3 # $Id: svc_acct.export,v 1.21 2001-07-30 06:07:46 ivan Exp $
5 # Create and export password files: passwd, passwd.adjunct, shadow,
6 # acp_passwd, acp_userinfo, acp_dialup, users
8 # ivan@voicenet.com late august/september 96
9 # (the password encryption bits were from melody)
11 # use a temporary copy of svc_acct to minimize lock time on the real file,
12 # and skip blank entries.
14 # ivan@voicenet.com 96-Oct-6
16 # change users / acp_dialup file formats
17 # ivan@voicenet.com 97-jan-28-31
19 # change priority (after copies) to 19, not 10
20 # ivan@voicenet.com 97-feb-5
22 # added exit if stuff is already locked 97-apr-15
24 # rewrite ivan@sisd.com 98-mar-9
26 # Changed 'password' to '_password' because Pg6.3 reserves this word
27 # Added code to create a FreeBSD style master.passwd file
28 # bmccane@maxbaud.net 98-Apr-3
30 # don't export non-root 0 UID's, even if they get put in the database
31 # ivan@sisd.com 98-jul-14
33 # Uses Idle_Timeout, Port_Limit, Framed_Netmask and Framed_Route if they
34 # exist; need some way to support arbitrary radius fields. also
35 # /var/spool/freeside/conf/ ivan@sisd.com 98-jul-26, aug-9
37 # OOPS! added arbitrary radius fields (pry 98-aug-16) but forgot to say so.
38 # ivan@sisd.com 98-sep-18
40 # $Log: svc_acct.export,v $
41 # Revision 1.21 2001-07-30 06:07:46 ivan
42 # allow !! for locked accounts instead of changing to *SUSPENDED*
44 # Revision 1.20 2001/06/20 08:33:42 ivan
45 # > Use of uninitialized value in concatenation (.) at svc_acct.export line
48 # Revision 1.19 2001/05/08 10:44:17 ivan
51 # Revision 1.18 2001/04/22 01:56:15 ivan
52 # get rid of FS::SSH.pm (became Net::SSH and Net::SCP on CPAN)
54 # Revision 1.17 2001/02/21 23:48:19 ivan
55 # add icradius_secrets config file to export to a non-Freeside MySQL database for
58 # Revision 1.16 2000/07/06 13:23:29 ivan
61 # Revision 1.15 2000/07/06 08:57:28 ivan
62 # support for radius check attributes (except importing). poorly documented.
64 # Revision 1.14 2000/06/29 15:01:25 ivan
65 # another silly typo in svc_acct.export
67 # Revision 1.13 2000/06/28 12:37:28 ivan
68 # add support for config option textradiusprepend
70 # Revision 1.12 2000/06/15 14:07:02 ivan
71 # added ICRADIUS radreply table support, courtesy of Kenny Elliott
73 # Revision 1.11 2000/03/06 16:00:39 ivan
74 # sync up with working version
76 # Revision 1.2 1998/12/10 07:23:15 ivan
77 # use FS::Conf, need user (for datasrc)
88 use FS::UID qw(adminsuidsetup datasrc dbh);
89 use FS::Record qw(qsearch fields);
# The single command-line argument is the Freeside user to run as
# (presumably consumed by the adminsuidsetup call on a line not shown).
92 my $user = shift or die &usage;
# Each export target class is optional: an absent config entry leaves the
# host list empty, so the corresponding deploy loop at the end is a no-op.
97 my @shellmachines = $conf->config('shellmachines')
98 if $conf->exists('shellmachines');
100 my @bsdshellmachines = $conf->config('bsdshellmachines')
101 if $conf->exists('bsdshellmachines');
103 my @nismachines = $conf->config('nismachines')
104 if $conf->exists('nismachines');
106 my @erpcdmachines = $conf->config('erpcdmachines')
107 if $conf->exists('erpcdmachines');
109 my @radiusmachines = $conf->config('radiusmachines')
110 if $conf->exists('radiusmachines');
# ICRADIUS export (RADIUS check/reply tables kept in a separate MySQL
# database): everything icradius-related is gated on this flag.
112 my $icradiusmachines = $conf->exists('icradiusmachines');
113 my @icradiusmachines = $conf->config('icradiusmachines') if $icradiusmachines;
# Where the dumped table files are picked up locally and where they are
# dropped on the remote MySQL host, with defaults.
114 my $icradius_mysqldest =
115 $conf->config('icradius_mysqldest') || "/usr/local/var/"
116 if $icradiusmachines;
117 my $icradius_mysqlsource =
118 $conf->config('icradius_mysqlsource') || "/usr/local/var/freeside"
119 if $icradiusmachines;
