commit | author | age
|
396f0e
|
1 |
<?php |
T |
2 |
|
|
3 |
/* |
|
4 |
Copyright (c) 2007, Till Brehm, projektfarm Gmbh |
|
5 |
All rights reserved. |
|
6 |
|
|
7 |
Redistribution and use in source and binary forms, with or without modification, |
|
8 |
are permitted provided that the following conditions are met: |
|
9 |
|
|
10 |
* Redistributions of source code must retain the above copyright notice, |
|
11 |
this list of conditions and the following disclaimer. |
|
12 |
* Redistributions in binary form must reproduce the above copyright notice, |
|
13 |
this list of conditions and the following disclaimer in the documentation |
|
14 |
and/or other materials provided with the distribution. |
|
15 |
* Neither the name of ISPConfig nor the names of its contributors |
|
16 |
may be used to endorse or promote products derived from this software without |
|
17 |
specific prior written permission. |
|
18 |
|
|
19 |
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND |
|
20 |
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED |
|
21 |
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
|
22 |
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, |
|
23 |
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, |
|
24 |
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
|
25 |
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY |
|
26 |
OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING |
|
27 |
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, |
|
28 |
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
|
29 |
*/ |
|
30 |
|
|
31 |
class shelluser_jailkit_plugin { |
7fe908
|
32 |
|
396f0e
|
33 |
//* $plugin_name and $class_name have to be the same then the name of this class |
T |
34 |
var $plugin_name = 'shelluser_jailkit_plugin'; |
|
35 |
var $class_name = 'shelluser_jailkit_plugin'; |
b79d24
|
36 |
var $min_uid = 499; |
7fe908
|
37 |
|
396f0e
|
38 |
//* This function is called during ispconfig installation to determine |
T |
39 |
// if a symlink shall be created for this plugin. |
|
40 |
function onInstall() { |
|
41 |
global $conf; |
7fe908
|
42 |
|
396f0e
|
43 |
if($conf['services']['web'] == true) { |
T |
44 |
return true; |
|
45 |
} else { |
|
46 |
return false; |
|
47 |
} |
7fe908
|
48 |
|
396f0e
|
49 |
} |
7fe908
|
50 |
|
MC |
51 |
|
396f0e
|
52 |
/* |
T |
53 |
This function is called when the plugin is loaded |
|
54 |
*/ |
7fe908
|
55 |
|
396f0e
|
56 |
function onLoad() { |
T |
57 |
global $app; |
7fe908
|
58 |
|
396f0e
|
59 |
/* |
T |
60 |
Register for the events |
|
61 |
*/ |
9edea9
|
62 |
|
7fe908
|
63 |
$app->plugins->registerEvent('shell_user_insert', $this->plugin_name, 'insert'); |
MC |
64 |
$app->plugins->registerEvent('shell_user_update', $this->plugin_name, 'update'); |
|
65 |
$app->plugins->registerEvent('shell_user_delete', $this->plugin_name, 'delete'); |
9edea9
|
66 |
|
7fe908
|
67 |
|
396f0e
|
68 |
} |
7fe908
|
69 |
|
396f0e
|
70 |
//* This function is called, when a shell user is inserted in the database |
7fe908
|
71 |
function insert($event_name, $data) { |
396f0e
|
72 |
global $app, $conf; |
7fe908
|
73 |
|
9edea9
|
74 |
$app->uses('system,getconf'); |
TB |
75 |
|
|
76 |
$security_config = $app->getconf->get_security_config('permissions'); |
|
77 |
if($security_config['allow_shell_user'] != 'yes') { |
|
78 |
$app->log('Shell user plugin disabled by security settings.',LOGLEVEL_WARN); |
|
79 |
return false; |
|
80 |
} |
|
81 |
|
|
82 |
|
cc7a82
|
83 |
