File:  [LON-CAPA] / loncom / lciptables
Revision 1.8: download - view: text, annotated - select for diffs
Wed Oct 24 15:11:19 2018 UTC (5 years, 5 months ago) by raeburn
Branches: MAIN
CVS tags: HEAD
- Sanity checking.

    1: #!/usr/bin/perl
    2: #
    3: # The Learning Online Network with CAPA
    4: #
    5: # $Id: lciptables,v 1.8 2018/10/24 15:11:19 raeburn Exp $
    6: #
    7: # Copyright Michigan State University Board of Trustees
    8: #
    9: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
   10: #
   11: # LON-CAPA is free software; you can redistribute it and/or modify
   12: # it under the terms of the GNU General Public License as published by
   13: # the Free Software Foundation; either version 2 of the License, or
   14: # (at your option) any later version.
   15: #
   16: # LON-CAPA is distributed in the hope that it will be useful,
   17: # but WITHOUT ANY WARRANTY; without even the implied warranty of
   18: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   19: # GNU General Public License for more details.
   20: #
   21: # You should have received a copy of the GNU General Public License
   22: # along with LON-CAPA; if not, write to the Free Software
   23: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
   24: #
   25: # /home/httpd/html/adm/gpl.txt
   26: #
   27: # http://www.lon-capa.org/
   28: #
   29: #  lciptables - LONC-CAPA setuid script to:
   30: #              o use iptables commands to update Firewall rules for current
   31: #                list of IPs for LON-CAPA hosts in server's cluster.
   32: #
   33: 
   34: use strict;
   35: use lib '/home/httpd/lib/perl/';
   36: use LONCAPA::Firewall;
   37: 
   38: # ------------------------------------------------------------------ Exit codes
   39: # Exit codes.
   40: # ( (0,"ok"),
   41: # (1,"User ID mismatch.  This program must be run as user 'www'"),
   42: # (2,"Missing argument: Usage: this script takes one argument - ".
   43: # " the name of a file in /home/httpd/perl/tmp containing IP addresses."),
   44: # (3,"Missing IP addresses file. The file containing IP addresses is missing."),
   45: # (4,"Error. Only one lciptables script can run at any time."),
   46: #
   47: # ------------------------------------------------------------- Initializations
   48: # Security
   49: $ENV{'PATH'}='/bin/:/usr/bin:/usr/local/sbin:/home/httpd/perl'; # Nullify path
   50:                                                                 # information
   51: delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; # nullify potential taints
   52: 
   53: # Do not print error messages.
   54: my $noprint=1;
   55: 
   56: print "In lciptables\n" unless $noprint;
   57: 
   58: # ----------------------------- Make sure this process is running from user=www
   59: my $wwwid=getpwnam('www');
   60: 
   61: if ($wwwid!=$<) {
   62:     print("User ID mismatch.  This program must be run as user 'www'\n")
   63:         unless $noprint;
   64:     &Exit(1);
   65: }
   66: 
   67: # ----------------------------------- Retrieve IP addreses for hosts in cluster
   68: 
   69: 
   70: my %iphost;
   71: if (@ARGV != 1) {
   72:     print("Error. this script takes one argument - the name of a file in /home/httpd/perl/tmp containing IP addresses.\n") unless $noprint;
   73:     &Exit(2);
   74: }
   75: my $tmpfile = $ARGV[0];
   76: if ($tmpfile =~ m{^\Q/home/httpd/perl/tmp/lciptables_iphost_\E\d+$}) {
   77:     if (-e $tmpfile) {
   78:         if (open(my $fh,"<$tmpfile")) {
   79:             while(<$fh>) {
   80:                 chomp();
   81:                 if (/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/) {
   82:                     if (($1<=255) && ($2<=255) && ($3<=255) && ($4<=255)) {
   83:                         $iphost{$_} = 1;
   84:                     }
   85:                 }
   86:             }
   87:             close($fh);
   88:         } else {
   89:             &Exit(3);  
   90:         }
   91:     } else {
   92:         print "Error. File containing IP addresses of hosts in cluster does not exist\n" unless $noprint;
   93:         &Exit(3);
   94:     }
   95: } else {
   96:     print "Error. Invalid filename for file containing IP addresses\n" unless $noprint; 
   97:     &Exit(3);
   98: }
   99: 
  100: my ($opened,$closed);
  101: my $lond_port = &LONCAPA::Firewall::get_lond_port();
  102: if (($lond_port eq '') || ($lond_port =~ /\D/)) {
  103:     print "Error. Invalid lond port\n" unless $noprint;
  104:     &Exit(3);
  105: }
  106: my $iptables = &LONCAPA::Firewall::get_pathto_iptables();
  107: if ($iptables eq '') {
  108:     print "Error. No path to iptables\n" unless $noprint;
  109:     &Exit(3);
  110: }
  111: 
  112: my $firewalld = &LONCAPA::Firewall::uses_firewalld();
  113: 
  114: &EnableRoot();
  115: my @fw_chains = &LONCAPA::Firewall::get_fw_chains();
  116: if ($firewalld) {
  117:     $<=0;
  118: }
  119: $opened =
  120:     &LONCAPA::Firewall::firewall_close_port($iptables,\@fw_chains,$lond_port,\%iphost,[$lond_port]);
  121: $closed =
  122:     &LONCAPA::Firewall::firewall_open_port($iptables,\@fw_chains,$lond_port,\%iphost,[$lond_port]);
  123: if ($firewalld) {
  124:     $<=$wwwid;
  125: }
  126: &DisableRoot();
  127: 
  128: # -------------------------------------------------------- Exit script
  129: if ($opened) {
  130:     print "$opened\n";
  131: }
  132: if ($closed) {
  133:     print "$closed\n";
  134: }
  135: print "lciptables Exiting\n" unless $noprint;
  136: &Exit(0);
  137: 
  138: sub EnableRoot {
  139:     if ($wwwid==$>) {
  140:         ($<,$>)=($>,$<);
  141:         ($(,$))=($),$();
  142:     }
  143:     else {
  144:         # root capability is already enabled
  145:     }
  146:     return $>;
  147: }
  148: 
  149: sub DisableRoot {
  150:     if ($wwwid==$<) {
  151:         ($<,$>)=($>,$<);
  152:         ($(,$))=($),$();
  153:     }
  154:     else {
  155:         # root capability is already disabled
  156:     }
  157: }
  158: 
  159: sub Exit {
  160:     my ($code) = @_;
  161:     &DisableRoot();
  162:     print "Exiting with status $code\n" unless $noprint;
  163:     exit $code;
  164: }
  165: 

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>