Annotation of loncom/lcnfsoff, revision 1.3

1.1       harris41    1: #!/usr/bin/perl
                      2: 
                      3: use strict;
                      4: 
1.3     ! albertel    5: # $Id: lond,v 1.378 2007/08/08 22:24:36 albertel Exp $
        !             6: 
1.1       harris41    7: # This script is a setuid script (chmod 6755; chown root:root).
                      8: # It disables nfs/portmap services for a specific user at
                      9: # a specific ip address.
                     10: 
                     11: # Exit codes.  0=ok.  Higher than 0 means something went wrong.
                     12: 
                     13: # Usage within code
                     14: #
                     15: # $exitcode=system("/home/httpd/perl/lcnfsoff","NAME","IPADDRESS")/256;
                     16: # print "uh-oh" if $exitcode;
                     17: 
                     18: # Security
                     19: $ENV{'PATH'}=""; # Nullify path information.
                     20: $ENV{'BASH_ENV'}=""; # Nullify shell environment information.
                     21: 
                     22: # Do not print error messages if there are command-line arguments
                     23: my $noprint=0;
                     24: if (@ARGV) {
                     25:     $noprint=1;
                     26: }
                     27: 
                     28: # Read in /etc/passwd, and make sure this process is running from user=www
                     29: open (IN, "</etc/passwd");
                     30: my @lines=<IN>;
                     31: close IN;
                     32: my $wwwid;
                     33: for my $l (@lines) {
                     34:     chop $l;
                     35:     my @F=split(/\:/,$l);
                     36:     if ($F[0] eq 'www') {$wwwid=$F[2];}
                     37: }
                     38: if ($wwwid!=$<) {
                     39:     print("User ID mismatch.  This program must be run as user 'www'\n") unless $noprint;
                     40:     exit 1;
                     41: }
                     42: &disable_root_capability;
                     43: 
                     44: # Handle case of another lcnfs process
                     45: unless (&try_to_lock("/tmp/lock_lcnfs")) {
                     46:     print "Error. Too many other simultaneous nfs change requests being made.\n" unless $noprint;
                     47:     exit 4;
                     48: }
                     49: # Gather input.  Should be 2 values (user name, numeric ip address).
                     50: my @input;
                     51: if (@ARGV==3) {
                     52:     @input=@ARGV;
                     53: }
                     54: elsif (@ARGV) {
                     55:     print("Error. This program needs 2 command-line arguments (username, numeric ip address).\n") unless $noprint;
                     56:     unlink('/tmp/lock_lcnfs');
                     57:     exit 2;
                     58: }
                     59: else {
                     60:     @input=<>;
                     61:     if (@input!=2) {
                     62: 	print("Error. Two lines should be entered into standard input.\n") unless $noprint;
                     63: 	unlink('/tmp/lock_lcnfs');
                     64: 	exit 3;
                     65:     }
                     66:     map {chop} @input;
                     67: }
                     68: 
                     69: my ($username,$ipaddress)=@input;
                     70: $username=~/^(\w+)$/;
                     71: my $safeusername=$1;
                     72: if ($username ne $safeusername) {
                     73:     print "Error. The user name specified has invalid characters.\n";
                     74:     unlink('/tmp/lock_lcnfs');
                     75:     exit 9;
                     76: }
                     77: 
                     78: $ipaddress=~/^([\w|\.]*)$/;
                     79: my $safeipaddress=$1;
                     80: if ($ipaddress ne $safeipaddress) {
                     81:     print "Error. The IP address must be numeric and of the form ##.##.##.##.\n";
                     82:     unlink('/tmp/lock_lcnfs');
                     83:     exit 8;
                     84: }
                     85: 
                     86: &enable_root_capability;
                     87: # Remove entry from /etc/exports
                     88: my $exports=`/bin/cat /etc/exports`;
                     89: $exports=~s/\/home\/${safeusername}\s*${safeipaddress}.*?\n//g;
                     90: # Resynchronize /etc/exports file
                     91: open (OUT,">/etc/exports");
                     92: print OUT $exports;
                     93: close OUT;
                     94: system('/usr/sbin/exportfs','-r');
                     95: 
                     96: # Remove entry from /etc/hosts.allow
                     97: my $hostsallow=`/bin/cat /etc/hosts.allow`;
                     98: $hostsallow=~s/\# $safeusername\nportmap: $safeipaddress\n//g;
                     99: open (OUT,">/etc/hosts.allow");
                    100: print OUT $hostsallow;
                    101: close OUT;
                    102: 
                    103: &disable_root_capability;
                    104: unlink('/tmp/lock_lcnfs');
                    105: exit 0;
                    106: 
                    107: # ----------------------------------------------------------- have setuid script run as root
                    108: sub enable_root_capability {
                    109:     if ($wwwid==$>) {
                    110: 	($<,$>)=($>,$<);
                    111: 	($(,$))=($),$();
                    112:     }
                    113:     else {
                    114: 	# root capability is already enabled
                    115:     }
                    116:     return $>;
                    117: }
                    118: 
                    119: # ----------------------------------------------------------- have setuid script run as www
                    120: sub disable_root_capability {
                    121:     if ($wwwid==$<) {
                    122: 	($<,$>)=($>,$<);
                    123: 	($(,$))=($),$();
                    124:     }
                    125:     else {
                    126: 	# root capability is already disabled
                    127:     }
                    128: }
                    129: 
                    130: # ----------------------------------- make sure that another lcnfs process isn't running
                    131: sub try_to_lock {
                    132:     my ($lockfile)=@_;
                    133:     my $currentpid;
                    134:     my $lastpid;
                    135:     # Do not manipulate lock file as root
                    136:     if ($>==0) {
                    137: 	return 0;
                    138:     }
                    139:     # Try to generate lock file.
                    140:     # Wait 3 seconds.  If same process id is in
                    141:     # lock file, then assume lock file is stale, and
                    142:     # go ahead.  If process id's fluctuate, try
                    143:     # for a maximum of 10 times.
                    144:     for (0..10) {
                    145: 	if (-e $lockfile) {
                    146: 	    open(LOCK,"<$lockfile");
                    147: 	    $currentpid=<LOCK>;
                    148: 	    close LOCK;
                    149: 	    if ($currentpid==$lastpid) {
                    150: 		last;
                    151: 	    }
                    152: 	    sleep 3;
                    153: 	    $lastpid=$currentpid;
                    154: 	}
                    155: 	else {
                    156: 	    last;
                    157: 	}
                    158: 	if ($_==10) {
                    159: 	    return 0;
                    160: 	}
                    161:     }
                    162:     open(LOCK,">$lockfile");
                    163:     print LOCK $$;
                    164:     close LOCK;
                    165:     return 1;
                    166: }
                    167: 
                    168: 

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>