diff --git a/db/GNUmakefile.in b/db/GNUmakefile.in
index ddac6eccacc1720f5762d30e1a140b385fb49dc6..9c45fa55e6710d0451a7c5fc0e1d6620e6d59ff6 100644
--- a/db/GNUmakefile.in
+++ b/db/GNUmakefile.in
@@ -41,6 +41,8 @@ post-install:
 chmod u+s $(INSTALL_SBINDIR)/genelists
 chown root $(INSTALL_SBINDIR)/dhcpd_makeconf
 chmod u+s $(INSTALL_SBINDIR)/dhcpd_makeconf
+ chown root $(INSTALL_SBINDIR)/elabinelab_bossinit
+ chmod u+s $(INSTALL_SBINDIR)/elabinelab_bossinit
 #
 # Control node installation (okay, plastic)
diff --git a/db/elabinelab_bossinit.in b/db/elabinelab_bossinit.in
index 7663a4b34dda29dcf3f199bee2f8ce5a47620e4b..52c3b88d8b3c8daa518736964d044df224749a4a 100755
--- a/db/elabinelab_bossinit.in
+++ b/db/elabinelab_bossinit.in
@@ -1,4 +1,4 @@
-#!/usr/bin/perl -w
+#!/usr/bin/perl -wT
 #
 # EMULAB-COPYRIGHT
 # Copyright (c) 2000-2004 University of Utah and the Flux Group.
@@ -25,6 +25,7 @@ my $debug = 0;
 my $TB = "@prefix@";
 my $TBOPS = "@TBOPSEMAIL@";
 my $ELABINELAB = @ELABINELAB@;
+my $SAVEUID = $UID;
 # un-taint path
 $ENV{'PATH'} = '/bin:/usr/bin:/usr/sbin:/usr/local/bin';
@@ -46,6 +47,13 @@ if (!TBAdmin($UID)) {
 die("*** $0:\n".
 " Only TB administrators can run this script!\n");
 }
+#
+# We don't want to run this script unless its the real version.
+#
+if ($EUID != 0) {
+ die("*** $0:\n".
+ " Must be root! Maybe its a development version?\n");
+}
 #
 # Parse command arguments. Once we return from getopts, all that should
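Review bot: The two added post-install lines in db/GNUmakefile.in make elabinelab_bossinit setuid root without a comment saying why, and a new setuid-root program deserves a line of explanation where the bit is set. Judging by the elabinelab_bossinit.in hunks in this commit, root is used only around the `pw usermod` call and the script runs as the real user otherwise; a comment such as `# elabinelab_bossinit: setuid root for "pw usermod" only; exits unless euid is 0` above the `chown` line would record that. `chmod u+s` also leaves the remaining mode bits as the earlier install step set them, which this hunk does not show, so it is worth confirming the installed file is not writable by group or other.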
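Review bot: With `-T` added to the shebang (hunk `@@ -1,4 +1,4 @@`), Perl refuses to run external commands while `IFS`, `CDPATH`, `ENV` or `BASH_ENV` are still inherited from the caller, and the context visible in the next hunk cleans only `PATH`. Unless those variables are removed somewhere outside the hunks shown, an administrator who has one of them set will see the script die at its first command. The usual companion line next to the PATH assignment is `delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};`.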
@@ -64,40 +72,72 @@ usage()
 my $pid = shift();
 #
-# Build the project.
+# Untaint the arguments.
 #
-mysystem("$TB/sbin/mkproj $pid");
+if ($pid =~ /^([-\w]+)$/) {
+ $pid = $1;
+}
+else {
+ die("Tainted argument $pid!\n");
+}
 #
-# Get the list of subgroups in the project and create those groups.
+# Shift to real user for these scripts.
 #
-my $query_result =
- DBQueryFatal("select gid from groups where pid='$pid' and pid!=gid");
-while (my ($gid) = $query_result->fetchrow_array()) {
- mysystem("$TB/sbin/mkgroup $pid $gid");
-}
+$EUID = $UID;
+
+#
+# Build the project.
+#
+#mysystem("$TB/sbin/mkproj $pid");
 #
 # Get the list of users and admin status. Admin users get a real shell
-# on boss. Create the users, and then set their groups.
+# on boss. Create the users, and not that we have to do this before the
+# groups are created (tbacct add does not do a setgroups).
 #
-$query_result =
+my $users_result =
 DBQueryFatal("select distinct u.uid,u.admin from group_membership as m ".
 "left join users as u on u.uid=m.uid ".
 "where u.status='" . USERSTATUS_ACTIVE() . "'");
-while (my ($uid,$admin) = $query_result->fetchrow_array()) {
+while (my ($uid,$admin) = $users_result->fetchrow_array()) {
+ next
+ if ($uid eq "elabman");
+
 mysystem("$TB/sbin/tbacct add $uid");
 if ($admin) {
 # Add admin users to group wheel for convenience.
- DBQueryFatal("insert into unixgroup_membership ".
+ DBQueryFatal("replace into unixgroup_membership ".
 "values ('$uid','wheel')");
 }
- mysystem("$TB/sbin/setgroups $uid");
 if ($admin) {
+ # Flip back to root for pw command.
+ $EUID = 0;
 mysystem("pw usermod -n $uid -s /bin/tcsh");
+ $EUID = $UID;
 }
 }
+#
+# Get the list of subgroups in the project and create those groups.
+#
+my $query_result =
+ DBQueryFatal("select gid from groups where pid='$pid' and pid!=gid");
+while (my ($gid) = $query_result->fetchrow_array()) {
+ mysystem("$TB/sbin/mkgroup $pid $gid");
+}
+
+#
+# Now do a setgroups.
+#
+$users_result->dataseek(0);
+while (my ($uid,$admin) = $users_result->fetchrow_array()) {
+ next
+ if ($uid eq "elabman");
+
+ mysystem("$TB/sbin/setgroups $uid");
+}
+
 #
 # Run a command string.
 #
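Review bot: Only `$pid` is validated in this hunk, yet `$uid` and `$gid` come straight from the database and are interpolated into command strings, including `pw usermod -n $uid -s /bin/tcsh`, which runs after the effective uid has been set back to 0. Values fetched through a database handle are normally not marked tainted, so `-T` is unlikely to catch a malformed name here. Applying the same pattern check used for `$pid` at the top of each loop, for example `die("Bad uid $uid!\n") unless ($uid =~ /^([-\w]+)$/); $uid = $1;`, would keep unexpected characters out of those strings and out of the `replace into unixgroup_membership` statement. mysystem() is defined below this hunk, so how it hands the string to the system cannot be confirmed from here.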