The Perl Toolchain Summit needs more sponsors. If your company depends on Perl, please support this very important event.

NAME

locklbtype -- lock (and unlock) label types

Perl script intended to be used under suid to a account, itself authorized to connect to the local host via ssh, as vob owner.

SYNOPSYS

locklbtype [--unlock | --nusers accounts] --vob <vob> --lbtype <lbtypes> | --help

The default function is to lock the label types passed as argument. To unlock them instead, use --unlock. Only one vob parameter is accepted, and it is mandatory. Multiple label types are possible, either with separate options or as one comma separated list. All the types must exist in the vob. For the locking function, a --nusers exception list is supported.

SSH CONFIGURATION

The account for which this script should be suid -enabled, should have a valid ssh configuration: a pair of private/public keys generated, for passwordless (challenge -based) authentication.

Its public keys should be added into each of the intended vob owner accounts' ~/.ssh/authorized_keys files.

The script connects to a host, where ssh is configured. If all hosts are so configured, one may obtain the local host name by invoking hostname, instead of hardcoding one dedicated host.

The host configuration may include adding the chosen account to the users.allow file.

SUDO CONFIGURATION

The user account owning the script, installed suid-enabled, should be allowed in /etc/sudoers to run (cleartool) commands passwordlessly on behalf of all vob owner accounts. The following setting can serve as template:

Runas_Alias VOBOWN = vobown1,vobown2 %user ALL=(VOBOWN) NOPASSWD: ALL

DETAILS

The script sets its real uid to the value of its effective uid (owning the running process, and set via the suid bit).

It then invokes, either (1) ssh on myhost.mydomain (but using its host name instead of 0 or localhost, in order to avoid recording different host keys under the same name), or (20 sudo, with the account of the vob owner, obtained from ClearCase.

Unlock events are logged, with the id and name of the real user, to a dedicated log file under the crontab account home. Lock events contain a comment with the same identity information.

This script itself is to be used from a copy in a unix directory, unless the vobs are mounted on all hosts with suid enabled. It is acknowledgedly a workaround for the lack of sudo, which would provide a simpler, better, safer and more secure solution.

Perl requires that any data obtained from the user or from a system call be thoroughly checked, and in fact re-created by any script run under an other id than the effective one (i.e. in practice, via suid). The script performs this by untainting the data, via one of several functions specialized for certain kinds of data.

Among other things, it unsets its PATH environment variable. This it must however do before requiring ClearCase::Argv, thus in a BEGIN block. The reason is that ClearCase::Argv sets the path to the cleartool binary in different way for priviledged and for normal invocations: for the latter, it uses the environment; for the former, the standard installation path. It also uses the standard path when the environment is unset. Invocation under suid is detected by comparing the real and the effective uid, which misses the case when the real uid happens to be the same as the suid account. In this case, it is important that the PATH is not wiped out between the initialization and the actual invocation.