setgroups.in 11.3 KB
Newer Older
1
#!/usr/bin/perl -wT
Leigh B. Stoller's avatar
Leigh B. Stoller committed
2 3

#
4
# Copyright (c) 2000-2015 University of Utah and the Flux Group.
5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
# 
# {{{EMULAB-LICENSE
# 
# This file is part of the Emulab network testbed software.
# 
# This file is free software: you can redistribute it and/or modify it
# under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or (at
# your option) any later version.
# 
# This file is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public
# License for more details.
# 
# You should have received a copy of the GNU Affero General Public License
# along with this file.  If not, see <http://www.gnu.org/licenses/>.
# 
# }}}
Leigh B. Stoller's avatar
Leigh B. Stoller committed
24 25
#

26 27 28 29 30
use English;
use Getopt::Std;

#
# Set groups for users. With just a pid all the users in the group
31
# are modified. Of course, since we might be removing groups, we actually
32 33 34 35 36
# have to go through the entire set of users in the project. Hence, you
# can provide an optional list of users to operate on; the web interface
# uses this option since it know what users have been changed via the web
# form.
#
37
# Note that this script does not create accounts or groups. That should
38 39 40 41 42
# already have been done with other scripts.
#
sub usage()
{
    print STDOUT
43 44
	"Usage: setgroups -p <pid> [user ...]\n".
        "       setgroups [user ...]\n";
45

46 47
    exit(-1);
}
48 49 50

sub fatal($);

51 52 53
my $optlist = "dp:";
my $debug   = 0;
my $optarg  = "";
54 55 56 57 58 59 60 61

#
# Configure variables
#
my $TB      = "@prefix@";
my $TBOPS   = "@TBOPSEMAIL@";
my $TBLOGS  = "@TBLOGSEMAIL@";
my $CONTROL = "@USERNODE@";
62
my $BOSSNODE= "@BOSSNODE@";
63
my $ADMINGRP= "@TBADMINGROUP@";
64
my $ELABINELAB    = @ELABINELAB@;
65
my $WIKISUPPORT   = @WIKISUPPORT@;
66
my $BUGDBSUPPORT  = @BUGDBSUPPORT@;
67
my $OPSDBSUPPORT  = @OPSDBSUPPORT@;
68 69
my $WITHZFS       = @WITHZFS@;
my $ZFS_NOEXPORT  = @ZFS_NOEXPORT@;
70
my $SETWIKIGROUPS = "$TB/sbin/setwikigroups";
71
my $SETBUGDBGROUPS= "$TB/sbin/setbugdbgroups";
72
my $OPSDBCONTROL  = "$TB/sbin/opsdb_control";
73
my $EXPORTSSETUP  = "$TB/sbin/exports_setup";
74
my $ACCOUNTPROXY  = "$TB/sbin/accountsetup";
75 76 77

my $SSH     = "$TB/bin/sshtb";
my $USERMOD = "/usr/sbin/pw usermod";
78
my $CHOWN   = "/usr/sbin/chown";
79
my $SAVEUID = $UID;
80 81

my $dbuid;
82
my @userlist = ();
83
my @modusers = ();
84
my $pid;
85 86 87 88 89
my $logname;
my @db_row;
my $query_result;

#
90 91
# Note hardwired control node.
#
92 93 94 95
my $control_node = $CONTROL;

#
# Untaint the path
96
#
97 98 99 100 101 102 103 104 105
$ENV{'PATH'} = "/bin:/usr/bin";
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};

#
# Turn off line buffering on output
#
$| = 1;

#
106
# Load the Testbed support stuff.
107 108
#
use lib "@prefix@/lib";
109
use libaudit;
110 111
use libdb;
use libtestbed;
112
use User;
113
use emutil;
114 115

#
116
# We do not want to run this script unless its the real version.
117 118 119 120 121 122 123 124 125
#
if ($EUID != 0) {
    die("*** $0:\n".
	"    Must be setuid! Maybe its a development version?\n");
}

#
# This script is setuid, so please do not run it as root. Hard to track
# what has happened.
126
#
127 128 129 130 131 132 133 134 135 136 137 138 139
if ($UID == 0) {
    die("*** $0:\n".
	"    Please do not run this as root! Its already setuid!\n");
}

#
# Parse command arguments. Once we return from getopts, all that should be
# left are the required arguments.
#
%options = ();
if (! getopts($optlist, \%options)) {
    usage();
}
140 141 142 143
if (defined($options{"d"})) {
    $debug  = 1;
    $optarg = "-d";
}
144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171
if (defined($options{"p"})) {
    $pid = $options{"p"};

    #
    # Untaint,
    #
    if ($pid =~ /^([-\@\w]+)$/) {
	$pid = $1;
    }
    else {
	die("Bad data in pid: $pid.");
    }
}

