int main(int argc, char *argv[]) {
if ( argc < 2 ) {
printf("invalid parameter(s)\n");
return(1);
}
if (!(initsetuid()))
exit(1);
if (strcmp(argv[1], "cron") == 0) {
safe_system("rm /etc/fcron.*/updxlrator 2&>/dev/null");
if (strcmp(argv[2], "daily") == 0) {
safe_system("ln -s /var/ipfire/updatexlrator/bin/checkup /etc/fcron.daily/updxlrator");
} else if (strcmp(argv[2], "weekly") == 0) {
safe_system("ln -s /var/ipfire/updatexlrator/bin/checkup /etc/fcron.weekly/updxlrator");
} else if (strcmp(argv[2], "monthly") == 0) {
safe_system("ln -s /var/ipfire/updatexlrator/bin/checkup /etc/fcron.monthly/updxlrator");
} else {
printf("invalid parameter(s)\n");
return(1);
}
}
return 0;
}
int main(int argc, char *argv[]) {
if (!(initsetuid()))
exit(1);
if (argc < 2) {
fprintf(stderr, "\nNo argument given.\n\nsquidctrl (start|stop|restart|flush|reconfigure)\n\n");
exit(1);
}
if (strcmp(argv[1], "start") == 0) {
safe_system("/etc/rc.d/init.d/squid start");
} else if (strcmp(argv[1], "stop") == 0) {
safe_system("/etc/rc.d/init.d/squid stop");
} else if (strcmp(argv[1], "restart") == 0) {
safe_system("/etc/rc.d/init.d/squid restart");
} else if (strcmp(argv[1], "reconfigure") == 0) {
safe_system("/etc/rc.d/init.d/squid reconfigure");
} else if (strcmp(argv[1], "flush") == 0) {
safe_system("/etc/rc.d/init.d/squid flush");
} else if (strcmp(argv[1], "enable") == 0) {
safe_system("ln -fs ../init.d/squid /etc/rc.d/rc0.d/K00squid >/dev/null 2>&1");
safe_system("ln -fs ../init.d/squid /etc/rc.d/rc6.d/K00squid >/dev/null 2>&1");
} else if (strcmp(argv[1], "disable") == 0) {
safe_system("rm -f /etc/rc.d/rc*.d/*squid >/dev/null 2>&1");
} else {
fprintf(stderr, "\nBad argument given.\n\nsquidctrl (start|stop|restart|flush|reconfigure|setperms)\n\n");
exit(1);
}
return 0;
}
int main(int argc, char *argv[]) {
struct keyvalue* kv = NULL;
int fd = -1;
int r = 0;
if (!(initsetuid()))
exit(1);
if (argc < 2) {
fprintf(stderr, "\nNo argument given.\n\nqosctrl (start|stop|restart|status|generate)\n\n");
exit(1);
}
if (strcmp(argv[1], "generate") == 0) {
kv = initkeyvalues();
if (!readkeyvalues(kv, CONFIG_ROOT "/qos/settings")) {
fprintf(stderr, "Cannot read QoS settings\n");
r = 1;
goto END;
}
char enabled[STRING_SIZE];
if (!findkey(kv, "ENABLED", enabled))
strcpy(enabled, "off");
if (strcmp(enabled, "on") == 0)
safe_system("/usr/bin/perl /var/ipfire/qos/bin/makeqosscripts.pl > " QOS_SH);
else
unlink(QOS_SH);
}
if ((fd = open(QOS_SH, O_RDONLY)) != -1) {
close(fd);
} else {
// If there is no qos.sh do nothing.
goto END;
}
safe_system("chmod 755 " QOS_SH " &>/dev/null");
if (strcmp(argv[1], "start") == 0) {
safe_system(QOS_SH " start");
} else if (strcmp(argv[1], "stop") == 0) {
safe_system(QOS_SH " clear");
} else if (strcmp(argv[1], "status") == 0) {
safe_system(QOS_SH " status");
} else if (strcmp(argv[1], "restart") == 0) {
safe_system(QOS_SH " restart");
} else {
if (strcmp(argv[1], "generate") == 0) {exit(0);}
fprintf(stderr, "\nBad argument given.\n\nqosctrl (start|stop|restart|status|generate)\n\n");
exit(1);
}
END:
if (kv)
freekeyvalues(kv);
return r;
}
int main(void)
{
if (!(initsetuid()))
exit(1);
safe_system("/usr/bin/sendprofile");
return 0;
}
int main(void)
{
if (!(initsetuid(1)))
exit(1);
system("/sbin/shutdown -r now");
return 0;
}
int main(int argc, char *argv[])
{
if (!(initsetuid()) )
exit(1);
system("/etc/rc.d/rc.vlan");
return 0;
}
int main(int argc, char *argv[]) {
char command[512];
if (!(initsetuid()))
exit(1);
snprintf(command, 512, "/var/ipfire/extrahd/bin/extrahd.pl %s %s", argv[1], argv[2]);
safe_system("chmod 755 /var/ipfire/extrahd/bin/extrahd.pl 2>&1 >/dev/null");
safe_system(command);
}
int main(int argc, char *argv[])
{
if (argc < 2)
return(1);
if (!(initsetuid()))
exit(-1);
snprintf(command, BUFFER_SIZE-1, "/bin/chown nobody:squid /home/httpd/vhost81/html/updatecache/%s", argv[1]);
safe_system(command);
return(0);
}
int main(int argc, char *argv[])
{
if (!(initsetuid()))
exit(1);
snprintf(command, BUFFER_SIZE-1, "/usr/sbin/etherwake -i %s %s", argv[2], argv[1]);
safe_system(command);
/* Send magic packet with broadcast flag set. */
snprintf(command, BUFFER_SIZE-1, "/usr/sbin/etherwake -i %s -b %s", argv[2], argv[1]);
safe_system(command);
return(0);
}
int main(void)
{
FILE *f;
if (!(initsetuid(1)))
exit(1);
if ((f = fopen("/var/smoothwall/adsl/mgmt.o", "r")))
{
system("/usr/bin/modem_run -f /var/smoothwall/adsl/mgmt.o -v 1");
fclose(f);
}
return 0;
}
int main(int argc, char *argv[]) {
int i;
char command[1024];
char add[STRING_SIZE];
if (!(initsetuid()))
exit(1);
snprintf(command, STRING_SIZE, "/opt/pakfire/pakfire");
for (i = 1; i < argc; i++) {
sprintf(add, " %s", argv[i]);
strcat(command, add);
}
return safe_system(command);
}
int main(void) {
if (!(initsetuid()))
exit(1);
FILE *fp = fopen("/proc/net/nf_conntrack", "r");
if (fp == NULL) {
exit(1);
}
/* Read content line by line and write it to stdout. */
char linebuf[STRING_SIZE];
while (fgets(linebuf, STRING_SIZE, fp)) {
printf("%s", linebuf);
}
fclose(fp);
return 0;
}
int main(int argc, char *argv[]) {
if (!(initsetuid()))
exit(1);
if (argc < 2) {
fprintf(stderr, "\nNo argument given.\n\ndnsmasqctrl (restart)\n\n");
exit(1);
}
if (strcmp(argv[1], "restart") == 0) {
safe_system("/etc/rc.d/init.d/dnsmasq restart");
} else {
fprintf(stderr, "\nBad argument given.\n\ndnsmasqctrl (restart)\n\n");
exit(1);
}
return 0;
}
int main(int argc, char *argv[]) {
char cmd[STRING_SIZE];
if (!(initsetuid()))
exit(1);
if (argc < 2) {
fprintf(stderr, "\nNo argument given.\n\nddnsctrl (update-all)\n\n");
exit(1);
}
if (strcmp(argv[1], "update-all") == 0) {
snprintf(cmd, sizeof(cmd), "/usr/bin/ddns --config %s update-all >/dev/null 2>&1", conffile);
safe_system(cmd);
} else {
fprintf(stderr, "\nBad argument given.\n\nddnsctrl (update-all)\n\n");
exit(1);
}
return 0;
}
int main(int argc, char *argv[])
{
static struct option long_options[] =
{
{ "eroute", no_argument, &flag_eroute, 1 },
{ "verbose", no_argument, 0, 'v' },
{ "help", no_argument, 0, 'h' },
{ 0, 0, 0, 0}
};
int c;
int option_index = 0;
while ((c = getopt_long(argc, argv, "v", long_options, &option_index)) != -1) {
switch (c) {
case 0:
break;
case 'v': /* verbose */
flag_verbose++;
break;
case 'h':
usage(argv[0], 0);
default:
fprintf(stderr, "unknown option\n");
usage(argv[0], 1);
}
}
if ( !(initsetuid()) )
exit(1);
if (flag_eroute) {
safe_system("/bin/cat /proc/net/ipsec_eroute 2>/dev/null");
}
else {
safe_system("/usr/sbin/conntrack -L -o xml 2>/dev/null");
}
return(0);
}
int main(int argc, char *argv[]) {
if (!(initsetuid()))
exit(1);
if (argc < 2) {
fprintf(stderr, "\nNo argument given.\n\nredctrl (start|stop|restart)\n\n");
exit(1);
}
if (strcmp(argv[1], "start") == 0) {
safe_system("/etc/rc.d/init.d/network start red");
} else if (strcmp(argv[1], "stop") == 0) {
safe_system("/etc/rc.d/init.d/network stop red");
} else if (strcmp(argv[1], "restart") == 0) {
safe_system("/etc/rc.d/init.d/network restart red");
} else {
fprintf(stderr, "\nBad argument given.\n\nredctrl (start|stop|restart)\n\n");
exit(1);
}
return 0;
}
int main(int argc, char *argv[]) {
if (!(initsetuid()))
exit(1);
if (argc < 2) {
fprintf(stderr, "\nNo argument given.\n\nsmartctrl <device>\n\n");
exit(1);
}
sprintf(command, "/var/run/hddshutdown-%s", argv[1]);
FILE *fp = fopen(command,"r");
if( fp ) {
fclose(fp);
printf("\nDisk %s is in Standby. Do nothing because we won't wakeup\n",argv[1]);
exit(1);
}
sprintf(command, "smartctl -iHA /dev/%s", argv[1]);
safe_system(command);
return 0;
}
int main(int argc, char *argv[]) {
char configtype[STRING_SIZE];
char redtype[STRING_SIZE] = "";
struct keyvalue *kv = NULL;
if (argc < 2) {
usage();
exit(1);
}
if (!(initsetuid()))
exit(1);
FILE *file = NULL;
if (strcmp(argv[1], "I") == 0) {
safe_system("/usr/sbin/ipsec status");
exit(0);
}
if (strcmp(argv[1], "R") == 0) {
safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1");
exit(0);
}
/* FIXME: workaround for pclose() issue - still no real idea why
* this is happening */
signal(SIGCHLD, SIG_DFL);
/* handle operations that doesn't need start the ipsec system */
if (argc == 2) {
if (strcmp(argv[1], "D") == 0) {
safe_system("/usr/sbin/ipsec stop >/dev/null 2>&1");
ipsec_norules();
exit(0);
}
}
/* read vpn config */
kv=initkeyvalues();
if (!readkeyvalues(kv, CONFIG_ROOT "/vpn/settings"))
{
fprintf(stderr, "Cannot read vpn settings\n");
exit(1);
}
/* check is the vpn system is enabled */
{
char s[STRING_SIZE];
findkey(kv, "ENABLED", s);
freekeyvalues(kv);
if (strcmp (s, "on") != 0)
exit(0);
}
/* read interface settings */
kv=initkeyvalues();
if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings"))
{
fprintf(stderr, "Cannot read ethernet settings\n");
exit(1);
}
if (!findkey(kv, "CONFIG_TYPE", configtype))
{
fprintf(stderr, "Cannot read CONFIG_TYPE\n");
exit(1);
}
findkey(kv, "RED_TYPE", redtype);
/* Loop through the config file to find physical interface that will accept IPSEC */
int enable_red=0; // states 0: not used
int enable_green=0; // 1: error condition
int enable_orange=0; // 2: good
int enable_blue=0;
char if_red[STRING_SIZE] = "";
char if_green[STRING_SIZE] = "";
char if_orange[STRING_SIZE] = "";
char if_blue[STRING_SIZE] = "";
char s[STRING_SIZE];
// when RED is up, find interface name in special file
FILE *ifacefile = NULL;
if ((ifacefile = fopen(CONFIG_ROOT "/red/iface", "r"))) {
if (fgets(if_red, STRING_SIZE, ifacefile)) {
if (if_red[strlen(if_red) - 1] == '\n')
if_red[strlen(if_red) - 1] = '\0';
}
fclose (ifacefile);
if (VALID_DEVICE(if_red))
enable_red++;
}
// Check if GREEN is enabled.
