The following lines should be present at the start of the config
file and they should not be changed.
use lib "/usr/local/accounts/lib";
use RatsLib;
package CONFIG;
# Package globals shared between this file, the library and the site
# config loaded below.  'use vars' is the pre-'our' spelling of the same
# declaration; it is kept because the library addresses these names as
# CONFIG::... package variables.
use vars qw($CLIENT_PORT $MAX_CHILD $LOG_FILE %COMMAND_HOOKS );
use vars qw(%DES_KEYS %RESPONSE %FS %LINKED_FS %INTERNAL_FUNCTIONS);
use vars qw($PATH_REGEXP %ACCT_FILES %ACCT_FILES_TMP $EXT_TOKEN);
use vars qw($GROUP_ENTRY_LENGTH_LIMIT %LOCK_FILE $SLEEP_LEN $LOCK_TRIES );
use vars qw(%ACCT_FILES_MASTER $BOGUS_UID $MIN_UID $LOG_HOST);
use vars qw($INITIAL_NET_TIMEOUT $NORMAL_NET_TIMEOUT %ACCOUNTS);
use vars qw($MASTER_HOST $RATS_MASTER %API $UNAME_SIZE $UID_HOST);
use vars qw($SERVER_PORT $USE_ARCHIVE $ARCHIVE_PATH $ARCHIVE_CMD $ARCHIVE_EXT);
use vars qw($ARCHIVE_HOST $PKT_SIZE $EMAIL_HOST $RADIUS_DOMAIN $PRIVS_FILE);
use vars qw($PRIVS_FILE_TEMP %GROUP_SUPER $YPFILE $RAD_AUTH_FILE);
use vars qw($RAD_AUTH_FILE_TEMP $WEB_TIMEOUT $UID_SYNC $ALLOW_UID_RESERVE);
use vars qw($NET_READ_TIMEOUT $KERB_TOKEN $ENIGMA_TOKEN $SYS_lchown);
use vars qw($OS_HAS_lchown %HOST_ACL $SCRIPT_DIR $WEB_DEFAULT_ACCT);
use vars qw($MAIN_SCREEN_HELP $GENERAL_HELP $WEB_END_MSG);
use vars qw($USE_NEXT_UID $WEB_INTRO $WEB_DATA_ERROR $WEB_GROUP_HELP);
use vars qw($WEB_NO_SERVICE $WEB_NO_SERVICE_MSG %SHELL_LOCKS);
use vars qw($KERBSHELL_REALM %ACCT_FILES_PERMS $ARCHIVE_PERMS);
# we set the path to keep the taint checks happy
# NOTE(review): under -T perlsec also wants IFS, CDPATH, ENV and BASH_ENV
# removed from %ENV before any external command is run; that is not done
# here, so confirm it happens where subprocesses are spawned.
$ENV{PATH} = "/usr/bin:/usr/sbin:/usr/local/gnu/bin";
# include user conf file
# 'require' executes rats.conf as Perl, it does not parse it as data:
# whoever can write that file can run code in every process that loads
# this one, so its ownership and mode matter as much as the daemon's own.
require "/usr/local/accounts/etc/rats.conf";
What follows are internal variables which should not be touched
unless you know what you are doing. If you have to ask what it does, then
DON'T TOUCH IT!
These are the permissions for the various account files.
# File modes keyed by account-file kind.  Only shadow is owner-only; the
# other three are world-readable.  NOTE(review): the values are strings
# like '0644', not numbers -- whatever passes them to chmod must oct()
# them, otherwise the mode applied is decimal 644 (01204).  Confirm at the
# consumer.
%ACCT_FILES_PERMS = (
    group   => '0644',
    passwd  => '0644',
    shadow  => '0600',
    reserve => '0644',
);
The following is a mapping of API commands to actual functions. Note that for each call there are occasionally three associated functions. The main one determines if the operations should be performed locally, the "L" function the function which performs the command locally, and the "R" function is used to send the commands to different host. The main functions and the "L" functions should take as arguments those described in the API, while the "R" function should take the same args followed by a hostname and a port number. Some commands do not have local and remote functions and other of the listed functions do not have commands associated with them but are used by some other functions and they where deemed important enough to be configurable.