#
# See if a userlist was provided. This is an optimization. The web interface
# knows which users actually changed, so its quicker to modify that set
# instead of the entire project set.
#
if (@ARGV) {
    # Untaint the users.
    foreach my $user ( @ARGV ) {
	if ($user =~ /^([\w]+)$/) {
	    $user = $1;
	}
	else {
	    die("Bad user name: $user.");
	}
172

173 174 175 176
	push(@userlist, $user);
    }
}

177
if (!defined($pid) && !scalar(@userlist)) {
178 179 180
    usage();
}

181 182 183 184
# Map invoking user to object.
my $this_user = User->ThisUser();
if (! defined($this_user)) {
    fatal("You ($UID) do not exist!");
185
}
186 187
my $user_name  = $this_user->name();
my $user_email = $this_user->email();
188 189 190

#
# This script always does the right thing, so it does not matter who
191
# calls it.
192
#
193 194 195
# This script is always audited. Mail is sent automatically upon exit.
#
if (AuditStart(0)) {
196
    #
197
    # Parent exits normally
198
    #
199
    exit(0);
200 201 202 203 204 205
}

#
# If no user list provided, we have to do this for the entire project
# member list since we have no idea who got changed.
#
206
if (! scalar(@userlist)) {
207
    $query_result =
208
	DBQueryFatal("select uid_idx from group_membership ".
209 210 211 212 213 214 215 216 217 218
		     "where pid='$pid' and pid=gid");

    $query_result->numrows ||
	fatal("No project members for $pid!\n");

    while (@db_row = $query_result->fetchrow_array() ) {
	push(@userlist, $db_row[0]);
    }
}

219 220 221 222 223
#
# All this stuff must be done as root (ssh).
#
$UID = $EUID;

224 225 226
#
# Loop through user set, building up the group set and issuing commands.
#
227
foreach my $token (@userlist) {
228 229 230 231 232
    my @groupnames;
    my @grouplist;
    my $groupargument;
    my $project;

233 234
    my $user = User->Lookup($token);
    fatal("Could not map user $token to object")
235 236
	if (!defined($user));
    my $uid_idx = $user->uid_idx();
237
    my $uid     = $user->uid();
238 239

    if ($user->webonly()) {
240 241 242
	print "Skipping $uid; webonly account!\n";
	next;
    }
243 244 245 246 247 248
    if ($user->IsNonLocal()) {
	print "Skipping $uid; nonlocal account!\n";
	next;
    }
    # want to skip nonlocal/webonly in second loop below.
    push(@modusers, $user);
249

250 251 252
    #
    # Form a list of project (group) membership names. We do this in two
    # steps to ensure that we get the default group membership since we
253
    # want that to be the users primary group. Not sure this really matters
254 255
    # all that much, but might as well.
    #
256 257 258
    $query_result =
	DBQueryFatal("select g.unix_name from group_membership as m ".
		     "left join groups as g on m.pid=g.pid and m.gid=g.gid ".
259 260
		     "where m.uid_idx='$uid_idx' and m.pid=m.gid and ".
		     "      m.trust!='none'");
261

262 263
    if (!$query_result->numrows) {
	#
264 265 266
	# See if an active user with no project membership. If so, then
	# set groups to just the guest group. If not active, skip
	# (non-fatal) since there can be group members not approved,
267
	# and this is called from the editgroups web page.
268
	#
269 270
	if ($user->status() ne USERSTATUS_ACTIVE()) {
	    print "Skipping $uid; not an active user yet!\n";
271 272 273
	    next;
	}
	push(@groupnames, "guest");
274
	goto nogroups;
275
    }
276 277
    else {
	while (@db_row = $query_result->fetchrow_array() ) {
278 279 280 281 282 283
	    my $groupname = $db_row[0];

	    next
		if ($ELABINELAB && !getgrnam($groupname));

	    push(@groupnames, $groupname);
284
	}
285 286
    }

287 288
    #
    # Okay, pick up subgroup (pid!=gid) membership.
289
    #
290 291 292
    $query_result =
	DBQueryFatal("select g.unix_name from group_membership as m ".
		     "left join groups as g on m.pid=g.pid and m.gid=g.gid ".
293 294
		     "where m.uid_idx='$uid_idx' and m.pid!=m.gid and ".
		     "      m.trust!='none'");
295 296

    while (@db_row = $query_result->fetchrow_array() ) {
Leigh B. Stoller's avatar
Ditto  
Leigh B. Stoller committed
297 298 299 300 301 302
	    my $groupname = $db_row[0];

	    next
		if ($ELABINELAB && !getgrnam($groupname));