findkey(kv, "GREEN_DEV", if_green);
if (VALID_DEVICE(if_green))
enable_green++;
// Check if ORANGE is enabled.
findkey(kv, "ORANGE_DEV", if_orange);
if (VALID_DEVICE(if_orange))
enable_orange++;
// Check if BLUE is enabled.
findkey(kv, "BLUE_DEV", if_blue);
if (VALID_DEVICE(if_blue))
enable_blue++;
freekeyvalues(kv);
// exit if nothing to do
if ((enable_red+enable_green+enable_orange+enable_blue) == 0)
exit(0);
// open needed ports
if (enable_red > 0)
open_physical(if_red, 4500);
if (enable_green > 0)
open_physical(if_green, 4500);
if (enable_orange > 0)
open_physical(if_orange, 4500);
if (enable_blue > 0)
open_physical(if_blue, 4500);
// start the system
if ((argc == 2) && strcmp(argv[1], "S") == 0) {
safe_system("/usr/sbin/ipsec restart >/dev/null");
exit(0);
}
// it is a selective start or stop
// second param is only a number 'key'
if ((argc == 2) || strspn(argv[2], NUMBERS) != strlen(argv[2])) {
fprintf(stderr, "Bad arg: %s\n", argv[2]);
usage();
exit(1);
}
// search the vpn pointed by 'key'
if (!(file = fopen(CONFIG_ROOT "/vpn/config", "r"))) {
fprintf(stderr, "Couldn't open vpn settings file");
exit(1);
}
while (fgets(s, STRING_SIZE, file) != NULL) {
char *key;
char *name;
char *type;
if (!decode_line(s,&key,&name,&type))
continue;
// is it the 'key' requested ?
if (strcmp(argv[2], key) != 0)
continue;
// Start or Delete this Connection
if (strcmp(argv[1], "S") == 0)
turn_connection_on (name, type);
else if (strcmp(argv[1], "D") == 0)
turn_connection_off (name);
else {
fprintf(stderr, "Bad command\n");
exit(1);
}
}
fclose(file);
return 0;
}
int main(void)
{
char s[STRING_SIZE];
char command[STRING_SIZE];
char red_netmask[STRING_SIZE];
char red_broadcast[STRING_SIZE];
char red_dev[STRING_SIZE];
char default_gateway[STRING_SIZE];
char *aliasip;
char *enabled;
char *sptr;
char *comment;
int alias;
int count;
if (!(initsetuid()))
{
fprintf(stderr, "Cannot run setuid\n");
exit(1);
}
atexit(exithandler);
/* Init the keyvalue structure */
kv=initkeyvalues();
/* Read in the current values */
if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings"))
{
fprintf(stderr, "Cannot read ethernet settings\n");
exit(1);
}
/* Find the CONFIG_TYPE value */
if (!findkey(kv, "CONFIG_TYPE", s))
{
fprintf(stderr, "Cannot read CONFIG_TYPE\n");
exit(1);
}
/* Check for CONFIG_TYPE=2 or 3 i.e. RED ethernet present. If not,
* exit gracefully. This is not an error... */
if (!((strcmp(s, "1")==0) || (strcmp(s, "2")==0) || (strcmp(s, "3")==0) || (strcmp(s, "4")==0)))
exit(0);
/* Now check the RED_TYPE - aliases only work with STATIC.
* At least, that's what /etc/rc.d/rc.netaddress.up thinks.. */
/* Find the RED_TYPE value */
if (!findkey(kv, "RED_TYPE", s))
{
fprintf(stderr, "Cannot read RED_TYPE\n");
exit(1);
}
/* Make sure it's the right type */
if (!(strcmp(s, "STATIC")==0))
exit(0);
/* Get the RED interface details */
if((!findkey(kv, "RED_NETMASK", red_netmask)) || (!findkey(kv, "RED_BROADCAST", red_broadcast)) ||
(!findkey(kv, "RED_DEV", red_dev)) || (!findkey(kv, "DEFAULT_GATEWAY", default_gateway)))
{
fprintf(stderr, "Cannot read RED settings\n");
exit(1);
}
if (!VALID_DEVICE(red_dev))
{
fprintf(stderr, "Bad red_dev: %s\n", red_dev);
exit(1);
}
if (!VALID_IP(red_netmask))
{
fprintf(stderr, "Bad red_netmask : %s\n", red_netmask);
exit(1);
}
if (!VALID_IP(red_broadcast))
{
fprintf(stderr, "Bad red_broadcast : %s\n", red_broadcast);
exit(1);
}
if (!VALID_IP(default_gateway))
{
fprintf(stderr, "Bad default_gateway : %s\n", default_gateway);
exit(1);
}
/* down the aliases in turn until ifconfig complains */
alias=0;
do
{
memset(command, 0, STRING_SIZE);
snprintf(command, STRING_SIZE-1, "/sbin/ifconfig %s:%d down 2>/dev/null", red_dev, alias++);
} while (safe_system(command)==0);
/* Now set up the new aliases from the config file */
if (!(file = fopen(CONFIG_ROOT "/ethernet/aliases", "r")))
{
fprintf(stderr, "Unable to open aliases configuration file\n");
exit(1);
}
alias=0;
int linecounter = 0;
while (fgets(s, STRING_SIZE, file) != NULL)
{
linecounter++;
if (s[strlen(s) - 1] == '\n')
s[strlen(s) - 1] = '\0';
count = 0;
aliasip = NULL;
enabled = NULL;
comment = NULL;
sptr = strtok(s, ",");
while (sptr)
{
if (count == 0)
aliasip = sptr;
if (count == 1)
enabled = sptr;
else
comment = sptr;
count++;
sptr = strtok(NULL, ",");
}
if (!(aliasip && enabled)) {
fprintf(stderr, "Incomplete data line: in %s(%d)\n",
CONFIG_ROOT "/ethernet/aliases",
linecounter);
exit(1);
}
if (!strcmp(enabled, "on") == 0) /* disabled rule? */
continue;
if (!VALID_IP(aliasip))
{
fprintf(stderr, "Bad alias : %s in %s(%d)\n",
aliasip,
CONFIG_ROOT "/ethernet/aliases",
linecounter);
exit(1);
}
memset(command, 0, STRING_SIZE);
snprintf(command, STRING_SIZE-1,
"/sbin/ifconfig %s:%d %s netmask %s broadcast %s up",
red_dev, alias, aliasip, red_netmask, red_broadcast);
safe_system(command);
memset(command, 0, STRING_SIZE);
snprintf(command, STRING_SIZE-1,
"/usr/sbin/arping -q -c 1 -w 1 -i %s -S %s %s",
red_dev, aliasip, default_gateway);
safe_system(command);
alias++;
}
return 0;
}
int main(int argc, char**argv)
{
if (!(initsetuid()))
return 1;
// Check what command is asked
if (argc==1)
{
fprintf (stderr, "Missing reboot command!\n");
return 1;
}
if (argc==2 && strcmp(argv[1], OP_SHUTDOWN)==0)
{
safe_system("/sbin/shutdown -h now");
return 0;
}
if (argc==2 && strcmp(argv[1], OP_REBOOT)==0)
{
safe_system("/sbin/shutdown -r now");
return 0;
}
if (argc==2 && strcmp(argv[1], OP_REBOOT_FS)==0)
{
safe_system("/sbin/shutdown -F -r now");
return 0;
}
// output schedule to stdout
if (argc==2 && strcmp(argv[1], OP_SCHEDULE_GET)==0)
{
safe_system("/bin/grep /sbin/shutdown /var/spool/cron/root.orig");
return 0;
}
if (argc==2 && strcmp(argv[1], OP_SCHEDULE_REM)==0)
{
safe_system("/usr/bin/perl -i -p -e 's/^.*\\/sbin\\/shutdown.*$//s' /var/spool/cron/root.orig");
safe_system("/usr/bin/fcrontab -u root -z");
return 0;
}
if (argc==6 && strcmp(argv[1], OP_SCHEDULE_ADD)==0)
{
// check args
if (!( strlen(argv[2])<3 &&
strspn(argv[2], "0123456789") == strlen (argv[2]) &&
strlen(argv[3])<3 &&
strspn(argv[3], "0123456789") == strlen (argv[3]) &&
strlen(argv[4])<14 &&
strspn(argv[4], "1234567,*") == strlen (argv[4]) &&
((strcmp(argv[5], "-r")==0) || //reboot
(strcmp(argv[5], "-h")==0)) ) //hangup
) {
fprintf (stderr, "Bad cron+ parameters!\n");
return 1;
}
// remove old entry
safe_system("/usr/bin/perl -i -p -e 's/^.*\\/sbin\\/shutdown.*$//s' /var/spool/cron/root.orig");
// add new entry
FILE *fd = NULL;
if ((fd = fopen("/var/spool/cron/root.orig", "a")))
{
fprintf (fd,"%s %s * * %s /sbin/shutdown %s 1\n",argv[2],argv[3],argv[4],argv[5]);
fclose (fd);
}
// inform cron
safe_system("/usr/bin/fcrontab -u root -z");
return 0;
}
fprintf (stderr, "Bad reboot command!\n");
return 1;
}
int main(int argc, char *argv[])
{
int tempfd;
char command[STRING_SIZE];
char filename[STRING_SIZE];
char buffer[STRING_SIZE];
char *timestamp = NULL;
FILE *fd;
NODEKV *kv_old = NULL;
NODEKV *kv_new = NULL;
char port_gui[STRING_SIZE];
char port_ssh[STRING_SIZE];
static struct option long_options[] =
{
{ "hardware", no_argument, &flag_hardware, 1 },
{ "hostname", required_argument, &flag_hostname, 1 },
{ "import", no_argument, &flag_import, 1 },
{ "restore", required_argument, &flag_restore, 1},
{ "verbose", no_argument, 0, 'v' },
{ "help", no_argument, 0, 'h' },
{ 0, 0, 0, 0}
};
int c;
int option_index = 0;
char *opt_filename = NULL;
while ((c = getopt_long(argc, argv, "r:v", long_options, &option_index)) != -1) {
switch (c) {
case 0:
if (!strcmp("hostname", long_options[option_index].name)) {
strcpy(hostname, optarg);
}
else if (!strcmp("restore", long_options[option_index].name)) {
opt_filename = strdup(optarg);
}
break;
case 'v': /* verbose */
flag_verbose++;
break;
case 'h':
usage(argv[0], 0);
default:
fprintf(stderr, "unknown option\n");
usage(argv[0], BACKUP_ERR_PARM);
}
}
if (!flag_import && !flag_restore) {
/* need at least one of import or restore */
usage(argv[0], 1);
}
/* Init setuid */
if (!(initsetuid()))
exit(BACKUP_ERR_SUID);
if (!flag_hostname) {
gethostname(hostname, STRING_SIZE - 1);
}
if (flag_restore) {
/* check filename valid, full file name length */
if (strlen(opt_filename) != (strlen(MOUNTPOINT "/-YYYY-MM-DD_HH-MM-SS.dat")+ strlen(hostname))) {
fprintf(stderr, "ipcoprscfg : bad file name\n");
fprintf(stderr, "%s\n", hostname);
fprintf(stderr, "%s\n", opt_filename);
exit(BACKUP_ERR_FILENAME);
}
/* file in the path */
if (!strstr(opt_filename, MOUNTPOINT)) {
fprintf(stderr, "ipcoprscfg : wrong path\n");
exit(BACKUP_ERR_PATHNAME);
}
/* and exist */
if (access(opt_filename, F_OK) == -1) {
fprintf(stderr, "Missing backup\n");
exit(BACKUP_ERR_DAT);
