1.1 raeburn 1: #!/usr/bin/perl
2: #
3: # The Learning Online Network with CAPA
4: #
1.7 ! raeburn 5: # $Id: lciptables,v 1.6 2011/05/14 23:38:07 raeburn Exp $
1.1 raeburn 6: #
7: # Copyright Michigan State University Board of Trustees
8: #
9: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
10: #
11: # LON-CAPA is free software; you can redistribute it and/or modify
12: # it under the terms of the GNU General Public License as published by
13: # the Free Software Foundation; either version 2 of the License, or
14: # (at your option) any later version.
15: #
16: # LON-CAPA is distributed in the hope that it will be useful,
17: # but WITHOUT ANY WARRANTY; without even the implied warranty of
18: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19: # GNU General Public License for more details.
20: #
21: # You should have received a copy of the GNU General Public License
22: # along with LON-CAPA; if not, write to the Free Software
23: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
24: #
25: # /home/httpd/html/adm/gpl.txt
26: #
27: # http://www.lon-capa.org/
28: #
29: # lciptables - LONC-CAPA setuid script to:
30: # o use iptables commands to update Firewall rules for current
31: # list of IPs for LON-CAPA hosts in server's cluster.
32: #
33:
34: use strict;
35: use lib '/home/httpd/lib/perl/';
36: use LONCAPA::Firewall;
37:
# ------------------------------------------------------------------ Exit codes
# Exit codes handed to Exit():
#   0  ok
#   1  User ID mismatch. This program must be run as user 'www'
#   2  Missing argument: Usage: this script takes one argument -
#      the name of a file in /home/httpd/perl/tmp containing IP addresses.
#   3  Missing IP addresses file. The file containing IP addresses is missing.
#      (Exit(3) is also used further down for an invalid lond port and for a
#      missing path to iptables.)
#   4  Error. Only one lciptables script can run at any time.
#      (Listed here, but no Exit(4) call appears in this file.)
#
# ------------------------------------------------------------- Initializations
# Security: this is a setuid script, so fix the environment that the commands
# it launches (iptables) will inherit instead of trusting the caller's.
$ENV{'PATH'} = join ':', qw(/bin/ /usr/bin /usr/local/sbin /home/httpd/perl);
# Remove the variables a shell would honour; they are classic taint vectors.
delete $ENV{$_} for qw(IFS CDPATH ENV BASH_ENV);
52:
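# Do not print error messages. Every diagnostic below is guarded with
# "unless $noprint"; set this to 0 when running the script by hand.
my $noprint = 1;

print "In lciptables\n" unless $noprint;

# ----------------------------- Make sure this process is running from user=www
# The real uid of this process must be the uid of user 'www'. getpwnam()
# returns undef when 'www' does not exist; that case is rejected explicitly,
# because the bare numeric comparison would otherwise treat undef as 0 and
# let a root-invoked run through.
my $wwwid = getpwnam('www');

if (!defined $wwwid || $wwwid != $<) {
    print("User ID mismatch. This program must be run as user 'www'\n")
        unless $noprint;
    Exit(1);
}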
66:
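# ----------------------------------- Retrieve IP addresses for hosts in cluster
# The single argument names a file whose lines are the IP addresses of the
# LON-CAPA hosts in this server's cluster; each non-empty line becomes a key
# of %iphost. Exit(2) if the argument is missing, Exit(3) if the file cannot
# be read.

my %iphost;
if (@ARGV != 1) {
    print("Error. this script takes one argument - the name of a file in /home/httpd/perl/tmp containing IP addresses.\n") unless $noprint;
    Exit(2);
}
my $tmpfile = $ARGV[0];
# NOTE(review): the path is used exactly as given; nothing here restricts it
# to /home/httpd/perl/tmp as the usage text states. This is a setuid script,
# so confirm that only trusted callers can reach it with a path of their choice.
if (-e $tmpfile) {
    # Three-argument open: the name is taken literally as a filename and is
    # never parsed for mode characters, unlike the two-argument form.
    if (open(my $fh, '<', $tmpfile)) {
        while (my $line = <$fh>) {
            chomp($line);
            # A blank line is not an address; do not create an empty key.
            next if $line eq '';
            # NOTE(review): lines are not validated as IP addresses here;
            # presumably LONCAPA::Firewall checks them before building rules -
            # confirm.
            $iphost{$line} = 1;
        }
        close($fh);
    } else {
        Exit(3);
    }
} else {
    print "Error. File containing IP addresses of hosts in cluster does not exist\n" unless $noprint;
    Exit(3);
}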
90:
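# Return values of the two firewall updates, printed just before exit. Each
# is named after the call whose result it holds (the previous names were
# crossed: the close result was stored in $opened and vice versa).
my ($close_result, $open_result);

# The lond port is interpolated into firewall rules, so it must be a
# non-empty string of digits; anything else (including undef) is rejected.
my $lond_port = LONCAPA::Firewall::get_lond_port();
if (!defined($lond_port) || $lond_port eq '' || $lond_port =~ /\D/) {
    print "Error. Invalid lond port\n" unless $noprint;
    Exit(3);
}
# Path to the iptables binary; resolved by LONCAPA::Firewall, not by $PATH.
my $iptables = LONCAPA::Firewall::get_pathto_iptables();
if (!defined($iptables) || $iptables eq '') {
    print "Error. No path to iptables\n" unless $noprint;
    Exit(3);
}

my $firewalld = LONCAPA::Firewall::uses_firewalld();

EnableRoot();
my @fw_chains = LONCAPA::Firewall::get_fw_chains();
if ($firewalld) {
    # firewalld: the real uid is made root as well for the two calls below
    # (presumably required by the firewalld code path in LONCAPA::Firewall -
    # confirm) and restored to www before DisableRoot().
    $< = 0;
}
# Close first, then re-open the port for the current host list.
# NOTE(review): if either helper dies, neither the uid restore nor
# DisableRoot() runs; the process still terminates, but with root in force.
$close_result = LONCAPA::Firewall::firewall_close_port($iptables, \@fw_chains, $lond_port, \%iphost, [$lond_port]);
$open_result  = LONCAPA::Firewall::firewall_open_port($iptables, \@fw_chains, $lond_port, \%iphost, [$lond_port]);
if ($firewalld) {
    $< = $wwwid;
}
DisableRoot();

# -------------------------------------------------------- Exit script
# Print order is unchanged: close result first, then open result.
print "$close_result\n" if $close_result;
print "$open_result\n"  if $open_result;
print "lciptables Exiting\n" unless $noprint;
Exit(0);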
128:
# Raise privileges: if the effective uid is currently www, swap real and
# effective uid (and gid) so that root becomes effective. A call made while
# root is already effective is a no-op. Returns the resulting effective uid.
sub EnableRoot {
    # Root capability already enabled: nothing to swap.
    return $> unless $wwwid == $>;
    ($<, $>) = ($>, $<);
    ($(, $)) = ($), $();
    return $>;
}
139:
# Drop privileges: if the real uid is currently www, swap real and effective
# uid (and gid) so that www becomes effective again. A call made while root
# is already dropped is a no-op. Returns nothing meaningful.
sub DisableRoot {
    # Root capability already disabled: nothing to swap.
    return unless $wwwid == $<;
    ($<, $>) = ($>, $<);
    ($(, $)) = ($), $();
    return;
}
149:
# Terminate the script with $code after giving up root via DisableRoot(),
# so no exit path leaves elevated privileges in force. Never returns.
sub Exit {
    my $code = shift;
    DisableRoot();
    unless ($noprint) {
        print "Exiting with status $code\n";
    }
    exit $code;
}
156: