Annotation of loncom/lciptables, revision 1.9
1.1 raeburn 1: #!/usr/bin/perl
2: #
3: # The Learning Online Network with CAPA
4: #
1.9 ! raeburn 5: # $Id: lciptables,v 1.8 2018/10/24 15:11:19 raeburn Exp $
1.1 raeburn 6: #
7: # Copyright Michigan State University Board of Trustees
8: #
9: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
10: #
11: # LON-CAPA is free software; you can redistribute it and/or modify
12: # it under the terms of the GNU General Public License as published by
13: # the Free Software Foundation; either version 2 of the License, or
14: # (at your option) any later version.
15: #
16: # LON-CAPA is distributed in the hope that it will be useful,
17: # but WITHOUT ANY WARRANTY; without even the implied warranty of
18: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19: # GNU General Public License for more details.
20: #
21: # You should have received a copy of the GNU General Public License
22: # along with LON-CAPA; if not, write to the Free Software
23: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
24: #
25: # /home/httpd/html/adm/gpl.txt
26: #
27: # http://www.lon-capa.org/
28: #
29: # lciptables - LONC-CAPA setuid script to:
30: # o use iptables commands to update Firewall rules for current
31: # list of IPs for LON-CAPA hosts in server's cluster.
32: #
33:
34: use strict;
35: use lib '/home/httpd/lib/perl/';
36: use LONCAPA::Firewall;
37:
38: # ------------------------------------------------------------------ Exit codes
39: # Exit codes.
40: # ( (0,"ok"),
41: # (1,"User ID mismatch. This program must be run as user 'www'"),
42: # (2,"Missing argument: Usage: this script takes one argument - ".
43: # " the name of a file in /home/httpd/perl/tmp containing IP addresses."),
44: # (3,"Missing IP addresses file. The file containing IP addresses is missing."),
45: # (4,"Error. Only one lciptables script can run at any time."),
46: #
47: # ------------------------------------------------------------- Initializations
48: # Security
49: $ENV{'PATH'}='/bin/:/usr/bin:/usr/local/sbin:/home/httpd/perl'; # Nullify path
50: # information
51: delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; # nullify potential taints
52:
53: # Do not print error messages.
54: my $noprint=1;
55:
56: print "In lciptables\n" unless $noprint;
57:
58: # ----------------------------- Make sure this process is running from user=www
59: my $wwwid=getpwnam('www');
1.3 foxr 60:
61: if ($wwwid!=$<) {
1.1 raeburn 62: print("User ID mismatch. This program must be run as user 'www'\n")
63: unless $noprint;
64: &Exit(1);
65: }
66:
67: # ----------------------------------- Retrieve IP addreses for hosts in cluster
1.3 foxr 68:
1.1 raeburn 69:
70: my %iphost;
71: if (@ARGV != 1) {
72: print("Error. this script takes one argument - the name of a file in /home/httpd/perl/tmp containing IP addresses.\n") unless $noprint;
73: &Exit(2);
74: }
75: my $tmpfile = $ARGV[0];
1.8 raeburn 76: if ($tmpfile =~ m{^\Q/home/httpd/perl/tmp/lciptables_iphost_\E\d+$}) {
77: if (-e $tmpfile) {
78: if (open(my $fh,"<$tmpfile")) {
79: while(<$fh>) {
80: chomp();
81: if (/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/) {
82: if (($1<=255) && ($2<=255) && ($3<=255) && ($4<=255)) {
83: $iphost{$_} = 1;
84: }
85: }
86: }
87: close($fh);
88: } else {
89: &Exit(3);
1.1 raeburn 90: }
91: } else {
1.8 raeburn 92: print "Error. File containing IP addresses of hosts in cluster does not exist\n" unless $noprint;
93: &Exit(3);
1.1 raeburn 94: }
95: } else {
1.8 raeburn 96: print "Error. Invalid filename for file containing IP addresses\n" unless $noprint;
1.1 raeburn 97: &Exit(3);
98: }
99:
1.7 raeburn 100: my ($opened,$closed);
1.1 raeburn 101: my $lond_port = &LONCAPA::Firewall::get_lond_port();
1.7 raeburn 102: if (($lond_port eq '') || ($lond_port =~ /\D/)) {
103: print "Error. Invalid lond port\n" unless $noprint;
104: &Exit(3);
105: }
106: my $iptables = &LONCAPA::Firewall::get_pathto_iptables();
107: if ($iptables eq '') {
108: print "Error. No path to iptables\n" unless $noprint;
109: &Exit(3);
110: }
1.1 raeburn 111:
1.9 ! raeburn 112: my ($firewalld) = &LONCAPA::Firewall::uses_firewalld();
1.3 foxr 113:
1.1 raeburn 114: &EnableRoot();
1.2 raeburn 115: my @fw_chains = &LONCAPA::Firewall::get_fw_chains();
1.7 raeburn 116: if ($firewalld) {
117: $<=0;
118: }
119: $opened =
1.9 ! raeburn 120: &LONCAPA::Firewall::firewall_close_port($iptables,\@fw_chains,$lond_port,\%iphost,[$lond_port],$firewalld);
1.7 raeburn 121: $closed =
1.9 ! raeburn 122: &LONCAPA::Firewall::firewall_open_port($iptables,\@fw_chains,$lond_port,\%iphost,[$lond_port],$firewalld);
1.7 raeburn 123: if ($firewalld) {
124: $<=$wwwid;
1.1 raeburn 125: }
1.7 raeburn 126: &DisableRoot();
1.1 raeburn 127:
128: # -------------------------------------------------------- Exit script
1.7 raeburn 129: if ($opened) {
130: print "$opened\n";
131: }
132: if ($closed) {
133: print "$closed\n";
134: }
1.1 raeburn 135: print "lciptables Exiting\n" unless $noprint;
136: &Exit(0);
137:
138: sub EnableRoot {
139: if ($wwwid==$>) {
140: ($<,$>)=($>,$<);
141: ($(,$))=($),$();
142: }
143: else {
144: # root capability is already enabled
145: }
146: return $>;
147: }
148:
149: sub DisableRoot {
150: if ($wwwid==$<) {
151: ($<,$>)=($>,$<);
152: ($(,$))=($),$();
153: }
154: else {
155: # root capability is already disabled
156: }
157: }
158:
159: sub Exit {
160: my ($code) = @_;
161: &DisableRoot();
162: print "Exiting with status $code\n" unless $noprint;
163: exit $code;
164: }
165:
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>