	    push(@groupnames, $groupname);
303 304
    }

305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334
    if (0) {
    #
    # Okay, this join looks for project/group roots in the pid, and finds
    # any subgroups they are not members of. The intent is that project
    # and group roots in the pid, should be able to read files in the
    # subgroups, even if they are not actual members of the group in the DB.
    # The reason they do not want to be actual members in the DB is cause
    # we do *not* want to export home dirs to experimental nodes, or otherwise
    # hand out sensitive info.
    #
    # XXX Not in use cause NGROUPS=16. Too Low!
    #
    $query_result =
	DBQueryFatal("select distinct gn.pid,gn.gid,g.unix_name ".
		     "  from group_membership as gp ".
		     "left join group_membership as gn on ".
		     "     gn.pid=gp.pid and gn.pid!=gn.gid ".
		     "left join group_membership as go on go.uid=gp.uid and ".
		     "     go.pid=gn.pid and go.gid=gn.gid ".
		     "left join groups as g on gn.pid=g.pid and gn.gid=g.gid ".
		     "where go.uid is null and gn.uid is not null and ".
		     "      gp.uid='$uid' and gp.pid=gp.gid and ".
		     "      (gp.trust='group_root' or ".
		     "       gp.trust='project_root')");

    while (@db_row = $query_result->fetchrow_array() ) {
	print "Would also add $uid to $db_row[0]/$db_row[1]\n";
#	push(@groupnames, $db_row[0]);
    }
    }
335

336 337
  nogroups:
    print "Processing user $uid: @groupnames\n";
338 339 340 341 342 343 344 345 346 347 348 349
    #
    # Construct an appropriate group list for the pw commands. Main project
    # is the first on the list, and that becomes the primary group. The rest
    # (if any) of the groups become a comma separated list for the -G option.
    #
    $groupargument = " ";
    $project       = shift @groupnames;
    $grouplist     = join(",",@groupnames);

    #
    # Add special groups. These are listed in the DB so that special local
    # users can have more unix groups than just the projects/groups they are
350
    # in. These groups must already exist.
351
    #
Leigh B. Stoller's avatar
Leigh B. Stoller committed
352 353 354 355
    my @extragrouplist = ();
    if ($user->UnixGroupList(\@extragrouplist) != 0) {
	fatal("Could not extra group list for $user");
    }
356 357

    #
358 359 360 361
    # Add special admin group. Also add wheel and mysql cause once
    # you become an admin and have a local shell, might as well just
    # do this too. Watch for dups though, since the above mechanism
    # could cause a duplicate entry. No big deal to catch it.
362
    #
363 364 365 366
    if ($user->admin()) {
	foreach my $extragroup ($ADMINGRP, "wheel", "mysql") {
	    push(@extragrouplist, $extragroup)
		if (! grep(/^${extragroup}$/, @extragrouplist));
367 368
	}
    }
369

370
    if (@extragrouplist) {
371 372
	push @groupnames, @extragrouplist;

373
	print "Adding extra groups to list: @extragrouplist\n";
374

375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400
	if ($grouplist) {
	    $grouplist = "$grouplist," . join(",", @extragrouplist);
	}
	else {
	    $grouplist = join(",", @extragrouplist);
	}
    }

    if ($grouplist) {
	$groupargument = "-G $grouplist";
    }
    else {
	$groupargument = "-G \"\"";
    }

    print "Updating user $uid record on local node.\n";

    #
    # MAKE SURE not to update anything else!
    #
    if (system("$USERMOD $uid -g $project $groupargument")) {
	fatal("Could not modify user $uid on local node.");
    }

    print "Updating user $uid record on $control_node.\n";

401
    if ($control_node ne $BOSSNODE) {
402
	$groupargument = join(' ', @groupnames);
403
        if (system("$SSH -host $control_node ".
404
		   "$ACCOUNTPROXY moduser $uid $project $groupargument")) {
405 406
	    fatal("Could not modify user $uid record on $control_node.");
	}
407
    }
408 409 410 411 412 413

    #
    # Now schedule account updates on all the nodes that this person has
    # an account on.
    #
    TBNodeUpdateAccountsByUID($uid);
414 415
}

416 417 418
$UID  = $SAVEUID;
$EUID = $UID;

419
# and the twiki.
420
if ($WIKISUPPORT || $BUGDBSUPPORT || $OPSDBSUPPORT) {
421 422 423 424 425 426
    foreach $user (@modusers) {
	next
	    if ($user->nocollabtools());
	
	my $uid_idx = $user->uid_idx();
	
427
	if ($WIKISUPPORT) {
428
	    system("$SETWIKIGROUPS $optarg $uid_idx") == 0 or
429 430 431
		fatal("$SETWIKIGROUPS $user failed!");
	}
	if ($BUGDBSUPPORT) {
432
	    system("$SETBUGDBGROUPS $optarg $uid_idx") == 0 or
433 434
		fatal("$SETBUGDBGROUPS $user failed!");
	}
435
	if ($OPSDBSUPPORT) {
436
	    system("$OPSDBCONTROL $optarg setgroups $uid_idx") == 0 or
437 438
		fatal("$OPSDBCONTROL setgroups $user failed!");
	}
439 440 441
    }
}

442 443 444
print "Group Update Completed!\n";
exit(0);

445
sub fatal($) {
446 447
    my($mesg) = $_[0];

448 449
    die("*** $0:\n".
	"    $mesg\n");
450
}