setgroups.in 9.82 KB
Newer Older
1
#!/usr/bin/perl -wT
Leigh Stoller's avatar
Leigh Stoller committed
2 3 4

#
# EMULAB-COPYRIGHT
5
# Copyright (c) 2000-2007 University of Utah and the Flux Group.
Leigh Stoller's avatar
Leigh Stoller committed
6 7 8
# All rights reserved.
#

9 10 11 12 13 14 15 16 17 18 19
use English;
use Getopt::Std;

#
# Set groups for users. With just a pid all the users in the group
# are modified. Of course, since we might be removing groups, we actuall
# have to go through the entire set of users in the project. Hence, you
# can provide an optional list of users to operate on; the web interface
# uses this option since it know what users have been changed via the web
# form.
#
20
# Note that this script does not create accounts or groups. That should
21 22 23 24 25
# already have been done with other scripts.
#
sub usage()
{
    print STDOUT
26 27
	"Usage: setgroups -p <pid> [user ...]\n".
        "       setgroups [user ...]\n";
28

29 30
    exit(-1);
}
31 32 33

sub fatal($);

34 35 36
my $optlist = "dp:";
my $debug   = 0;
my $optarg  = "";
37 38 39 40 41 42 43 44

#
# Configure variables
#
my $TB      = "@prefix@";
my $TBOPS   = "@TBOPSEMAIL@";
my $TBLOGS  = "@TBLOGSEMAIL@";
my $CONTROL = "@USERNODE@";
45
my $BOSSNODE= "@BOSSNODE@";
46
my $ADMINGRP= "@TBADMINGROUP@";
47
my $ELABINELAB    = @ELABINELAB@;
48
my $WIKISUPPORT   = @WIKISUPPORT@;
49
my $BUGDBSUPPORT  = @BUGDBSUPPORT@;
50
my $OPSDBSUPPORT  = @OPSDBSUPPORT@;
51
my $SETWIKIGROUPS = "$TB/sbin/setwikigroups";
52
my $SETBUGDBGROUPS= "$TB/sbin/setbugdbgroups";
53
my $OPSDBCONTROL  = "$TB/sbin/opsdb_control";
54 55 56

my $SSH     = "$TB/bin/sshtb";
my $USERMOD = "/usr/sbin/pw usermod";
57
my $SAVEUID = $UID;
58 59

my $dbuid;
60
my @userlist = ();
61
my $pid;
62 63 64 65 66
my $logname;
my @db_row;
my $query_result;

#
67 68
# Note hardwired control node.
#
69 70 71 72
my $control_node = $CONTROL;

#
# Untaint the path
73
#
74 75 76 77 78 79 80 81 82
$ENV{'PATH'} = "/bin:/usr/bin";
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};

#
# Turn off line buffering on output
#
$| = 1;

#
83
# Load the Testbed support stuff.
84 85
#
use lib "@prefix@/lib";
86
use libaudit;
87 88
use libdb;
use libtestbed;
89
use User;
90 91

#
92
# We do not want to run this script unless its the real version.
93 94 95 96 97 98 99 100 101
#
if ($EUID != 0) {
    die("*** $0:\n".
	"    Must be setuid! Maybe its a development version?\n");
}

#
# This script is setuid, so please do not run it as root. Hard to track
# what has happened.
102
#
103 104 105 106 107 108 109 110 111 112 113 114 115
if ($UID == 0) {
    die("*** $0:\n".
	"    Please do not run this as root! Its already setuid!\n");
}

#
# Parse command arguments. Once we return from getopts, all that should be
# left are the required arguments.
#
%options = ();
if (! getopts($optlist, \%options)) {
    usage();
}
116 117 118 119
if (defined($options{"d"})) {
    $debug  = 1;
    $optarg = "-d";
}
120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147
if (defined($options{"p"})) {
    $pid = $options{"p"};

    #
    # Untaint,
    #
    if ($pid =~ /^([-\@\w]+)$/) {
	$pid = $1;
    }
    else {
	die("Bad data in pid: $pid.");
    }
}

#
# See if a userlist was provided. This is an optimization. The web interface
# knows which users actually changed, so its quicker to modify that set
# instead of the entire project set.
#
if (@ARGV) {
    # Untaint the users.
    foreach my $user ( @ARGV ) {
	if ($user =~ /^([\w]+)$/) {
	    $user = $1;
	}
	else {
	    die("Bad user name: $user.");
	}
148

