File:  [LON-CAPA] / loncom / apachereload
Fri Jan 27 21:21:05 2006 UTC (18 years, 2 months ago) by albertel
Branches: MAIN
CVS tags: HEAD
- taint issue with the perlvar

    1: #!/usr/bin/perl
    2: # The Learning Online Network with CAPA
    3: #
    4: # apachereload - setuid script that reloads the apache daemon.
    5: #
    6: # $Id: apachereload,v 1.5 2006/01/27 21:21:05 albertel Exp $
    7: #
    8: # Copyright Michigan State University Board of Trustees
    9: #
   10: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
   11: #
   12: # LON-CAPA is free software; you can redistribute it and/or modify
   13: # it under the terms of the GNU General Public License as published by
   14: # the Free Software Foundation; either version 2 of the License, or 
   15: # (at your option) any later version.
   16: #
   17: # LON-CAPA is distributed in the hope that it will be useful,
   18: # but WITHOUT ANY WARRANTY; without even the implied warranty of
   19: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   20: # GNU General Public License for more details.
   21: #
   22: # You should have received a copy of the GNU General Public License
   23: # along with LON-CAPA; if not, write to the Free Software
   24: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
   25: #
   26: # /home/httpd/html/adm/gpl.txt
   27: #
   28: # http://www.lon-capa.org/
   29: #
   30: 
   31: 
   32: use strict;
   33: #
   34: #  This script is a setuid script that must be run as user www.
   35: #  It effectively just executes /etc/init.d/httpd reload,
   36: #  causing the apache daemon to get HUP'd.  The script is
   37: #  run by lond after re-initing its host information.
   38: 
   39: $ENV{'PATH'}='/bin:/usr/bin:/usr/local/sbin:/home/httpd/perl'; # Nullify path
   40:                                                                # information
   41: delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; # nullify potential taints
   42: 
   43: my $command = "/etc/init.d/httpd reload";
   44: 
   45: use lib '/home/httpd/lib/perl/';
   46: use LONCAPA::Configuration;
   47: my %perlvar= %{&LONCAPA::Configuration::read_conf('loncapa.conf')};
   48: 
   49: my $execdir = ($perlvar{'lonDaemons'} =~/(.*)/);
   50: my $dist=`$execdir/distprobe`;
   51: if ($dist =~ /^(suse|sles)/) {
   52:     $command = "/etc/init.d/apache reload";
   53: }
   54: # Do not print error messages
   55: my $noprint=1;
   56: 
   57: print "In apachereload" unless $noprint;
   58: 
   59: # ----------------------------- Make sure this process is running from user=www
   60: my $wwwid=getpwnam('www');
   61: &disable_root_capability;
   62: if ($wwwid!=$>) {
   63:     print("User ID mismatch.  This program must be run as user 'www'\n")
   64: 	unless $noprint;
   65:     exit 1;
   66: }
   67: 
   68: # ----------------------------------- Start running script with www permissions
   69: &disable_root_capability;
   70: 
   71: # --------------------------- Handle case of another apachereload process (locking)
   72: unless (&try_to_lock('/tmp/lock_apachereload')) {
   73:     print "Error. Too many other simultaneous password change requests being ".
   74: 	"made.\n" unless $noprint;
   75:     exit 4;
   76: }
   77: 
   78: 
   79: &enable_root_capability;
   80: ($>,$<)=(0,0);
   81: 
   82: 
   83: #  Now run the reload:
   84: #
   85: 
   86: system($command);
   87: 
   88: #  Remove the lock file.
   89: 
   90: 
   91: 
   92: &disable_root_capability;
   93: unlink('/tmp/lock_apachereload');
   94: exit 0;
   95: 
   96: # ---------------------------------------------- have setuid script run as root
# Switch the process to effective UID/GID 0.
#
# Acts only when the effective UID ($>) equals the file-scoped $wwwid:
# the real UID ($<) takes the current effective UID and the effective UID
# becomes 0, then the same is done for the real ($() and effective ($))
# group IDs.  Takes no arguments.
#
# Returns the effective UID after the attempt.  The call site in this file
# does not check it.
# NOTE(review): whether the switch succeeds depends on the process actually
# holding setuid-root privilege -- callers that rely on it should compare the
# return value with 0.
sub enable_root_capability {
    if ($wwwid==$>) {
	# Each pair is assigned in one list assignment; keep it that way
	# rather than splitting it into separate statements.
	($<,$>)=($>,0);
	($(,$))=($),0);
    }
    else {
	# root capability is already enabled
    }
    return $>;
}
  107: 
  108: # ----------------------------------------------- have setuid script run as www
# Swap real and effective IDs so the process runs as www.
#
# Acts only when the real UID ($<) equals the file-scoped $wwwid: real and
# effective UID are exchanged, then real ($() and effective ($)) GID are
# exchanged.  In every other case the IDs are left untouched.  Takes no
# arguments and has no explicit return value.
#
# NOTE(review): once the main script has set both $< and $> to 0, the
# condition below is false, so a later call does not drop privileges.
sub disable_root_capability {
    if ($wwwid==$<) {
	# Exchange real and effective IDs in a single list assignment each.
	($<,$>)=($>,$<);
	($(,$))=($),$();
    }
    else {
	# root capability is already disabled
    }
}
  118: 
  119: # ----------------------- make sure that another apachereload process isn't running
  120: sub try_to_lock {
  121:     my ($lockfile)=@_;
  122:     my $currentpid;
  123:     my $lastpid;
  124:     # Do not manipulate lock file as root
  125:     if ($>==0) {
  126: 	return 0;
  127:     }
  128:     # Try to generate lock file.
  129:     # Wait 3 seconds.  If same process id is in
  130:     # lock file, then assume lock file is stale, and
  131:     # go ahead.  If process id's fluctuate, try
  132:     # for a maximum of 10 times.
  133:     for (0..10) {
  134: 	if (-e $lockfile) {
  135: 	    open(LOCK,"<$lockfile");
  136: 	    $currentpid=<LOCK>;
  137: 	    close LOCK;
  138: 	    if ($currentpid==$lastpid) {
  139: 		last;
  140: 	    }
  141: 	    sleep 3;
  142: 	    $lastpid=$currentpid;
  143: 	}
  144: 	else {
  145: 	    last;
  146: 	}
  147: 	if ($_==10) {
  148: 	    return 0;
  149: 	}
  150:     }
  151:     open(LOCK,">$lockfile");
  152:     print LOCK $$;
  153:     close LOCK;
  154:     return 1;
  155: }
  156: 
  157: =head1 NAME
  158: 
  159: apachereload - setuid script to reload the apache web server.
  160: 
  161: =head1 DESCRIPTION
  162: 
  163: LON-CAPA - setuid script to reload the apache web server.
  164: 
  165: =head1 README
  166: 
  167: LON-CAPA  setuid script to reload the apache web server.
  168: 
  169: =head1 PREREQUISITES
  170: 
  171: =head1 COREQUISITES
  172: 
  173: =pod OSNAMES
  174: 
  175: linux
  176: 
  177: =pod SCRIPT CATEGORIES
  178: 
  179: LONCAPA/Administrative
  180: 
  181: =cut