}
strcpy(filename, opt_filename);
}
else {
snprintf(filename, STRING_SIZE - 1, MOUNTPOINT "/%s.dat", hostname);
}
/* key file and encrypted .dat are required */
if (access(BACKUP_KEY, F_OK) == -1) {
fprintf(stderr, "Missing encryption key\n");
exit(BACKUP_ERR_DECRYPT);
}
/* now exithandler will have something to do */
atexit(exithandler);
/* decrypt .dat file to /tmp/hostname.tar.gz */
snprintf(command, STRING_SIZE - 1,
"/usr/bin/openssl des3 -d -salt "
"-in %s " "-out /tmp/%s.tar.gz " "-kfile " BACKUP_KEY "> /dev/null 2> /dev/null", filename, hostname);
if (safe_system(command)) {
fprintf(stderr, "Couldn't decrypt %s.dat archive\n", hostname);
exit(BACKUP_ERR_DECRYPT);
}
/* create temporary directory for testing untar */
strcpy(tmpdir, "/tmp/cfg_XXXXXX");
if (mkdtemp(tmpdir) == NULL) {
exit(BACKUP_ERR_ANY);
}
/* Start (test) untarring files from compressed archive */
snprintf(command, STRING_SIZE - 1, "/bin/tar -C %s -xzvf /tmp/%s.tar.gz > /dev/null 2> /dev/null", tmpdir,
hostname);
if (safe_system(command)) {
fprintf(stderr, "Invalid archive\n");
exit(BACKUP_ERR_UNTARTST);
}
/* Backup version OK ? */
if (testbackupversion(tmpdir) != SUCCESS) {
fprintf(stderr, "No version or invalid version in archive\n");
exit(BACKUP_ERR_VERSION);
}
/* If in import mode, read tagfile if include
* or parse backup to read newest file time change */
if (flag_import) {
snprintf(filename, STRING_SIZE - 1, "%s/var/ipcop/backup.dat.time", tmpdir);
if (access(filename, F_OK) == -1) {
/* without tagfile include */
strcpy(tmpdatefile, "/tmp/date.XXXXXX");
if (!(tempfd = mkstemp(tmpdatefile)) > 0) {
fprintf(stderr, "Couldn't create temporary file.\n");
exit(BACKUP_ERR_ANY);
}
/* Parse all files of a backup
* to read last modification date.
* The most recent date is written on tmp file */
snprintf(command, STRING_SIZE - 1,
"/usr/bin/find %s -type f -exec "
"/bin/ls --time-style=+%%Y-%%m-%%d_%%H-%%M-%%S -l {} \\; | "
"/usr/bin/awk '{print $6}' | " "/usr/bin/sort -rn | /bin/head -n 1 >%s", tmpdir, tmpdatefile);
if (safe_system(command)) {
fprintf(stderr, "Couldn't write tmpdatefile\n");
exit(BACKUP_ERR_ANY);
}
/* read the date */
if (!(fd = fopen(tmpdatefile, "r"))) {
perror("ipcoprscfg : Failed opening file tagfile");
exit(BACKUP_ERR_ANY);
}
if (fgets(buffer, STRING_SIZE, fd)) {
if (buffer[strlen(buffer) - 1] == '\n')
buffer[strlen(buffer) - 1] = '\0';
}
fclose(fd);
timestamp = strtok(buffer, " ");
/* Write tagfile for backup */
snprintf(filename, STRING_SIZE - 1, MOUNTPOINT "/%s-%s.dat.time", hostname, timestamp);
writetagfile(filename, timestamp);
}
else {
/* date is available to be read directly */
if (!(fd = fopen(filename, "r"))) {
perror("ipcoprscfg : Failed opening file tagfile");
exit(BACKUP_ERR_ANY);
}
if (fgets(buffer, STRING_SIZE, fd)) {
timestamp = strtok(buffer, " ");
}
fclose(fd);
/* Moving from ext3 to FAT system, system warn not
* able to preserve ownership, change before */
if (chown(filename, 99, 99)) {
fprintf(stderr, "Couldn't chown .dat.time file\n");
exit(BACKUP_ERR_ANY);
}
snprintf(command, STRING_SIZE - 1,
"/bin/mv %s " MOUNTPOINT "/%s-%s.dat.time", filename, hostname, timestamp);
if (safe_system(command)) {
perror("Failed to copy tagfile");
exit(BACKUP_ERR_ANY);
}
}
/* backup is valid, move to a name with date */
snprintf(filename, STRING_SIZE - 1, MOUNTPOINT "/%s.dat", hostname);
snprintf(command, STRING_SIZE - 1, "/bin/mv %s " MOUNTPOINT "/%s-%s.dat", filename, hostname, timestamp);
if (safe_system(command)) {
perror("Failed to copy backup");
exit(BACKUP_ERR_ANY);
}
exit(0);
}
/* uncompress archive */
snprintf(command, STRING_SIZE - 1, "/bin/gunzip -d -f /tmp/%s.tar.gz", hostname);
safe_system(command);
/* remove hardware specific settings */
if (flag_hardware == 0) {
snprintf(command, STRING_SIZE - 1,
"/bin/tar --delete --file=/tmp/%s.tar -T /var/ipcop/backup/exclude.hardware", hostname);
safe_system(command);
}
/* get current ports for GUI and ssh */
if (read_kv_from_file(&kv_old, "/var/ipcop/main/settings") == SUCCESS) {
if (find_kv_default(kv_old, "GUIPORT", port_gui) != SUCCESS) {
strcpy(port_gui, "8443");
}
if (find_kv_default(kv_old, "SSHPORT", port_ssh) != SUCCESS) {
strcpy(port_ssh, "8022");
}
free_kv(&kv_old);
}
/* Start (real) untarring files from compressed archive */
snprintf(command, STRING_SIZE - 1,
"/bin/tar -X /var/ipcop/backup/exclude.system -C / -xvf /tmp/%s.tar &>/dev/null", hostname);
if (safe_system(command)) {
fprintf(stderr, "Error restoring archive\n");
exit(BACKUP_ERR_UNTAR);
}
else {
/* TODO: here we will need to add mechanism for upgrade from 1.4.xx configuration files */
/* get new ports for GUI and ssh and check for modifications */
if (read_kv_from_file(&kv_new, "/var/ipcop/main/settings") == SUCCESS) {
if (test_kv(kv_new, "GUIPORT", port_gui) != SUCCESS) {
find_kv_default(kv_new, "GUIPORT", port_gui);
snprintf(command, STRING_SIZE, "/usr/local/bin/setreservedports.pl --nocheck --gui %s", port_gui);
safe_system(command);
}
if (test_kv(kv_new, "SSHPORT", port_ssh) != SUCCESS) {
find_kv_default(kv_new, "SSHPORT", port_ssh);
snprintf(command, STRING_SIZE, "/usr/local/bin/setreservedports.pl --nocheck --ssh %s", port_ssh);
safe_system(command);
}
free_kv(&kv_new);
}
if (safe_system("/usr/local/bin/upgrade.sh &>/dev/null")) {
fprintf(stderr, "Error upgrading data from backup!\n");
exit(BACKUP_ERR_ANY);
}
}
exit(0);
}
int main(int argc, char *argv[])
{
int flag_disk = 0;
int flag_link = 0;
int flag_mii = 0;
int flag_pci = 0;
int flag_raid = 0;
int flag_usb = 0;
char *opt_eth = NULL;
char *opt_mii = NULL;
char *opt_drive = NULL;
char *opt_raid = NULL;
char *opt_slot = NULL;
static struct option long_options[] =
{
{ "disk", required_argument, 0, 'd' },
{ "link", required_argument, 0, 'l' },
{ "mii", required_argument, 0, 'm' },
{ "pci", required_argument, 0, 'p' },
{ "raid", required_argument, 0, 'r' },
{ "usb", no_argument, 0, 'u' },
{ "verbose", no_argument, 0, 'v' },
{ "help", no_argument, 0, 'h' },
{ 0, 0, 0, 0}
};
int c;
int option_index = 0;
if (!(initsetuid()))
exit(1);
while ((c = getopt_long(argc, argv, "d:l:m:p:r:uv", long_options, &option_index)) != -1) {
switch (c) {
case 'd': /* hdparm drive */
flag_disk = 1;
opt_drive = strdup(optarg);
break;
case 'l': /* ethtool link */
flag_link = 1;
opt_eth = strdup(optarg);
break;
case 'm': /* mii-tool link */
flag_mii = 1;
opt_mii = strdup(optarg);
break;
case 'p': /* pci slot */
flag_pci = 1;
opt_slot = strdup(optarg);
break;
case 'r': /* raid drive */
flag_raid = 1;
opt_raid = strdup(optarg);
break;
case 'u': /* lsusb */
flag_usb = 1;
break;
case 'v': /* verbose */
flag_verbose++;
break;
case 'h':
usage(argv[0], 0);
default:
fprintf(stderr, "unknown option\n");
usage(argv[0], 1);
}
}
if (!flag_disk && !flag_link && !flag_mii && !flag_pci && !flag_raid && !flag_usb) {
fprintf(stderr, "option missing\n");
usage(argv[0], 2);
}
if (flag_disk) {
snprintf(command, STRING_SIZE - 1, "/usr/sbin/hdparm -I /dev/%s", opt_drive);
safe_system(command);
}
if (flag_pci) {
snprintf(command, STRING_SIZE - 1, "/usr/sbin/lspci -nvvvs %s", opt_slot);
safe_system(command);
}
if (flag_raid) {
snprintf(command, STRING_SIZE - 1, "/sbin/mdadm --detail /dev/%s", opt_raid);
safe_system(command);
}
if (flag_usb) {
safe_system("/usr/bin/lsusb");
}
if (flag_link) {
snprintf(command, STRING_SIZE - 1, "/usr/sbin/ethtool %s", opt_eth);
safe_system(command);
}
if (flag_mii) {
snprintf(command, STRING_SIZE - 1, "/sbin/mii-tool %s", opt_mii);
safe_system(command);
}
return (0);
}
int main(int argc, char *argv[])
{
if (!(initsetuid()))
exit(1);
// Check what command is asked
if (argc==1)
{
fprintf (stderr, "Missing tripwirectrl command!\n");
return 1;
}
if (strcmp(argv[1], "tripwirelog")==0)
{
snprintf(command, BUFFER_SIZE-1, "/usr/sbin/twprint -m r --cfgfile /var/ipfire/tripwire/tw.cfg --twrfile /var/ipfire/tripwire/report/%s", argv[2]);
safe_system(command);
return 0;
}
if (strcmp(argv[1], "generatereport")==0)
{
safe_system("/usr/sbin/tripwire --check --cfgfile /var/ipfire/tripwire/tw.cfg --polfile /var/ipfire/tripwire/tw.pol");
return 0;
}
if (strcmp(argv[1], "deletereport")==0)
{
sprintf(command, "rm -f /var/ipfire/tripwire/report/%s", argv[2]);
safe_system(command);
return 0;
}
if (strcmp(argv[1], "updatedatabase")==0)
{
snprintf(command, BUFFER_SIZE-1, "/usr/sbin/tripwire --update --accept-all --cfgfile /var/ipfire/tripwire/tw.cfg --polfile /var/ipfire/tripwire/tw.pol --local-passphrase %s --twrfile %s", argv[2], argv[3]);
safe_system(command);
return 0;
}
if (strcmp(argv[1], "keys")==0)
{
snprintf(command, BUFFER_SIZE-1, "rm -rf /var/ipfire/tripwire/site.key && /usr/sbin/twadmin --generate-keys --site-keyfile /var/ipfire/tripwire/site.key --site-passphrase %s && chmod 640 /var/ipfire/tripwire/site.key", argv[2]);