$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ?", $data['new']['parent_domain_id']); |
7fe908
|
84 |
|
64ea56
|
85 |
if(!$app->system->is_allowed_user($data['new']['username'], false, false) |
MC |
86 |
|| !$app->system->is_allowed_user($data['new']['puser'], true, true) |
|
87 |
|| !$app->system->is_allowed_group($data['new']['pgroup'], true, true)) { |
|
88 |
$app->log('Shell user must not be root or in group root.',LOGLEVEL_WARN); |
|
89 |
return false; |
|
90 |
} |
|
91 |
|
b79d24
|
92 |
if($app->system->is_user($data['new']['puser'])) { |
FT |
93 |
// Get the UID of the parent user |
|
94 |
$uid = intval($app->system->getuid($data['new']['puser'])); |
|
95 |
if($uid > $this->min_uid) { |
|
96 |
|
|
97 |
if($app->system->is_user($data['new']['username'])) { |
7fe908
|
98 |
|
b79d24
|
99 |
/** |
FT |
100 |
* Setup Jailkit Chroot System If Enabled |
|
101 |
*/ |
|
102 |
|
|
103 |
if ($data['new']['chroot'] == "jailkit") |
|
104 |
{ |
7fe908
|
105 |
|
MC |
106 |
|
b79d24
|
107 |
// load the server configuration options |
FT |
108 |
$app->uses("getconf"); |
|
109 |
$this->data = $data; |
|
110 |
$this->app = $app; |
|
111 |
$this->jailkit_config = $app->getconf->get_server_config($conf["server_id"], 'jailkit'); |
7fe908
|
112 |
|
b79d24
|
113 |
$this->_update_website_security_level(); |
7fe908
|
114 |
|
b79d24
|
115 |
$app->system->web_folder_protection($web['document_root'], false); |
7fe908
|
116 |
|
b79d24
|
117 |
$this->_setup_jailkit_chroot(); |
7fe908
|
118 |
|
b79d24
|
119 |
$this->_add_jailkit_user(); |
7fe908
|
120 |
|
b79d24
|
121 |
//* call the ssh-rsa update function |
FT |
122 |
$this->_setup_ssh_rsa(); |
7fe908
|
123 |
|
b79d24
|
124 |
//$command .= 'usermod -s /usr/sbin/jk_chrootsh -U '.escapeshellcmd($data['new']['username']); |
FT |
125 |
//exec($command); |
|
126 |
$app->system->usermod($data['new']['username'], 0, 0, '', '/usr/sbin/jk_chrootsh', '', ''); |
7fe908
|
127 |
|
b79d24
|
128 |
//* Unlock user |
FT |
129 |
$command = 'usermod -U '.escapeshellcmd($data['new']['username']).' 2>/dev/null'; |
|
130 |
exec($command); |
7fe908
|
131 |
|
b79d24
|
132 |
$this->_update_website_security_level(); |
FT |
133 |
$app->system->web_folder_protection($web['document_root'], true); |
|
134 |
} |
7fe908
|
135 |
|
b79d24
|
136 |
$app->log("Jailkit Plugin -> insert username:".$data['new']['username'], LOGLEVEL_DEBUG); |
7fe908
|
137 |
|
b79d24
|
138 |
} else { |
FT |
139 |
$app->log("Jailkit Plugin -> insert username:".$data['new']['username']." skipped, the user does not exist.", LOGLEVEL_WARN); |
|
140 |
} |
|
141 |
} else { |
|
142 |
$app->log("UID = $uid for shelluser:".$data['new']['username']." not allowed.", LOGLEVEL_ERROR); |
396f0e
|
143 |
} |
T |
144 |
} else { |
b79d24
|
145 |
$app->log("Skipping insertion of user:".$data['new']['username'].", parent user ".$data['new']['puser']." does not exist.", LOGLEVEL_WARN); |
396f0e
|
146 |
} |
7fe908
|
147 |
|
396f0e
|
148 |
} |
7fe908
|
149 |
|
396f0e
|
150 |
//* This function is called, when a shell user is updated in the database |
7fe908
|
151 |
function update($event_name, $data) { |
396f0e
|
152 |
global $app, $conf; |
7fe908
|
153 |
|
9edea9
|
154 |
$app->uses('system,getconf'); |
TB |
155 |
|
|
156 |
$security_config = $app->getconf->get_security_config('permissions'); |
|
157 |
if($security_config['allow_shell_user'] != 'yes') { |
|
158 |
$app->log('Shell user plugin disabled by security settings.',LOGLEVEL_WARN); |
|
159 |
return false; |
|
160 |
} |
|
161 |
|
cc7a82
|
162 |