# Dispatch table: protocol command name -> code reference.  For most
# commands there is a plain entry (decides local vs. remote), an "L"
# entry (does the work on this host) and an "R" entry (forwards to
# another host; takes the same arguments plus hostname and port).
# Because the values are code references, this table is executable
# configuration: anyone who can edit it chooses what the daemon runs for
# RUN, COPY, LINK and the passwd/group writers, so keep this file and the
# RatsLib directory writable only by the daemon's owner.
%COMMAND_HOOKS = (
    # quota
    QSET      => \&RatsLib::default_set_quota,
    LQSET     => \&RatsLib::default_set_local_quota,
    RQSET     => \&RatsLib::default_set_remote_quota,
    # directories
    MKDIR     => \&RatsLib::default_mk_dir,
    RMKDIR    => \&RatsLib::default_mk_remote_dir,
    LMKDIR    => \&RatsLib::default_mk_local_dir,
    RMDIR     => \&RatsLib::default_rm_dir,
    RRMDIR    => \&RatsLib::default_rm_remote_dir,
    LRMDIR    => \&RatsLib::default_rm_local_dir,
    # passwd entries
    ADDPWEN   => \&RatsLib::default_add_pw_entry,
    LADDPWEN  => \&RatsLib::default_add_local_pw_entry,
    RADDPWEN  => \&RatsLib::default_add_remote_pw_entry,
    REMPWEN   => \&RatsLib::default_remove_pw_entry,
    LREMPWEN  => \&RatsLib::default_remove_local_pw_entry,
    RREMPWEN  => \&RatsLib::default_remove_remote_pw_entry,
    # group membership
    ADDTOGRP  => \&RatsLib::default_add_user_to_group,
    LADDTOGRP => \&RatsLib::default_local_add_user_to_group,
    RADDTOGRP => \&RatsLib::default_remote_add_user_to_group,
    REMFRGRP  => \&RatsLib::default_remove_user_from_group,
    LREMFRGRP => \&RatsLib::default_local_remove_user_from_group,
    RREMFRGRP => \&RatsLib::default_remote_remove_user_from_group,
    # uid / gid lookup and generation (GENUID/GENNUID have no API command)
    GENUID    => \&RatsLib::default_generate_uid,
    GENNUID   => \&RatsLib::default_generate_next_uid,
    GETUID    => \&RatsLib::default_get_uid,
    LGETUID   => \&RatsLib::default_get_local_uid,
    RGETUID   => \&RatsLib::default_get_remote_uid,
    GETGID    => \&RatsLib::default_get_gid,
    LGETGID   => \&RatsLib::default_get_local_gid,
    RGETGID   => \&RatsLib::default_get_remote_gid,
    # logging
    LOG       => \&RatsLib::default_log,
    LLOG      => \&RatsLib::default_local_log,
    RLOG      => \&RatsLib::default_remote_log,
    DEBUG     => \&RatsLib::default_debug,
    # passwd / shadow entry lookup
    GETPWENT  => \&RatsLib::default_getpwent,
    LGETPWENT => \&RatsLib::default_local_getpwent,
    RGETPWENT => \&RatsLib::default_remote_getpwent,
    GETSHENT  => \&RatsLib::default_getshent,
    LGETSHENT => \&RatsLib::default_local_getshent,
    RGETSHENT => \&RatsLib::default_remote_getshent,
    QGET      => \&RatsLib::default_get_quota,
    LQGET     => \&RatsLib::default_get_local_quota,
    RQGET     => \&RatsLib::default_get_remote_quota,
    # file operations and script execution
    LINK      => \&RatsLib::default_link,
    COPY      => \&RatsLib::default_copy,
    RUN       => \&RatsLib::default_run_script,
    # group and user listings
    GETGROUP  => \&RatsLib::default_get_groups,
    LGETGROUP => \&RatsLib::default_get_local_groups,
    RGETGROUP => \&RatsLib::default_get_remote_groups,
    ARCHIVE   => \&RatsLib::default_archive,
    LARCHIVE  => \&RatsLib::default_local_archive,
    RARCHIVE  => \&RatsLib::default_remote_archive,
    GETUSERS  => \&RatsLib::default_get_users,
    LGETUSERS => \&RatsLib::default_get_local_users,
    RGETUSERS => \&RatsLib::default_get_remote_users,
    GETGRNAM  => \&RatsLib::default_getgrnam,
    LGETGRNAM => \&RatsLib::default_getgrnam_local,
    RGETGRNAM => \&RatsLib::default_getgrnam_remote,
    # uid reservation, shell change, existence check
    RESERVE   => \&RatsLib::default_reserve_uid,
    LRESERVE  => \&RatsLib::default_reserve_local_uid,
    RRESERVE  => \&RatsLib::default_reserve_remote_uid,
    CHGSHELL  => \&RatsLib::default_change_shell,
    LCHGSHELL => \&RatsLib::default_change_local_shell,
    RCHGSHELL => \&RatsLib::default_change_remote_shell,
    EXUSER    => \&RatsLib::default_exist_user,
    LEXUSER   => \&RatsLib::default_local_exist_user,
    REXUSER   => \&RatsLib::default_remote_exist_user,
);
These are some of the truly internal functions. For now only the encryption functions are on this list.