safe_system(command);
snprintf(command, BUFFER_SIZE-1, "rm -rf /var/ipfire/tripwire/local.key && /usr/sbin/twadmin --generate-keys --local-keyfile /var/ipfire/tripwire/local.key --local-passphrase %s && chmod 640 /var/ipfire/tripwire/local.key", argv[3]);
safe_system(command);
snprintf(command, BUFFER_SIZE-1, "rm -rf /var/ipfire/tripwire/tw.cfg && /usr/sbin/twadmin --create-cfgfile --cfgfile /var/ipfire/tripwire/tw.cfg --site-keyfile /var/ipfire/tripwire/site.key --site-passphrase %s /var/ipfire/tripwire/twcfg.txt && chmod 640 /var/ipfire/tripwire/tw.cfg", argv[2]);
safe_system(command);
snprintf(command, BUFFER_SIZE-1, "rm -rf /var/ipfire/tripwire/tw.pol && /usr/sbin/twadmin --create-polfile --cfgfile /var/ipfire/tripwire/tw.cfg --site-keyfile /var/ipfire/tripwire/site.key --site-passphrase %s /var/ipfire/tripwire/twpol.txt && chmod 640 /var/ipfire/tripwire/tw.pol", argv[2]);
safe_system(command);
snprintf(command, BUFFER_SIZE-1, "/usr/sbin/tripwire --init --cfgfile /var/ipfire/tripwire/tw.cfg --polfile /var/ipfire/tripwire/tw.pol --local-passphrase %s", argv[3]);
safe_system(command);
return 0;
}
if (strcmp(argv[1], "generatepolicy")==0)
{
snprintf(command, BUFFER_SIZE-1, "/usr/sbin/twadmin --create-polfile --site-keyfile /var/ipfire/tripwire/site.key --site-passphrase %s --polfile /var/ipfire/tripwire/tw.pol --cfgfile /var/ipfire/tripwire/tw.cfg /var/ipfire/tripwire/twpol.txt", argv[2]);
safe_system(command);
snprintf(command, BUFFER_SIZE-1, "/usr/sbin/tripwire --init --cfgfile /var/ipfire/tripwire/tw.cfg --polfile /var/ipfire/tripwire/tw.pol --local-passphrase %s", argv[3]);
safe_system(command);
return 0;
}
if (strcmp(argv[1], "resetpolicy")==0)
{
snprintf(command, BUFFER_SIZE-1, "/usr/sbin/twadmin --create-polfile --site-keyfile /var/ipfire/tripwire/site.key --site-passphrase %s --polfile /var/ipfire/tripwire/tw.pol --cfgfile /var/ipfire/tripwire/tw.cfg /var/ipfire/tripwire/twpol.default", argv[2]);
safe_system(command);
snprintf(command, BUFFER_SIZE-1, "/usr/sbin/tripwire --init --cfgfile /var/ipfire/tripwire/tw.cfg --polfile /var/ipfire/tripwire/tw.pol --local-passphrase %s", argv[3]);
safe_system(command);
return 0;
}
if (strcmp(argv[1], "readconfig")==0)
{
safe_system("/bin/chown nobody:nobody /var/ipfire/tripwire/twcfg.txt");
return 0;
}
if (strcmp(argv[1], "lockconfig")==0)
{
safe_system("/bin/chown root:root /var/ipfire/tripwire/twcfg.txt");
return 0;
}
if (strcmp(argv[1], "enable")==0)
{
safe_system("touch /var/ipfire/tripwire/enable");
safe_system("rm -rf /var/ipfire/tripwire/site.key && /usr/sbin/twadmin --generate-keys --site-keyfile /var/ipfire/tripwire/site.key --site-passphrase ipfire && chmod 640 /var/ipfire/tripwire/site.key");
safe_system("rm -rf /var/ipfire/tripwire/local.key && /usr/sbin/twadmin --generate-keys --local-keyfile /var/ipfire/tripwire/local.key --local-passphrase ipfire && chmod 640 /var/ipfire/tripwire/local.key");
safe_system("rm -rf /var/ipfire/tripwire/tw.cfg && /usr/sbin/twadmin --create-cfgfile --cfgfile /var/ipfire/tripwire/tw.cfg --site-keyfile /var/ipfire/tripwire/site.key --site-passphrase ipfire /var/ipfire/tripwire/twcfg.txt && chmod 640 /var/ipfire/tripwire/tw.cfg");
safe_system("rm -rf /var/ipfire/tripwire/tw.pol && /usr/sbin/twadmin --create-polfile --cfgfile /var/ipfire/tripwire/tw.cfg --site-keyfile /var/ipfire/tripwire/site.key --site-passphrase ipfire /var/ipfire/tripwire/twpol.txt && chmod 640 /var/ipfire/tripwire/tw.pol");
safe_system("/usr/sbin/tripwire --init --cfgfile /var/ipfire/tripwire/tw.cfg --polfile /var/ipfire/tripwire/tw.pol --local-passphrase ipfire");
safe_system("cat /usr/sbin/tripwire --check --cfgfile /var/ipfire/tripwire/tw.cfg --polfile /var/ipfire/tripwire/tw.pol > /etc/fcron.daily/tripwire0600");
safe_system("chmod 755 /etc/fcron.daily/tripwire0600");
safe_system("touch -t 01010600 /etc/fcron.daily/tripwire0600");
return 0;
}
if (strcmp(argv[1], "disable")==0)
{
safe_system("unlink /var/ipfire/tripwire/enable");
safe_system("unlink /etc/fcron.daily/tripwire*");
safe_system("rm -rf /var/ipfire/tripwire/site.key");
safe_system("rm -rf /var/ipfire/tripwire/local.key");
safe_system("rm -rf /var/ipfire/tripwire/tw.cfg*");
safe_system("rm -rf /var/ipfire/tripwire/tw.pol*");
safe_system("rm -rf /var/ipfire/tripwire/*.twd*");
safe_system("rm -rf /var/ipfire/tripwire/report/*");
return 0;
}
if (strcmp(argv[1], "addcron")==0)
{
snprintf(command, BUFFER_SIZE-1, "echo \"/usr/sbin/tripwire --check --cfgfile /var/ipfire/tripwire/tw.cfg --polfile /var/ipfire/tripwire/tw.pol\" > /etc/fcron.daily/tripwire%s%s", argv[2], argv[3]);
safe_system(command);
snprintf(command, BUFFER_SIZE-1, "chmod 755 /etc/fcron.daily/tripwire%s%s", argv[2], argv[3]);
safe_system(command);
snprintf(command, BUFFER_SIZE-1, "touch -t 0101%s%s /etc/fcron.daily/tripwire%s%s", argv[2], argv[3], argv[2], argv[3]);
safe_system(command);
return 0;
}
if (strcmp(argv[1], "disablecron")==0)
{
snprintf(command, BUFFER_SIZE-1, "unlink /etc/fcron.daily/tripwire%s", argv[2]);
safe_system(command);
return 0;
}
return 0;
}
int main(void) {
char green_dev[STRING_SIZE] = "";
char buffer[STRING_SIZE];
char *index, *ipaddress, *macaddress, *enabled;
struct keyvalue *kv = NULL;
if (!(initsetuid()))
exit(1);
/* flush wireless iptables */
safe_system("/sbin/iptables --wait -F WIRELESSINPUT > /dev/null 2> /dev/null");
safe_system("/sbin/iptables --wait -F WIRELESSFORWARD > /dev/null 2> /dev/null");
memset(buffer, 0, STRING_SIZE);
/* Init the keyvalue structure */
kv=initkeyvalues();
/* Read in the current values */
if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings")) {
fprintf(stderr, "Cannot read ethernet settings\n");
exit(1);
}
/* Read in the firewall values */
if (!readkeyvalues(kv, CONFIG_ROOT "/optionsfw/settings")) {
fprintf(stderr, "Cannot read optionsfw settings\n");
exit(1);
}
/* Get the GREEN interface details */
if (findkey(kv, "GREEN_DEV", green_dev) > 0) {
if (!VALID_DEVICE(green_dev)) {
fprintf(stderr, "Bad GREEN_DEV: %s\n", green_dev);
exit(1);
}
}
/* Get the BLUE interface details */
if (findkey(kv, "BLUE_DEV", blue_dev) > 0) {
if ((strlen(blue_dev) > 0) && !VALID_DEVICE(blue_dev)) {
fprintf(stderr, "Bad BLUE_DEV: %s\n", blue_dev);
exit(1);
}
}
if (strlen(blue_dev) == 0) {
exit(0);
}
if ((fd = fopen(CONFIG_ROOT "/wireless/nodrop", "r")))
return 0;
/* register exit handler to ensure the block rule is always present */
atexit(exithandler);
if (!(fd = fopen(CONFIG_ROOT "/wireless/config", "r"))) {
exit(0);
}
/* restrict blue access tp the proxy port */
if (findkey(kv, "DROPPROXY", buffer) && strcmp(buffer, "on") == 0) {
/* Read the proxy values */
if (!readkeyvalues(kv, CONFIG_ROOT "/proxy/settings") || !(findkey(kv, "PROXY_PORT", buffer))) {
fprintf(stderr, "Cannot read proxy settings\n");
exit(1);
}
snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSFORWARD -i %s -p tcp ! --dport %s -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev, buffer);
safe_system(command);
snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -i %s -p tcp ! --dport %s -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev, buffer);
safe_system(command);
}
/* not allow blue to acces a samba server running on local fire*/
if (findkey(kv, "DROPSAMBA", buffer) && strcmp(buffer, "on") == 0) {
snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSFORWARD -i %s -p tcp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
safe_system(command);
snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -i %s -p tcp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
safe_system(command);
snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSFORWARD -i %s -p udp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
safe_system(command);
snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -i %s -p udp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
safe_system(command);
}
while (fgets(buffer, STRING_SIZE, fd)) {
buffer[strlen(buffer) - 1] = 0;
index = strtok(buffer, ",");
ipaddress = strtok(NULL, ",");
macaddress = strtok(NULL, ",");
enabled = strtok(NULL, ",");
if (strcmp(enabled, "on") == 0) {
/* both specified, added security */
if ((strlen(macaddress) == 17) && (VALID_IP_AND_MASK(ipaddress))) {
snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -m mac --mac-source %s -s %s -i %s -j ACCEPT", macaddress, ipaddress, blue_dev);
safe_system(command);
snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j RETURN", macaddress, ipaddress, blue_dev);
safe_system(command);
} else {
/* correctly formed mac address is 17 chars */
