- Duplicated &try_to_lock() routine moved to one location (in LONCAPA.pm).
- Try to get locks for lock_apachereload and lock_lciptables before
  making system calls (in lond and loncron respectively).

    1: #!/usr/bin/perl
    2: #
    3: # The Learning Online Network with CAPA
    4: #
    5: # $Id: lciptables,v 1.5 2011/05/14 16:12:53 raeburn Exp $
    6: #
    7: # Copyright Michigan State University Board of Trustees
    8: #
    9: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
   10: #
   11: # LON-CAPA is free software; you can redistribute it and/or modify
   12: # it under the terms of the GNU General Public License as published by
   13: # the Free Software Foundation; either version 2 of the License, or
   14: # (at your option) any later version.
   15: #
   16: # LON-CAPA is distributed in the hope that it will be useful,
   17: # but WITHOUT ANY WARRANTY; without even the implied warranty of
   18: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   19: # GNU General Public License for more details.
   20: #
   21: # You should have received a copy of the GNU General Public License
   22: # along with LON-CAPA; if not, write to the Free Software
   23: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
   24: #
   25: # /home/httpd/html/adm/gpl.txt
   26: #
   27: # http://www.lon-capa.org/
   28: #
   29: #  lciptables - LONC-CAPA setuid script to:
   30: #              o use iptables commands to update Firewall rules for current
   31: #                list of IPs for LON-CAPA hosts in server's cluster.
   32: #
   33: 
   34: use strict;
   35: use lib '/home/httpd/lib/perl/';
   36: use LONCAPA::Firewall;
   37: 
   38: # ------------------------------------------------------------------ Exit codes
   39: # Exit codes.
   40: # ( (0,"ok"),
   41: # (1,"User ID mismatch.  This program must be run as user 'www'"),
   42: # (2,"Missing argument: Usage: this script takes one argument - ".
   43: # " the name of a file in /home/httpd/perl/tmp containing IP addresses."),
   44: # (3,"Missing IP addresses file. The file containing IP addresses is missing."),
   45: # (4,"Error. Only one lciptables script can run at any time."),
   46: #
   47: # ------------------------------------------------------------- Initializations
   48: # Security
   49: $ENV{'PATH'}='/bin/:/usr/bin:/usr/local/sbin:/home/httpd/perl'; # Nullify path
   50:                                                                 # information
   51: delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; # nullify potential taints
   52: 
   53: # Do not print error messages.
   54: my $noprint=1;
   55: 
   56: print "In lciptables\n" unless $noprint;
   57: 
   58: # ----------------------------- Make sure this process is running from user=www
   59: my $wwwid=getpwnam('www');
   60: 
   61: if ($wwwid!=$<) {
   62:     print("User ID mismatch.  This program must be run as user 'www'\n")
   63:         unless $noprint;
   64:     &Exit(1);
   65: }
   66: 
   67: # ----------------------------------- Retrieve IP addreses for hosts in cluster
   68: 
   69: 
   70: my %iphost;
   71: if (@ARGV != 1) {
   72:     print("Error. this script takes one argument - the name of a file in /home/httpd/perl/tmp containing IP addresses.\n") unless $noprint;
   73:     &Exit(2);
   74: }
   75: my $tmpfile = $ARGV[0];
   76: if (-e $tmpfile) {
   77:     if (open(my $fh,"<$tmpfile")) {
   78:         while(<$fh>) {
   79:             chomp();
   80:             $iphost{$_} = 1;
   81:         }
   82:         close($fh);
   83:     } else {
   84:        &Exit(3);  
   85:     }
   86: } else {
   87:     print "Error. File containing IP addresses of hosts in cluster does not exist\n" unless $noprint;
   88:     &Exit(3);
   89: }
   90: 
   91: my $lond_port = &LONCAPA::Firewall::get_lond_port();
   92: 
   93: 
   94: &EnableRoot();
   95: 
   96: my @fw_chains = &LONCAPA::Firewall::get_fw_chains();
   97: my $iptables = &LONCAPA::Firewall::get_pathto_iptables();
   98: my $firewall_result = 
   99:      &LONCAPA::Firewall::firewall_close_port($iptables,\@fw_chains,$lond_port,\%iphost,[$lond_port]);
  100: if ($firewall_result) {
  101:     print "$firewall_result\n";
  102: }
  103: my $firewall_result = &LONCAPA::Firewall::firewall_open_port($iptables,\@fw_chains,$lond_port,\%iphost,[$lond_port]);
  104: if ($firewall_result) {
  105:     print "$firewall_result\n";
  106: }
  107: 
  108: # -------------------------------------------------------- Exit script
  109: print "lciptables Exiting\n" unless $noprint;
  110: &DisableRoot;
  111: &Exit(0);
  112: 
  113: 
  114: sub EnableRoot {
  115:     if ($wwwid==$>) {
  116:         ($<,$>)=($>,$<);
  117:         ($(,$))=($),$();
  118:     }
  119:     else {
  120:         # root capability is already enabled
  121:     }
  122:     return $>;
  123: }
  124: 
  125: sub DisableRoot {
  126:     if ($wwwid==$<) {
  127:         ($<,$>)=($>,$<);
  128:         ($(,$))=($),$();
  129:     }
  130:     else {
  131:         # root capability is already disabled
  132:     }
  133: }
  134: 
  135: sub Exit {
  136:     my ($code) = @_;
  137:     &DisableRoot();
  138:     print "Exiting with status $code\n" unless $noprint;
  139:     exit $code;
  140: }
  141: 
