From 7bf6a597faf653358d83f6c8ca54843ffc43c782 Mon Sep 17 00:00:00 2001
From: Joe Rayhawk <jrayhawk@richardiv.omgwallhack.org>
Date: Mon, 27 Dec 2010 01:23:28 -0800
Subject: Bug: cgi gateway: new

---
 docs/issues/cgi_gateway.mdwn | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 docs/issues/cgi_gateway.mdwn

diff --git a/docs/issues/cgi_gateway.mdwn b/docs/issues/cgi_gateway.mdwn
new file mode 100644
index 0000000..3fe9abc
--- /dev/null
+++ b/docs/issues/cgi_gateway.mdwn
@@ -0,0 +1,27 @@
+* Status: [[!taglink open]]          <!-- Choose one:         open, closed -->
+* Assigned to: [[!taglink jblake]] <!-- Choose one or more: jrayhawk, jblake -->
+* Priority: [[!taglink now]]         <!-- Choose one:         now, soon, later -->
+* Opened by: jrayhawk
+
+### Discussion
+
+In order for CGIs to work with the current paradigm, we'd need some mechanism
+for Apache to execute the various pinyadmin scripts as the involved user. We can
+either do this using sudo, which would require a lot of overhead in making and
+maintaining sudoers rules, or using an suid binary that does exactly what we
+need.
+
+Requirements:
+
+* executable only by www-data
+* takes as arguments
+  * username
+  * pinyadmin command
+  * pinyadmin command arguments
+* exits if username's uid < 1000
+* exits if username violates piny username constraints (specifically git- and
+  ikiwiki- are not allowed)
+* executes with the appropriate uid/gid the specified pinyadmin command and the
+  specified arguments
+
+Obviously any input on this concept is desirable.
-- 
cgit v1.2.3


From 048f2894cc92fe7c6c2f2dabdb8c52d31f4f14d3 Mon Sep 17 00:00:00 2001
From: "jrayhawk+piny.be@omgwallhack.org" <jrayhawk@dev.piny.svcs.cs.pdx.edu>
Date: Mon, 27 Dec 2010 04:48:36 -0800
Subject: Allow username validation to succeed.

---
 pinyadmin/sbin/newuser | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pinyadmin/sbin/newuser b/pinyadmin/sbin/newuser
index c61cdec..ac3a51f 100755
--- a/pinyadmin/sbin/newuser
+++ b/pinyadmin/sbin/newuser
@@ -118,7 +118,7 @@ if ( scalar @ARGV == 3 and $ARGV[0] eq "--batch" ) {
 # don't need friendly error messages; whatever UI got us to this point *should*
 # have already caught these.
 exit 3 if ( not defined $email or $email eq "" );
-exit 3 if ( not defined $username eq "" );
+exit 3 if ( not defined $username or $username eq "" );
 exit 3 if ( $username =~ /^(git|ikiwiki)-/ );
 exit 3 if ( $username !~ /^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$/ );
 exit 3 if ( not defined $password or $password eq "" );
-- 
cgit v1.2.3


From db75ce911c66b38a70b16f50feeb5a3304e53343 Mon Sep 17 00:00:00 2001
From: "jrayhawk+piny.be@omgwallhack.org" <jrayhawk@dev.piny.svcs.cs.pdx.edu>
Date: Mon, 27 Dec 2010 04:53:19 -0800
Subject: Make failures for newuser more explicit.

---
 pinyadmin/sbin/newuser | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/pinyadmin/sbin/newuser b/pinyadmin/sbin/newuser
index ac3a51f..f2dabc3 100755
--- a/pinyadmin/sbin/newuser
+++ b/pinyadmin/sbin/newuser
@@ -114,14 +114,12 @@ if ( scalar @ARGV == 3 and $ARGV[0] eq "--batch" ) {
 };
 