# Hooks the daemons call for message encryption; only the cipher pair is
# configurable so far.  NOTE(review): the names point at a DES-in-CBC
# implementation in LIBS; DES-family ciphers are legacy, so confirm what
# LIBS actually provides before relying on these for confidentiality.
%INTERNAL_FUNCTIONS = (
    ENCRYPT => \&LIBS::des_3cbc_encrypt,
    DECRYPT => \&LIBS::des_3cbc_decrypt,
);
Here is the list of various error messages likely to be generated
by the client software.
# Three-letter status codes sent by the client software, mapped to the
# human-readable names used in logs and messages.  The strings are part
# of the wire/log format: change a value here only together with
# whatever parses it.
%RESPONSE = (
    # generic
    NSC => 'NO_SUCH_COMMAND',
    SCS => 'SUCCESS',
    FIL => 'COMMAND_FAILED',
    TNT => 'TAINTED_INPUT_DATA',
    NCP => 'NO_COMMAND_PERMISSIONS',
    # quota
    QFF => 'QUOTA_FILEOPEN_FAILED',
    QSF => 'QUOTA_IOCTL_FAILED',          # are quotas on?
    # filesystem
    NFS => 'NO_SUCH_FILE_SYSTEM',
    NFL => 'NO_SUCH_FILE',
    FAE => 'FILE_ALREADY_EXISTS',
    MKF => 'MKDIR_FAILED',
    RMF => 'RM_FAILURE',
    ARF => 'ARCHIVE_FAILED',
    # network
    SCF => 'SOCKET_CONNECT_FAILURE',
    SRF => 'SOCKET_READ_FAILURE',
    SRT => 'SOCKET_READ_TIMEOUT',
    # locking
    FAL => 'FILE_ALREADY_LOCKED',
    ELF => 'ERROR_OPENING_LOCK_FILE',
    LTE => 'LOCK_TIMEOUT_EXPIRED',
    FLF => 'FLOCK_LOCK_FAILED',
    # account files and their temp copies
    GRE => 'ERROR_OPENING_GROUP_FILE',
    PRE => 'ERROR_OPENING_PASSWD_FILE',
    RRE => 'ERROR_OPENING_RESERVE_FILE',
    SRE => 'ERROR_OPENING_SHADOW_FILE',
    GTE => 'ERROR_OPENING_TEMP_GROUP_FILE',
    PTE => 'ERROR_OPENING_TEMP_PASSWD_FILE',
    RTE => 'ERROR_OPENING_TEMP_RESERVE_FILE',
    STE => 'ERROR_OPENING_TEMP_SHADOW_FILE',
    # users, groups, uids
    NSG => 'NO_SUCH_GROUP',
    NSU => 'NO_SUCH_USER',
    UAE => 'USER_OR_UID_ALREADY_EXISTS',
    UGF => 'UID_GENERATION_FAILURE',
    RNS => 'UID_RESERVATION_NOT_SUPPORTED',
    # misc
    FOL => 'COULD_NOT_OPEN_LOG_FILE',
    NES => 'CAN_NOT_EXECUTE_SCRIPT',
);
This is a regular expresion used to verify that the name of a path is correct (i.e. not bizarre escapes and so on)
$PATH_REGEXP = '[\d\w/.-]+';
The main RATS API calls. These are better documented in the API
documentation. DON'T modify
these unless you want to maintain the package.
