File:  [LON-CAPA] / loncom / lcnfsoff
Revision 1.4: download - view: text, annotated - select for diffs
Tue Oct 12 10:19:18 2010 UTC (13 years, 5 months ago) by foxr
Branches: MAIN
CVS tags: version_2_12_X, version_2_11_X, version_2_11_4_uiuc, version_2_11_4_msu, version_2_11_4, version_2_11_3_uiuc, version_2_11_3_msu, version_2_11_3, version_2_11_2_uiuc, version_2_11_2_msu, version_2_11_2_educog, version_2_11_2, version_2_11_1, version_2_11_0_RC3, version_2_11_0_RC2, version_2_11_0_RC1, version_2_11_0, version_2_10_X, version_2_10_1, version_2_10_0_RC2, version_2_10_0, loncapaMITrelate_1, language_hyphenation_merge, language_hyphenation, HEAD, BZ4492-merge, BZ4492-feature_horizontal_radioresponse, BZ4492-feature_Support_horizontal_radioresponse, BZ4492-Support_horizontal_radioresponse
Make this usable on FC13

    1: #!/usr/bin/perl
    2: 
    3: use strict;
    4: 
    5: # $Id: lcnfsoff,v 1.4 2010/10/12 10:19:18 foxr Exp $
    6: 
    7: # This script is a setuid script (chmod 6755; chown root:root).
    8: # It disables nfs/portmap services for a specific user at
    9: # a specific ip address.
   10: 
   11: # Exit codes.  0=ok.  Higher than 0 means something went wrong.
   12: 
   13: # Usage within code
   14: #
   15: # $exitcode=system("/home/httpd/perl/lcnfsoff","NAME","IPADDRESS")/256;
   16: # print "uh-oh" if $exitcode;
   17: 
   18: # Security
   19: $ENV{'PATH'}=""; # Nullify path information.
   20: $ENV{'BASH_ENV'}=""; # Nullify shell environment information.
   21: 
   22: # Do not print error messages if there are command-line arguments
   23: my $noprint=0;
   24: if (@ARGV) {
   25:     $noprint=1;
   26: }
   27: 
   28: # Read in /etc/passwd, and make sure this process is running from user=www
   29: open (IN, "</etc/passwd");
   30: my @lines=<IN>;
   31: close IN;
   32: my $wwwid;
   33: for my $l (@lines) {
   34:     chop $l;
   35:     my @F=split(/\:/,$l);
   36:     if ($F[0] eq 'www') {$wwwid=$F[2];}
   37: }
   38: if ($wwwid!=$<) {
   39:     print("User ID mismatch.  This program must be run as user 'www'\n") unless $noprint;
   40:     exit 1;
   41: }
   42: 
   43: 
   44: # Handle case of another lcnfs process
   45: unless (&try_to_lock("/tmp/lock_lcnfs")) {
   46:     print "Error. Too many other simultaneous nfs change requests being made.\n" unless $noprint;
   47:     exit 4;
   48: }
   49: # Gather input.  Should be 2 values (user name, numeric ip address).
   50: my @input;
   51: if (@ARGV==3) {
   52:     @input=@ARGV;
   53: }
   54: elsif (@ARGV) {
   55:     print("Error. This program needs 2 command-line arguments (username, numeric ip address).\n") unless $noprint;
   56:     unlink('/tmp/lock_lcnfs');
   57:     exit 2;
   58: }
   59: else {
   60:     @input=<>;
   61:     if (@input!=2) {
   62: 	print("Error. Two lines should be entered into standard input.\n") unless $noprint;
   63: 	unlink('/tmp/lock_lcnfs');
   64: 	exit 3;
   65:     }
   66:     map {chop} @input;
   67: }
   68: 
   69: my ($username,$ipaddress)=@input;
   70: $username=~/^(\w+)$/;
   71: my $safeusername=$1;
   72: if ($username ne $safeusername) {
   73:     print "Error. The user name specified has invalid characters.\n";
   74:     unlink('/tmp/lock_lcnfs');
   75:     exit 9;
   76: }
   77: 
   78: $ipaddress=~/^([\w|\.]*)$/;
   79: my $safeipaddress=$1;
   80: if ($ipaddress ne $safeipaddress) {
   81:     print "Error. The IP address must be numeric and of the form ##.##.##.##.\n";
   82:     unlink('/tmp/lock_lcnfs');
   83:     exit 8;
   84: }
   85: 
   86: &enable_root_capability;
   87: # Remove entry from /etc/exports
   88: my $exports=`/bin/cat /etc/exports`;
   89: $exports=~s/\/home\/${safeusername}\s*${safeipaddress}.*?\n//g;
   90: # Resynchronize /etc/exports file
   91: open (OUT,">/etc/exports");
   92: print OUT $exports;
   93: close OUT;
   94: system('/usr/sbin/exportfs','-r');
   95: 
   96: # Remove entry from /etc/hosts.allow
   97: my $hostsallow=`/bin/cat /etc/hosts.allow`;
   98: $hostsallow=~s/\# $safeusername\nportmap: $safeipaddress\n//g;
   99: open (OUT,">/etc/hosts.allow");
  100: print OUT $hostsallow;
  101: close OUT;
  102: 
  103: &disable_root_capability;
  104: unlink('/tmp/lock_lcnfs');
  105: exit 0;
  106: 
  107: # ----------------------------------------------------------- have setuid script run as root
  108: sub enable_root_capability {
  109:     if ($wwwid==$>) {
  110: 	($<,$>)=($>,$<);
  111: 	($(,$))=($),$();
  112:     }
  113:     else {
  114: 	# root capability is already enabled
  115:     }
  116:     return $>;
  117: }
  118: 
  119: # ----------------------------------------------------------- have setuid script run as www
  120: sub disable_root_capability {
  121:     if ($wwwid==$<) {
  122: 	($<,$>)=($>,$<);
  123: 	($(,$))=($),$();
  124:     }
  125:     else {
  126: 	# root capability is already disabled
  127:     }
  128: }
  129: 
  130: # ----------------------------------- make sure that another lcnfs process isn't running
  131: sub try_to_lock {
  132:     my ($lockfile)=@_;
  133:     my $currentpid;
  134:     my $lastpid;
  135:     # Do not manipulate lock file as root
  136:     if ($>==0) {
  137: 	return 0;
  138:     }
  139:     # Try to generate lock file.
  140:     # Wait 3 seconds.  If same process id is in
  141:     # lock file, then assume lock file is stale, and
  142:     # go ahead.  If process id's fluctuate, try
  143:     # for a maximum of 10 times.
  144:     for (0..10) {
  145: 	if (-e $lockfile) {
  146: 	    open(LOCK,"<$lockfile");
  147: 	    $currentpid=<LOCK>;
  148: 	    close LOCK;
  149: 	    if ($currentpid==$lastpid) {
  150: 		last;
  151: 	    }
  152: 	    sleep 3;
  153: 	    $lastpid=$currentpid;
  154: 	}
  155: 	else {
  156: 	    last;
  157: 	}
  158: 	if ($_==10) {
  159: 	    return 0;
  160: 	}
  161:     }
  162:     open(LOCK,">$lockfile");
  163:     print LOCK $$;
  164:     close LOCK;
  165:     return 1;
  166: }
  167: 
  168: 

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>