# icradius_secrets is handed to DBI->connect as a single connect string, so
# any credentials it carries live in that config file -- presumably; keep it
# owner-only.  The closing brace of this block is on a line not shown.
121 if ( $icradiusmachines && $conf->exists('icradius_secrets') ) {
122 $icradius_dbh = DBI->connect($conf->config('icradius_secrets'))
123 or die $DBI::errstr;;
128 my $textradiusprepend =
129 $conf->exists('textradiusprepend')
130 ? $conf->config('textradiusprepend')
# Alphabet for the two-character crypt(3) salt: 64 entries, indexed with
# int(rand(64)) below.  A salt only needs to be unpredictable enough to be
# unique, not secret, so perl's rand() is acceptable here; the commented-out
# srand reflects that perl >= 5.004 seeds it automatically.
133 my(@saltset)= ( 'a'..'z' , 'A'..'Z' , '0'..'9' , '.' , '/' );
134 require 5.004; #srand(time|$$);
# Per-datasource spool directory and lock file (datasrc comes from FS::UID).
# The paths are fixed apart from that suffix, so the two-arg opens below are
# not exposed to user-controlled mode characters.
136 my $spooldir = "/usr/local/etc/freeside/export.". datasrc;
137 my $spoollock = "/usr/local/etc/freeside/svc_acct.export.lock.". datasrc;
# The lock file is opened read/append so an existing file is never
# truncated; the holder's pid is written into it once the lock is held.
139 open(EXPORT,"+>>$spoollock") or die "Can't open $spoollock: $!";
140 select(EXPORT); $|=1; select(STDOUT);
# Non-blocking exclusive lock: a concurrent export exits immediately instead
# of queueing.  $pid is presumably read back from the lock file on the lines
# not shown between here and the die.
141 unless ( flock(EXPORT,LOCK_EX|LOCK_NB) ) {
145 #no reason to start lots of blocking processes
146 die "Is another export process running under pid $pid?\n";
# Record our own pid for that message (the unless block closes on a line
# not shown).
149 print EXPORT $$,"\n";
# Read every svc_acct row into memory once; all output below is generated
# from this snapshot.
151 my(@svc_acct)=qsearch('svc_acct',{});
# Output files: truncated on open, then exclusively locked (non-blocking, so
# a second writer fails rather than waits).  NOTE(review): the files are
# created under the process umask and only chmod'ed afterwards, leaving a
# window in which master.passwd / acp_passwd (and whatever else is in the
# 0600 list) can be readable by others unless the umask is already 077 --
# set umask 077 before these opens, or sysopen with an explicit mode.  Note
# too that truncation happens before the flock, so a failed lock still
# leaves an emptied file behind.
153 ( open(MASTER,">$spooldir/master.passwd")
154 and flock(MASTER,LOCK_EX|LOCK_NB)
155 ) or die "Can't open $spooldir/master.passwd: $!";
156 ( open(PASSWD,">$spooldir/passwd")
157 and flock(PASSWD,LOCK_EX|LOCK_NB)
158 ) or die "Can't open $spooldir/passwd: $!";
159 ( open(SHADOW,">$spooldir/shadow")
160 and flock(SHADOW,LOCK_EX|LOCK_NB)
161 ) or die "Can't open $spooldir/shadow: $!";
162 ( open(ACP_PASSWD,">$spooldir/acp_passwd")
163 and flock (ACP_PASSWD,LOCK_EX|LOCK_NB)
164 ) or die "Can't open $spooldir/acp_passwd: $!";
165 ( open (ACP_DIALUP,">$spooldir/acp_dialup")
166 and flock(ACP_DIALUP,LOCK_EX|LOCK_NB)
167 ) or die "Can't open $spooldir/acp_dialup: $!";
168 ( open (USERS,">$spooldir/users")
169 and flock(USERS,LOCK_EX|LOCK_NB)
170 ) or die "Can't open $spooldir/users: $!";
