Link and Unlink VnmrX experiments

DISCLAIMER: These scripts and procedures are working on a system running VnmrX 5.3B and Solaris 2.4. By understanding the basic procedures involved, it should be possible to make it work under other configurations. --- Your mileage may vary!! ----

This script is used to link experiments 8 and 9 on a large disk to exp8 and exp9 in a user's vnmrsys subdirectory. On our system, the large (9G) disk is mounted on /bigexp and two experiments, exp8 and exp9, were defined there. The protocol used here links these experiments to a user's directory when he logs in and unlinks them when he logs out, so that they are available for the next user. In order for this to apply only to console logins, the script is called from the bootup macro within an if statement that examines the login terminal to determine whether this should be a spectrometer or a workstation login. The experiments are linked only in the spectrometer mode. This is the makelink script for creating the links:

#! /bin/sh
#  makelink
# make links to experiment 8 and experiment 9 on 9G drive.
#
# Find the numeric uid that currently owns the big experiment, then look up
# that user's passwd entry to get the login name and home directory.
olduid=`ls -lnd /bigexp/exp9 | awk '{print $3}'`
oldinfo=`nisgrep uid=$olduid passwd.org_dir`
# echo "Current owner: $olduid"
# echo "    passwd info: $oldinfo"
oldhome=`echo "$oldinfo" | awk 'BEGIN {FS=":"} {print $6}'`
olduser=`echo "$oldinfo" | awk 'BEGIN {FS=":"} {print $1}'`
# echo "Old home: $oldhome"
# Remove links left behind by the previous owner. Do this only if the cd
# succeeds, so that rm never runs in whatever directory we started in.
if [ -n "$oldhome" ] && cd "${oldhome}/vnmrsys"; then
   if [ -h exp8 ]; then
      echo "Removed exp8 link from $olduser."
      rm exp8
   fi
   if [ -h exp9 ]; then
      echo "Removed exp9 link from $olduser."
      rm exp9
   fi
fi
# Link the big experiments into the current user's vnmrsys directory.
cd "$vnmruser" || exit 1
if [ -d exp8 ]; then
   echo "Experiment 8 exists, cannot link to big experiment 8"
else
   ln -s /bigexp/exp8 exp8
   /vnmr/bin/vchown "$USER" exp8
fi
if [ -d exp9 ]; then
   echo "Experiment 9 exists, cannot link to big experiment 9"
else
   ln -s /bigexp/exp9 exp9
   /vnmr/bin/vchown "$USER" exp9
fi

Notice the calls in this script to /vnmr/bin/vchown. This is a special version of the chown (change owner) command. Normally, chown is run by root and cannot be run by regular users. The vchown script simply runs chown using the SUID bit in the permission modes, together with the special directive at the beginning that permits csh to run a SUID script. Solaris normally prohibits scripts from using the SUID function, and a csh script with the -b option is the only exception. This script must be stored with the SUID bit set: chmod 4711 vchown. This type of script also represents a potential security problem, since anyone could use it to change ownership of any of the system files and effectively gain access to root-owned files. In order to minimize the damage that might be done, the /bigexp/ portion of the chown command arguments is included in the vchown script, rather than the makelink script, so that it will only change ownerships in the /bigexp directory. The script does not itself check its arguments, so this restriction holds only when the second argument is a plain experiment name such as exp8 or exp9. This is the vchown script:

#! /bin/csh -b
# Usage: vchown user experiment   (the /bigexp/ prefix is fixed here, not passed in)
/usr/bin/chown -R "$1" "/bigexp/$2"
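
An added example, not part of the original scripts: argument checks that a vchown-style wrapper could apply so that the /bigexp restriction described above holds whatever arguments it is given. It is written in sh like the page's other scripts, only validates and prints the target path (it never calls chown), and the function name vchown_target, the BIGEXP variable and the sample arguments are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (hypothetical hardening, not the original vchown script).
# BIGEXP stands in for the page's /bigexp so the checks can be tried safely.
BIGEXP=${BIGEXP:-/bigexp}

# vchown_target OWNER EXP
# Prints the single path that may be re-owned, or returns non-zero.
vchown_target() {
    owner=$1
    exp=$2
    # Owner must be a plain login name: not empty, not an option such as
    # "-R", and not the "user:group" form that chown also accepts.
    case $owner in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    # Allowlist of the two shared experiments; any other value, including
    # one containing "/" or "..", is refused before a path is built.
    case $exp in
        exp8|exp9) ;;
        *) return 1 ;;
    esac
    target=$BIGEXP/$exp
    # The experiment must be a real directory, not a symbolic link that
    # would redirect the ownership change somewhere else.
    if [ -h "$target" ] || [ ! -d "$target" ]; then
        return 1
    fi
    printf '%s\n' "$target"
}

# Constructed demonstration in a scratch directory (no chown is run).
demo() {
    scratch=$(mktemp -d) || return 1
    BIGEXP=$scratch
    mkdir "$scratch/exp8" "$scratch/elsewhere"
    ln -s "$scratch/elsewhere" "$scratch/exp9"   # exp9 swapped for a link
    for args in "alice exp8" "alice exp9" "alice exp8/sub" \
                "alice ../exp8" "-R exp8" "alice:staff exp8"; do
        set -- $args
        if t=$(vchown_target "$1" "$2"); then
            echo "allow  $1 $2 -> $t"
        else
            echo "reject $1 $2"
        fi
    done
    rm -rf "$scratch"
}
demo
```

The checks cover the arguments only; what chown -R does with symbolic links it meets inside the experiment directory depends on the system's chown and is not addressed here.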

The script necessary to unlink the experiments is much simpler, and is run every time a user logs out by incorporating it in the exit macro. If the experiments were never linked, then they won't be unlinked and there is no particular problem. Note that the makelink script includes provision for unlinking experiments that were accidentally left linked. This prevents simultaneous access to the experiments by more than one process. This is the script to unlink the experiments:

#! /bin/sh
#
# Unlink exp8 and exp9 from current user.
#
# DISPLAY is quoted so the test still works when it is unset or empty.
if [ "$DISPLAY" = ":0" ]; then  # this is system console
  cd "$vnmruser" || exit 1
  if [ -h exp8 ]; then
    rm exp8
    echo "Unlinked Experiment 8."
  fi

  if [ -h exp9 ]; then
    rm exp9
    echo "Unlinked Experiment 9."
  fi
fi

The extra test in this script, examining the state of the DISPLAY environment variable, is necessary only if a user logs in on the console to collect data and then remotely to examine data. When he logs out from the remote session, the experiments should not be unlinked. That should happen only when he logs out from the console session. Experiments are only linked when the login is on the console, so they should likewise be unlinked only when logging off of the console.

The other bit of code that may be useful is the section of the bootup macro that runs the makelink script. This is inserted at the end of the normal bootup macro:

if ($bg = 0) then
  jexp:$e
  if ($e=0) then
    unlock(1)
  endif

  shell('/usr/ucb/whoami'):$me
  shell('con_usr'):$con
  if ($me <> $con)
   then system='datastation'
  else
   system='spectrometer'
   acqstat
   acqi:$e
   shell('/vnmr/bin/makelink')
  endif

  menu('main')
endif

The test here compares the current user login name to the name of any user logged in on the console. If they are the same, then the user is given spectrometer privileges since he is already logged in on the system console. Otherwise, if no one is logged in on the console, or if the names don't match, the user is given datastation privileges only. The short con_usr script, to determine the console user, is:

#! /bin/sh
# Print the login name of the user on the console, or null_user if none.
con=`w | awk '$2 ~ /console/ {print $1}'`
if [ "x$con" = "x" ]
 then
   con="null_user"
fi
echo "$con"

This script returns null_user as the login user if no one is logged in on the console rather than attempting to return a null string. Most systems will probably not have a user named null_user ;-).