diff options
Diffstat (limited to 'bin/svc_acct.export')
-rwxr-xr-x | bin/svc_acct.export | 458 |
1 files changed, 458 insertions, 0 deletions
diff --git a/bin/svc_acct.export b/bin/svc_acct.export new file mode 100755 index 000000000..1c3ffa243 --- /dev/null +++ b/bin/svc_acct.export @@ -0,0 +1,458 @@ +#!/usr/bin/perl -w +# +# $Id: svc_acct.export,v 1.19 2001-05-08 10:44:17 ivan Exp $ +# +# Create and export password files: passwd, passwd.adjunct, shadow, +# acp_passwd, acp_userinfo, acp_dialup, users +# +# ivan@voicenet.com late august/september 96 +# (the password encryption bits were from melody) +# +# use a temporary copy of svc_acct to minimize lock time on the real file, +# and skip blank entries. +# +# ivan@voicenet.com 96-Oct-6 +# +# change users / acp_dialup file formats +# ivan@voicenet.com 97-jan-28-31 +# +# change priority (after copies) to 19, not 10 +# ivan@voicenet.com 97-feb-5 +# +# added exit if stuff is already locked 97-apr-15 +# +# rewrite ivan@sisd.com 98-mar-9 +# +# Changed 'password' to '_password' because Pg6.3 reserves this word +# Added code to create a FreeBSD style master.passwd file +# bmccane@maxbaud.net 98-Apr-3 +# +# don't export non-root 0 UID's, even if they get put in the database +# ivan@sisd.com 98-jul-14 +# +# Uses Idle_Timeout, Port_Limit, Framed_Netmask and Framed_Route if they +# exist; need some way to support arbitrary radius fields. also +# /var/spool/freeside/conf/ ivan@sisd.com 98-jul-26, aug-9 +# +# OOPS! added arbitrary radius fields (pry 98-aug-16) but forgot to say so. +# ivan@sisd.com 98-sep-18 +# +# $Log: svc_acct.export,v $ +# Revision 1.19 2001-05-08 10:44:17 ivan +# fix for OO Net::SCP +# +# Revision 1.18 2001/04/22 01:56:15 ivan +# get rid of FS::SSH.pm (became Net::SSH and Net::SCP on CPAN) +# +# Revision 1.17 2001/02/21 23:48:19 ivan +# add icradius_secrets config file to export to a non-Freeside MySQL database for +# ICRADIUS +# +# Revision 1.16 2000/07/06 13:23:29 ivan +# tyop +# +# Revision 1.15 2000/07/06 08:57:28 ivan +# support for radius check attributes (except importing). poorly documented. +# +# Revision 1.14 2000/06/29 15:01:25 ivan +# another silly typo in svc_acct.export +# +# Revision 1.13 2000/06/28 12:37:28 ivan +# add support for config option textradiusprepend +# +# Revision 1.12 2000/06/15 14:07:02 ivan +# added ICRADIUS radreply table support, courtesy of Kenny Elliott +# +# Revision 1.11 2000/03/06 16:00:39 ivan +# sync up with working versoin +# +# Revision 1.2 1998/12/10 07:23:15 ivan +# use FS::Conf, need user (for datasrc) +# + +use strict; +use vars qw($conf); +use Fcntl qw(:flock); +use IO::Handle; +use DBI; +use FS::Conf; +use Net::SSH qw(ssh); +use Net::SCP qw(scp); +use FS::UID qw(adminsuidsetup datasrc dbh); +use FS::Record qw(qsearch fields); +use FS::svc_acct; + +my $user = shift or die &usage; +adminsuidsetup $user; + +$conf = new FS::Conf; + +my @shellmachines = $conf->config('shellmachines') + if $conf->exists('shellmachines'); + +my @bsdshellmachines = $conf->config('bsdshellmachines') + if $conf->exists('bsdshellmachines'); + +my @nismachines = $conf->config('nismachines') + if $conf->exists('nismachines'); + +my @erpcdmachines = $conf->config('erpcdmachines') + if $conf->exists('erpcdmachines'); + +my @radiusmachines = $conf->config('radiusmachines') + if $conf->exists('radiusmachines'); + +my $icradiusmachines = $conf->exists('icradiusmachines'); +my @icradiusmachines = $conf->config('icradiusmachines') if $icradiusmachines; +my $icradius_mysqldest = + $conf->config('icradius_mysqldest') || "/usr/local/var/" + if $icradiusmachines; +my $icradius_mysqlsource = + $conf->config('icradius_mysqlsource') || "/usr/local/var/freeside" + if $icradiusmachines; +my $icradius_dbh; +if ( $icradiusmachines && $conf->exists('icradius_secrets') ) { + $icradius_dbh = DBI->connect($conf->config('icradius_secrets')) + or die $DBI::errstr;; +} else { + $icradius_dbh = dbh; +} + +my $textradiusprepend = $conf->config('textradiusprepend'); + +my(@saltset)= ( 'a'..'z' , 'A'..'Z' , '0'..'9' , '.' , '/' ); +require 5.004; #srand(time|$$); + +my $spooldir = "/usr/local/etc/freeside/export.". datasrc; +my $spoollock = "/usr/local/etc/freeside/svc_acct.export.lock.". datasrc; + +open(EXPORT,"+>>$spoollock") or die "Can't open $spoollock: $!"; +select(EXPORT); $|=1; select(STDOUT); +unless ( flock(EXPORT,LOCK_EX|LOCK_NB) ) { + seek(EXPORT,0,0); + my($pid)=<EXPORT>; + chop($pid); + #no reason to start loct of blocking processes + die "Is another export process running under pid $pid?\n"; +} +seek(EXPORT,0,0); +print EXPORT $$,"\n"; + +my(@svc_acct)=qsearch('svc_acct',{}); + +( open(MASTER,">$spooldir/master.passwd") + and flock(MASTER,LOCK_EX|LOCK_NB) +) or die "Can't open $spooldir/master.passwd: $!"; +( open(PASSWD,">$spooldir/passwd") + and flock(PASSWD,LOCK_EX|LOCK_NB) +) or die "Can't open $spooldir/passwd: $!"; +( open(SHADOW,">$spooldir/shadow") + and flock(SHADOW,LOCK_EX|LOCK_NB) +) or die "Can't open $spooldir/shadow: $!"; +( open(ACP_PASSWD,">$spooldir/acp_passwd") + and flock (ACP_PASSWD,LOCK_EX|LOCK_NB) +) or die "Can't open $spooldir/acp_passwd: $!"; +( open (ACP_DIALUP,">$spooldir/acp_dialup") + and flock(ACP_DIALUP,LOCK_EX|LOCK_NB) +) or die "Can't open $spooldir/acp_dialup: $!"; +( open (USERS,">$spooldir/users") + and flock(USERS,LOCK_EX|LOCK_NB) +) or die "Can't open $spooldir/users: $!"; + +chmod 0644, "$spooldir/passwd", + "$spooldir/acp_dialup", +; +chmod 0600, "$spooldir/master.passwd", + "$spooldir/acp_passwd", + "$spooldir/shadow", + "$spooldir/users", +; + +if ( $icradiusmachines ) { + my $sth = $icradius_dbh->prepare("DELETE FROM radcheck"); + $sth->execute or die "Can't reset radcheck table: ". $sth->errstr; + my $sth2 = $icradius_dbh->prepare("DELETE FROM radreply"); + $sth2->execute or die "Can't reset radreply table: ". $sth2->errstr; +} + +setpriority(0,0,10); + +my($svc_acct); +foreach $svc_acct (@svc_acct) { + + my($password)=$svc_acct->getfield('_password'); + my($cpassword,$rpassword); + if ( ( length($password) <= 8 ) + && ( $password ne '*' ) + && ( $password ne '' ) + ) { + $cpassword=crypt($password, + $saltset[int(rand(64))].