version 1.1, 2000/11/02 20:48:13
|
version 1.6, 2010/10/12 10:26:50
|
Line 1
|
Line 1
|
#!/usr/bin/perl |
#!/usr/bin/perl |
|
|
# Scott Harrison |
|
# SH: November 2, 2000 |
|
|
|
use strict; |
use strict; |
|
|
|
# $Id$ |
|
|
|
# This script is a setuid script (chmod 6755; chown root:root). |
|
# It enables nfs/portmap services for a specific user at |
|
# a specific ip address. |
|
|
|
# Exit codes. 0=ok. Higher than 0 means something went wrong. |
|
# Usage within code |
|
# |
|
# $exitcode=system("/home/httpd/perl/lcuseradd","NAME","IPADDRESS")/256; |
|
# print "uh-oh" if $exitcode; |
|
|
# Security |
# Security |
$ENV{'PATH'}=""; # Nullify path information. |
$ENV{'PATH'}=""; # Nullify path information. |
$ENV{'BASH_ENV'}=""; # Nullify shell environment information. |
$ENV{'BASH_ENV'}=""; # Nullify shell environment information. |
Line 29 if ($wwwid!=$<) {
|
Line 38 if ($wwwid!=$<) {
|
print("User ID mismatch. This program must be run as user 'www'\n") unless $noprint; |
print("User ID mismatch. This program must be run as user 'www'\n") unless $noprint; |
exit 1; |
exit 1; |
} |
} |
&disable_root_capability; |
|
|
|
# Handle case of another lcnfs process |
# Handle case of another lcnfs process |
unless (&try_to_lock("/tmp/lock_lcnfs")) { |
unless (&try_to_lock("/tmp/lock_lcnfs")) { |
print "Error. Too many other simultaneous nfs change requests being made.\n" unless $noprint; |
print "Error. Too many other simultaneous nfs change requests being made.\n" unless $noprint; |
exit 4; |
exit 4; |
} |
} |
# Gather input. Should be 3 values (user name, password 1, password 2). |
# Gather input. Should be 2 values (user name, numeric ip address). |
my @input; |
my @input; |
if (@ARGV==3) { |
if (@ARGV==3) { |
@input=@ARGV; |
@input=@ARGV; |
} |
} |
elsif (@ARGV) { |
elsif (@ARGV) { |
print("Error. This program needs 3 command-line arguments (username, password 1, password 2).\n") unless $noprint; |
print("Error. This program needs 2 command-line arguments (username, numeric ip address).\n") unless $noprint; |
unlink('/tmp/lock_lcpasswd'); |
unlink('/tmp/lock_lcnfs'); |
exit 2; |
exit 2; |
} |
} |
else { |
else { |
@input=<>; |
@input=<>; |
if (@input!=3) { |
if (@input!=2) { |
print("Error. Three lines should be entered into standard input.\n") unless $noprint; |
print("Error. Two lines should be entered into standard input.\n") unless $noprint; |
unlink('/tmp/lock_lcpasswd'); |
unlink('/tmp/lock_lcnfs'); |
exit 3; |
exit 3; |
} |
} |
map {chop} @input; |
map {chop} @input; |
Line 61 $username=~/^(\w+)$/;
|
Line 70 $username=~/^(\w+)$/;
|
my $safeusername=$1; |
my $safeusername=$1; |
if ($username ne $safeusername) { |
if ($username ne $safeusername) { |
print "Error. The user name specified has invalid characters.\n"; |
print "Error. The user name specified has invalid characters.\n"; |
unlink('/tmp/lock_nfs'); |
unlink('/tmp/lock_lcnfs'); |
exit 9; |
exit 9; |
} |
} |
|
|
Line 81 $ipaddress=~/^([\w|\.]*)$/;
|
Line 90 $ipaddress=~/^([\w|\.]*)$/;
|
my $safeipaddress=$1; |
my $safeipaddress=$1; |
if ($ipaddress ne $safeipaddress) { |
if ($ipaddress ne $safeipaddress) { |
print "Error. The IP address must be numeric and of the form ##.##.##.##.\n"; |
print "Error. The IP address must be numeric and of the form ##.##.##.##.\n"; |
unlink('/tmp/lock_nfs'); |
unlink('/tmp/lock_lcnfs'); |
exit 8; |
exit 8; |
} |
} |
|
|
Line 94 if ($status=~/is stopped/) {
|
Line 103 if ($status=~/is stopped/) {
|
|
|
# Add entry to /etc/exports |
# Add entry to /etc/exports |
my $exports=`/bin/cat /etc/exports`; $exports="\n$exports"; |
my $exports=`/bin/cat /etc/exports`; $exports="\n$exports"; |
my $entry="/home/$safeusername $safeipaddress(rw,all_squash,anonuid=$uid,anongid=$gid\n"; |
my $entry="/home/$safeusername $safeipaddress(rw,all_squash,anonuid=$uid,anongid=$gid)\n"; |
if ($exports=~/\n\/home\/$safeusername\s+$safeipaddress\(rw,all_squash,anonuid=$uid,anongid=$gid\)/) { |
if ($exports=~/\n\/home\/$safeusername\s+$safeipaddress\(rw,all_squash,anonuid=$uid,anongid=$gid\)/) { |
print "Error. /etc/exports already has this entry enabled.\n"; |
print "Error. /etc/exports already has this entry enabled.\n"; |
unlink('/tmp/lock_nfs'); |
unlink('/tmp/lock_lcnfs'); |
exit 7; |
exit 7; |
} |
} |
open (OUT,">>/etc/exports); |
open (OUT,">>/etc/exports"); |
print OUT $entry; |
print OUT $entry; |
close OUT; |
close OUT; |
|
|
Line 109 system('/usr/sbin/exportfs','-r');
|
Line 118 system('/usr/sbin/exportfs','-r');
|
|
|
# Add entry /etc/hosts.allow |
# Add entry /etc/hosts.allow |
my $hostsallow=`/bin/cat /etc/hosts.allow`; |
my $hostsallow=`/bin/cat /etc/hosts.allow`; |
my $entry="# $safeusername\nportmap $safeipaddress\n"; |
my $entry="# $safeusername\nportmap: $safeipaddress\n"; |
if ($hostsallow=~/\n\# $safeusername\s*\nportmap $safeipaddress\n/) { |
if ($hostsallow=~/\n\# $safeusername\s*\nportmap: $safeipaddress\n/) { |
print "Error. /etc/hosts already has this entry enabled.\n"; |
print "Error. /etc/hosts already has this entry enabled.\n"; |
unlink('/tmp/lock_nfs'); |
unlink('/tmp/lock_lcnfs'); |
exit 6; |
exit 6; |
} |
} |
open (OUT,">>/etc/hosts.allow"); |
open (OUT,">>/etc/hosts.allow"); |
print OUT $entry; |
print OUT $entry; |
close OUT; |
close OUT; |
|
|
|
&disable_root_capability; |
|
unlink('/tmp/lock_lcnfs'); |
|
exit 0; |
|
|
# ----------------------------------------------------------- have setuid script run as root |
# ----------------------------------------------------------- have setuid script run as root |
sub enable_root_capability { |
sub enable_root_capability { |
if ($wwwid==$>) { |
if ($wwwid==$>) { |