File:
[LON-CAPA] /
loncom /
lcnfson
Revision
1.5:
download - view:
text,
annotated -
select for diffs
Wed Aug 22 19:53:22 2007 UTC (16 years, 9 months ago) by
albertel
Branches:
MAIN
CVS tags:
version_2_9_X,
version_2_9_99_0,
version_2_9_1,
version_2_9_0,
version_2_8_X,
version_2_8_99_1,
version_2_8_99_0,
version_2_8_2,
version_2_8_1,
version_2_8_0,
version_2_7_X,
version_2_7_99_1,
version_2_7_99_0,
version_2_7_1,
version_2_7_0,
version_2_6_X,
version_2_6_99_1,
version_2_6_99_0,
version_2_6_3,
version_2_6_2,
version_2_6_1,
version_2_6_0,
version_2_5_99_1,
version_2_5_99_0,
version_2_10_0_RC1,
bz6209-base,
bz6209,
bz5969,
bz2851,
PRINT_INCOMPLETE_base,
PRINT_INCOMPLETE,
HEAD,
GCI_3,
GCI_2,
GCI_1,
BZ5971-printing-apage,
BZ5434-fox
- add in revision info
#!/usr/bin/perl
use strict;
# $Id: lcnfson,v 1.5 2007/08/22 19:53:22 albertel Exp $
# This script is a setuid script (chmod 6755; chown root:root).
# It enables nfs/portmap services for a specific user at
# a specific ip address.
# Exit codes. 0=ok. Higher than 0 means something went wrong.
# Usage within code
#
# $exitcode=system("/home/httpd/perl/lcuseradd","NAME","IPADDRESS")/256;
# print "uh-oh" if $exitcode;
# Security
$ENV{'PATH'}=""; # Nullify path information.
$ENV{'BASH_ENV'}=""; # Nullify shell environment information.
# Do not print error messages if there are command-line arguments
my $noprint=0;
if (@ARGV) {
$noprint=1;
}
# Read in /etc/passwd, and make sure this process is running from user=www
open (IN, "</etc/passwd");
my @lines=<IN>;
close IN;
my $wwwid;
for my $l (@lines) {
chop $l;
my @F=split(/\:/,$l);
if ($F[0] eq 'www') {$wwwid=$F[2];}
}
if ($wwwid!=$<) {
print("User ID mismatch. This program must be run as user 'www'\n") unless $noprint;
exit 1;
}
&disable_root_capability;
# Handle case of another lcnfs process
unless (&try_to_lock("/tmp/lock_lcnfs")) {
print "Error. Too many other simultaneous nfs change requests being made.\n" unless $noprint;
exit 4;
}
# Gather input. Should be 2 values (user name, numeric ip address).
my @input;
if (@ARGV==3) {
@input=@ARGV;
}
elsif (@ARGV) {
print("Error. This program needs 2 command-line arguments (username, numeric ip address).\n") unless $noprint;
unlink('/tmp/lock_lcnfs');
exit 2;
}
else {
@input=<>;
if (@input!=2) {
print("Error. Two lines should be entered into standard input.\n") unless $noprint;
unlink('/tmp/lock_lcnfs');
exit 3;
}
map {chop} @input;
}
my ($username,$ipaddress)=@input;
$username=~/^(\w+)$/;
my $safeusername=$1;
if ($username ne $safeusername) {
print "Error. The user name specified has invalid characters.\n";
unlink('/tmp/lock_lcnfs');
exit 9;
}
# Read in /etc/passwd, and make sure this process is running from user=www
open (IN, "</etc/passwd");
my @lines=<IN>;
close IN;
my $uid;
my $gid;
for my $l (@lines) {
chop $l;
my @F=split(/\:/,$l);
if ($F[0] eq $safeusername) {$uid=$F[2]; $gid=$F[3];}
}
$ipaddress=~/^([\w|\.]*)$/;
my $safeipaddress=$1;
if ($ipaddress ne $safeipaddress) {
print "Error. The IP address must be numeric and of the form ##.##.##.##.\n";
unlink('/tmp/lock_lcnfs');
exit 8;
}
&enable_root_capability;
# Make sure nfs is running, if not, start it
my $status=`/etc/rc.d/init.d/nfs status`;
if ($status=~/is stopped/) {
system('/etc/rc.d/init.d/nfs start','start');
}
# Add entry to /etc/exports
my $exports=`/bin/cat /etc/exports`; $exports="\n$exports";
my $entry="/home/$safeusername $safeipaddress(rw,all_squash,anonuid=$uid,anongid=$gid)\n";
if ($exports=~/\n\/home\/$safeusername\s+$safeipaddress\(rw,all_squash,anonuid=$uid,anongid=$gid\)/) {
print "Error. /etc/exports already has this entry enabled.\n";
unlink('/tmp/lock_lcnfs');
exit 7;
}
open (OUT,">>/etc/exports");
print OUT $entry;
close OUT;
# Resynchronize /etc/exports file
system('/usr/sbin/exportfs','-r');
# Add entry /etc/hosts.allow
my $hostsallow=`/bin/cat /etc/hosts.allow`;
my $entry="# $safeusername\nportmap: $safeipaddress\n";
if ($hostsallow=~/\n\# $safeusername\s*\nportmap: $safeipaddress\n/) {
print "Error. /etc/hosts already has this entry enabled.\n";
unlink('/tmp/lock_lcnfs');
exit 6;
}
open (OUT,">>/etc/hosts.allow");
print OUT $entry;
close OUT;
&disable_root_capability;
unlink('/tmp/lock_lcnfs');
exit 0;
# ----------------------------------------------------------- have setuid script run as root
sub enable_root_capability {
if ($wwwid==$>) {
($<,$>)=($>,$<);
($(,$))=($),$();
}
else {
# root capability is already enabled
}
return $>;
}
# ----------------------------------------------------------- have setuid script run as www
sub disable_root_capability {
if ($wwwid==$<) {
($<,$>)=($>,$<);
($(,$))=($),$();
}
else {
# root capability is already disabled
}
}
# ----------------------------------- make sure that another lcnfs process isn't running
sub try_to_lock {
my ($lockfile)=@_;
my $currentpid;
my $lastpid;
# Do not manipulate lock file as root
if ($>==0) {
return 0;
}
# Try to generate lock file.
# Wait 3 seconds. If same process id is in
# lock file, then assume lock file is stale, and
# go ahead. If process id's fluctuate, try
# for a maximum of 10 times.
for (0..10) {
if (-e $lockfile) {
open(LOCK,"<$lockfile");
$currentpid=<LOCK>;
close LOCK;
if ($currentpid==$lastpid) {
last;
}
sleep 3;
$lastpid=$currentpid;
}
else {
last;
}
if ($_==10) {
return 0;
}
}
open(LOCK,">$lockfile");
print LOCK $$;
close LOCK;
return 1;
}
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/back.gif){kind=icon}
Return to lcnfson CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [LON-CAPA] / loncom