#!/usr/bin/perl

use strict;

# This script is a setuid script (chmod 6755; chown root:root).
# It disables nfs/portmap services for a specific user at
# a specific ip address.

# Exit codes.  0=ok.  Higher than 0 means something went wrong.

# Usage within code
#
# $exitcode=system("/home/httpd/perl/lcnfsoff","NAME","IPADDRESS")/256;
# print "uh-oh" if $exitcode;

# Security
$ENV{'PATH'}=""; # Nullify path information.
$ENV{'BASH_ENV'}=""; # Nullify shell environment information.

# Do not print error messages if there are command-line arguments
my $noprint=0;
if (@ARGV) {
    $noprint=1;
}

# Read in /etc/passwd, and make sure this process is running from user=www
open (IN, "</etc/passwd");
my @lines=<IN>;
close IN;
my $wwwid;
for my $l (@lines) {
    chop $l;
    my @F=split(/\:/,$l);
    if ($F[0] eq 'www') {$wwwid=$F[2];}
}
if ($wwwid!=$<) {
    print("User ID mismatch.  This program must be run as user 'www'\n") unless $noprint;
    exit 1;
}
&disable_root_capability;

# Handle case of another lcnfs process
unless (&try_to_lock("/tmp/lock_lcnfs")) {
    print "Error. Too many other simultaneous nfs change requests being made.\n" unless $noprint;
    exit 4;
}
# Gather input.  Should be 2 values (user name, numeric ip address).
my @input;
if (@ARGV==3) {
    @input=@ARGV;
}
elsif (@ARGV) {
    print("Error. This program needs 2 command-line arguments (username, numeric ip address).\n") unless $noprint;
    unlink('/tmp/lock_lcnfs');
    exit 2;
}
else {
    @input=<>;
    if (@input!=2) {
	print("Error. Two lines should be entered into standard input.\n") unless $noprint;
	unlink('/tmp/lock_lcnfs');
	exit 3;
    }
    map {chop} @input;
}

my ($username,$ipaddress)=@input;
$username=~/^(\w+)$/;
my $safeusername=$1;
if ($username ne $safeusername) {
    print "Error. The user name specified has invalid characters.\n";
    unlink('/tmp/lock_lcnfs');
    exit 9;
}

$ipaddress=~/^([\w|\.]*)$/;
my $safeipaddress=$1;
if ($ipaddress ne $safeipaddress) {
    print "Error. The IP address must be numeric and of the form ##.##.##.##.\n";
    unlink('/tmp/lock_lcnfs');
    exit 8;
}

&enable_root_capability;
# Remove entry from /etc/exports
my $exports=`/bin/cat /etc/exports`;
$exports=~s/\/home\/${safeusername}\s*${safeipaddress}.*?\n//g;
# Resynchronize /etc/exports file
open (OUT,">/etc/exports");
print OUT $exports;
close OUT;
system('/usr/sbin/exportfs','-r');

# Remove entry from /etc/hosts.allow
my $hostsallow=`/bin/cat /etc/hosts.allow`;
$hostsallow=~s/\# $safeusername\nportmap: $safeipaddress\n//g;
open (OUT,">/etc/hosts.allow");
print OUT $hostsallow;
close OUT;

&disable_root_capability;
unlink('/tmp/lock_lcnfs');
exit 0;

# ----------------------------------------------------------- have setuid script run as root
sub enable_root_capability {
    if ($wwwid==$>) {
	($<,$>)=($>,$<);
	($(,$))=($),$();
    }
    else {
	# root capability is already enabled
    }
    return $>;
}

# ----------------------------------------------------------- have setuid script run as www
sub disable_root_capability {
    if ($wwwid==$<) {
	($<,$>)=($>,$<);
	($(,$))=($),$();
    }
    else {
	# root capability is already disabled
    }
}

# ----------------------------------- make sure that another lcnfs process isn't running
sub try_to_lock {
    my ($lockfile)=@_;
    my $currentpid;
    my $lastpid;
    # Do not manipulate lock file as root
    if ($>==0) {
	return 0;
    }
    # Try to generate lock file.
    # Wait 3 seconds.  If same process id is in
    # lock file, then assume lock file is stale, and
    # go ahead.  If process id's fluctuate, try
    # for a maximum of 10 times.
    for (0..10) {
	if (-e $lockfile) {
	    open(LOCK,"<$lockfile");
	    $currentpid=<LOCK>;
	    close LOCK;
	    if ($currentpid==$lastpid) {
		last;
	    }
	    sleep 3;
	    $lastpid=$currentpid;
	}
	else {
	    last;
	}
	if ($_==10) {
	    return 0;
	}
    }
    open(LOCK,">$lockfile");
    print LOCK $$;
    close LOCK;
    return 1;
}