
1.1       raeburn     1: #!/usr/bin/perl
                      2: #
                      3: # The Learning Online Network with CAPA
                      4: #
1.9     ! raeburn     5: # $Id: lciptables,v 1.8 2018/10/24 15:11:19 raeburn Exp $
1.1       raeburn     6: #
                      7: # Copyright Michigan State University Board of Trustees
                      8: #
                      9: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
                     10: #
                     11: # LON-CAPA is free software; you can redistribute it and/or modify
                     12: # it under the terms of the GNU General Public License as published by
                     13: # the Free Software Foundation; either version 2 of the License, or
                     14: # (at your option) any later version.
                     15: #
                     16: # LON-CAPA is distributed in the hope that it will be useful,
                     17: # but WITHOUT ANY WARRANTY; without even the implied warranty of
                     18: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
                     19: # GNU General Public License for more details.
                     20: #
                     21: # You should have received a copy of the GNU General Public License
                     22: # along with LON-CAPA; if not, write to the Free Software
                     23: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
                     24: #
                     25: # /home/httpd/html/adm/gpl.txt
                     26: #
                     27: # http://www.lon-capa.org/
                     28: #
#  lciptables - LON-CAPA setuid script to:
#              o use iptables commands (with firewalld-specific handling when
#                LONCAPA::Firewall reports that firewalld is in use) to update
#                the firewall rules for the current list of IP addresses of
#                LON-CAPA hosts in this server's cluster.
                     32: #
                     33: 
                     34: use strict;
                     35: use lib '/home/httpd/lib/perl/';
                     36: use LONCAPA::Firewall;
                     37: 
                     38: # ------------------------------------------------------------------ Exit codes
# Exit codes.
# ( (0,"ok"),
# (1,"User ID mismatch.  This program must be run as user 'www'"),
# (2,"Missing argument: Usage: this script takes one argument - ".
# " the name of a file in /home/httpd/perl/tmp containing IP addresses."),
# (3,"Missing or invalid input. The file containing IP addresses is missing,
#     its name is not of the form /home/httpd/perl/tmp/lciptables_iphost_<digits>,
#     the lond port is not numeric, or the path to iptables is unknown."),
# (4,"Error. Only one lciptables script can run at any time."),
#     -- listed for completeness; this script does not emit code 4 itself
#        (no locking is performed here).
                     46: #
                     47: # ------------------------------------------------------------- Initializations
                     48: # Security
                     49: $ENV{'PATH'}='/bin/:/usr/bin:/usr/local/sbin:/home/httpd/perl'; # Nullify path
                     50:                                                                 # information
                     51: delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; # nullify potential taints
                     52: 
                     53: # Do not print error messages.
                     54: my $noprint=1;
                     55: 
                     56: print "In lciptables\n" unless $noprint;
                     57: 
                     58: # ----------------------------- Make sure this process is running from user=www
                     59: my $wwwid=getpwnam('www');
1.3       foxr       60: 
                     61: if ($wwwid!=$<) {
1.1       raeburn    62:     print("User ID mismatch.  This program must be run as user 'www'\n")
                     63:         unless $noprint;
                     64:     &Exit(1);
                     65: }
                     66: 
                     67: # ----------------------------------- Retrieve IP addreses for hosts in cluster
1.3       foxr       68: 
1.1       raeburn    69: 
                     70: my %iphost;
                     71: if (@ARGV != 1) {
                     72:     print("Error. this script takes one argument - the name of a file in /home/httpd/perl/tmp containing IP addresses.\n") unless $noprint;
                     73:     &Exit(2);
                     74: }
                     75: my $tmpfile = $ARGV[0];
1.8       raeburn    76: if ($tmpfile =~ m{^\Q/home/httpd/perl/tmp/lciptables_iphost_\E\d+$}) {
                     77:     if (-e $tmpfile) {
                     78:         if (open(my $fh,"<$tmpfile")) {
                     79:             while(<$fh>) {
                     80:                 chomp();
                     81:                 if (/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/) {
                     82:                     if (($1<=255) && ($2<=255) && ($3<=255) && ($4<=255)) {
                     83:                         $iphost{$_} = 1;
                     84:                     }
                     85:                 }
                     86:             }
                     87:             close($fh);
                     88:         } else {
                     89:             &Exit(3);  
1.1       raeburn    90:         }
                     91:     } else {
1.8       raeburn    92:         print "Error. File containing IP addresses of hosts in cluster does not exist\n" unless $noprint;
                     93:         &Exit(3);
1.1       raeburn    94:     }
                     95: } else {
1.8       raeburn    96:     print "Error. Invalid filename for file containing IP addresses\n" unless $noprint; 
1.1       raeburn    97:     &Exit(3);
                     98: }
                     99: 
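# --------------------------------------------- Validate inputs for the update
#
# Both values come from LONCAPA::Firewall and end up in the firewall rules
# that are installed, so they are checked before any privilege is raised:
# the lond port must be a non-empty string of digits and the iptables path
# must be non-empty.  Either failure is reported as exit code 3.
my $lond_port = &LONCAPA::Firewall::get_lond_port();
if (($lond_port eq '') || ($lond_port =~ /\D/)) {
    print "Error. Invalid lond port\n" unless $noprint;
    &Exit(3);
}
my $iptables = &LONCAPA::Firewall::get_pathto_iptables();
if ($iptables eq '') {
    print "Error. No path to iptables\n" unless $noprint;
    &Exit(3);
}

my ($firewalld) = &LONCAPA::Firewall::uses_firewalld();

# ------------------------------------------------------ Apply firewall update
#
# Privilege is raised only around the Firewall.pm calls.  When firewalld is in
# use the real uid is additionally set to 0 for the duration of those calls
# (presumably because the firewalld tooling checks the real uid -- confirm in
# Firewall.pm) and restored to www immediately afterwards; with plain iptables
# only the effective uid is affected (see EnableRoot/DisableRoot).
&EnableRoot();
my @fw_chains = &LONCAPA::Firewall::get_fw_chains();
if ($firewalld) {
    $< = 0;
}
# The "close" pass runs first, then the "open" pass.  Each returns a message
# (possibly empty) that is echoed below in the same order.  The variables are
# named after the call whose result they hold; an earlier revision had the
# names the other way round, which was misleading but had no effect on output.
my $close_result =
    &LONCAPA::Firewall::firewall_close_port($iptables,\@fw_chains,$lond_port,\%iphost,[$lond_port],$firewalld);
my $open_result =
    &LONCAPA::Firewall::firewall_open_port($iptables,\@fw_chains,$lond_port,\%iphost,[$lond_port],$firewalld);
if ($firewalld) {
    $< = $wwwid;
}
&DisableRoot();

# -------------------------------------------------------- Exit script
if ($close_result) {
    print "$close_result\n";
}
if ($open_result) {
    print "$open_result\n";
}
print "lciptables Exiting\n" unless $noprint;
&Exit(0);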
                    137: 
                    138: sub EnableRoot {
                    139:     if ($wwwid==$>) {
                    140:         ($<,$>)=($>,$<);
                    141:         ($(,$))=($),$();
                    142:     }
                    143:     else {
                    144:         # root capability is already enabled
                    145:     }
                    146:     return $>;
                    147: }
                    148: 
                    149: sub DisableRoot {
                    150:     if ($wwwid==$<) {
                    151:         ($<,$>)=($>,$<);
                    152:         ($(,$))=($),$();
                    153:     }
                    154:     else {
                    155:         # root capability is already disabled
                    156:     }
                    157: }
                    158: 
                    159: sub Exit {
                    160:     my ($code) = @_;
                    161:     &DisableRoot();
                    162:     print "Exiting with status $code\n" unless $noprint;
                    163:     exit $code;
                    164: }
                    165: 