# World-readable only for files that carry no secrets (passwd holds the
# literal 'x' in the hash field); owner-only for files holding password
# hashes or cleartext.  The tail of both chmod lists is on lines not shown.
172 chmod 0644, "$spooldir/passwd",
173 "$spooldir/acp_dialup",
175 chmod 0600, "$spooldir/master.passwd",
176 "$spooldir/acp_passwd",
# Empty the remote RADIUS tables before they are re-populated per account in
# the loop below.  NOTE(review): these DELETEs and the later INSERTs are not
# inside a transaction, so if the export dies part-way the database is left
# empty or partial (RADIUS auth fails for the affected users) until the next
# successful run; wrapping delete+insert in a transaction, or loading staging
# tables and swapping them, would make this atomic.  The block's closing
# brace is on a line not shown.
181 if ( $icradiusmachines ) {
182 my $sth = $icradius_dbh->prepare("DELETE FROM radcheck");
183 $sth->execute or die "Can't reset radcheck table: ". $sth->errstr;
184 my $sth2 = $icradius_dbh->prepare("DELETE FROM radreply");
185 $sth2->execute or die "Can't reset radreply table: ". $sth2->errstr;
# One pass over the snapshot; every output file gets its entry for this
# account here.  No `my` on the loop variable: unless declared on an earlier
# line not shown, $svc_acct is a package global.
191 foreach $svc_acct (@svc_acct) {
# Classify the stored _password.  Traditional DES crypt(3) uses at most the
# first 8 characters of a password and always yields a 13-character hash, so
# a value of 8 characters or fewer that is not a lock marker ('*' or '!!')
# and not empty is taken to be cleartext: it is hashed here with a fresh
# random salt ($cpassword) and also kept in the clear ($rpassword) for the
# RADIUS users file.  Anything longer is assumed to already be a crypt hash
# and is copied through unchanged.
# NOTE(review): a cleartext password of 9 or more characters is therefore
# written verbatim into the hash field of master.passwd/shadow -- it will
# effectively never match a login, and the cleartext is shipped to every
# host -- and on that branch $rpassword stays undef (see the 2001-06-20 log
# entry above).  A stored hash should be recognised by its format, not by
# length.  The else branch is partly on lines not shown.
193 my($password)=$svc_acct->getfield('_password');
194 my($cpassword,$rpassword);
195 if ( ( length($password) <= 8 )
196 && ( $password ne '*' )
197 && ( $password ne '!!' )
198 && ( $password ne '' )
200 $cpassword=crypt($password,
201 $saltset[int(rand(64))].$saltset[int(rand(64))]
203 $rpassword=$password;
205 $cpassword=$password;
# Only purely numeric UIDs are exported.  A UID of 0 on anything other than
# 'root' aborts the whole run rather than silently pushing a second
# superuser to every host.
209 if ( $svc_acct->uid =~ /^(\d+)$/ ) {
211 die "Non-root user ". $svc_acct->username. " has 0 UID!"
212 if $svc_acct->uid == 0 && $svc_acct->username ne 'root';
# FreeBSD master.passwd: name:hash:uid:gid:class:change:expire:gecos:home:shell.
# The class field (between gid and change time) is on a line not shown;
# change/expire are fixed at 0 (never).  $svc_acct->finger lands in the
# gecos position.  Nothing here escapes field values, so a colon in any of
# them would corrupt the record.
215 # FORMAT OF FreeBSD MASTER PASSWD FILE HERE
216 print MASTER join(":",
217 $svc_acct->username, # User name
218 $cpassword, # Encrypted password
219 $svc_acct->uid, # User ID
220 $svc_acct->gid, # Group ID
222 "0", # Password Change Time
223 "0", # Password Expiration Time
224 $svc_acct->finger, # Users name (gecos)
225 $svc_acct->dir, # Users home directory
226 $svc_acct->shell, # shell
# System V style passwd: the hash field is the literal 'x', so the real hash
# appears only in the shadow file.  The remaining fields are on lines not
# shown.
230 # FORMAT OF THE PASSWD FILE HERE
231 print PASSWD join(":",
233 'x', # "##". $svc_acct->$username,
# shadow entry (carries $cpassword); its field list is on lines not shown.
242 # FORMAT OF THE SHADOW FILE HERE
243 print SHADOW join(":",
# Dial-up entries (Annex acp_* files and the RADIUS users file) are only
# emitted for accounts that have a slipip value.
257 if ( $svc_acct->slipip ne '' ) {
260 # FORMAT OF THE ACP_* FILES HERE
261 print ACP_PASSWD join(":",
# acp_dialup gets a static-address line unless the address is one of the
# sentinels '0.0.0.0' / '0e0' (presumably "assign dynamically").
271 my($ip)=$svc_acct->slipip;
273 unless ( $ip eq '0.0.0.0' || $svc_acct->slipip eq '0e0' ) {
274 print ACP_DIALUP $svc_acct->username, "\t*\t", $svc_acct->slipip, "\n";