if (strlen(macaddress) == 17) {
snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -m mac --mac-source %s -i %s -j ACCEPT", macaddress, blue_dev);
safe_system(command);
snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j RETURN", macaddress, blue_dev);
safe_system(command);
}
if (VALID_IP_AND_MASK(ipaddress)) {
snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -s %s -i %s -j ACCEPT", ipaddress, blue_dev);
safe_system(command);
snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSFORWARD -s %s -i %s -j RETURN", ipaddress, blue_dev);
safe_system(command);
}
}
}
}
/* with this rule you can disable the logging of the dropped wireless input packets*/
if (findkey(kv, "DROPWIRELESSINPUT", buffer) && strcmp(buffer, "on") == 0) {
snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -i %s -j LOG --log-prefix 'DROP_Wirelessinput'", blue_dev);
safe_system(command);
}
/* with this rule you can disable the logging of the dropped wireless forward packets*/
if (findkey(kv, "DROPWIRELESSFORWARD", buffer) && strcmp(buffer, "on") == 0) {
snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSFORWARD -i %s -j LOG --log-prefix 'DROP_Wirelessforward'", blue_dev);
safe_system(command);
}
return 0;
}
int main(int argc, char **argv)
{
char server[STRING_SIZE];
char port[STRING_SIZE];
char opt_port[STRING_SIZE];
char user[STRING_SIZE];
char opt_user[STRING_SIZE];
char password[STRING_SIZE];
char opt_password[STRING_SIZE];
char from[STRING_SIZE];
char to[STRING_SIZE];
char hostname[STRING_SIZE];
char domainname[STRING_SIZE];
char subject[STRING_SIZE];
char subject_prefix[STRING_SIZE];
char message[STRING_SIZE];
char attachment[STRING_SIZE];
char *opt_subject = NULL;
char *opt_messagefile = NULL;
char *opt_attachment = NULL;
char date[STRING_SIZE];
NODEKV *kv = NULL;
NODEKV *main_kv = NULL;
int rc;
time_t curtime;
struct tm *loctime;
static struct option long_options[] = {
{ "subject", required_argument, 0, 's'},
{ "messagefile", required_argument, 0, 'm'},
{ "delete", no_argument, 0, 'd'},
{ "attachment", required_argument, 0, 'a'},
{ "verbose", no_argument, 0, 'v'},
{ "help", no_argument, 0, 'h'},
{0, 0, 0, 0}
};
int c;
int option_index = 0;
if (!(initsetuid()))
exit(1);
while ((c = getopt_long(argc, argv, "s:m:da:vh", long_options, &option_index)) != -1) {
switch (c) {
case 0:
break;
case 's':
verbose_printf(3, "Option s ... \n");
flag_subject = 1;
/* check a valid subject */
int len = 0;
len = strlen(optarg);
if (len > STRING_SIZE - 1) {
fprintf(stdout, "Subject too long: %s\n", optarg);
exit(EMAIL_ERR_SUBJECT);
}
if (strspn(optarg, LETTERS_NUMBERS "-_:.+, ") != len) {
fprintf(stdout, "Invalid character in subject (%s)\n", optarg);
exit(EMAIL_ERR_SUBJECT);
}
opt_subject = strdup(optarg);
break;
case 'm':
verbose_printf(3, "Option m ... \n");
flag_messagefile = 1;
opt_messagefile = strdup(optarg);
break;
case 'd':
verbose_printf(3, "Option d ... \n");
flag_delete_messagefile = 1;
break;
case 'a':
verbose_printf(3, "Option a ... \n");
flag_attachment = 1;
opt_attachment = strdup(optarg);
break;
case 'v': /* verbose */
flag_verbose++;
break;
case 'h':
usage(argv[0], EMAIL_SUCCESS);
default:
fprintf(stdout, "unknown option\n");
usage(argv[0], EMAIL_ERR_ANY);
}
}
verbose_printf(1, "Reading email settings ... \n");
if (read_kv_from_file(&kv, "/var/ipcop/email/settings") != SUCCESS) {
fprintf(stdout, "Cannot read email settings\n");
exit(EMAIL_ERR_ANY);
}
strcpy(server, "");
verbose_printf(2, "Reading EMAIL_SERVER ... \n");
if (find_kv_default(kv, "EMAIL_SERVER", server) != SUCCESS) {
fprintf(stdout, "Cannot read EMAIL_SERVER\n");
exit(EMAIL_ERR_SERVER);
}
verbose_printf(2, "Validate EMAIL_SERVER ... \n");
if (!(strlen(server))) {
fprintf(stdout, "Email server cannot be empty\n");
exit(EMAIL_ERR_SERVER);
}
else if (strchr(server, ' ')) {
fprintf(stdout, "Email server cannot contain spaces\n");
exit(EMAIL_ERR_SERVER);
}
else if (strlen(server) != strspn(server, "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-.")) {
fprintf(stdout, "Email server contains non valid chars\n");
exit(EMAIL_ERR_SERVER);
}
strcpy(opt_port, "");
verbose_printf(2, "Reading EMAIL_SERVER_PORT ... \n");
if (find_kv_default(kv, "EMAIL_SERVER_PORT", opt_port) != SUCCESS) {
fprintf(stdout, "Cannot read EMAIL_SERVER_PORT\n");
exit(EMAIL_ERR_PORT);
}
verbose_printf(2, "Validate EMAIL_SERVER_PORT ... \n");
if (strchr(opt_port, ' ')) {
fprintf(stdout, "Email server port cannot contain spaces\n");
exit(EMAIL_ERR_PORT);
}
else if (strlen(opt_port) != strspn(opt_port, NUMBERS)) {
fprintf(stdout, "Email server port contains non valid chars\n");
exit(EMAIL_ERR_PORT);
}
else if (strlen(opt_port)) {
verbose_printf(2, "Use EMAIL_SERVER_PORT from settings... \n");
snprintf(port, STRING_SIZE, ":%s", opt_port);
}
else {
verbose_printf(2, "No EMAIL_SERVER_PORT in settings... \n");
strcpy(port, "");
}
strcpy(opt_user, "");
verbose_printf(2, "Reading EMAIL_USR ... \n");
if (find_kv_default(kv, "EMAIL_USR", opt_user) != SUCCESS) {
fprintf(stdout, "Cannot read EMAIL_USR\n");
exit(EMAIL_ERR_USR);
}
verbose_printf(2, "Validate EMAIL_USR ... \n");
if (strchr(opt_user, ' ')) {
fprintf(stdout, "Username cannot contain spaces\n");
exit(EMAIL_ERR_USR);
}
else if (strlen(opt_user) != strspn(opt_user, LETTERS_NUMBERS "-_.@")) {
fprintf(stdout, "Username contains non valid chars\n");
exit(EMAIL_ERR_USR);
}
else if (strlen(opt_user)) {
verbose_printf(2, "Use EMAIL_USR from settings... \n");
snprintf(user, STRING_SIZE, "-xu %s", opt_user);
}
else {
verbose_printf(2, "No EMAIL_USR in settings... \n");
strcpy(user, "");
}
strcpy(opt_password, "");
verbose_printf(2, "Reading EMAIL_PW ... \n");
if (find_kv_default(kv, "EMAIL_PW", opt_password) != SUCCESS) {
fprintf(stdout, "Cannot read EMAIL_PW\n");
exit(EMAIL_ERR_PW);
}
verbose_printf(2, "Validate EMAIL_PW ... \n");
if (strchr(opt_password, ' ')) {
fprintf(stdout, "Password cannot contain spaces\n");
exit(EMAIL_ERR_PW);
}
else if (strchr(opt_password, '"') || strstr(opt_password, "'")) {
fprintf(stdout, "Password cannot contain single or double quotes\n");
exit(EMAIL_ERR_PW);
}
else if (strlen(opt_password)) {
verbose_printf(2, "Use EMAIL_PW from settings... \n");
snprintf(password, STRING_SIZE, "-xp %s", opt_password);
}
else {
verbose_printf(2, "No EMAIL_PW in settings... \n");
strcpy(password, "");
}
strcpy(from, "");
verbose_printf(2, "Reading EMAIL_FROM ... \n");
if (find_kv_default(kv, "EMAIL_FROM", from) != SUCCESS) {
fprintf(stdout, "Cannot read EMAIL_FROM\n");
exit(EMAIL_ERR_FROM);
}
verbose_printf(2, "Validate EMAIL_FROM ... \n");
if (!(strlen(from))) {
fprintf(stdout, "From email cannot be empty\n");
exit(EMAIL_ERR_FROM);
}
else if (strchr(from, ' ')) {
fprintf(stdout, "From email cannot contain spaces\n");
exit(EMAIL_ERR_FROM);
}
else if (strlen(from) != strspn(from, LETTERS_NUMBERS "-_.@=+#")) {
fprintf(stdout, "From email contains non valid chars\n");
exit(EMAIL_ERR_FROM);
}
strcpy(to, "");
verbose_printf(2, "Reading EMAIL_TO ... \n");
if (find_kv_default(kv, "EMAIL_TO", to) != SUCCESS) {
fprintf(stdout, "Cannot read EMAIL_TO\n");
exit(EMAIL_ERR_TO);
}
verbose_printf(2, "Validate EMAIL_TO ... \n");
if (!(strlen(to))) {
fprintf(stdout, "To email cannot be empty\n");
exit(EMAIL_ERR_TO);
}
else if (strlen(to) != strspn(to, LETTERS_NUMBERS "-_.@=+# ")) {
fprintf(stdout, "To email contains non valid chars\n");
exit(EMAIL_ERR_TO);
}
verbose_printf(1, "Reading main settings ... \n");
if (read_kv_from_file(&main_kv, "/var/ipcop/main/settings") != SUCCESS) {
fprintf(stdout, "Cannot read main settings\n");
exit(EMAIL_ERR_ANY);
}
strcpy(hostname, "");
verbose_printf(2, "Reading HOSTNAME ... \n");
if (find_kv_default(main_kv, "HOSTNAME", hostname) != SUCCESS) {
fprintf(stdout, "Cannot read HOSTNAME\n");
exit(EMAIL_ERR_HOSTNAME);
}
strcpy(domainname, "");
verbose_printf(2, "Reading DOMAINNAME ... \n");
if (find_kv_default(main_kv, "DOMAINNAME", domainname) != SUCCESS) {
fprintf(stdout, "Cannot read DOMAINNAME\n");
exit(EMAIL_ERR_DOMAINNAME);
}
snprintf(subject_prefix, STRING_SIZE, "[IPCop] %s.%s:", hostname, domainname);
if (flag_subject) {
verbose_printf(1, "Have subject: %s \n", opt_subject);
snprintf(subject, STRING_SIZE, "-u \"%s %s\"", subject_prefix, opt_subject);
}
else {
verbose_printf(2, "No subject... \n");
snprintf(subject, STRING_SIZE, "-u \"%s\"", subject_prefix);
}
if (flag_messagefile) {
if (access(opt_messagefile, 0) == -1) {
verbose_printf(2, "Messagefile is not available \n");
exit(EMAIL_ERR_MESSAGE);
}
else {
verbose_printf(1, "Use messagefile: %s \n", opt_messagefile);
snprintf(message, STRING_SIZE, "-o message-file=%s", tmpEmailFile);
verbose_printf(2, "Replace placeholders in messagefile\n");
