setgroups.in 9.01 KB
Newer Older
1
#!/usr/bin/perl -wT
Leigh B. Stoller's avatar
Leigh B. Stoller committed
2
3
4

#
# EMULAB-COPYRIGHT
5
# Copyright (c) 2000-2004 University of Utah and the Flux Group.
Leigh B. Stoller's avatar
Leigh B. Stoller committed
6
7
8
# All rights reserved.
#

9
10
11
12
13
14
15
16
17
18
19
use English;
use Getopt::Std;

#
# Set groups for users. With just a pid all the users in the group
# are modified. Of course, since we might be removing groups, we actuall
# have to go through the entire set of users in the project. Hence, you
# can provide an optional list of users to operate on; the web interface
# uses this option since it know what users have been changed via the web
# form.
#
20
# Note that this script does not create accounts or groups. That should
21
22
23
24
25
# already have been done with other scripts.
#
sub usage()
{
    print STDOUT
26
27
	"Usage: setgroups -p <pid> [user ...]\n".
        "       setgroups [user ...]\n";
28

29
30
    exit(-1);
}
31
my  $optlist = "p:";
32
33
34
35
36
37
38
39

#
# Configure variables
#
my $TB      = "@prefix@";
my $TBOPS   = "@TBOPSEMAIL@";
my $TBLOGS  = "@TBLOGSEMAIL@";
my $CONTROL = "@USERNODE@";
40
my $BOSSNODE= "@BOSSNODE@";
41
my $ADMINGRP= "@TBADMINGROUP@";
42
43

my $SSH     = "$TB/bin/sshtb";
44
my $GENELISTS="$TB/sbin/genelists";
45
46
47
48
my $USERMOD = "/usr/sbin/pw usermod";

my $dbuid;
my @userlist;
49
my $pid;
50
51
52
53
54
55
56
my $user_name;
my $user_email;
my $logname;
my @db_row;
my $query_result;

#
57
58
# Note hardwired control node.
#
59
60
61
62
my $control_node = $CONTROL;

#
# Untaint the path
63
#
64
65
66
67
68
69
70
71
72
$ENV{'PATH'} = "/bin:/usr/bin";
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};

#
# Turn off line buffering on output
#
$| = 1;

#
73
# Load the Testbed support stuff.
74
75
#
use lib "@prefix@/lib";
76
use libaudit;
77
78
79
80
81
82
83
84
85
86
87
88
89
90
use libdb;
use libtestbed;

#
# We don't want to run this script unless its the real version.
#
if ($EUID != 0) {
    die("*** $0:\n".
	"    Must be setuid! Maybe its a development version?\n");
}

#
# This script is setuid, so please do not run it as root. Hard to track
# what has happened.
91
#
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
if ($UID == 0) {
    die("*** $0:\n".
	"    Please do not run this as root! Its already setuid!\n");
}

#
# Parse command arguments. Once we return from getopts, all that should be
# left are the required arguments.
#
%options = ();
if (! getopts($optlist, \%options)) {
    usage();
}
if (defined($options{"p"})) {
    $pid = $options{"p"};

    #
    # Untaint,
    #
    if ($pid =~ /^([-\@\w]+)$/) {
	$pid = $1;
    }
    else {
	die("Bad data in pid: $pid.");
    }
}

#
# See if a userlist was provided. This is an optimization. The web interface
# knows which users actually changed, so its quicker to modify that set
# instead of the entire project set.
#
if (@ARGV) {
    # Untaint the users.
    foreach my $user ( @ARGV ) {
	if ($user =~ /^([\w]+)$/) {
	    $user = $1;
	}
	else {
	    die("Bad user name: $user.");
	}
133

134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
	push(@userlist, $user);
    }
}

if (!defined($pid) && !defined(@userlist)) {
    usage();
}

#
# Get user DB uid.
#
if (! UNIX2DBUID($UID, \$dbuid)) {
    die("*** $0:\n".
        "    You do not exist in the Emulab Database!\n");
}

#
# Get email info.
#
if (! UserDBInfo($dbuid, \$user_name, \$user_email)) {
    die("*** $0:\n".
        "    Cannot determine email info for you!\n");
}

#
# This script always does the right thing, so it does not matter who
160
# calls it.
161
#
162
163
164
# This script is always audited. Mail is sent automatically upon exit.
#
if (AuditStart(0)) {
165
    #
166
    # Parent exits normally
167
    #
168
    exit(0);
169
170
}

171
#
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
# All this stuff must be done as root (ssh).
#
$UID = $EUID;

#
# If no user list provided, we have to do this for the entire project
# member list since we have no idea who got changed.
#
if (! defined(@userlist)) {
    $query_result =
	DBQueryFatal("select uid from group_membership ".
		     "where pid='$pid' and pid=gid");

    $query_result->numrows ||
	fatal("No project members for $pid!\n");

    while (@db_row = $query_result->fetchrow_array() ) {
	push(@userlist, $db_row[0]);
    }
}

#
# Loop through user set, building up the group set and issuing commands.
#
foreach my $uid (@userlist) {
    my @groupnames;
    my @grouplist;
    my $groupargument;
    my $project;

    #
    # Form a list of project (group) membership names. We do this in two
    # steps to ensure that we get the default group membership since we
    # want that to be the user's primary group. Not sure this really matters
206
207
    # all that much, but might as well.
    #
208
209
210
211
212
    $query_result =
	DBQueryFatal("select g.unix_name from group_membership as m ".
		     "left join groups as g on m.pid=g.pid and m.gid=g.gid ".
		     "where m.uid='$uid' and m.pid=m.gid and m.trust!='none'");

