Annotation of loncom/lcnfsoff, revision 1.4
1.1 harris41 1: #!/usr/bin/perl
2:
3: use strict;
4:
1.4 ! foxr 5: # $Id: lcnfsoff,v 1.3 2007/08/22 19:53:22 albertel Exp $
1.3 albertel 6:
1.1 harris41 7: # This script is a setuid script (chmod 6755; chown root:root).
8: # It disables nfs/portmap services for a specific user at
9: # a specific ip address.
10:
11: # Exit codes. 0=ok. Higher than 0 means something went wrong.
12:
13: # Usage within code
14: #
15: # $exitcode=system("/home/httpd/perl/lcnfsoff","NAME","IPADDRESS")/256;
16: # print "uh-oh" if $exitcode;
17:
18: # Security
19: $ENV{'PATH'}=""; # Nullify path information.
20: $ENV{'BASH_ENV'}=""; # Nullify shell environment information.
21:
22: # Do not print error messages if there are command-line arguments
23: my $noprint=0;
24: if (@ARGV) {
25: $noprint=1;
26: }
27:
28: # Read in /etc/passwd, and make sure this process is running from user=www
29: open (IN, "</etc/passwd");
30: my @lines=<IN>;
31: close IN;
32: my $wwwid;
33: for my $l (@lines) {
34: chop $l;
35: my @F=split(/\:/,$l);
36: if ($F[0] eq 'www') {$wwwid=$F[2];}
37: }
38: if ($wwwid!=$<) {
39: print("User ID mismatch. This program must be run as user 'www'\n") unless $noprint;
40: exit 1;
41: }
1.4 ! foxr 42:
1.1 harris41 43:
44: # Handle case of another lcnfs process
45: unless (&try_to_lock("/tmp/lock_lcnfs")) {
46: print "Error. Too many other simultaneous nfs change requests being made.\n" unless $noprint;
47: exit 4;
48: }
49: # Gather input. Should be 2 values (user name, numeric ip address).
50: my @input;
51: if (@ARGV==3) {
52: @input=@ARGV;
53: }
54: elsif (@ARGV) {
55: print("Error. This program needs 2 command-line arguments (username, numeric ip address).\n") unless $noprint;
56: unlink('/tmp/lock_lcnfs');
57: exit 2;
58: }
59: else {
60: @input=<>;
61: if (@input!=2) {
62: print("Error. Two lines should be entered into standard input.\n") unless $noprint;
63: unlink('/tmp/lock_lcnfs');
64: exit 3;
65: }
66: map {chop} @input;
67: }
68:
69: my ($username,$ipaddress)=@input;
70: $username=~/^(\w+)$/;
71: my $safeusername=$1;
72: if ($username ne $safeusername) {
73: print "Error. The user name specified has invalid characters.\n";
74: unlink('/tmp/lock_lcnfs');
75: exit 9;
76: }
77:
78: $ipaddress=~/^([\w|\.]*)$/;
79: my $safeipaddress=$1;
80: if ($ipaddress ne $safeipaddress) {
81: print "Error. The IP address must be numeric and of the form ##.##.##.##.\n";
82: unlink('/tmp/lock_lcnfs');
83: exit 8;
84: }
85:
86: &enable_root_capability;
87: # Remove entry from /etc/exports
88: my $exports=`/bin/cat /etc/exports`;
89: $exports=~s/\/home\/${safeusername}\s*${safeipaddress}.*?\n//g;
90: # Resynchronize /etc/exports file
91: open (OUT,">/etc/exports");
92: print OUT $exports;
93: close OUT;
94: system('/usr/sbin/exportfs','-r');
95:
96: # Remove entry from /etc/hosts.allow
97: my $hostsallow=`/bin/cat /etc/hosts.allow`;
98: $hostsallow=~s/\# $safeusername\nportmap: $safeipaddress\n//g;
99: open (OUT,">/etc/hosts.allow");
100: print OUT $hostsallow;
101: close OUT;
102:
103: &disable_root_capability;
104: unlink('/tmp/lock_lcnfs');
105: exit 0;
106:
107: # ----------------------------------------------------------- have setuid script run as root
108: sub enable_root_capability {
109: if ($wwwid==$>) {
110: ($<,$>)=($>,$<);
111: ($(,$))=($),$();
112: }
113: else {
114: # root capability is already enabled
115: }
116: return $>;
117: }
118:
119: # ----------------------------------------------------------- have setuid script run as www
120: sub disable_root_capability {
121: if ($wwwid==$<) {
122: ($<,$>)=($>,$<);
123: ($(,$))=($),$();
124: }
125: else {
126: # root capability is already disabled
127: }
128: }
129:
130: # ----------------------------------- make sure that another lcnfs process isn't running
131: sub try_to_lock {
132: my ($lockfile)=@_;
133: my $currentpid;
134: my $lastpid;
135: # Do not manipulate lock file as root
136: if ($>==0) {
137: return 0;
138: }
139: # Try to generate lock file.
140: # Wait 3 seconds. If same process id is in
141: # lock file, then assume lock file is stale, and
142: # go ahead. If process id's fluctuate, try
143: # for a maximum of 10 times.
144: for (0..10) {
145: if (-e $lockfile) {
146: open(LOCK,"<$lockfile");
147: $currentpid=<LOCK>;
148: close LOCK;
149: if ($currentpid==$lastpid) {
150: last;
151: }
152: sleep 3;
153: $lastpid=$currentpid;
154: }
155: else {
156: last;
157: }
158: if ($_==10) {
159: return 0;
160: }
161: }
162: open(LOCK,">$lockfile");
163: print LOCK $$;
164: close LOCK;
165: return 1;
166: }
167:
168:
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/back.gif){kind=icon}
Return to lcnfsoff CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [LON-CAPA] / loncom