curtime = time (NULL);
loctime = localtime (&curtime);
strftime (date, STRING_SIZE, "%Y-%m-%d, %H:%M", loctime);
snprintf(sed, STRING_SIZE_LARGE, "/bin/sed -e 's/__HOSTNAME__/%s.%s/;s/__CURRENT_DATE__/%s/;' %s > %s", hostname, domainname, date, opt_messagefile, tmpEmailFile);
verbose_printf(2, "sed: %s\n", sed);
rc = safe_system(sed);
if (rc) {
fprintf(stdout, "Couldn't replace placeholders in messagefile: %d\n", rc);
exit(EMAIL_ERR_SED);
}
}
}
else {
verbose_printf(2, "No message... \n");
strcpy(message, "-m \" \"");
}
if (flag_attachment) {
if (access(opt_attachment, 0) == -1) {
verbose_printf(2, "Attachment is not available \n");
exit(EMAIL_ERR_ATTACH);
}
else {
verbose_printf(1, "Use attachment: %s \n", opt_attachment);
snprintf(attachment, STRING_SIZE, "-a %s", opt_attachment);
}
}
else {
verbose_printf(2, "No attachment... \n");
strcpy(attachment, "");
}
snprintf(command, STRING_SIZE_LARGE,
"/usr/bin/sendEmail -s %s%s %s %s -f %s -t %s %s %s %s -o message-charset=utf-8", server, port, user, password, from, to, subject, message, attachment);
verbose_printf(2, "Command: %s\n", command);
rc = safe_system(command);
if (rc) {
fprintf(stdout, "Couldn't send Email, sendEmail exitcode: %d\n", rc);
exit(EMAIL_ERR_SENDEMAIL);
}
unlink(tmpEmailFile);
if (flag_messagefile && flag_delete_messagefile) {
verbose_printf(1, "Delete messagefile: %s \n", opt_messagefile);
unlink(opt_messagefile);
}
return EMAIL_SUCCESS;
}
int main(int argc, char *argv[])
{
if (!(initsetuid()))
exit(1);
// Check what command is asked
if (argc==1)
{
fprintf (stderr, "Missing smbctrl command!\n");
return 1;
}
else if (strcmp(argv[1], "smbuserdisable")==0)
{
snprintf(command, BUFFER_SIZE-1, "/usr/bin/smbpasswd -d %s >/dev/null", argv[2]);
safe_system(command);
return 0;
}
else if (strcmp(argv[1], "smbuserenable")==0)
{
snprintf(command, BUFFER_SIZE-1, "/usr/bin/smbpasswd -e %s >/dev/null", argv[2]);
safe_system(command);
return 0;
}
else if (strcmp(argv[1], "smbuserdelete")==0)
{
snprintf(command, BUFFER_SIZE-1, "/usr/bin/smbpasswd -x %s >/dev/null", argv[2]);
safe_system(command);
snprintf(command, BUFFER_SIZE-1, "/usr/sbin/userdel %s >/dev/null", argv[2]);
safe_system(command);
return 0;
}
else if (strcmp(argv[1], "smbsafeconf")==0)
{
safe_system("/bin/cat /var/ipfire/samba/global /var/ipfire/samba/shares > /var/ipfire/samba/smb.conf");
return 0;
}
else if (strcmp(argv[1], "smbsafeconfcups")==0)
{
safe_system("/bin/cat /var/ipfire/samba/global /var/ipfire/samba/shares /var/ipfire/samba/printer > /var/ipfire/samba/smb.conf");
return 0;
}
else if (strcmp(argv[1], "smbsafeconfpdc")==0)
{
safe_system("/bin/cat /var/ipfire/samba/global /var/ipfire/samba/pdc /var/ipfire/samba/shares > /var/ipfire/samba/smb.conf");
return 0;
}
else if (strcmp(argv[1], "smbsafeconfpdccups")==0)
{
safe_system("/bin/cat /var/ipfire/samba/global /var/ipfire/samba/pdc /var/ipfire/samba/shares /var/ipfire/samba/printer > /var/ipfire/samba/smb.conf");
return 0;
}
else if (strcmp(argv[1], "smbglobalreset")==0)
{
safe_system("/bin/cat /var/ipfire/samba/default.global /var/ipfire/samba/shares > /var/ipfire/samba/smb.conf");
safe_system("/bin/cat /var/ipfire/samba/default.settings > /var/ipfire/samba/settings");
safe_system("/bin/cat /var/ipfire/samba/default.global > /var/ipfire/samba/global");
safe_system("/bin/cat /var/ipfire/samba/default.pdc > /var/ipfire/samba/pdc");
return 0;
}
else if (strcmp(argv[1], "smbsharesreset")==0)
{
safe_system("/bin/cat /var/ipfire/samba/global /var/ipfire/samba/default.shares > /var/ipfire/samba/smb.conf");
safe_system("/bin/cat /var/ipfire/samba/default.shares > /var/ipfire/samba/shares");
return 0;
}
else if (strcmp(argv[1], "smbprinterreset")==0)
{
safe_system("/bin/cat /var/ipfire/samba/global /var/ipfire/samba/shares /var/default.printer > /var/ipfire/samba/smb.conf");
safe_system("/bin/cat /var/ipfire/samba/default.printer > /var/ipfire/samba/printer");
return 0;
}
else if (strcmp(argv[1], "smbstop")==0)
{
safe_system("/etc/rc.d/init.d/samba stop >/dev/null");
safe_system("/usr/local/bin/sambactrl disable");
return 0;
}
else if (strcmp(argv[1], "smbstart")==0)
{
safe_system("/etc/rc.d/init.d/samba start >/dev/null");
safe_system("/usr/local/bin/sambactrl enable");
return 0;
}
else if (strcmp(argv[1], "smbrestart")==0)
{
safe_system("/etc/rc.d/init.d/samba restart >/dev/null");
return 0;
}
else if (strcmp(argv[1], "smbreload")==0)
{
safe_system("/etc/rc.d/init.d/samba reload >/dev/null");
return 0;
}
else if (strcmp(argv[1], "smbstatus")==0)
{
snprintf(command, BUFFER_SIZE-1, "/usr/bin/smbstatus 2>/dev/null");
safe_system(command);
return 0;
}
else if (strcmp(argv[1], "smbuseradd")==0)
{
snprintf(command, BUFFER_SIZE-1, "/usr/sbin/groupadd sambauser >/dev/null");
safe_system(command);
snprintf(command, BUFFER_SIZE-1, "/usr/sbin/useradd -c 'Samba User' -m -g %s -s %s %s >/dev/null", argv[4], argv[5], argv[2]);
safe_system(command);
snprintf(command, BUFFER_SIZE-1, "echo %s:%s | chpasswd", argv[2], argv[3]);
safe_system(command);
snprintf(command, BUFFER_SIZE-1, "/usr/bin/printf '%s\n%s\n' | /usr/bin/smbpasswd -as %s >/dev/null", argv[3], argv[3], argv[2]);
safe_system(command);
return 0;
}
else if (strcmp(argv[1], "smbpcadd")==0)
{
snprintf(command, BUFFER_SIZE-1, "/usr/sbin/groupadd sambawks >/dev/null");
safe_system(command);
snprintf(command, BUFFER_SIZE-1, "/usr/sbin/useradd -c 'Samba Workstation' -g %s -s %s %s >/dev/null", argv[3], argv[4], argv[2]);
safe_system(command);
snprintf(command, BUFFER_SIZE-1, "/usr/bin/smbpasswd -a -m %s >/dev/null", argv[2]);
safe_system(command);
return 0;
}
else if (strcmp(argv[1], "smbchangepw")==0)
{
snprintf(command, BUFFER_SIZE-1, "echo %s:%s | chpasswd", argv[2], argv[3]);
safe_system(command);
snprintf(command, BUFFER_SIZE-1, "/usr/bin/printf '%s\n%s\n' | /usr/bin/smbpasswd -as %s >/dev/null", argv[3], argv[3], argv[2]);
safe_system(command);
return 0;
}
else if (strcmp(argv[1], "readsmbpasswd")==0)
{
safe_system("/bin/chown root:nobody /var/ipfire/samba/private >/dev/null");
safe_system("/bin/chown root:nobody /var/ipfire/samba/private/smbpasswd >/dev/null");
safe_system("/bin/chmod 640 /var/ipfire/samba/private/smbpasswd >/dev/null");
safe_system("/bin/chmod 650 /var/ipfire/samba/private >/dev/null");
return 0;
}
else if (strcmp(argv[1], "locksmbpasswd")==0)
{
safe_system("/bin/chown root:root /var/ipfire/samba/private >/dev/null");
safe_system("/bin/chown root:root /var/ipfire/samba/private/smbpasswd >/dev/null");
safe_system("/bin/chmod 600 /var/ipfire/samba/private/smbpasswd >/dev/null");
safe_system("/bin/chmod 600 /var/ipfire/samba/private >/dev/null");
return 0;
}
else if (strcmp(argv[1], "enable")==0)
{
safe_system("touch /var/ipfire/samba/enable");
safe_system("ln -snf /etc/rc.d/init.d/samba /etc/rc.d/rc3.d/S45samba");
safe_system("ln -snf /etc/rc.d/init.d/samba /etc/rc.d/rc0.d/K48samba");
safe_system("ln -snf /etc/rc.d/init.d/samba /etc/rc.d/rc6.d/K48samba");
return 0;
}
else if (strcmp(argv[1], "disable")==0)
{
safe_system("unlink /var/ipfire/samba/enable");
safe_system("rm -rf /etc/rc.d/rc*.d/*samba");
return 0;
}
return 0;
}
int main(int argc, char **argv)
{
int flag_test = 0;
int flag_flush = 0;
int flag_repair = 0;
int enabled_green = 0;
int transparent_green = 0;
int enabled_blue = 0;
int transparent_blue = 0;
int enabled_ovpn = 0;
int transparent_ovpn = 0;
struct stat st;
NODEKV *squid_kv = NULL;
char buffer[STRING_SIZE];
char proxy_port[STRING_SIZE];
NODEKV *ipsec_kv = NULL;
char enabled_IPsec[STRING_SIZE] = "";
static struct option long_options[] =
{
{ "flush", no_argument, 0, 'f' },
{ "repair", no_argument, 0, 'r' },
{ "test", no_argument, 0, 't' },
{ "verbose", no_argument, 0, 'v' },
{ "help", no_argument, 0, 'h' },
{ 0, 0, 0, 0}
};
int c;
int option_index = 0;
if (!(initsetuid()))
exit(1);
while ((c = getopt_long(argc, argv, "frtv", long_options, &option_index)) != -1) {
switch (c) {
case 't': /* test first */
flag_test = 1;
break;
case 'f': /* flush cache */
flag_flush = 1;
break;
case 'r': /* repair cache */
flag_repair = 1;
break;
case 'v': /* verbose */
flag_verbose++;
break;
case 'h':
usage(argv[0], 0);
default:
fprintf(stderr, "unknown option\n");
usage(argv[0], 1);
}
}
/* Retrieve the Squid pid file */
if ((access("/var/run/squid.pid", F_OK) == -1) && flag_test) {
verbose_printf(1, "Squid not running, no need to start\n");
exit(0); /* Not running, no need to start with -t */
}
if (access("/var/run/squid.pid", F_OK) != -1) {
/* Kill running squid */
verbose_printf(1, "Flush squid iptables chain ... \n");
safe_system("/sbin/iptables -t nat -F SQUID");
verbose_printf(1, "Shutdown squid ... \n");