$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ?", $data['new']['parent_domain_id']); |
7fe908
|
163 |
|
64ea56
|
164 |
if(!$app->system->is_allowed_user($data['new']['username'], false, false) |
MC |
165 |
|| !$app->system->is_allowed_user($data['new']['puser'], true, true) |
|
166 |
|| !$app->system->is_allowed_group($data['new']['pgroup'], true, true)) { |
|
167 |
$app->log('Shell user must not be root or in group root.',LOGLEVEL_WARN); |
|
168 |
return false; |
|
169 |
} |
|
170 |
|
b79d24
|
171 |
if($app->system->is_user($data['new']['puser'])) { |
FT |
172 |
// Get the UID of the parent user |
|
173 |
$uid = intval($app->system->getuid($data['new']['puser'])); |
|
174 |
if($uid > $this->min_uid) { |
|
175 |
|
|
176 |
|
|
177 |
if($app->system->is_user($data['new']['username'])) { |
7fe908
|
178 |
|
b79d24
|
179 |
/** |
FT |
180 |
* Setup Jailkit Chroot System If Enabled |
|
181 |
*/ |
|
182 |
if ($data['new']['chroot'] == "jailkit") |
|
183 |
{ |
7fe908
|
184 |
|
b79d24
|
185 |
// load the server configuration options |
FT |
186 |
$app->uses("getconf"); |
|
187 |
$this->data = $data; |
|
188 |
$this->app = $app; |
|
189 |
$this->jailkit_config = $app->getconf->get_server_config($conf["server_id"], 'jailkit'); |
7fe908
|
190 |
|
b79d24
|
191 |
$this->_update_website_security_level(); |
7fe908
|
192 |
|
b79d24
|
193 |
$app->system->web_folder_protection($web['document_root'], false); |
7fe908
|
194 |
|
b79d24
|
195 |
$this->_setup_jailkit_chroot(); |
FT |
196 |
$this->_add_jailkit_user(); |
7fe908
|
197 |
|
b79d24
|
198 |
//* call the ssh-rsa update function |
FT |
199 |
$this->_setup_ssh_rsa(); |
7fe908
|
200 |
|
b79d24
|
201 |
$this->_update_website_security_level(); |
7fe908
|
202 |
|
b79d24
|
203 |
$app->system->web_folder_protection($web['document_root'], true); |
FT |
204 |
} |
7fe908
|
205 |
|
b79d24
|
206 |
$app->log("Jailkit Plugin -> update username:".$data['new']['username'], LOGLEVEL_DEBUG); |
7fe908
|
207 |
|
b79d24
|
208 |
} else { |
FT |
209 |
$app->log("Jailkit Plugin -> update username:".$data['new']['username']." skipped, the user does not exist.", LOGLEVEL_WARN); |
|
210 |
} |
|
211 |
} else { |
|
212 |
$app->log("UID = $uid for shelluser:".$data['new']['username']." not allowed.", LOGLEVEL_ERROR); |
396f0e
|
213 |
} |
T |
214 |
} else { |
b79d24
|
215 |
$app->log("Skipping update for user:".$data['new']['username'].", parent user ".$data['new']['puser']." does not exist.", LOGLEVEL_WARN); |
396f0e
|
216 |
} |
7fe908
|
217 |
|
396f0e
|
218 |
} |
7fe908
|
219 |
|
396f0e
|
220 |
//* This function is called, when a shell user is deleted in the database |
T |
221 |
/** |
|
222 |
* TODO: Remove chroot user home and from the chroot passwd file |
7fe908
|
223 |
*/ |
MC |
224 |
function delete($event_name, $data) { |
396f0e
|
225 |
global $app, $conf; |
7fe908
|
226 |
|
9edea9
|
227 |
$app->uses('system,getconf'); |
TB |
228 |
|
|
229 |
$security_config = $app->getconf->get_security_config('permissions'); |
|
230 |
if($security_config['allow_shell_user'] != 'yes') { |
|
231 |
$app->log('Shell user plugin disabled by security settings.',LOGLEVEL_WARN); |
|
232 |
return false; |
|
233 |
} |
7fe908
|
234 |
|
cc7a82
|
235 |
$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ?", $data['old']['parent_domain_id']); |
7fe908
|
236 |
|
396f0e
|
237 |
if ($data['old']['chroot'] == "jailkit") |
T |
238 |
{ |
|
239 |
$app->uses("getconf"); |
|
240 |
$this->jailkit_config = $app->getconf->get_server_config($conf["server_id"], 'jailkit'); |
7fe908
|
241 |
|