# Numeric opcodes of the RATS wire protocol.  Each range is bracketed by
# a *MIN/*MAX pair and a reply sits 10000 above its request (RET*/R_*
# entries).  The API documentation is authoritative; changing a value
# here changes the protocol for every peer, so this table is part of the
# package rather than site configuration.
%API = (
    # ---- client -> server calls, 10000..19990 ----
    'CLIENTMIN'   => 10000,  # lower bound of the client call range
    'GETIRFL_U'   => 10010,  # USERNAME -> IID RCPID FIRSTNAME LASTNAME
    'GETIR_FLSB'  => 10020,  # FIRSTNAME LASTNAME SSN BDAY -> IID RCPID
    'GETRFL_I'    => 10030,  # IID -> RCPID FIRSTNAME LASTNAME
    'GETIFL_R'    => 10040,  # RCPID -> IID FIRSTNAME LASTNAME
    'GETROLE'     => 10050,  # RCPID ROLE -> 0/1
    'GETEMAIL'    => 10060,  # RCPID ROLE -> email
    'GETROSTER'   => 10070,  # SSN TERM YEAR REG_I -> 0/1
    'GETUSREX'    => 10080,  # USERNAME -> 0/1 (does the username exist)
    'GETKERB'     => 10090,  # IID REALM -> 0/1
    'GETUSRINF'   => 10100,  # RCPID -> primary active USERNAME
    'GETRIFL_S'   => 10110,  # SSN -> RCPID IID FIRST LAST
    'GETCAMPUS'   => 10120,  # RCPID CAMPUS -> 0/1
    'GETMAJOR'    => 10140,  # RCPID MAJOR -> 0/1
    'SETKERB'     => 15000,  # IID REALM PASSWORD: set the kerberos principal
    'SETEMAIL'    => 15010,  # RCPID EMAIL ROLE: set EMAIL in the PDB
    'SETACCINF'   => 15020,  # RCPID USERNAME: set account info in the PDB
    'REMEMAIL'    => 15030,  # USERNAME EMAIL: remove from all roles
    'SETNPUSER'   => 15060,  # RCPID USERNAME -> 1/fail
    'CHNGPWD'     => 15070,  # Fst Lst SSN Bday Princ RLM PASS -> 1/0
    'QUIT'        => 19980,  # client ends the conversation
    'CLIENTMAX'   => 19990,  # upper bound of the client call range
    # ---- server -> client replies, 20000..29990 ----
    'SERVERMIN'   => 20000,  # lower bound of the server reply range
    'RETIRFL_U'   => 20010,  # reply to 10010
    'RETIR_FLSB'  => 20020,  # reply to 10020
    'RETRFL_I'    => 20030,  # reply to 10030
    'RETIFL_R'    => 20040,  # reply to 10040
    'RETROLE'     => 20050,  # reply to 10050
    'RETEMAIL'    => 20060,  # reply to 10060
    'RETROSTER'   => 20070,  # reply to 10070
    'RETUSREX'    => 20080,  # reply to 10080
    'RETGETKERB'  => 20090,  # reply to 10090
    'RETUSRINF'   => 20100,  # reply to 10100
    'RETRIFL_S'   => 20110,  # reply to 10110
    'RETCAMPUS'   => 20120,  # reply to 10120
    'RETMAJOR'    => 20140,  # reply to 10140
    'RETSETKERB'  => 25000,  # reply to 15000
    'RETSEMAIL'   => 25010,  # reply to 15010
    'RETACCINF'   => 25020,  # reply to 15020
    'RETREMEMAIL' => 25030,  # reply to 15030
    'RETNPUSER'   => 25060,  # reply to 15060
    'RETCHNGPWD'  => 25070,  # reply to 15070
    'SERVERMAX'   => 29990,  # upper bound of the server reply range
    # ---- account-management commands, 30000..39999 ----
    'QSET'        => 30010,  # set quota
    'MKDIR'       => 30020,  # create directory
    'RMDIR'       => 30030,  # remove directory
    'ADDPWEN'     => 30040,  # add passwd entry
    'REMPWEN'     => 30050,  # remove passwd entry
    'ADDTOGRP'    => 30060,  # add user to group
    'REMFRGRP'    => 30070,  # remove user from group
    'LOG'         => 30080,  # log message
    'DEBUG'       => 30090,  # log debug message (uses LOG underneath)
    'LINK'        => 30100,  # link file1 to file2