safe_system("/usr/sbin/squid -k shutdown >/dev/null 2>/dev/null");
c = 0;
while ((c++ < 15) && (access("/var/run/squid.pid", F_OK) != -1)) {
sleep(1);
}
if (access("/var/run/squid.pid", F_OK) != -1) {
verbose_printf(1, "Really shutdown squid ... \n");
safe_system("/usr/bin/killall -9 squid >/dev/null 2>/dev/null");
}
}
if (access("/var/run/squid.pid", F_OK) != -1) {
verbose_printf(2, "Remove leftover PID file ... \n");
unlink("/var/run/squid.pid");
}
/* See if we need to flush/repair the cache */
if (flag_flush) {
struct passwd *pw;
if ((pw = getpwnam("squid"))) {
endpwent(); /* probably paranoia, but just in case.. */
verbose_printf(1, "Flushing proxy cache ... \n");
unpriv_system("/bin/rm -rf /var/log/cache/*", pw->pw_uid, pw->pw_gid);
}
else {
fprintf(stderr, "User squid not found, cache not flushed\n");
endpwent();
}
}
int saferestart = 0;
if (flag_repair) {
struct passwd *pw;
if ((pw = getpwnam("squid"))) {
endpwent(); /* probably paranoia, but just in case.. */
verbose_printf(1, "Repairing proxy cache ... \n");
if (stat("/var/log/cache/swap.state", &st) == 0) {
unpriv_system("/bin/rm -f /var/log/cache/swap.state", pw->pw_uid, pw->pw_gid);
}
saferestart = 1;
}
else {
fprintf(stderr, "User squid not found, cache not repaired\n");
endpwent();
}
}
verbose_printf(1, "Reading Proxy settings ... \n");
if (read_kv_from_file(&squid_kv, "/var/ipcop/proxy/settings") != SUCCESS) {
fprintf(stderr, "Cannot read proxy settings\n");
exit(1);
}
/* See if proxy is enabled and / or transparent */
if (test_kv(squid_kv, "ENABLED_GREEN_1", "on") == SUCCESS) {
enabled_green = 1;
}
if (test_kv(squid_kv, "TRANSPARENT_GREEN_1", "on") == SUCCESS) {
transparent_green = 1;
}
if (test_kv(squid_kv, "ENABLED_BLUE_1", "on") == SUCCESS) {
enabled_blue = 1;
}
if (test_kv(squid_kv, "TRANSPARENT_BLUE_1", "on") == SUCCESS) {
transparent_blue = 1;
}
if (test_kv(squid_kv, "ENABLED_OVPN", "on") == SUCCESS) {
enabled_ovpn = 1;
}
if (test_kv(squid_kv, "TRANSPARENT_OVPN", "on") == SUCCESS) {
transparent_ovpn = 1;
}
/* Retrieve the proxy port */
if (transparent_green || transparent_blue || transparent_ovpn) {
if (find_kv_default(squid_kv, "PROXY_PORT", proxy_port) != SUCCESS) {
strcpy(proxy_port, "8080");
}
else {
if (strspn(proxy_port, NUMBERS) != strlen(proxy_port)) {
fprintf(stderr, "Invalid proxy port: %s, defaulting to 8080\n", proxy_port);
strcpy(proxy_port, "8080");
}
}
}
free_kv(&squid_kv);
if (!enabled_green && !enabled_blue && !enabled_ovpn) {
verbose_printf(1, "Proxy not enabled ... exit ... \n");
return 0;
}
/* We can't start squid if .conf is missing */
if (access("/var/ipcop/proxy/squid.conf", F_OK) == -1) {
fprintf(stderr, "Configuration file squid.conf not found\n");
exit(1);
}
/* Fetch ethernet/settings, exit on error */
read_ethernet_settings(1);
if (enabled_green || enabled_blue || enabled_ovpn) {
/* rebuild firewall rules, proxy port may be different now */
verbose_printf(1, "Rebuild firewall rules ... \n");
safe_system("/usr/local/bin/setfwrules --ipcop");
verbose_printf(1, "Create swap directories ... \n");
if (safe_system("/usr/sbin/squid -s -z 2>/dev/null")) {
verbose_printf(1, "Error creating swap directories ... \n");
}
verbose_printf(1, "Starting squid ... \n");
if (saferestart)
safe_system("/usr/sbin/squid -s -S");
else
safe_system("/usr/sbin/squid -s");
}
/* static (green/blue) interfaces must exist if transparence is requested */
if (transparent_green && enabled_green && !ipcop_ethernet.count[GREEN]) {
fprintf(stderr, "No GREEN device, not running transparent\n");
exit(1);
}
if (transparent_blue && enabled_blue && !ipcop_ethernet.count[BLUE]) {
fprintf(stderr, "No BLUE device, not running transparent\n");
exit(1);
}
/* TODO: test for OpenVPN device if ovpn transparent is selected? */
/* For now we use fixed tun0 and expect it to be present. */
/* disable transparence for known IPsec networks */
verbose_printf(1, "Reading IPsec settings ... \n");
if (read_kv_from_file(&ipsec_kv, "/var/ipcop/ipsec/settings") != SUCCESS) {
fprintf(stderr, "Cannot read IPsec settings\n");
exit(1);
}
find_kv_default(ipsec_kv, "ENABLED_RED_1", enabled_IPsec);
if (strcmp(enabled_IPsec, "on")) {
find_kv_default(ipsec_kv, "ENABLED_BLUE_1", enabled_IPsec);
}
free_kv(&ipsec_kv);
if (!strcmp(enabled_IPsec, "on")) {
setdirectipsec (enabled_green && transparent_green,
enabled_blue && transparent_blue);
}
/* TODO: disable transparence for OpenVPN networks, but only for
OpenVPN net-2-net which we currently have not implemented */
/* choose RED destination: 'localip' or 'red_netaddress/red_netmask' */
char destination[STRING_SIZE] = "";
if (strcmp(ipcop_ethernet.red_type[1], "STATIC") == 0) {
snprintf(destination, STRING_SIZE, "%s/%s", ipcop_ethernet.address[RED][1], ipcop_ethernet.netmask[RED][1]);
}
else {
if (ipcop_ethernet.red_address[1][0] && VALID_IP(ipcop_ethernet.red_address[1])) {
snprintf(destination, STRING_SIZE, "%s", ipcop_ethernet.red_address[1]);
}
}
/* RED may be down */
if (!strlen(destination)) {
verbose_printf(1, "Cannot determine RED network.\n");
}
else {
verbose_printf(2, "Dest IP is set to: %s\n", destination);
}
/* install the transparency rules */
/* green transparent ? */
if (transparent_green && enabled_green) {
/* direct http GREEN-->RED network */
verbose_printf(1, "Setting transparent iptables rule for GREEN ... \n");
if (snprintf(buffer, STRING_SIZE - 1,
"/sbin/iptables -t nat -A SQUID -i %s -p tcp -d %s --dport 80 -j RETURN",
ipcop_ethernet.device[GREEN][1], destination) >= STRING_SIZE) {
fprintf(stderr, "Command too long\n");
exit(1);
}
if (strlen(destination))
safe_system(buffer); /* only id known RED */
/* install the redirect for other port http destinations from green */
if (snprintf(buffer, STRING_SIZE - 1,
"/sbin/iptables -t nat -A SQUID -i %s -p tcp --dport 80 -j REDIRECT --to-port %s",
ipcop_ethernet.device[GREEN][1], proxy_port) >= STRING_SIZE) {
fprintf(stderr, "Command too long\n");
exit(1);
}
safe_system(buffer);
}
/* blue transparent ? */
if (transparent_blue && enabled_blue) {
/* direct http BLUE-->RED network */
verbose_printf(1, "Setting transparent iptables rule for BLUE ... \n");
if (snprintf(buffer, STRING_SIZE - 1,
"/sbin/iptables -t nat -A SQUID -i %s -p tcp -d %s --dport 80 -j RETURN",
ipcop_ethernet.device[BLUE][1], destination) >= STRING_SIZE) {
fprintf(stderr, "Command too long\n");
exit(1);
}
if (strlen(destination))
safe_system(buffer); /* only id known RED */
/* install the redirect for other port http destinations from blue */
if (snprintf(buffer, STRING_SIZE - 1,
"/sbin/iptables -t nat -A SQUID -i %s -p tcp --dport 80 -j REDIRECT --to-port %s",
ipcop_ethernet.device[BLUE][1], proxy_port) >= STRING_SIZE) {
fprintf(stderr, "Command too long\n");
exit(1);
}
safe_system(buffer);
}
/* OpenVPN roadwarriors transparent ? */
if (transparent_ovpn && enabled_ovpn) {
/* direct http OpenVPN-->RED network */
verbose_printf(1, "Setting transparent iptables rule for OpenVPN RW ... \n");
if (snprintf(buffer, STRING_SIZE - 1,
"/sbin/iptables -t nat -A SQUID -i %s -p tcp -d %s --dport 80 -j RETURN",
"tun0", destination) >= STRING_SIZE) {
fprintf(stderr, "Command too long\n");
exit(1);
}
if (strlen(destination))
safe_system(buffer); /* only id known RED */
/* install the redirect for other port http destinations from OpenVPN */
if (snprintf(buffer, STRING_SIZE - 1,
"/sbin/iptables -t nat -A SQUID -i %s -p tcp --dport 80 -j REDIRECT --to-port %s",
"tun0", proxy_port) >= STRING_SIZE) {
fprintf(stderr, "Command too long\n");
exit(1);
}
safe_system(buffer);
}
return 0;
}
int main(int argc, char *argv[])
{
char hostname[STRING_SIZE] = "";
char domainname[STRING_SIZE] = "";
char buffer[STRING_SIZE];
char string[STRING_SIZE];
char *active, *ip, *host, *domain;
static struct option long_options[] = {
{ "nosighup", no_argument, &flag_nosighup, 1 },
{ "verbose", no_argument, 0, 'v'},
{ "help", no_argument, 0, 'h'},
{0, 0, 0, 0}
};
int c;
int option_index = 0;
if (!(initsetuid()))
exit(1);
while ((c = getopt_long(argc, argv, "hv", long_options, &option_index)) != -1) {
switch (c) {
case 0:
break;
case 'v': /* verbose */
flag_verbose++;
break;
case 'h':
usage(argv[0], 0);
default:
fprintf(stderr, "unknown option\n");
usage(argv[0], 1);
}
}
atexit(exithandler);
memset(buffer, 0, STRING_SIZE);
/* Fetch ethernet/settings, exit on error */
read_ethernet_settings(1);
if (read_kv_from_file(&main_kv, "/var/ipcop/main/settings") != SUCCESS) {
fprintf(stderr, "Couldn't read main settings\n");
exit(1);
}
strcpy(hostname, SNAME);
find_kv_default(main_kv, "HOSTNAME", hostname);
find_kv_default(main_kv, "DOMAINNAME", domainname);
free_kv(&main_kv);
main_kv = NULL;
if (!(fd = fopen("/var/ipcop/main/hosts", "r"))) {
