The Perl Toolchain Summit needs more sponsors. If your company depends on Perl, please support this very important event.
=head1 NAME

locklbtype -- lock (and unlock) label types

Perl script intended to be used under suid to a account, itself
authorized to connect to the local host via C<ssh>, as vob owner.

=head1 SYNOPSYS

locklbtype [--unlock | --nusers accounts] --vob <vob> --lbtype <lbtypes>
 | --help

The default function is to I<lock> the label types passed as argument.
To unlock them instead, use C<--unlock>.
Only one vob parameter is accepted, and it is mandatory.
Multiple label types are possible, either with separate options or as one
comma separated list.
All the types must exist in the vob.
For the I<locking> function, a C<--nusers> exception list is supported.

=head1 SSH CONFIGURATION

The account for which this script should be suid -enabled, should have a
valid ssh configuration: a pair of private/public keys generated, for
passwordless (challenge -based) authentication.

Its public keys should be added into each of the intended vob owner accounts'
C<~/.ssh/authorized_keys> files.

The script connects to a host, where ssh is configured. If all hosts
are so configured, one may obtain the local host name by invoking
I<hostname>, instead of hardcoding one dedicated host.

The host configuration may include adding the chosen account to the
users.allow file.

=head1 SUDO CONFIGURATION

The I<user> account owning the script, installed suid-enabled, should
be allowed in I</etc/sudoers> to run (cleartool) commands
passwordlessly on behalf of all vob owner accounts. The following
setting can serve as template:

Runas_Alias VOBOWN = vobown1,vobown2
%user ALL=(VOBOWN) NOPASSWD: ALL

=head1 DETAILS

The script sets its real uid to the value of its effective uid (owning the
running process, and set via the suid bit).

It then invokes, either (1) C<ssh> on I<myhost.mydomain> (but using
its host name instead of C<0> or C<localhost>, in order to avoid
recording different host keys under the same name), or (20 sudo, with
the account of the vob owner, obtained from ClearCase.

Unlock events are logged, with the id and name of the real user, to a
dedicated log file under the crontab account home.
Lock events contain a comment with the same identity information.

This script itself is to be used from a copy in a unix directory, unless the
vobs are mounted on all hosts with suid enabled.
It is acknowledgedly a workaround for the lack of C<sudo>, which would
provide a simpler, better, safer and more secure solution.

Perl requires that any data obtained from the user or from a system call be
thoroughly checked, and in fact re-created by any script run under an other
id than the effective one (i.e. in practice, via suid).
The script performs this by C<untainting> the data, via one of several
functions specialized for certain kinds of data.

Among other things, it unsets its C<PATH> environment variable. This it must
however do before requiring C<ClearCase::Argv>, thus in a C<BEGIN> block.
The reason is that C<ClearCase::Argv> sets the path to the C<cleartool>
binary in different way for priviledged and for normal invocations: for the
latter, it uses the environment; for the former, the standard installation
path. It also uses the standard path when the environment is unset. Invocation
under suid is detected by comparing the real and the effective uid, which
misses the case when the real uid happens to be the same as the suid account.
In this case, it is important that the C<PATH> is not wiped out between the
initialization and the actual invocation.