    'COPY'        => 30110,  # copy file1 to file2
    'RUN'         => 30120,  # run a script
    'ARCHIVE'     => 30130,  # archive directory
    'RESERVE'     => 30140,  # reserve uid for username
    'CHGSHELL'    => 30150,  # change user shell
    'GETUID'      => 35010,  # uid for username
    'GETPWENT'    => 35020,  # pw entry for user
    'QGET'        => 35030,  # quota for user on fs
    'GETGID'      => 35040,  # gid for username
    'GETGROUP'    => 35050,  # list of groups for username
    'GETUSERS'    => 35060,  # list of all users on a system
    'GETGRNAM'    => 35070,  # a group, returned as a getgrnam-like list
    'GETSHENT'    => 35080,  # sh entry for user
    'EXUSER'      => 35090,  # check whether the user exists
    # ---- replies to the above, 40000..49999 ----
    'R_QSET'      => 40010,  # reply to set quota
    'R_MKDIR'     => 40020,  # reply to create directory
    'R_RMDIR'     => 40030,  # reply to remove directory
    'R_ADDPWEN'   => 40040,  # reply to add passwd entry
    'R_REMPWEN'   => 40050,  # reply to remove passwd entry
    'R_ADDTOGRP'  => 40060,  # reply to add user to group
    'R_REMFRGRP'  => 40070,  # reply to remove user from group
    'R_LOG'       => 40080,  # reply to log message
    'R_DEBUG'     => 40090,  # reply to log debug message
    'R_LINK'      => 40100,  # reply to link file1 to file2
    'R_COPY'      => 40110,  # reply to copy file1 to file2
    'R_RUN'       => 40120,  # reply to run script
    'R_ARCHIVE'   => 40130,  # reply to archive
    'R_RESERVE'   => 40140,  # reply to reserve
    'R_CHGSHELL'  => 40150,  # reply to change user shell
    'R_GETUID'    => 45010,  # reply to get uid for username
    'R_GETPWENT'  => 45020,  # reply to get pw entry for user
    'R_QGET'      => 45030,  # reply to quota get
    'R_GETGID'    => 45040,  # reply to get gid for username
    'R_GETGROUP'  => 45050,  # reply to get list of groups for username
    'R_GETUSERS'  => 45060,  # reply to get list of users
    'R_GETGRNAM'  => 45070,  # reply to getgrnam
    'R_GETSHENT'  => 45080,  # reply to get sh entry for user
    'R_EXUSER'    => 45090,  # reply to check whether the user exists
    # ---- server-restricted calls, 50000..59999 ----
    'RSCLIENTMIN' => 50000,  # lower bound of the server-restricted call range
    'GETPHERDS'   => 50010,  # RCPID -> list of herds
    'GETHERDACL'  => 50020,  # RCPID/HERD -> 1/0/err
    'GETHERDUSR'  => 50030,  # HERD NAME -> list of RCPIDs
    'SETHERD'     => 55010,  # RCPIDu RCPIDc RCPIDs HERD EXPDT -> 1/0/err
    'EXPHERD'     => 55020,  # RCPID HERD -> 1/err
    'EXPUSER'     => 55030,  # RCPID/USERNAME/DATE/DATE -> 1/err
    'SETHERDACL'  => 55040,  # RCPID/HERD -> 1/err
    'SETHERDNAME' => 55050,  # HERD -> 1/0/err
    'REMHERDACL'  => 55060,  # RCPID/HERD -> 1/err
    'RSCLIENTMAX' => 59999,  # upper bound of the server-restricted call range
    # ---- server-restricted replies, 60000..69999 ----
    'RSSERVERMIN' => 60000,  # lower bound of the server-restricted reply range
    'RETPHERDS'   => 60010,  # reply to 50010
    'RETGHERDACL' => 60020,  # reply to 50020
    'CETPHERDS'   => 60011,  # reply to 50010, continuation
    'RETHERDUSR'  => 60030,  # reply to 50030
    'CETHERDUSR'  => 60031,  # reply to 50030, continuation
    'RETHERD'     => 65010,  # reply to 55010
    'RETEXPHERD'  => 65020,  # reply to 55020
    'REXPUSER'    => 65030,  # reply to 55030