213
214
    if (!$query_result->numrows) {
	#
215
216
217
	# See if an active user with no project membership. If so, then
	# set groups to just the guest group. If not active, skip
	# (non-fatal) since there can be group members not approved,
218
	# and this is called from the editgroups web page.
219
220
	#
	$query_result =
221
222
223
	    DBQueryFatal("select status from users ".
			 "where uid='$uid' and webonly=0 ".
			 " and status='" . USERSTATUS_ACTIVE . "'");
224
225
226
227
228
229

	if (!$query_result->numrows) {
	    print "Skipping $uid; not in any groups!\n";
	    next;
	}
	push(@groupnames, "guest");
230
	goto nogroups;
231
    }
232
233
234
235
    else {
	while (@db_row = $query_result->fetchrow_array() ) {
	    push(@groupnames, $db_row[0]);
	}
236
237
    }

238
239
    #
    # Okay, pick up subgroup (pid!=gid) membership.
240
    #
241
242
243
244
245
246
247
248
249
250
    $query_result =
	DBQueryFatal("select g.unix_name from group_membership as m ".
		     "left join groups as g on m.pid=g.pid and m.gid=g.gid ".
		     "where m.uid='$uid' and m.pid!=m.gid ".
		     " and m.trust!='none'");

    while (@db_row = $query_result->fetchrow_array() ) {
	push(@groupnames, $db_row[0]);
    }

251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
    if (0) {
    #
    # Okay, this join looks for project/group roots in the pid, and finds
    # any subgroups they are not members of. The intent is that project
    # and group roots in the pid, should be able to read files in the
    # subgroups, even if they are not actual members of the group in the DB.
    # The reason they do not want to be actual members in the DB is cause
    # we do *not* want to export home dirs to experimental nodes, or otherwise
    # hand out sensitive info.
    #
    # XXX Not in use cause NGROUPS=16. Too Low!
    #
    $query_result =
	DBQueryFatal("select distinct gn.pid,gn.gid,g.unix_name ".
		     "  from group_membership as gp ".
		     "left join group_membership as gn on ".
		     "     gn.pid=gp.pid and gn.pid!=gn.gid ".
		     "left join group_membership as go on go.uid=gp.uid and ".
		     "     go.pid=gn.pid and go.gid=gn.gid ".
		     "left join groups as g on gn.pid=g.pid and gn.gid=g.gid ".
		     "where go.uid is null and gn.uid is not null and ".
		     "      gp.uid='$uid' and gp.pid=gp.gid and ".
		     "      (gp.trust='group_root' or ".
		     "       gp.trust='project_root')");

    while (@db_row = $query_result->fetchrow_array() ) {
	print "Would also add $uid to $db_row[0]/$db_row[1]\n";
#	push(@groupnames, $db_row[0]);
    }
    }
281

282
283
  nogroups:
    print "Processing user $uid: @groupnames\n";
284
285
286
287
288
289
290
291
292
293
294
295
    #
    # Construct an appropriate group list for the pw commands. Main project
    # is the first on the list, and that becomes the primary group. The rest
    # (if any) of the groups become a comma separated list for the -G option.
    #
    $groupargument = " ";
    $project       = shift @groupnames;
    $grouplist     = join(",",@groupnames);

    #
    # Add special groups. These are listed in the DB so that special local
    # users can have more unix groups than just the projects/groups they are
296
    # in. These groups must already exist.
297
    #
298
299
300
301
302
303
304
305
306
307
308
309
    my @extragrouplist = TBUnixGroupList($uid);

    #
    # Add special admin group. Check to make sure that its not a dup
    # since the above mechanism could cause a duplicate entry. No big
    # deal to catch it.
    #
    if (TBAdmin($uid)) {
	if (! grep(/^${ADMINGRP}$/, @extragrouplist)) {
	    push(@extragrouplist, $ADMINGRP);
	}
    }
310

311
    if (@extragrouplist) {
312
	print "Adding extra groups to list: @extragrouplist\n";
313

314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
	if ($grouplist) {
	    $grouplist = "$grouplist," . join(",", @extragrouplist);
	}
	else {
	    $grouplist = join(",", @extragrouplist);
	}
    }

    if ($grouplist) {
	$groupargument = "-G $grouplist";
    }
    else {
	$groupargument = "-G \"\"";
    }

    print "Updating user $uid record on local node.\n";

    #
    # MAKE SURE not to update anything else!
    #
    if (system("$USERMOD $uid -g $project $groupargument")) {
	fatal("Could not modify user $uid on local node.");
    }

    print "Updating user $uid record on $control_node.\n";

340
    if ($control_node ne $BOSSNODE) {
341
342
	$groupargument =~ s/\"/\\"/g; #"

343
344
345
346
        if (system("$SSH -host $control_node ".
	           "'$USERMOD $uid -g $project $groupargument'")) {
	    fatal("Could not modify user $uid record on $control_node.");
	}
347
    }
348
349
350
351
352
353

    #
    # Now schedule account updates on all the nodes that this person has
    # an account on.
    #
    TBNodeUpdateAccountsByUID($uid);
354
355
}

356
357
358
359
360
361
if (defined($pid)) {
    print "Updating email lists for project $pid\n";
    system("$GENELISTS -p $pid");
}
else {
    print "Updating email lists for: ".join(" ",@userlist)."\n";
362

363
    foreach $u (@userlist) {
364
	system("$GENELISTS -u $u");
365
366
    }
}
367

368
369
370
print "Group Update Completed!\n";
exit(0);

371
sub fatal($) {
372
373
    my($mesg) = $_[0];

374
375
    die("*** $0:\n".
	"    $mesg\n");
376
}