fprintf(stderr, "Couldn't open main hosts file\n");
exit(1);
}
snprintf(string, STRING_SIZE, "/etc/hosts");
if (!(hosts = fopen(string, "w"))) {
fprintf(stderr, "Couldn't open /etc/hosts file\n");
fclose(fd);
fd = NULL;
exit(1);
}
fprintf(hosts, "127.0.0.1\tlocalhost\n");
if (strlen(domainname))
fprintf(hosts, "%s\t%s.%s\t%s\n", ipcop_ethernet.address[GREEN][1], hostname, domainname, hostname);
else
fprintf(hosts, "%s\t%s\n", ipcop_ethernet.address[GREEN][1], hostname);
while (fgets(buffer, STRING_SIZE, fd)) {
buffer[strlen(buffer) - 1] = 0;
if (buffer[0] == ',')
continue; /* disabled if empty field */
active = strtok(buffer, ",");
if (strcmp(active, "off") == 0)
continue; /* or 'off' */
ip = strtok(NULL, ",");
host = strtok(NULL, ",");
domain = strtok(NULL, ",");
if (!(ip && host))
continue; /* bad line ? skip */
if (!VALID_IP(ip)) {
fprintf(stderr, "Bad IP: %s\n", ip);
continue; /* bad ip, continue */
}
if (strspn(host, LETTERS_NUMBERS "-") != strlen(host)) {
fprintf(stderr, "Bad Host: %s\n", host);
continue; /* bad name, continue */
}
if (domain)
fprintf(hosts, "%s\t%s.%s\t%s\n", ip, host, domain, host);
else
fprintf(hosts, "%s\t%s\n", ip, host);
}
fclose(fd);
fd = NULL;
fclose(hosts);
hosts = NULL;
if (flag_nosighup) {
verbose_printf(1, "Restart dnsmasq... \n");
safe_system("/etc/rc.d/rc.dnsmasq --restart");
}
else {
verbose_printf(1, "Send SIGHUP to dnsmasq... \n");
safe_system("/etc/rc.d/rc.dnsmasq --sighup");
}
return 0;
}
int main(int argc, char **argv)
{
int flag_boot = 0;
int fd, config_fd, rc, pid;
char buffer[STRING_SIZE_LARGE], command[STRING_SIZE_LARGE] = "/bin/sed -e '";
NODEKV *ssh_kv = NULL;
int enabled = 0;
static struct option long_options[] =
{
{ "boot", no_argument, 0, 'b' },
{ "verbose", no_argument, 0, 'v' },
{ "help", no_argument, 0, 'h' },
{ 0, 0, 0, 0}
};
int c;
int option_index = 0;
if (!(initsetuid()))
exit(1);
while ((c = getopt_long(argc, argv, "bv", long_options, &option_index)) != -1) {
switch (c) {
case 'b': /* booting */
flag_boot = 1;
break;
case 'v': /* verbose */
flag_verbose++;
break;
case 'h':
usage(argv[0], 0);
default:
fprintf(stderr, "unknown option\n");
usage(argv[0], 1);
}
}
verbose_printf(1, "Reading SSHd settings ... \n");
if (read_kv_from_file(&ssh_kv, "/var/ipcop/remote/settings") != SUCCESS) {
fprintf(stderr, "Cannot read remote access settings\n");
exit(1);
}
/* By using O_CREAT with O_EXCL open() will fail if the file already exists,
* this prevents 2 copies of restartssh both trying to edit the config file
* at once. It also prevents race conditions, but these shouldn't be
* possible as /etc/ssh/ should only be writable by root anyhow
*/
if ((config_fd = open("/etc/ssh/sshd_config.new", O_WRONLY | O_CREAT | O_EXCL, 0644)) == -1) {
perror("Unable to open new config file");
free_kv(&ssh_kv);
exit(1);
}
verbose_printf(1, "Rebuilding SSHd config ... \n");
if (test_kv(ssh_kv, "ENABLE_SSH_PROTOCOL1", "on") == SUCCESS)
strlcat(command, "s/^Protocol .*$/Protocol 2,1/;", STRING_SIZE_LARGE - 1);
else
strlcat(command, "s/^Protocol .*$/Protocol 2/;", STRING_SIZE_LARGE - 1);
if (test_kv(ssh_kv, "ENABLE_SSH_KEYS", "off") == SUCCESS)
strlcat(command, "s/^RSAAuthentication .*$/RSAAuthentication no/;"
"s/^PubkeyAuthentication .*$/PubkeyAuthentication no/;", STRING_SIZE_LARGE - 1);
else
strlcat(command, "s/^RSAAuthentication .*$/RSAAuthentication yes/;"
"s/^PubkeyAuthentication .*$/PubkeyAuthentication yes/;", STRING_SIZE_LARGE - 1);
if (test_kv(ssh_kv, "ENABLE_SSH_PASSWORDS", "off") == SUCCESS)
strlcat(command, "s/^PasswordAuthentication .*$/PasswordAuthentication no/;", STRING_SIZE_LARGE - 1);
else
strlcat(command, "s/^PasswordAuthentication .*$/PasswordAuthentication yes/;", STRING_SIZE_LARGE - 1);
if (test_kv(ssh_kv, "ENABLE_SSH_PORTFW", "on") == SUCCESS)
strlcat(command, "s/^AllowTcpForwarding .*$/AllowTcpForwarding yes/", STRING_SIZE_LARGE - 1);
else
strlcat(command, "s/^AllowTcpForwarding .*$/AllowTcpForwarding no/", STRING_SIZE_LARGE - 1);
if (test_kv(ssh_kv, "ENABLE_SSH", "on") == SUCCESS)
enabled = 1;
free_kv(&ssh_kv);
snprintf(buffer, STRING_SIZE_LARGE - 1, "' /etc/ssh/sshd_config >&%d", config_fd);
strlcat(command, buffer, STRING_SIZE_LARGE - 1);
if ((rc = unpriv_system(command, 99, 99)) != 0) {
fprintf(stderr, "sed returned bad exit code: %d\n", rc);
close(config_fd);
unlink("/etc/ssh/sshd_config.new");
exit(1);
}
close(config_fd);
if (rename("/etc/ssh/sshd_config.new", "/etc/ssh/sshd_config") != 0) {
perror("Unable to replace old config file");
unlink("/etc/ssh/sshd_config.new");
exit(1);
}
memset(buffer, 0, STRING_SIZE_LARGE);
verbose_printf(1, "Shutdown SSHd ... \n");
if ((fd = open("/var/run/sshd.pid", O_RDONLY)) != -1) {
if ((read(fd, buffer, STRING_SIZE_LARGE - 1) == -1) && !flag_boot) {
fprintf(stderr, "Couldn't read from pid file\n");
}
else {
pid = atoi(buffer);
if (pid <= 1)
fprintf(stderr, "Bad pid value\n");
else {
if (kill(pid, SIGTERM) == -1)
fprintf(stderr, "Unable to send SIGTERM\n");
else
unlink("/var/run/sshd.pid");
}
}
close(fd);
}
else {
if (!flag_boot && (errno != ENOENT)) {
perror("Unable to open pid file");
exit(1);
}
}
if (enabled) {
verbose_printf(1, "Starting SSHd ... \n");
safe_system("/usr/sbin/sshd");
/* Give SSHd some time to start */
sleep(1);
if (access("/var/run/sshd.pid", F_OK) == -1) {
fprintf(stderr, "Couldn't read from pid file, SSHd not running?\n");
}
else if (flag_verbose >= 2) {
safe_system("echo -n \"SSHd running with PID \" && cat /var/run/sshd.pid");
}
}
return 0;
}
int main(void)
{
FILE *ipfile = NULL, *ifacefile = NULL;
FILE *fwdfile = NULL;
int count;
char iface[STRING_SIZE];
char locip[STRING_SIZE];
char *protocol;
char *extip;
char *locport;
char *remip;
char *remport;
char *origremport;
char *enabled;
char s[STRING_SIZE];
char *result;
char command[STRING_SIZE];
char remdouble[STRING_SIZE];
if (!(initsetuid(1)))
exit(1);
if (!(ipfile = fopen("/var/smoothwall/red/local-ipaddress", "r")))
{
fprintf(stderr, "Couldn't open local ip file");
goto EXIT;
}
fgets(locip, STRING_SIZE, ipfile);
if (locip[strlen(locip) - 1] == '\n')
locip[strlen(locip) - 1] = '\0';
fclose (ipfile);
ipfile = NULL;
if (strspn(locip, IP_NUMBERS) != strlen(locip))
{
fprintf(stderr, "Bad local IP: %s\n", locip);
goto EXIT;
}
if (!(ifacefile = fopen("/var/smoothwall/red/iface", "r")))
{
fprintf(stderr, "Couldn't open iface file");
goto EXIT;
}
fgets(iface, STRING_SIZE, ifacefile);
if (iface[strlen(iface) - 1] == '\n')
iface[strlen(iface) - 1] = '\0';
fclose (ifacefile);
ifacefile = NULL;
if (strspn(iface, LETTERS_NUMBERS) != strlen(iface))
{
fprintf(stderr, "Bad iface: %s\n", iface);
goto EXIT;
}
if (!(fwdfile = fopen("/var/smoothwall/portfw/config", "r")))
{
fprintf(stderr, "Couldn't open portfw settings file\n");
goto EXIT;
}
system("/sbin/iptables -F portfwf");
system("/sbin/iptables -t nat -F portfw");
while (fgets(s, STRING_SIZE, fwdfile) != NULL)
{
if (s[strlen(s) - 1] == '\n')
s[strlen(s) - 1] = '\0';
result = strtok(s, ",");
count = 0;
protocol = NULL;
extip = NULL;
locport = NULL;
remip = NULL;
remport = NULL;
enabled = NULL;
while (result)
{
if (count == 0)
protocol = result;
else if (count == 1)
extip = result;
else if (count == 2)
locport = result;
else if (count == 3)
remip = result;
else if (count == 4)
remport = result;
else
enabled = result;
count++;
result = strtok(NULL, ",");
}
if (!(protocol && extip && locport && remip && remport && enabled))
break;
if (strspn(protocol, LETTERS) != strlen(protocol))
{
fprintf(stderr, "Bad protocol: %s\n", protocol);
goto EXIT;
}
if (strspn(extip, IP_NUMBERS) != strlen(extip))
{
fprintf(stderr, "Bad external IP: %s\n", extip);
goto EXIT;
}
if (strspn(locport, NUMBERS_COLON) != strlen(locport))
{
fprintf(stderr, "Bad loal port: %s\n", locport);
goto EXIT;
}
if (strspn(remport, NUMBERS) != strlen(remport))
{
fprintf(stderr, "Bad remote port: %s\n", remport);
goto EXIT;
}
if (strcmp(enabled, "on") == 0)
{
origremport = remport;
if (!atol(remport))
remport = locport;
if (!strchr(locport, ':') || atol(origremport))
{
snprintf(remdouble, STRING_SIZE - 1, "%s:%s",
remip, remport);
}
else
strncpy(remdouble, remip, STRING_SIZE - 1);
memset(command, 0, STRING_SIZE);
snprintf(command, STRING_SIZE - 1,
"/sbin/iptables -A portfwf -m state --state NEW -i %s -p %s -s %s -d %s --dport %s -j ACCEPT",
iface, protocol, extip, remip, remport);
system(command);
snprintf(command, STRING_SIZE - 1,
"/sbin/iptables -t nat -A portfw -p %s -s %s -d %s --dport %s -j DNAT --to %s",
protocol, extip, locip, locport, remdouble);
system(command);
}
}
EXIT:
if (ipfile)
fclose(ipfile);
if (ifacefile)
fclose(ifacefile);
if (fwdfile)
fclose(fwdfile);
return 0;
}
