");
+ print $pf "$user\n$pass\n$pass\n";
+ close $pf;
+ my $err = $?;
+ return ($err < @passwderrors) ? $passwderrors[$err] :
+ "pwchange_falure - unknown error";
+
+
+}
+
sub make_passwd_file {
my ($uname, $umode,$npass,$passfilename)=@_;
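Review bot: After `close $pf` on a pipe, `$?` holds the raw wait status rather than lcpasswd's exit code, so `my $err = $?;` turns exit 1 into 256. Every non-zero exit therefore falls past the end of `@passwderrors` and is reported as the unknown-error fallback. That fallback is spelled `pwchange_falure`, so a caller matching the `pwchange_failure` prefix will not recognise it. The return of `IO::File->new` is never checked, and once the status is shifted a child killed by a signal must be treated as a failure explicitly, because its exit byte is 0 and would map to "ok". `$pass` is written into a line-framed stdin exchange with a setuid helper, so it is worth confirming that callers reject embedded newlines; no such check is visible in this hunk.

```perl
sub change_unix_password {
    # … unchanged: argument unpacking, Debug calls, IO::File->new pipeline to lcpasswd …
    return "pwchange_failure - unable to start lcpasswd" unless defined($pf);
    # … unchanged: print of the three input lines, close $pf …
    my $status = $?;                  # raw wait status, not the exit code
    if ($status == -1 || ($status & 127)) {
        # wait failed or lcpasswd was killed by a signal: never report "ok"
        return "pwchange_failure - lcpasswd did not exit normally";
    }
    my $err = $status >> 8;           # lcpasswd's exit code
    return ($err < @passwderrors) ? $passwderrors[$err] :
        "pwchange_failure - unknown error";
}
```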