396f0e
|
242 |
$jailkit_chroot_userhome = $this->_get_home_dir($data['old']['username']); |
7fe908
|
243 |
|
396f0e
|
244 |
//commented out proved to be dangerous on config errors |
T |
245 |
//exec('rm -rf '.$data['old']['dir'].$jailkit_chroot_userhome); |
7fe908
|
246 |
|
MC |
247 |
$app->system->web_folder_protection($web['document_root'], false); |
be08cd
|
248 |
|
TB |
249 |
$userid = intval($app->system->getuid($data['old']['username'])); |
|
250 |
$command = 'killall -u '.escapeshellcmd($data['old']['username']).' ; '; |
|
251 |
$command .= 'userdel -f '.escapeshellcmd($data['old']['username']).' &> /dev/null'; |
|
252 |
exec($command); |
|
253 |
|
437887
|
254 |
// Remove the jailed user from passwd and shadow file inside the jail |
TB |
255 |
$app->system->removeLine($data['old']['dir'].'/etc/passwd', $data['old']['username']); |
|
256 |
$app->system->removeLine($data['old']['dir'].'/etc/shadow', $data['old']['username']); |
7fe908
|
257 |
|
396f0e
|
258 |
if(@is_dir($data['old']['dir'].$jailkit_chroot_userhome)) { |
a7e4ec
|
259 |
$this->_delete_homedir($data['old']['dir'].$jailkit_chroot_userhome,$userid,$data['old']['parent_domain_id']); |
TB |
260 |
|
7fe908
|
261 |
$app->log("Jailkit Plugin -> delete chroot home:".$data['old']['dir'].$jailkit_chroot_userhome, LOGLEVEL_DEBUG); |
396f0e
|
262 |
} |
7fe908
|
263 |
|
MC |
264 |
$app->system->web_folder_protection($web['document_root'], true); |
|
265 |
|
396f0e
|
266 |
} |
7fe908
|
267 |
|
MC |
268 |
$app->log("Jailkit Plugin -> delete username:".$data['old']['username'], LOGLEVEL_DEBUG); |
|
269 |
|
|
270 |
|
396f0e
|
271 |
} |
7fe908
|
272 |
|
396f0e
|
273 |
function _setup_jailkit_chroot() |
T |
274 |
{ |
7fe908
|
275 |
global $app; |
MC |
276 |
|
|
277 |
//check if the chroot environment is created yet if not create it with a list of program sections from the config |
|
278 |
if (!is_dir($this->data['new']['dir'].'/etc/jailkit')) |
|
279 |
{ |
|
280 |
$command = '/usr/local/ispconfig/server/scripts/create_jailkit_chroot.sh'; |
|
281 |
$command .= ' '.escapeshellcmd($this->data['new']['dir']); |
|
282 |
$command .= ' \''.$this->jailkit_config['jailkit_chroot_app_sections'].'\''; |
|
283 |
exec($command.' 2>/dev/null'); |
|
284 |
|
|
285 |
$this->app->log("Added jailkit chroot with command: ".$command, LOGLEVEL_DEBUG); |
|
286 |
|
|
287 |
$this->_add_jailkit_programs(); |
|
288 |
|
|
289 |
//add bash.bashrc script |
|
290 |
//we need to collect the domain name to be used as the HOSTNAME in the bashrc script |
cc7a82
|
291 |
$web = $this->app->db->queryOneRecord("SELECT domain FROM web_domain WHERE domain_id = ?", $this->data['new']["parent_domain_id"]); |
7fe908
|
292 |
|
MC |
293 |
$this->app->load('tpl'); |
|
294 |
|
|
295 |
$tpl = new tpl(); |
|
296 |
$tpl->newTemplate("bash.bashrc.master"); |
|
297 |
|
|
298 |
$tpl->setVar('jailkit_chroot', true); |
|
299 |
$tpl->setVar('domain', $web['domain']); |
|
300 |
$tpl->setVar('home_dir', $this->_get_home_dir("")); |
|
301 |
|
|
302 |
$bashrc = escapeshellcmd($this->data['new']['dir']).'/etc/bash.bashrc'; |
|
303 |
if(@is_file($bashrc) || @is_link($bashrc)) unlink($bashrc); |
|
304 |
|
|
305 |
file_put_contents($bashrc, $tpl->grab()); |
|
306 |
unset($tpl); |
|
307 |
|
d22277
|
308 |
$this->app->log("Added bashrc script: ".$bashrc, LOGLEVEL_DEBUG); |
7fe908
|
309 |
|
MC |
310 |
$tpl = new tpl(); |
|
311 |
$tpl->newTemplate("motd.master"); |
|
312 |
|
|
313 |
$tpl->setVar('domain', $web['domain']); |
|
314 |
|
|
315 |
