
1.1       raeburn     1: #!/usr/bin/perl
                      2: #
                      3: # The Learning Online Network with CAPA
                      4: #
1.6     ! raeburn     5: # $Id: lciptables,v 1.5 2011/05/14 16:12:53 raeburn Exp $
1.1       raeburn     6: #
                      7: # Copyright Michigan State University Board of Trustees
                      8: #
                      9: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
                     10: #
                     11: # LON-CAPA is free software; you can redistribute it and/or modify
                     12: # it under the terms of the GNU General Public License as published by
                     13: # the Free Software Foundation; either version 2 of the License, or
                     14: # (at your option) any later version.
                     15: #
                     16: # LON-CAPA is distributed in the hope that it will be useful,
                     17: # but WITHOUT ANY WARRANTY; without even the implied warranty of
                     18: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
                     19: # GNU General Public License for more details.
                     20: #
                     21: # You should have received a copy of the GNU General Public License
                     22: # along with LON-CAPA; if not, write to the Free Software
                     23: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
                     24: #
                     25: # /home/httpd/html/adm/gpl.txt
                     26: #
                     27: # http://www.lon-capa.org/
                     28: #
                     29: #  lciptables - LON-CAPA setuid script to:
                     30: #              o use iptables commands to update Firewall rules for current
                     31: #                list of IPs for LON-CAPA hosts in server's cluster.
                     32: #
                     33: 
                     34: use strict;
                     35: use lib '/home/httpd/lib/perl/';
                     36: use LONCAPA::Firewall;
                     37: 
                     38: # ------------------------------------------------------------------ Exit codes
                     39: # Exit codes.
                     40: # ( (0,"ok"),
                     41: # (1,"User ID mismatch.  This program must be run as user 'www'"),
                     42: # (2,"Missing argument: Usage: this script takes one argument - ".
                     43: # " the name of a file in /home/httpd/perl/tmp containing IP addresses."),
                     44: # (3,"Missing IP addresses file. The file containing IP addresses is missing."),
                     45: # (4,"Error. Only one lciptables script can run at any time."),
                     46: #
                     47: # ------------------------------------------------------------- Initializations
                     48: # Security
                     49: $ENV{'PATH'}='/bin/:/usr/bin:/usr/local/sbin:/home/httpd/perl'; # Nullify path
                     50:                                                                 # information
                     51: delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; # nullify potential taints
                     52: 
                     53: # Do not print error messages.
                     54: my $noprint=1;
                     55: 
                     56: print "In lciptables\n" unless $noprint;
                     57: 
                     58: # ----------------------------- Make sure this process is running from user=www
                     59: my $wwwid=getpwnam('www');
1.3       foxr       60: 
                     61: if ($wwwid!=$<) {
1.1       raeburn    62:     print("User ID mismatch.  This program must be run as user 'www'\n")
                     63:         unless $noprint;
                     64:     &Exit(1);
                     65: }
                     66: 
                     67: # ----------------------------------- Retrieve IP addreses for hosts in cluster
1.3       foxr       68: 
1.1       raeburn    69: 
                     70: my %iphost;
                     71: if (@ARGV != 1) {
                     72:     print("Error. this script takes one argument - the name of a file in /home/httpd/perl/tmp containing IP addresses.\n") unless $noprint;
                     73:     &Exit(2);
                     74: }
                     75: my $tmpfile = $ARGV[0];
                     76: if (-e $tmpfile) {
                     77:     if (open(my $fh,"<$tmpfile")) {
                     78:         while(<$fh>) {
                     79:             chomp();
                     80:             $iphost{$_} = 1;
                     81:         }
                     82:         close($fh);
                     83:     } else {
                     84:        &Exit(3);  
                     85:     }
                     86: } else {
                     87:     print "Error. File containing IP addresses of hosts in cluster does not exist\n" unless $noprint;
                     88:     &Exit(3);
                     89: }
                     90: 
                     91: my $lond_port = &LONCAPA::Firewall::get_lond_port();
                     92: 
1.3       foxr       93: 
1.1       raeburn    94: &EnableRoot();
                     95: 
1.2       raeburn    96: my @fw_chains = &LONCAPA::Firewall::get_fw_chains();
1.1       raeburn    97: my $iptables = &LONCAPA::Firewall::get_pathto_iptables();
                     98: my $firewall_result = 
1.4       raeburn    99:      &LONCAPA::Firewall::firewall_close_port($iptables,\@fw_chains,$lond_port,\%iphost,[$lond_port]);
1.1       raeburn   100: if ($firewall_result) {
                    101:     print "$firewall_result\n";
                    102: }
1.6     ! raeburn   103: $firewall_result = &LONCAPA::Firewall::firewall_open_port($iptables,\@fw_chains,$lond_port,\%iphost,[$lond_port]);
1.1       raeburn   104: if ($firewall_result) {
                    105:     print "$firewall_result\n";
                    106: }
                    107: 
                    108: # -------------------------------------------------------- Exit script
                    109: print "lciptables Exiting\n" unless $noprint;
                    110: &DisableRoot;
                    111: &Exit(0);
                    112: 
                    113: 
                    114: sub EnableRoot {
                    115:     if ($wwwid==$>) {
                    116:         ($<,$>)=($>,$<);
                    117:         ($(,$))=($),$();
                    118:     }
                    119:     else {
                    120:         # root capability is already enabled
                    121:     }
                    122:     return $>;
                    123: }
                    124: 
                    125: sub DisableRoot {
                    126:     if ($wwwid==$<) {
                    127:         ($<,$>)=($>,$<);
                    128:         ($(,$))=($),$();
                    129:     }
                    130:     else {
                    131:         # root capability is already disabled
                    132:     }
                    133: }
                    134: 
                    135: sub Exit {
                    136:     my ($code) = @_;
                    137:     &DisableRoot();
                    138:     print "Exiting with status $code\n" unless $noprint;
                    139:     exit $code;
                    140: }
                    141: 
