Wed Oct 24 04:19:27 2018 UTC (5 years, 5 months ago) by raeburn
- Dynamic management of LON-CAPA port 5663 compatible with firewalld.

    1: #!/usr/bin/perl
    2: #
    3: # The Learning Online Network with CAPA
    4: #
    5: # $Id: lciptables,v 1.7 2018/10/24 04:19:27 raeburn Exp $
    6: #
    7: # Copyright Michigan State University Board of Trustees
    8: #
    9: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
   10: #
   11: # LON-CAPA is free software; you can redistribute it and/or modify
   12: # it under the terms of the GNU General Public License as published by
   13: # the Free Software Foundation; either version 2 of the License, or
   14: # (at your option) any later version.
   15: #
   16: # LON-CAPA is distributed in the hope that it will be useful,
   17: # but WITHOUT ANY WARRANTY; without even the implied warranty of
   18: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   19: # GNU General Public License for more details.
   20: #
   21: # You should have received a copy of the GNU General Public License
   22: # along with LON-CAPA; if not, write to the Free Software
   23: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
   24: #
   25: # /home/httpd/html/adm/gpl.txt
   26: #
   27: # http://www.lon-capa.org/
   28: #
#  lciptables - LON-CAPA setuid script to:
#              o use iptables commands to update firewall rules for the current
#                list of IPs for LON-CAPA hosts in the server's cluster.
   32: #
   33: 
   34: use strict;
   35: use lib '/home/httpd/lib/perl/';
   36: use LONCAPA::Firewall;
   37: 
   38: # ------------------------------------------------------------------ Exit codes
   39: # Exit codes.
   40: # ( (0,"ok"),
   41: # (1,"User ID mismatch.  This program must be run as user 'www'"),
   42: # (2,"Missing argument: Usage: this script takes one argument - ".
   43: # " the name of a file in /home/httpd/perl/tmp containing IP addresses."),
   44: # (3,"Missing IP addresses file. The file containing IP addresses is missing."),
   45: # (4,"Error. Only one lciptables script can run at any time."),
   46: #
   47: # ------------------------------------------------------------- Initializations
   48: # Security
   49: $ENV{'PATH'}='/bin/:/usr/bin:/usr/local/sbin:/home/httpd/perl'; # Nullify path
   50:                                                                 # information
   51: delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; # nullify potential taints
   52: 
   53: # Do not print error messages.
   54: my $noprint=1;
   55: 
   56: print "In lciptables\n" unless $noprint;
   57: 
   58: # ----------------------------- Make sure this process is running from user=www
   59: my $wwwid=getpwnam('www');
   60: 
   61: if ($wwwid!=$<) {
   62:     print("User ID mismatch.  This program must be run as user 'www'\n")
   63:         unless $noprint;
   64:     &Exit(1);
   65: }
   66: 
   67: # ----------------------------------- Retrieve IP addreses for hosts in cluster
   68: 
   69: 
   70: my %iphost;
   71: if (@ARGV != 1) {
   72:     print("Error. this script takes one argument - the name of a file in /home/httpd/perl/tmp containing IP addresses.\n") unless $noprint;
   73:     &Exit(2);
   74: }
   75: my $tmpfile = $ARGV[0];
   76: if (-e $tmpfile) {
   77:     if (open(my $fh,"<$tmpfile")) {
   78:         while(<$fh>) {
   79:             chomp();
   80:             $iphost{$_} = 1;
   81:         }
   82:         close($fh);
   83:     } else {
   84:        &Exit(3);  
   85:     }
   86: } else {
   87:     print "Error. File containing IP addresses of hosts in cluster does not exist\n" unless $noprint;
   88:     &Exit(3);
   89: }
   90: 
   91: my ($opened,$closed);
   92: my $lond_port = &LONCAPA::Firewall::get_lond_port();
   93: if (($lond_port eq '') || ($lond_port =~ /\D/)) {
   94:     print "Error. Invalid lond port\n" unless $noprint;
   95:     &Exit(3);
   96: }
   97: my $iptables = &LONCAPA::Firewall::get_pathto_iptables();
   98: if ($iptables eq '') {
   99:     print "Error. No path to iptables\n" unless $noprint;
  100:     &Exit(3);
  101: }
  102: 
  103: my $firewalld = &LONCAPA::Firewall::uses_firewalld();
  104: 
  105: &EnableRoot();
  106: my @fw_chains = &LONCAPA::Firewall::get_fw_chains();
  107: if ($firewalld) {
  108:     $<=0;
  109: }
  110: $opened =
  111:     &LONCAPA::Firewall::firewall_close_port($iptables,\@fw_chains,$lond_port,\%iphost,[$lond_port]);
  112: $closed =
  113:     &LONCAPA::Firewall::firewall_open_port($iptables,\@fw_chains,$lond_port,\%iphost,[$lond_port]);
  114: if ($firewalld) {
  115:     $<=$wwwid;
  116: }
  117: &DisableRoot();
  118: 
  119: # -------------------------------------------------------- Exit script
  120: if ($opened) {
  121:     print "$opened\n";
  122: }
  123: if ($closed) {
  124:     print "$closed\n";
  125: }
  126: print "lciptables Exiting\n" unless $noprint;
  127: &Exit(0);
  128: 
  129: sub EnableRoot {
  130:     if ($wwwid==$>) {
  131:         ($<,$>)=($>,$<);
  132:         ($(,$))=($),$();
  133:     }
  134:     else {
  135:         # root capability is already enabled
  136:     }
  137:     return $>;
  138: }
  139: 
  140: sub DisableRoot {
  141:     if ($wwwid==$<) {
  142:         ($<,$>)=($>,$<);
  143:         ($(,$))=($),$();
  144:     }
  145:     else {
  146:         # root capability is already disabled
  147:     }
  148: }
  149: 
  150: sub Exit {
  151:     my ($code) = @_;
  152:     &DisableRoot();
  153:     print "Exiting with status $code\n" unless $noprint;
  154:     exit $code;
  155: }
  156: 