# Check attributes are joined into a comma list for the first line of the
# users entry (the print that emits $radcheck is on a line not shown); reply
# attributes become the indented continuation lines.
277 my %radreply = $svc_acct->radius_reply;
278 my %radcheck = $svc_acct->radius_check;
280 my $radcheck = join ", ", map { qq($_ = "$radcheck{$_}") } keys %radcheck;
281 $radcheck .= ", " if $radcheck;
# NOTE(review): Password = "$rpassword" writes the cleartext password into
# the users file, and neither it nor the attribute values are escaped, so a
# value containing a double quote or newline breaks the file format for this
# and following entries.  $rpassword is undef for accounts whose _password
# was taken to be an existing hash (see the classification above), which
# yields Password = "".
284 # FORMAT OF THE USERS FILE HERE
287 qq(\t${textradiusprepend}),
289 qq(Password = "$rpassword"\n\t),
290 join ",\n\t", map { qq($_ = "$radreply{$_}") } keys %radreply;
# A static address is added as Framed-IP-Address (the older Framed-Address
# spelling is kept commented for reference); otherwise the entry just ends.
292 if ( $ip && $ip ne '0e0' ) {
293 #print USERS qq(,\n\tFramed-Address = "$ip"\n\n);
294 print USERS qq(,\n\tFramed-IP-Address = "$ip"\n\n);
296 print USERS qq(\n\n);
# The same data goes into the ICRADIUS tables.  Every value is passed through
# $icradius_dbh->quote, so the SQL built here is safe against quoting
# problems in usernames or attribute values; the id/UserName/Attribute values
# preceding each Value are on lines not shown.  The first INSERT stores the
# raw _password (hash or cleartext, whichever the database holds) under the
# check attribute named on an omitted line -- confirm what the RADIUS server
# expects there.
# NOTE(review): a statement is prepared per row and per attribute; preparing
# once with placeholders outside the loop would be cheaper and equally safe.
# Closing braces are on lines not shown.
301 if ( $icradiusmachines ) {
303 my $sth = $icradius_dbh->prepare(
304 "INSERT INTO radcheck ( id, UserName, Attribute, Value ) VALUES ( ".
305 join(", ", map { $icradius_dbh->quote( $_ ) } (
309 $svc_acct->_password,
312 $sth->execute or die "Can't insert into radcheck table: ". $sth->errstr;
# One radcheck row per additional check attribute.
314 foreach my $attribute ( keys %radcheck ) {
315 my $sth = $icradius_dbh->prepare(
316 "INSERT INTO radcheck ( id, UserName, Attribute, Value ) VALUES ( ".
317 join(", ", map { $icradius_dbh->quote( $_ ) } (
321 $radcheck{$attribute},
324 $sth->execute or die "Can't insert into radcheck table: ". $sth->errstr;
# One radreply row per reply attribute.
327 foreach my $attribute ( keys %radreply ) {
328 my $sth = $icradius_dbh->prepare(
329 "INSERT INTO radreply (id, UserName, Attribute, Value) VALUES ( ".
330 join(", ", map { $icradius_dbh->quote( $_ ) } (
334 $radreply{$attribute},
337 $sth->execute or die "Can't insert into radreply table: ". $sth->errstr;
# Release the per-file locks now that all entries are written.
# NOTE(review): no explicit close() of the output handles appears in this
# listing, so a short write (e.g. disk full) would not be detected before
# the files are shipped below; `close(FH) or die` on each handle would
# catch it.
346 flock(MASTER,LOCK_UN);
347 flock(PASSWD,LOCK_UN);
348 flock(SHADOW,LOCK_UN);
349 flock(ACP_DIALUP,LOCK_UN);
350 flock(ACP_PASSWD,LOCK_UN);
351 flock(USERS,LOCK_UN);
# Deploy as root over scp/ssh to each host class.  NOTE(review): nothing
# checks the generated files (non-empty, root entry present) before the
# remote mv replaces /etc/passwd and /etc/shadow, so an export that produced
# an empty or truncated file would lock every account on every shell host at
# once.  Each ssh() command string continues on lines not shown here.  On
# failure `$!` is printed, but a non-zero result from ssh() is an exit
# status, for which $! is usually stale -- `$?` is likely what was meant.
365 foreach $shellmachine (@shellmachines) {
366 my $scp = new Net::SCP;
367 $scp->scp("$spooldir/passwd","root\@$shellmachine:/etc/passwd.new")
368 or die "scp error: ". $scp->{errstr};
369 $scp->scp("$spooldir/shadow","root\@$shellmachine:/etc/shadow.new")
370 or die "scp error: ". $scp->{errstr};
371 ssh("root\@$shellmachine",
373 "mv /etc/passwd.new /etc/passwd; ".
374 "mv /etc/shadow.new /etc/shadow; ".