149 150 151 152
	push(@userlist, $user);
    }
}

153
if (!defined($pid) && !scalar(@userlist)) {
154 155 156
    usage();
}

157 158 159 160
# Map invoking user to object.
my $this_user = User->ThisUser();
if (! defined($this_user)) {
    fatal("You ($UID) do not exist!");
161
}
162 163
my $user_name  = $this_user->name();
my $user_email = $this_user->email();
164 165 166

#
# This script always does the right thing, so it does not matter who
167
# calls it.
168
#
169 170 171
# This script is always audited. Mail is sent automatically upon exit.
#
if (AuditStart(0)) {
172
    #
173
    # Parent exits normally
174
    #
175
    exit(0);
176 177
}

178
#
179 180 181 182 183 184 185 186
# All this stuff must be done as root (ssh).
#
$UID = $EUID;

#
# If no user list provided, we have to do this for the entire project
# member list since we have no idea who got changed.
#
187
if (! scalar(@userlist)) {
188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208
    $query_result =
	DBQueryFatal("select uid from group_membership ".
		     "where pid='$pid' and pid=gid");

    $query_result->numrows ||
	fatal("No project members for $pid!\n");

    while (@db_row = $query_result->fetchrow_array() ) {
	push(@userlist, $db_row[0]);
    }
}

#
# Loop through user set, building up the group set and issuing commands.
#
foreach my $uid (@userlist) {
    my @groupnames;
    my @grouplist;
    my $groupargument;
    my $project;

209 210 211 212 213 214
    my $user = User->Lookup($uid);
    fatal("Could not map user $uid to object")
	if (!defined($user));
    my $uid_idx = $user->uid_idx();

    if ($user->webonly()) {
215 216 217 218
	print "Skipping $uid; webonly account!\n";
	next;
    }

219 220 221
    #
    # Form a list of project (group) membership names. We do this in two
    # steps to ensure that we get the default group membership since we
222
    # want that to be the users primary group. Not sure this really matters
223 224
    # all that much, but might as well.
    #
225 226 227
    $query_result =
	DBQueryFatal("select g.unix_name from group_membership as m ".
		     "left join groups as g on m.pid=g.pid and m.gid=g.gid ".
228 229
		     "where m.uid_idx='$uid_idx' and m.pid=m.gid and ".
		     "      m.trust!='none'");
230

231 232
    if (!$query_result->numrows) {
	#
233 234 235
	# See if an active user with no project membership. If so, then
	# set groups to just the guest group. If not active, skip
	# (non-fatal) since there can be group members not approved,
236
	# and this is called from the editgroups web page.
237
	#
238 239
	if ($user->status() ne USERSTATUS_ACTIVE()) {
	    print "Skipping $uid; not an active user yet!\n";
240 241 242
	    next;
	}
	push(@groupnames, "guest");
243
	goto nogroups;
244
    }
245 246
    else {
	while (@db_row = $query_result->fetchrow_array() ) {
247 248 249 250 251 252
	    my $groupname = $db_row[0];

	    next
		if ($ELABINELAB && !getgrnam($groupname));

	    push(@groupnames, $groupname);
253
	}
254 255
    }

256 257
    #
    # Okay, pick up subgroup (pid!=gid) membership.
258
    #
259 260 261
    $query_result =
	DBQueryFatal("select g.unix_name from group_membership as m ".
		     "left join groups as g on m.pid=g.pid and m.gid=g.gid ".
262 263
		     "where m.uid_idx='$uid_idx' and m.pid!=m.gid and ".
		     "      m.trust!='none'");
264 265

    while (@db_row = $query_result->fetchrow_array() ) {
Leigh Stoller's avatar
Leigh Stoller committed
266 267 268 269 270 271
	    my $groupname = $db_row[0];

	    next
		if ($ELABINELAB && !getgrnam($groupname));