$motd = escapeshellcmd($this->data['new']['dir']).'/var/run/motd'; |
|
316 |
if(@is_file($motd) || @is_link($motd)) unlink($motd); |
|
317 |
|
|
318 |
$app->system->file_put_contents($motd, $tpl->grab()); |
|
319 |
|
|
320 |
} |
396f0e
|
321 |
} |
7fe908
|
322 |
|
396f0e
|
323 |
function _add_jailkit_programs() |
T |
324 |
{ |
d22277
|
325 |
$jailkit_chroot_app_programs = preg_split("/[\s,]+/", $this->jailkit_config['jailkit_chroot_app_programs']); |
MB |
326 |
if(is_array($jailkit_chroot_app_programs) && !empty($jailkit_chroot_app_programs)){ |
|
327 |
foreach($jailkit_chroot_app_programs as $jailkit_chroot_app_program){ |
|
328 |
$jailkit_chroot_app_program = trim($jailkit_chroot_app_program); |
|
329 |
if(is_file($jailkit_chroot_app_program) || is_dir($jailkit_chroot_app_program)){ |
|
330 |
//copy over further programs and its libraries |
|
331 |
$command = '/usr/local/ispconfig/server/scripts/create_jailkit_programs.sh'; |
|
332 |
$command .= ' '.escapeshellcmd($this->data['new']['dir']); |
|
333 |
$command .= ' '.$jailkit_chroot_app_program; |
|
334 |
exec($command.' 2>/dev/null'); |
7fe908
|
335 |
|
d22277
|
336 |
$this->app->log("Added programs to jailkit chroot with command: ".$command, LOGLEVEL_DEBUG); |
MB |
337 |
} |
|
338 |
} |
|
339 |
} |
396f0e
|
340 |
} |
7fe908
|
341 |
|
396f0e
|
342 |
function _get_home_dir($username) |
T |
343 |
{ |
7fe908
|
344 |
return str_replace("[username]", escapeshellcmd($username), $this->jailkit_config['jailkit_chroot_home']); |
396f0e
|
345 |
} |
7fe908
|
346 |
|
396f0e
|
347 |
function _add_jailkit_user() |
T |
348 |
{ |
7fe908
|
349 |
global $app; |
MC |
350 |
|
|
351 |
//add the user to the chroot |
|
352 |
$jailkit_chroot_userhome = $this->_get_home_dir($this->data['new']['username']); |
|
353 |
$jailkit_chroot_puserhome = $this->_get_home_dir($this->data['new']['puser']); |
|
354 |
|
|
355 |
if(!is_dir($this->data['new']['dir'].'/etc')) mkdir($this->data['new']['dir'].'/etc', 0755); |
|
356 |
if(!is_file($this->data['new']['dir'].'/etc/passwd')) touch($this->data['new']['dir'].'/etc/passwd', 0755); |
|
357 |
|
|
358 |
// IMPORTANT! |
|
359 |
// ALWAYS create the user. Even if the user was created before |
|
360 |
// if we check if the user exists, then a update (no shell -> jailkit) will not work |
|
361 |
// and the user has FULL ACCESS to the root of the server! |
|
362 |
$command = '/usr/local/ispconfig/server/scripts/create_jailkit_user.sh'; |
|
363 |
$command .= ' '.escapeshellcmd($this->data['new']['username']); |
|
364 |
$command .= ' '.escapeshellcmd($this->data['new']['dir']); |
|
365 |
$command .= ' '.$jailkit_chroot_userhome; |
|
366 |
$command .= ' '.escapeshellcmd($this->data['new']['shell']); |
|
367 |
$command .= ' '.$this->data['new']['puser']; |
|
368 |
$command .= ' '.$jailkit_chroot_puserhome; |
|
369 |
exec($command.' 2>/dev/null'); |
|
370 |
|
|
371 |
//* Change the homedir of the shell user and parent user |
|
372 |
//* We have to do this manually as the usermod command fails |
|
373 |
//* when the user is logged in or a command is running under that user |
|
374 |
/* |
8cf78b
|
375 |
$passwd_file_array = file('/etc/passwd'); |
T |
376 |
$passwd_out = ''; |
|
377 |
if(is_array($passwd_file_array)) { |
|
378 |
foreach($passwd_file_array as $line) { |
|
379 |
$line = trim($line); |
|
380 |
$parts = explode(':',$line); |
|
381 |
if($parts[0] == $this->data['new']['username']) { |
|
382 |
$parts[5] = escapeshellcmd($this->data['new']['dir'].'/.'.$jailkit_chroot_userhome); |
|
383 |
