Annotation of loncom/lciptables, revision 1.7

1.1       raeburn     1: #!/usr/bin/perl
                      2: #
                      3: # The Learning Online Network with CAPA
                      4: #
1.7     ! raeburn     5: # $Id: lciptables,v 1.6 2011/05/14 23:38:07 raeburn Exp $
1.1       raeburn     6: #
                      7: # Copyright Michigan State University Board of Trustees
                      8: #
                      9: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
                     10: #
                     11: # LON-CAPA is free software; you can redistribute it and/or modify
                     12: # it under the terms of the GNU General Public License as published by
                     13: # the Free Software Foundation; either version 2 of the License, or
                     14: # (at your option) any later version.
                     15: #
                     16: # LON-CAPA is distributed in the hope that it will be useful,
                     17: # but WITHOUT ANY WARRANTY; without even the implied warranty of
                     18: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
                     19: # GNU General Public License for more details.
                     20: #
                     21: # You should have received a copy of the GNU General Public License
                     22: # along with LON-CAPA; if not, write to the Free Software
                     23: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
                     24: #
                     25: # /home/httpd/html/adm/gpl.txt
                     26: #
                     27: # http://www.lon-capa.org/
                     28: #
#  lciptables - LON-CAPA setuid script to:
                     30: #              o use iptables commands to update Firewall rules for current
                     31: #                list of IPs for LON-CAPA hosts in server's cluster.
                     32: #
                     33: 
                     34: use strict;
                     35: use lib '/home/httpd/lib/perl/';
                     36: use LONCAPA::Firewall;
                     37: 
                     38: # ------------------------------------------------------------------ Exit codes
                     39: # Exit codes.
                     40: # ( (0,"ok"),
                     41: # (1,"User ID mismatch.  This program must be run as user 'www'"),
                     42: # (2,"Missing argument: Usage: this script takes one argument - ".
                     43: # " the name of a file in /home/httpd/perl/tmp containing IP addresses."),
# (3,"Missing IP addresses file. The file containing IP addresses is missing
#     or unreadable; also used when the lond port is invalid or no path to
#     iptables can be determined."),
# (4,"Error. Only one lciptables script can run at any time."
#     -- listed for completeness; this script does not currently emit 4),
                     46: #
                     47: # ------------------------------------------------------------- Initializations
                     48: # Security
                     49: $ENV{'PATH'}='/bin/:/usr/bin:/usr/local/sbin:/home/httpd/perl'; # Nullify path
                     50:                                                                 # information
                     51: delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; # nullify potential taints
                     52: 
                     53: # Do not print error messages.
                     54: my $noprint=1;
                     55: 
                     56: print "In lciptables\n" unless $noprint;
                     57: 
                     58: # ----------------------------- Make sure this process is running from user=www
                     59: my $wwwid=getpwnam('www');
1.3       foxr       60: 
                     61: if ($wwwid!=$<) {
1.1       raeburn    62:     print("User ID mismatch.  This program must be run as user 'www'\n")
                     63:         unless $noprint;
                     64:     &Exit(1);
                     65: }
                     66: 
# ----------------------------------- Retrieve IP addresses for hosts in cluster
1.3       foxr       68: 
1.1       raeburn    69: 
                     70: my %iphost;
                     71: if (@ARGV != 1) {
                     72:     print("Error. this script takes one argument - the name of a file in /home/httpd/perl/tmp containing IP addresses.\n") unless $noprint;
                     73:     &Exit(2);
                     74: }
                     75: my $tmpfile = $ARGV[0];
                     76: if (-e $tmpfile) {
                     77:     if (open(my $fh,"<$tmpfile")) {
                     78:         while(<$fh>) {
                     79:             chomp();
                     80:             $iphost{$_} = 1;
                     81:         }
                     82:         close($fh);
                     83:     } else {
                     84:        &Exit(3);  
                     85:     }
                     86: } else {
                     87:     print "Error. File containing IP addresses of hosts in cluster does not exist\n" unless $noprint;
                     88:     &Exit(3);
                     89: }
                     90: 
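# ------------------------------------------- Determine lond port and iptables
# lond's port is used in firewall rules, so it must be a plain decimal
# number in the valid TCP port range.  Any other value is refused with the
# same exit status as a missing address file.
my $lond_port = &LONCAPA::Firewall::get_lond_port();
unless (defined($lond_port) && ($lond_port =~ /\A\d+\z/)
        && ($lond_port >= 1) && ($lond_port <= 65535)) {
    print "Error. Invalid lond port\n" unless $noprint;
    &Exit(3);
}
my $iptables = &LONCAPA::Firewall::get_pathto_iptables();
unless (defined($iptables) && ($iptables ne '')) {
    print "Error. No path to iptables\n" unless $noprint;
    &Exit(3);
}

my $firewalld = &LONCAPA::Firewall::uses_firewalld();

# ------------------------------------------------- Update the firewall rules
&EnableRoot();
my @fw_chains = &LONCAPA::Firewall::get_fw_chains();
# With firewalld the real uid is raised to 0 as well (presumably because
# the firewalld tooling checks the real rather than the effective uid --
# TODO confirm); it is put back to www as soon as both helper calls return.
if ($firewalld) {
    $< = 0;
}
# firewall_close_port runs before firewall_open_port; both receive the same
# chain list, port and address set.  The variables are named after the call
# that produced them (the original $opened/$closed were the wrong way round).
my $close_result =
    &LONCAPA::Firewall::firewall_close_port($iptables,\@fw_chains,$lond_port,\%iphost,[$lond_port]);
my $open_result =
    &LONCAPA::Firewall::firewall_open_port($iptables,\@fw_chains,$lond_port,\%iphost,[$lond_port]);
if ($firewalld) {
    $< = $wwwid;
}
&DisableRoot();

# -------------------------------------------------------- Exit script
# The helpers' return values are the only normal output of this script,
# printed in the order the calls were made (close first, then open).
if ($close_result) {
    print "$close_result\n";
}
if ($open_result) {
    print "$open_result\n";
}
print "lciptables Exiting\n" unless $noprint;
&Exit(0);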
                    128: 
                    129: sub EnableRoot {
                    130:     if ($wwwid==$>) {
                    131:         ($<,$>)=($>,$<);
                    132:         ($(,$))=($),$();
                    133:     }
                    134:     else {
                    135:         # root capability is already enabled
                    136:     }
                    137:     return $>;
                    138: }
                    139: 
                    140: sub DisableRoot {
                    141:     if ($wwwid==$<) {
                    142:         ($<,$>)=($>,$<);
                    143:         ($(,$))=($),$();
                    144:     }
                    145:     else {
                    146:         # root capability is already disabled
                    147:     }
                    148: }
                    149: 
                    150: sub Exit {
                    151:     my ($code) = @_;
                    152:     &DisableRoot();
                    153:     print "Exiting with status $code\n" unless $noprint;
                    154:     exit $code;
                    155: }
                    156: 