$saltset[int(rand(64))] + ); + $rpassword=$password; + } else { + $cpassword=$password; + $rpassword='UNIX'; + } + + if ( $svc_acct->uid =~ /^(\d+)$/ ) { + + die "Non-root user ". $svc_acct->username. " has 0 UID!" + if $svc_acct->uid == 0 && $svc_acct->username ne 'root'; + + ### + # FORMAT OF FreeBSD MASTER PASSWD FILE HERE + print MASTER join(":", + $svc_acct->username, # User name + $cpassword, # Encrypted password + $svc_acct->uid, # User ID + $svc_acct->gid, # Group ID + "", # Login Class + "0", # Password Change Time + "0", # Password Expiration Time + $svc_acct->finger, # Users name + $svc_acct->dir, # Users home directory + $svc_acct->shell, # shell + ), "\n" ; + + ### + # FORMAT OF THE PASSWD FILE HERE + print PASSWD join(":", + $svc_acct->username, + 'x', # "##". $svc_acct->$username, + $svc_acct->uid, + $svc_acct->gid, + $svc_acct->finger, + $svc_acct->dir, + $svc_acct->shell, + ), "\n"; + + ### + # FORMAT OF THE SHADOW FILE HERE + print SHADOW join(":", + $svc_acct->username, + $cpassword, + '', + '', + '', + '', + '', + '', + '', + ), "\n"; + + } + + if ( $svc_acct->slipip ne '' ) { + + ### + # FORMAT OF THE ACP_* FILES HERE + print ACP_PASSWD join(":", + $svc_acct->username, + $cpassword, + "0", + "0", + "", + "", + "", + ), "\n"; + + my($ip)=$svc_acct->slipip; + + unless ( $ip eq '0.0.0.0' || $svc_acct->slipip eq '0e0' ) { + print ACP_DIALUP $svc_acct->username, "\t*\t", $svc_acct->slipip, "\n"; + } + + my %radreply = $svc_acct->radius_reply; + my %radcheck = $svc_acct->radius_check; + + my $radcheck = join ", ", map { qq($_ = "$radcheck{$_}") } keys %radcheck; + $radcheck .= ", " if $radcheck; + + ### + # FORMAT OF THE USERS FILE HERE + print USERS + $svc_acct->username, + qq(\t${textradiusprepend}), + $radcheck, + qq(Password = "$rpassword"\n\t), + join ",\n\t", map { qq($_ = "$radreply{$_}") } keys %radreply; + + if ( $ip && $ip ne '0e0' ) { + #print USERS qq(,\n\tFramed-Address = "$ip"\n\n); + print USERS qq(,\n\tFramed-IP-Address = "$ip"\n\n); + } else { + print USERS qq(\n\n); + } + + ### + # ICRADIUS export + if ( $icradiusmachines ) { + + my $sth = $icradius_dbh->prepare( + "INSERT INTO radcheck ( id, UserName, Attribute, Value ) VALUES ( ". + join(", ", map { $icradius_dbh->quote( $_ ) } ( + '', + $svc_acct->username, + "Password", + $svc_acct->_password, + ) ). " )" + ); + $sth->execute or die "Can't insert into radcheck table: ". $sth->errstr; + + foreach my $attribute ( keys %radcheck ) { + my $sth = $icradius_dbh->prepare( + "INSERT INTO radcheck ( id, UserName, Attribute, Value ) VALUES ( ". + join(", ", map { $icradius_dbh->quote( $_ ) } ( + '', + $svc_acct->username, + $attribute, + $radcheck{$attribute}, + ) ). " )" + ); + $sth->execute or die "Can't insert into radcheck table: ". $sth->errstr; + } + + foreach my $attribute ( keys %radreply ) { + my $sth = $icradius_dbh->prepare( + "INSERT INTO radreply (id, UserName, Attribute, Value) VALUES ( ". + join(", ", map { $icradius_dbh->quote( $_ ) } ( + '', + $svc_acct->username, + $attribute, + $radreply{$attribute}, + ) ). " )" + ); + $sth->execute or die "Can't insert into radreply table: ". $sth->errstr; + } + + } + + } + +} + +flock(MASTER,LOCK_UN); +flock(PASSWD,LOCK_UN); +flock(SHADOW,LOCK_UN); +flock(ACP_DIALUP,LOCK_UN); +flock(ACP_PASSWD,LOCK_UN); +flock(USERS,LOCK_UN); + +close MASTER; +close PASSWD; +close