377 == 0 or die "ssh error: $!";
# BSD hosts receive master.passwd instead of shadow; rebuilding the password
# databases (pwd_mkdb) would have to happen in the omitted part of the
# command string.
380 my($bsdshellmachine);
381 foreach $bsdshellmachine (@bsdshellmachines) {
382 my $scp = new Net::SCP;
383 $scp->scp("$spooldir/passwd","root\@$bsdshellmachine:/etc/passwd.new")
384 or die "scp error: ". $scp->{errstr};
385 $scp->scp("$spooldir/master.passwd","root\@$bsdshellmachine:/etc/master.passwd.new")
386 or die "scp error: ". $scp->{errstr};
387 ssh("root\@$bsdshellmachine",
389 "mv /etc/passwd.new /etc/passwd; ".
390 "mv /etc/master.passwd.new /etc/master.passwd; ".
393 == 0 or die "ssh error: $!";
# NIS masters: the files are copied straight into /etc/global (no .new/mv
# step) and the maps are rebuilt.
397 foreach $nismachine (@nismachines) {
398 my $scp = new Net::SCP;
399 $scp->scp("$spooldir/passwd","root\@$nismachine:/etc/global/passwd")
400 or die "scp error: ". $scp->{errstr};
401 $scp->scp("$spooldir/shadow","root\@$nismachine:/etc/global/shadow")
402 or die "scp error: ". $scp->{errstr};
403 ssh("root\@$nismachine",
405 "cd /var/yp; make; ".
408 == 0 or die "ssh error: $!";
# Annex erpcd: copy both acp files, then signal erpcd to reload them.
412 foreach $erpcdmachine (@erpcdmachines) {
413 my $scp = new Net::SCP;
414 $scp->scp("$spooldir/acp_passwd","root\@$erpcdmachine:/usr/annex/acp_passwd")
415 or die "scp error: ". $scp->{errstr};
416 $scp->scp("$spooldir/acp_dialup","root\@$erpcdmachine:/usr/annex/acp_dialup")
417 or die "scp error: ". $scp->{errstr};
418 ssh("root\@$erpcdmachine",
420 "kill -USR1 \`cat /usr/annex/erpcd.pid\'".
423 == 0 or die "ssh error: $!";
# RADIUS servers: install the users file; the reload command is on lines not
# shown.
427 foreach $radiusmachine (@radiusmachines) {
428 my $scp = new Net::SCP;
429 $scp->scp("$spooldir/users","root\@$radiusmachine:/etc/raddb/users")
430 or die "scp error: ". $scp->{errstr};
431 ssh("root\@$radiusmachine",
436 == 0 or die "ssh error: $!";
# ICRADIUS targets: each config line is "host db user pass" split on
# whitespace.  NOTE(review): the mysql command line is built by
# interpolation and started with a one-string pipe open, i.e. through
# /bin/sh, so a config value containing shell metacharacters would be
# executed; list-form open (open WRITER, '|-', 'ssh', "root\@$machine",
# 'mysql', ...) would avoid the shell, and the open's return value is not
# checked.  The password is written to the client's stdin rather than put on
# the command line, which keeps it out of `ps`; whether mysql -p actually
# reads it from a pipe is not verified here.  The inner `my $user` shadows
# the script's $user for the duration of the loop.  After LOCK TABLES the
# local radcheck.*/radreply.* files are copied straight into the remote
# MySQL data directory, which assumes a storage engine whose table files can
# be replaced under a running server (presumably MyISAM); the UNLOCK and the
# close of WRITER are on lines not shown.
439 foreach my $icradiusmachine ( @icradiusmachines ) {
440 my( $machine, $db, $user, $pass ) = split(/\s+/, $icradiusmachine);
441 chdir $icradius_mysqlsource or die "Can't cd $icradius_mysqlsource: $!";
442 open(WRITER,"|ssh root\@$machine mysql -v --user=$user -p $db");
443 my $oldfh = select WRITER; $|=1; select $oldfh;
444 print WRITER "$pass\n";
446 print WRITER "LOCK TABLES radcheck WRITE, radreply WRITE;\n";
447 foreach my $file ( glob("radcheck.*") ) {
448 my $scp = new Net::SCP;
449 $scp->scp($file,"root\@$machine:$icradius_mysqldest/$db/$file")
450 or die "scp error: ". $scp->{errstr};
452 foreach my $file ( glob("radreply.*") ) {
453 my $scp = new Net::SCP;
454 $scp->scp($file,"root\@$machine:$icradius_mysqldest/$db/$file")
455 or die "scp error: ". $scp->{errstr};
# Release the export lock once every target has been updated.
461 flock(EXPORT,LOCK_UN);
467 die "Usage:\n\n svc_acct.export user\n";