 # All the correctness checks should be repeated here. There are multiple
-# pathways to get to this point, but only a single path from here on down. We
-# don't need friendly error messages; whatever UI got us to this point *should*
-# have already caught these.
-exit 3 if ( not defined $email or $email eq "" );
-exit 3 if ( not defined $username or $username eq "" );
-exit 3 if ( $username =~ /^(git|ikiwiki)-/ );
-exit 3 if ( $username !~ /^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$/ );
-exit 3 if ( not defined $password or $password eq "" );
+# pathways to get to this point, but only a single path from here on down.
+if ( not defined $email or $email eq "" )            { print "Email address is undefined!\n"; exit 3; };
+if ( not defined $username or $username eq "" )      { print "Username is undefined!\n"; exit 3; };
+if ( $username =~ /^(git|ikiwiki)-/ )                { print "Username must not begin with git- or ikiwiki-!\n"; exit 3; };
+if ( $username !~ /^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$/ ) { print "Usernames must consist only of letters, digits, underscores, periods, and dashes, and not start with a dash. Usernames are case sensitive.\n" };
+if ( not defined $password or $password eq "" )      { print "Password is undefined!\n"; exit 3; };
 
 # Here on down is the actual creation code.
 
-- 
cgit v1.2.3


From 340b56a463797d6a2acb597de210d6c82fac8c08 Mon Sep 17 00:00:00 2001
From: "jrayhawk+piny.be@omgwallhack.org" <jrayhawk@dev.piny.svcs.cs.pdx.edu>
Date: Mon, 27 Dec 2010 04:56:11 -0800
Subject: Add a tentative newuser cgi.

---
 pinyweb/cgi-bin/piny-newuser.cgi | 29 +++++++++++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/pinyweb/cgi-bin/piny-newuser.cgi b/pinyweb/cgi-bin/piny-newuser.cgi
index d10c6ba..64b6b0a 100644
--- a/pinyweb/cgi-bin/piny-newuser.cgi
+++ b/pinyweb/cgi-bin/piny-newuser.cgi
@@ -1,9 +1,34 @@
 #!/usr/bin/perl
+$| = 1;
 
 use warnings;
 
 use CGI;
 
-print 'Content-type: text/plain
+use IPC::Open2;
 
-hello'
+$q = CGI->new;
+
+print( "Content-type: text/plain
+
+"
+
+if( $q->param('n') && $q->param('a') && $q->param('p') ) {
+  # 03:57:44 omg/jrayhawk: system() lets me specify arguments as an array, and open() lets me work with stdout, but i would like something that does both
+  # 03:59:50 omg/jrayhawk: hahaha they recommend i open(, '-|') and then exec() in the child
+  # 03:59:55 omg/jrayhawk: fuck you, perl
+  $pid = open2( OUT, IN, '-' );
+  # make things flushier
+  select((select(IN), $| = 1)[0]);
+  select((select(OUT), $| = 1)[0]);
+  if( $pid ) {
+    print( IN $q->param('p') . "\n" );
+    while( <OUT> ) {
+      print;
+    };
+  } else {
+    exec( '/usr/bin/sudo', '/usr/sbin/newuser', '--batch', $q->param('a'), $q->param('n') ) || print 'could not execute newuser' && die;
+  };
+} else {
+  print 'Missing parameters.';
+};
-- 
cgit v1.2.3


From 3e9915449ee56f3b3c8106cb8b36ceb117d2d242 Mon Sep 17 00:00:00 2001
From: "jrayhawk+piny.be@omgwallhack.org" <jrayhawk@dev.piny.svcs.cs.pdx.edu>
Date: Mon, 27 Dec 2010 05:00:47 -0800
Subject: Cleaning up syntax in piny-newuser.cgi

---
 pinyweb/cgi-bin/piny-newuser.cgi | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/pinyweb/cgi-bin/piny-newuser.cgi b/pinyweb/cgi-bin/piny-newuser.cgi
index 64b6b0a..ad46296 100644
--- a/pinyweb/cgi-bin/piny-newuser.cgi
+++ b/pinyweb/cgi-bin/piny-newuser.cgi
@@ -9,9 +9,7 @@ use IPC::Open2;
 
 $q = CGI->new;
 
-print( "Content-type: text/plain
-
-"
+print( "Content-type: text/plain\n\n" );
 
 if( $q->param('n') && $q->param('a') && $q->param('p') ) {
   # 03:57:44 omg/jrayhawk: system() lets me specify arguments as an array, and open() lets me work with stdout, but i would like something that does both
-- 
cgit v1.2.3