    'RETSHERDACL' => 65040,  # reply to 55040
    'RETHERDNAME' => 65050,  # reply to 55050
    'RETRHERDACL' => 65060,  # reply to 55060
    'RSSERVERMAX' => 69999,  # upper bound of the server-restricted reply range
    # ---- client-restricted ranges, 70000..89999 (no calls defined yet) ----
    'RCCLIENTMIN' => 70000,  # lower bound of the client-restricted call range
    'RCCLIENTMAX' => 79999,  # upper bound of the client-restricted call range
    'RCSERVERMIN' => 80000,  # lower bound of the client-restricted reply range
    'RCSERVERMAX' => 89999,  # upper bound of the client-restricted reply range
    # ---- errors, 90000..99990 ----
    'ERRMSGMIN'   => 90000,  # lower bound of the error range
    'NOTFOUND'    => 90010,  # uncoded "not found" error
    'ITEXISTS'    => 90020,  # uncoded "entry already exists" error
    'CODEDERR'    => 99000,  # coded error call
    'ERRMSGMAX'   => 99990,  # upper bound of the error range
);
The size of the packet size in the network code. This is number of bytes sent before each network command defining the length of the actual command. This is currently a network long which is 4bytes.
$PKT_SIZE = 4;
And this is used by the RATS client daemons at the creation of
the socket. This defines how many clients can be kept by "listen" before
"accept". If you don't know what this means then HANDS OFF!
$MAX_CHILD = 15;
Some platforms (like Solaris) have an lchown system call which
changes ownership of the link itself and not the target of the link. If $OS_HAS_lchown
is set to "1" then $SYS_lchown is used as the syscall number. $SYS_lchown
can generally be found in /usr/include/sys/syscall.h
$OS_HAS_lchown = 1;   # 1 => the lchown syscall number below is used
$SYS_lchown = 130;    # platform-specific (sys/syscall.h); a wrong number invokes some other syscall, so verify it for the host OS
The amount of time we wait for the first piece of data over
the net, in seconds
$INITIAL_NET_TIMEOUT = 30;
The time we wait for new data once the connection is established
$NORMAL_NET_TIMEOUT = 300;
Amount of time to wait on a network read. The main daemon times out
after 60.
$NET_READ_TIMEOUT = 240;
The bogus uid which will trigger a new uid generation
$BOGUS_UID = -1;
Time to sleep between lock attempts in seconds
$SLEEP_LEN = 5;
Number of tries before giving up on obtaining a lock
$LOCK_TRIES = 5;
The max size of a username
$UNAME_SIZE=8;
Use the next uid. If set to 0 then the next uid will be used
$USE_NEXT_UID = 0;
Message to print once the account is created. The default is
"Account created successfully" and it is hardcoded.
$WEB_END_MSG = "";
Generic help message to be displayed when Help button is used.
# Help text for the Help button; empty by default.  Double-quoted heredoc,
# so anything placed between the delimiters interpolates variables.
$GENERAL_HELP = <<"ENDOFHELP";
ENDOFHELP
The top of the first page used for account creation.
# Top of the first account-creation page; empty by default.  Double-quoted
# heredoc, so any text added here interpolates variables.
$WEB_INTRO = <<"ENDOFINTRO";
ENDOFINTRO
Generic data error message
$WEB_DATA_ERROR ="<h1>There was an error in the information you provided.</h1>";
Help text for the group maintenance tool
# Help text for the group maintenance tool; empty by default.  Double-quoted
# heredoc, so any text added here interpolates variables.
$WEB_GROUP_HELP =<<"ENDOFGROUPHELP";
ENDOFGROUPHELP