[LON-CAPA-cvs] cvs: loncom(Refactoring) / lond

foxr lon-capa-cvs@mail.lon-capa.org
Wed, 07 Apr 2004 09:39:19 -0000


foxr		Wed Apr  7 05:39:19 2004 EDT

  Modified files:              (Branch: Refactoring)
    /loncom	lond 
  Log:
  Close security hole in make_passwd_file
  
  
Index: loncom/lond
diff -u loncom/lond:1.178.2.13 loncom/lond:1.178.2.14
--- loncom/lond:1.178.2.13	Tue Mar 23 06:50:12 2004
+++ loncom/lond	Wed Apr  7 05:39:18 2004
@@ -2,7 +2,7 @@
 # The LearningOnline Network
 # lond "LON Daemon" Server (port "LOND" 5663)
 #
-# $Id: lond,v 1.178.2.13 2004/03/23 11:50:12 foxr Exp $
+# $Id: lond,v 1.178.2.14 2004/04/07 09:39:18 foxr Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -53,7 +53,7 @@
 my $status='';
 my $lastlog='';
 
-my $VERSION='$Revision: 1.178.2.13 $'; #' stupid emacs
+my $VERSION='$Revision: 1.178.2.14 $'; #' stupid emacs
 my $remoteVERSION;
 my $currenthostid;
 my $currentdomainid;
@@ -890,6 +890,7 @@
 	    for (my $i=3;$i<= ($#fpparts-1);$i++) {
 		$fpnow.='/'.$fpparts[$i]; 
 		unless (-e $fpnow) {
+		    &logthis("mkdir $fpnow");
 		    unless (mkdir($fpnow,0777)) {
 			$fperror="error: ".($!+0)." mkdir failed while attempting "
 			    ."makeuser";
@@ -989,7 +990,7 @@
    
     my ($udom,$uname)=split(/:/,$tail);
     chomp($uname);
-    my $passfile = PasswordPath($udom, $uname);
+    my $passfile = PasswordFilename($udom, $uname);
     if($passfile) {
 	Reply( $client, "found\n", $userinput);
     } else {
@@ -4185,7 +4186,7 @@
 	    $validated = (crypt($password, $contentpwd) eq $contentpwd);
 	}
 	elsif ($howpwd eq "unix") { # User is a normal unix user.
-	    $contentpwd = (getpwname($user))[1];
+	    $contentpwd = (getpwnam($user))[1];
 	    if($contentpwd) {
 		if($contentpwd eq 'x') { # Shadow password file...
 		    my $pwauth_path = "/usr/local/sbin/pwauth";
@@ -4487,23 +4488,32 @@
 	    print $pf "localauth:$npass\n";
 	}
     } elsif ($umode eq 'unix') {
-	{
-	    my $execpath="$perlvar{'lonDaemons'}/"."lcuseradd";
-	    {
-		&Debug("Executing external: ".$execpath);
-		&Debug("user  = ".$uname.", Password =". $npass);
-		my $se = IO::File->new("|$execpath > $perlvar{'lonDaemons'}/logs/lcuseradd.log");
-		print $se "$uname\n";
-		print $se "$npass\n";
-		print $se "$npass\n";
-	    }
-	    my $useraddok = $?;
-	    if($useraddok > 0) {
-		&logthis("Failed lcuseradd: ".&lcuseraddstrerror($useraddok));
-	    }
-	    my $pf = IO::File->new(">$passfilename");
-	    print $pf "unix:\n";
+	#
+	#  Don't allow the creation of privileged accounts!!! that would
+	#  be real bad!!!
+	#
+	my $uid = getpwnam($uname);
+	if((defined $uid) && ($uid == 0)) {
+	    return "no_priv_account_error\n";
 	}
+
+	#
+	my $execpath="$perlvar{'lonDaemons'}/"."lcuseradd";
+	
+	&Debug("Executing external: ".$execpath);
+	&Debug("user  = ".$uname.", Password =". $npass);
+	my $se = IO::File->new("|$execpath > $perlvar{'lonDaemons'}/logs/lcuseradd.log");
+	print $se "$uname\n";
+	print $se "$npass\n";
+	print $se "$npass\n";
+	
+	my $useraddok = $?;
+	if($useraddok > 0) {
+	    &logthis("Failed lcuseradd: ".&lcuseraddstrerror($useraddok));
+	}
+	my $pf = IO::File->new(">$passfilename");
+	print $pf "unix:\n";
+ 
     } elsif ($umode eq 'none') {
 	{
 	    my $pf = IO::File->new(">$passfilename");
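$passfilename">
Review bot: `my $useraddok = $?;` below the three `print $se` lines now reads `$?` before the `$se` pipe to lcuseradd has been closed, so it no longer carries lcuseradd's exit status; in the removed version the enclosing bare block ended first, which closed `$se` implicitly and is what set `$?`. As written the branch that logs lcuseraddstrerror is effectively dead, and a failed account creation still falls through to writing `unix:` into the password file. Add `$se->close();` immediately before `my $useraddok = $?;`, since the status is set by close, not by print. Two further points for a follow-up: the new `$uid == 0` guard rejects only root, so if lcuseradd also acts on an existing account any other system user is still accepted — a uid threshold or a check that the name does not already exist would be tighter — and `&Debug("user  = ".$uname.", Password =". $npass)` writes the plaintext password into the debug log. make_passwd_file starts and ends outside the hunk.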