SHADOW; +close ACP_DIALUP; +close ACP_PASSWD; +close USERS; + +### +# export stuff +# + +my($shellmachine); +foreach $shellmachine (@shellmachines) { + my $scp = new Net::SCP; + $scp->scp("$spooldir/passwd","root\@$shellmachine:/etc/passwd.new") + or die "scp error: ". $scp->{errstr}; + $scp->scp("$spooldir/shadow","root\@$shellmachine:/etc/shadow.new") + or die "scp error: ". $scp->{errstr}; + ssh("root\@$shellmachine", + "( ". + "mv /etc/passwd.new /etc/passwd; ". + "mv /etc/shadow.new /etc/shadow; ". + " )" + ) + == 0 or die "ssh error: $!"; +} + +my($bsdshellmachine); +foreach $bsdshellmachine (@bsdshellmachines) { + my $scp = new Net::SCP; + $scp->scp("$spooldir/passwd","root\@$bsdshellmachine:/etc/passwd.new") + or die "scp error: ". $scp->{errstr}; + $scp->scp("$spooldir/master.passwd","root\@$bsdshellmachine:/etc/master.passwd.new") + or die "scp error: ". $scp->{errstr}; + ssh("root\@$bsdshellmachine", + "( ". + "mv /etc/passwd.new /etc/passwd; ". + "mv /etc/master.passwd.new /etc/master.passwd; ". + " )" + ) + == 0 or die "ssh error: $!"; +} + +my($nismachine); +foreach $nismachine (@nismachines) { + my $scp = new Net::SCP; + $scp->scp("$spooldir/passwd","root\@$nismachine:/etc/global/passwd") + or die "scp error: ". $scp->{errstr}; + $scp->scp("$spooldir/shadow","root\@$nismachine:/etc/global/shadow") + or die "scp error: ". $scp->{errstr}; + ssh("root\@$nismachine", + "( ". + "cd /var/yp; make; ". + " )" + ) + == 0 or die "ssh error: $!"; +} + +my($erpcdmachine); +foreach $erpcdmachine (@erpcdmachines) { + my $scp = new Net::SCP; + $scp->scp("$spooldir/acp_passwd","root\@$erpcdmachine:/usr/annex/acp_passwd") + or die "scp error: ". $scp->{errstr}; + $scp->scp("$spooldir/acp_dialup","root\@$erpcdmachine:/usr/annex/acp_dialup") + or die "scp error: ". $scp->{errstr}; + ssh("root\@$erpcdmachine", + "( ". + "kill -USR1 \`cat /usr/annex/erpcd.pid\'". + " )" + ) + == 0 or die "ssh error: $!"; +} + +my($radiusmachine); +foreach $radiusmachine (@radiusmachines) { + my $scp = new Net::SCP; + $scp->scp("$spooldir/users","root\@$radiusmachine:/etc/raddb/users") + or die "scp error: ". $scp->{errstr}; + ssh("root\@$radiusmachine", + "( ". + "builddbm". + " )" + ) + == 0 or die "ssh error: $!"; +} + +foreach my $icradiusmachine ( @icradiusmachines ) { + my( $machine, $db, $user, $pass ) = split(/\s+/, $icradiusmachine); + chdir $icradius_mysqlsource or die "Can't cd $icradius_mysqlsource: $!"; + open(WRITER,"|ssh root\@$machine mysql -v --user=$user -p $db"); + my $oldfh = select WRITER; $|=1; select $oldfh; + print WRITER "$pass\n"; + sleep 2; + print WRITER "LOCK TABLES radcheck WRITE, radreply WRITE;\n"; + foreach my $file ( glob("radcheck.*") ) { + my $scp = new Net::SCP; + $scp->scp($file,"root\@$machine:$icradius_mysqldest/$db/$file") + or die "scp error: ". $scp->{errstr}; + } + foreach my $file ( glob("radreply.*") ) { + my $scp = new Net::SCP; + $scp->scp($file,"root\@$machine:$icradius_mysqldest/$db/$file") + or die "scp error: ". $scp->{errstr}; + } + close WRITER; +} + +unlink $spoollock; +flock(EXPORT,LOCK_UN); +close EXPORT; + +# + +sub usage { + die "Usage:\n\n svc_acct.export user\n"; +} + |