	    push(@groupnames, $groupname);
272 273
    }

274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303
    if (0) {
    #
    # Okay, this join looks for project/group roots in the pid, and finds
    # any subgroups they are not members of. The intent is that project
    # and group roots in the pid, should be able to read files in the
    # subgroups, even if they are not actual members of the group in the DB.
    # The reason they do not want to be actual members in the DB is cause
    # we do *not* want to export home dirs to experimental nodes, or otherwise
    # hand out sensitive info.
    #
    # XXX Not in use cause NGROUPS=16. Too Low!
    #
    $query_result =
	DBQueryFatal("select distinct gn.pid,gn.gid,g.unix_name ".
		     "  from group_membership as gp ".
		     "left join group_membership as gn on ".
		     "     gn.pid=gp.pid and gn.pid!=gn.gid ".
		     "left join group_membership as go on go.uid=gp.uid and ".
		     "     go.pid=gn.pid and go.gid=gn.gid ".
		     "left join groups as g on gn.pid=g.pid and gn.gid=g.gid ".
		     "where go.uid is null and gn.uid is not null and ".
		     "      gp.uid='$uid' and gp.pid=gp.gid and ".
		     "      (gp.trust='group_root' or ".
		     "       gp.trust='project_root')");

    while (@db_row = $query_result->fetchrow_array() ) {
	print "Would also add $uid to $db_row[0]/$db_row[1]\n";
#	push(@groupnames, $db_row[0]);
    }
    }
304

305 306
  nogroups:
    print "Processing user $uid: @groupnames\n";
307 308 309 310 311 312 313 314 315 316 317 318
    #
    # Construct an appropriate group list for the pw commands. Main project
    # is the first on the list, and that becomes the primary group. The rest
    # (if any) of the groups become a comma separated list for the -G option.
    #
    $groupargument = " ";
    $project       = shift @groupnames;
    $grouplist     = join(",",@groupnames);

    #
    # Add special groups. These are listed in the DB so that special local
    # users can have more unix groups than just the projects/groups they are
319
    # in. These groups must already exist.
320
    #
321 322 323 324 325 326 327 328 329 330 331 332
    my @extragrouplist = TBUnixGroupList($uid);

    #
    # Add special admin group. Check to make sure that its not a dup
    # since the above mechanism could cause a duplicate entry. No big
    # deal to catch it.
    #
    if (TBAdmin($uid)) {
	if (! grep(/^${ADMINGRP}$/, @extragrouplist)) {
	    push(@extragrouplist, $ADMINGRP);
	}
    }
333

334
    if (@extragrouplist) {
335
	print "Adding extra groups to list: @extragrouplist\n";
336

337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362
	if ($grouplist) {
	    $grouplist = "$grouplist," . join(",", @extragrouplist);
	}
	else {
	    $grouplist = join(",", @extragrouplist);
	}
    }

    if ($grouplist) {
	$groupargument = "-G $grouplist";
    }
    else {
	$groupargument = "-G \"\"";
    }

    print "Updating user $uid record on local node.\n";

    #
    # MAKE SURE not to update anything else!
    #
    if (system("$USERMOD $uid -g $project $groupargument")) {
	fatal("Could not modify user $uid on local node.");
    }

    print "Updating user $uid record on $control_node.\n";

363 364 365 366 367
    if ($control_node ne $BOSSNODE) {
        if (system("$SSH -host $control_node ".
	           "'$USERMOD $uid -g $project $groupargument'")) {
	    fatal("Could not modify user $uid record on $control_node.");
	}
368
    }
369 370 371 372 373 374

    #
    # Now schedule account updates on all the nodes that this person has
    # an account on.
    #
    TBNodeUpdateAccountsByUID($uid);
375 376
}

377 378 379
$UID  = $SAVEUID;
$EUID = $UID;

380
# and the twiki.
381
if ($WIKISUPPORT || $BUGDBSUPPORT || $OPSDBSUPPORT) {
382
    foreach $user (@userlist) {
383
	if ($WIKISUPPORT) {
384
	    system("$SETWIKIGROUPS $optarg $user") == 0 or
385 386 387
		fatal("$SETWIKIGROUPS $user failed!");
	}
	if ($BUGDBSUPPORT) {
388
	    system("$SETBUGDBGROUPS $optarg $user") == 0 or
389 390
		fatal("$SETBUGDBGROUPS $user failed!");
	}
391 392 393 394 395
	if ($OPSDBSUPPORT) {
	    system("$OPSDBCONTROL $optarg setgroups $user") == 0 or
		fatal("$OPSDBCONTROL setgroups $user failed!");
	}
	
396 397 398
    }
}

399 400 401
print "Group Update Completed!\n";
exit(0);

402
sub fatal($) {
403 404
    my($mesg) = $_[0];

405 406
    die("*** $0:\n".
	"    $mesg\n");
407
}