$parts[6] = escapeshellcmd('/usr/sbin/jk_chrootsh'); |
|
384 |
$new_line = implode(':',$parts); |
|
385 |
copy('/etc/passwd','/etc/passwd~'); |
|
386 |
chmod('/etc/passwd~',0600); |
|
387 |
$app->uses('system'); |
|
388 |
$app->system->replaceLine('/etc/passwd',$line,$new_line,1,0); |
|
389 |
} |
|
390 |
} |
ff6a68
|
391 |
}*/ |
7fe908
|
392 |
|
a71305
|
393 |
$shell = '/usr/sbin/jk_chrootsh'; |
MB |
394 |
if($this->data['new']['active'] != 'y') $shell = '/bin/false'; |
|
395 |
|
|
396 |
$app->system->usermod($this->data['new']['username'], 0, 0, $this->data['new']['dir'].'/.'.$jailkit_chroot_userhome, $shell); |
7fe908
|
397 |
$app->system->usermod($this->data['new']['puser'], 0, 0, $this->data['new']['dir'].'/.'.$jailkit_chroot_userhome, '/usr/sbin/jk_chrootsh'); |
MC |
398 |
|
|
399 |
$this->app->log("Added jailkit user to chroot with command: ".$command, LOGLEVEL_DEBUG); |
|
400 |
|
|
401 |
if(!is_dir($this->data['new']['dir'].$jailkit_chroot_userhome)) mkdir(escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_userhome), 0755, true); |
|
402 |
$app->system->chown(escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_userhome), $this->data['new']['username']); |
|
403 |
$app->system->chgrp(escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_userhome), $this->data['new']['pgroup']); |
|
404 |
|
|
405 |
$this->app->log("Added created jailkit user home in : ".$this->data['new']['dir'].$jailkit_chroot_userhome, LOGLEVEL_DEBUG); |
|
406 |
|
|
407 |
if(!is_dir($this->data['new']['dir'].$jailkit_chroot_puserhome)) mkdir(escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_puserhome), 0755, true); |
|
408 |
$app->system->chown(escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_puserhome), $this->data['new']['puser']); |
|
409 |
$app->system->chgrp(escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_puserhome), $this->data['new']['pgroup']); |
|
410 |
|
|
411 |
$this->app->log("Added jailkit parent user home in : ".$this->data['new']['dir'].$jailkit_chroot_puserhome, LOGLEVEL_DEBUG); |
|
412 |
|
8cf78b
|
413 |
|
396f0e
|
414 |
} |
7fe908
|
415 |
|
8db8f3
|
416 |
//* Update the website root directory permissions depending on the security level |
T |
417 |
function _update_website_security_level() { |
7fe908
|
418 |
global $app, $conf; |
MC |
419 |
|
8db8f3
|
420 |
// load the server configuration options |
T |
421 |
$app->uses("getconf"); |
|
422 |
$web_config = $app->getconf->get_server_config($conf["server_id"], 'web'); |
7fe908
|
423 |
|
8db8f3
|
424 |
// Get the parent website of this shell user |
cc7a82
|
425 |
$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ?", $this->data['new']['parent_domain_id']); |
7fe908
|
426 |
|
8db8f3
|
427 |
//* If the security level is set to high |
ff6a68
|
428 |
if($web_config['security_level'] == 20 && is_array($web)) { |
7fe908
|
429 |
$app->system->web_folder_protection($web["document_root"], false); |
MC |
430 |
$app->system->chmod($web["document_root"], 0755); |
|
431 |
$app->system->chown($web["document_root"], 'root'); |
|
432 |
$app->system->chgrp($web["document_root"], 'root'); |
|
433 |
$app->system->web_folder_protection($web["document_root"], true); |
8db8f3
|
434 |
} |
7fe908
|
435 |
|
8db8f3
|
436 |
} |
7fe908
|
437 |
|
07bdbd
|
438 |
//* Wrapper for exec function for easier debugging |
T |
439 |
private function _exec($command) { |
|
440 |
global $app; |
7fe908
|
441 |
$app->log('exec: '.$command, LOGLEVEL_DEBUG); |
07bdbd
|
442 |
exec($command); |
T |
443 |
} |
396f0e
|
444 |
|
00a055
|
445 |
private function _setup_ssh_rsa() { |
8ab3cd
|
446 |
global $app; |
7fe908
|
447 |
$this->app->log("ssh-rsa setup shelluser_jailkit", LOGLEVEL_DEBUG); |
00a055
|
448 |
// Get the client ID, username, and the key |
cc7a82
|
449 |
$domain_data = $this->app->db->queryOneRecord('SELECT sys_groupid FROM web_domain WHERE web_domain.domain_id = ?', $this->data['new']['parent_domain_id']); |
MC |
450 |
$sys_group_data = $this->app->db->queryOneRecord('SELECT * FROM sys_group WHERE sys_group.groupid = ?', $domain_data['sys_groupid']); |
00a055
|
451 |
$id = intval($sys_group_data['client_id']); |
L |
452 |
$username= $sys_group_data['name']; |
cc7a82
|
453 |
$client_data = $this->app->db->queryOneRecord('SELECT * FROM client WHERE client.client_id = ?', $id); |
00a055
|
454 |
$userkey = $client_data['ssh_rsa']; |
L |
455 |
unset($domain_data); |
|
456 |
unset($client_data); |
7fe908
|
457 |
|
00a055
|
458 |
// ssh-rsa authentication variables |
8ab3cd
|
459 |
$sshrsa = $this->data['new']['ssh_rsa']; |
00a055
|
460 |
$usrdir = escapeshellcmd($this->data['new']['dir']).'/'.$this->_get_home_dir($this->data['new']['username']); |
8ab3cd
|
461 |
$sshdir = $usrdir.'/.ssh'; |
T |
462 |
$sshkeys= $usrdir.'/.ssh/authorized_keys'; |
7fe908
|
463 |
|
8ab3cd
|
464 |
$app->uses('file'); |
T |
465 |
$sshrsa = $app->file->unix_nl($sshrsa); |
7fe908
|
466 |
$sshrsa = $app->file->remove_blank_lines($sshrsa, 0); |
MC |
467 |
|
00a055
|
468 |
// If this user has no key yet, generate a pair |
8ab3cd
|
469 |
if ($userkey == '' && $id > 0){ |
00a055
|
470 |
//Generate ssh-rsa-keys |
L |
471 |
exec('ssh-keygen -t rsa -C '.$username.'-rsa-key-'.time().' -f /tmp/id_rsa -N ""'); |
7fe908
|
472 |
|
8ab3cd
|
473 |
// use the public key that has been generated |
4bd960
|
474 |
$userkey = $app->system->file_get_contents('/tmp/id_rsa.pub'); |
7fe908
|
475 |
|
00a055
|
476 |
// save keypair in client table |
cc7a82
|
477 |
$this->app->db->query("UPDATE client SET created_at = UNIX_TIMESTAMP(), id_rsa = ? ssh_rsa = ? WHERE client_id = ?", $app->system->file_get_contents('/tmp/id_rsa'), $userkey, $id); |
8ab3cd
|
478 |
|
4bd960
|
479 |
$app->system->unlink('/tmp/id_rsa'); |
T |
480 |
$app->system->unlink('/tmp/id_rsa.pub'); |
7fe908
|
481 |
$this->app->log("ssh-rsa keypair generated for ".$username, LOGLEVEL_DEBUG); |
00a055
|
482 |
}; |
7fe908
|
483 |
|
8ab3cd
|
484 |
if (!file_exists($sshkeys)){ |
00a055
|
485 |
// add root's key |
8ab3cd
|
486 |
$app->file->mkdirs($sshdir, '0755'); |
4bd960
|
487 |
if(is_file('/root/.ssh/authorized_keys')) $app->system->file_put_contents($sshkeys, $app->system->file_get_contents('/root/.ssh/authorized_keys')); |
7fe908
|
488 |
|
8ab3cd
|
489 |
// Remove duplicate keys |
26c0fc
|
490 |
$existing_keys = @file($sshkeys); |
8ab3cd
|
491 |
$new_keys = explode("\n", $userkey); |
26c0fc
|
492 |
$final_keys_arr = @array_merge($existing_keys, $new_keys); |
8ab3cd
|
493 |
$new_final_keys_arr = array(); |
T |
494 |
if(is_array($final_keys_arr) && !empty($final_keys_arr)){ |
|
495 |
foreach($final_keys_arr as $key => $val){ |
|
496 |
$new_final_keys_arr[$key] = trim($val); |
|
497 |
} |
|
498 |
} |
|
499 |
$final_keys = implode("\n", array_flip(array_flip($new_final_keys_arr))); |
7fe908
|
500 |
|
00a055
|
501 |
// add the user's key |
8ab3cd
|
502 |
file_put_contents($sshkeys, $final_keys); |
T |
503 |
$app->file->remove_blank_lines($sshkeys); |
7fe908
|
504 |
$this->app->log("ssh-rsa authorisation keyfile created in ".$sshkeys, LOGLEVEL_DEBUG); |
00a055
|
505 |
} |
8cf78b
|
506 |
//* Get the keys |
T |
507 |
$existing_keys = file($sshkeys); |
|
508 |
$new_keys = explode("\n", $sshrsa); |
7fe908
|
509 |
$old_keys = explode("\n", $this->data['old']['ssh_rsa']); |
MC |
510 |
|
8cf78b
|
511 |
//* Remove all old keys |
T |
512 |
if(is_array($old_keys)) { |
|
513 |
foreach($old_keys as $key => $val) { |
7fe908
|
514 |
$k = array_search(trim($val), $existing_keys); |
8cf78b
|
515 |
unset($existing_keys[$k]); |
T |
516 |
} |
00a055
|
517 |
} |
7fe908
|
518 |
|
8cf78b
|
519 |
//* merge the remaining keys and the ones fom the ispconfig database. |
T |
520 |
if(is_array($new_keys)) { |
|
521 |
$final_keys_arr = array_merge($existing_keys, $new_keys); |
|
522 |
} else { |
|
523 |
$final_keys_arr = $existing_keys; |
|
524 |
} |
7fe908
|
525 |
|
8cf78b
|
526 |
$new_final_keys_arr = array(); |
T |
527 |
if(is_array($final_keys_arr) && !empty($final_keys_arr)){ |
|
528 |
foreach($final_keys_arr as $key => $val){ |
|
529 |
$new_final_keys_arr[$key] = trim($val); |
|
530 |
} |
|
531 |
} |
|
532 |
$final_keys = implode("\n", array_flip(array_flip($new_final_keys_arr))); |
7fe908
|
533 |
|
MC |
534 |
// add the custom key |
4bd960
|
535 |
$app->system->file_put_contents($sshkeys, $final_keys); |
8cf78b
|
536 |
$app->file->remove_blank_lines($sshkeys); |
7fe908
|
537 |
$this->app->log("ssh-rsa key updated in ".$sshkeys, LOGLEVEL_DEBUG); |
MC |
538 |
|
00a055
|
539 |
// set proper file permissions |
8cf78b
|
540 |
exec("chown -R ".escapeshellcmd($this->data['new']['puser']).":".escapeshellcmd($this->data['new']['pgroup'])." ".$sshdir); |
T |
541 |
exec("chmod 700 ".$sshdir); |
00a055
|
542 |
exec("chmod 600 '$sshkeys'"); |
7fe908
|
543 |
|
00a055
|
544 |
} |
a7e4ec
|
545 |
|
TB |
546 |
private function _delete_homedir($homedir,$userid,$parent_domain_id) { |
|
547 |
global $app, $conf; |
|
548 |
|
|
549 |
// check if we have to delete the dir |
cc7a82
|
550 |
$check = $app->db->queryOneRecord('SELECT shell_user_id FROM `shell_user` WHERE `dir` = ?', $homedir); |
a7e4ec
|
551 |
|
TB |
552 |
if(!$check && is_dir($homedir)) { |
cc7a82
|
553 |
$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ?", $parent_domain_id); |
a7e4ec
|
554 |
$app->system->web_folder_protection($web['document_root'], false); |
TB |
555 |
|
|
556 |
// delete dir |
|
557 |
if(substr($homedir, -1) !== '/') $homedir .= '/'; |
|
558 |
$files = array('.bash_logout', '.bash_history', '.bashrc', '.profile'); |
65a0b9
|
559 |
$dirs = array('.ssh', '.cache'); |
a7e4ec
|
560 |
foreach($files as $delfile) { |
TB |
561 |
if(is_file($homedir . $delfile) && fileowner($homedir . $delfile) == $userid) unlink($homedir . $delfile); |
|
562 |
} |
|
563 |
foreach($dirs as $deldir) { |
|
564 |
if(is_dir($homedir . $deldir) && fileowner($homedir . $deldir) == $userid) exec('rm -rf ' . escapeshellarg($homedir . $deldir)); |
|
565 |
} |
|
566 |
$empty = true; |
|
567 |
$dirres = opendir($homedir); |
|
568 |
if($dirres) { |
|
569 |
while(($entry = readdir($dirres)) !== false) { |
|
570 |
if($entry != '.' && $entry != '..') { |
|
571 |
$empty = false; |
|
572 |
break; |
|
573 |
} |
|
574 |
} |
|
575 |
closedir($dirres); |
|
576 |
} |
|
577 |
if($empty == true) { |
|
578 |
rmdir($homedir); |
|
579 |
} |
|
580 |
unset($files); |
|
581 |
unset($dirs); |
|
582 |
|
|
583 |
$app->system->web_folder_protection($web['document_root'], true); |
|
584 |
} |
|
585 |
|
|
586 |
} |
7fe908
|
587 |
|
396f0e
|
588 |
} // end class |
T |
589 |
|
8e725d
|
590 |
?> |