Fixed #3196

Till Brehm

2016-06-30 437887f7cc8482aaf9a641ffc08694e4bea91f1a

 server/plugins-available/shelluser_jailkit_plugin.inc.php

@@ -59,11 +59,11 @@
      /*
      Register for the events
      */

		
      $app->plugins->registerEvent('shell_user_insert', $this->plugin_name, 'insert');
      $app->plugins->registerEvent('shell_user_update', $this->plugin_name, 'update');
      $app->plugins->registerEvent('shell_user_delete', $this->plugin_name, 'delete');

		

   }

@@ -71,8 +71,23 @@
   function insert($event_name, $data) {
      global $app, $conf;

      $app->uses('system');
      $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$data['new']['parent_domain_id']);
      $app->uses('system,getconf');
		
      $security_config = $app->getconf->get_security_config('permissions');
      if($security_config['allow_shell_user'] != 'yes') {
         $app->log('Shell user plugin disabled by security settings.',LOGLEVEL_WARN);
         return false;
      }
		
		
      $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ?", $data['new']['parent_domain_id']);

      if(!$app->system->is_allowed_user($data['new']['username'], false, false)
         || !$app->system->is_allowed_user($data['new']['puser'], true, true)
         || !$app->system->is_allowed_group($data['new']['pgroup'], true, true)) {
         $app->log('Shell user must not be root or in group root.',LOGLEVEL_WARN);
         return false;
      }

      if($app->system->is_user($data['new']['puser'])) {
         // Get the UID of the parent user
@@ -136,8 +151,22 @@
   function update($event_name, $data) {
      global $app, $conf;

      $app->uses('system');
      $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$data['new']['parent_domain_id']);
      $app->uses('system,getconf');
		
      $security_config = $app->getconf->get_security_config('permissions');
      if($security_config['allow_shell_user'] != 'yes') {
         $app->log('Shell user plugin disabled by security settings.',LOGLEVEL_WARN);
         return false;
      }
		
      $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ?", $data['new']['parent_domain_id']);

      if(!$app->system->is_allowed_user($data['new']['username'], false, false)
         || !$app->system->is_allowed_user($data['new']['puser'], true, true)
         || !$app->system->is_allowed_group($data['new']['pgroup'], true, true)) {
         $app->log('Shell user must not be root or in group root.',LOGLEVEL_WARN);
         return false;
      }

      if($app->system->is_user($data['new']['puser'])) {
         // Get the UID of the parent user
@@ -195,9 +224,15 @@
   function delete($event_name, $data) {
      global $app, $conf;

      $app->uses('system');
      $app->uses('system,getconf');
		
      $security_config = $app->getconf->get_security_config('permissions');
      if($security_config['allow_shell_user'] != 'yes') {
         $app->log('Shell user plugin disabled by security settings.',LOGLEVEL_WARN);
         return false;
      }

      $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$data['old']['parent_domain_id']);
      $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ?", $data['old']['parent_domain_id']);

      if ($data['old']['chroot'] == "jailkit")
      {
@@ -210,11 +245,19 @@
         //exec('rm -rf '.$data['old']['dir'].$jailkit_chroot_userhome);

         $app->system->web_folder_protection($web['document_root'], false);
			
         $userid = intval($app->system->getuid($data['old']['username']));
         $command = 'killall -u '.escapeshellcmd($data['old']['username']).' ; ';
         $command .= 'userdel -f '.escapeshellcmd($data['old']['username']).' &> /dev/null';
         exec($command);
			
         // Remove the jailed user from passwd and shadow file inside the jail
         $app->system->removeLine($data['old']['dir'].'/etc/passwd', $data['old']['username']);
         $app->system->removeLine($data['old']['dir'].'/etc/shadow', $data['old']['username']);

         if(@is_dir($data['old']['dir'].$jailkit_chroot_userhome)) {
            $command = 'userdel -f';
            $command .= ' '.escapeshellcmd($data['old']['username']).' &> /dev/null';
            exec($command);
            $this->_delete_homedir($data['old']['dir'].$jailkit_chroot_userhome,$userid,$data['old']['parent_domain_id']);
				
            $app->log("Jailkit Plugin -> delete chroot home:".$data['old']['dir'].$jailkit_chroot_userhome, LOGLEVEL_DEBUG);
         }

@@ -245,7 +288,7 @@

         //add bash.bashrc script
         //we need to collect the domain name to be used as the HOSTNAME in the bashrc script
         $web = $this->app->db->queryOneRecord("SELECT domain FROM web_domain WHERE domain_id = ".intval($this->data['new']["parent_domain_id"]));
         $web = $this->app->db->queryOneRecord("SELECT domain FROM web_domain WHERE domain_id = ?", $this->data['new']["parent_domain_id"]);

         $this->app->load('tpl');

@@ -262,7 +305,7 @@
         file_put_contents($bashrc, $tpl->grab());
         unset($tpl);

         $this->app->log("Added bashrc script : ".$bashrc, LOGLEVEL_DEBUG);
         $this->app->log("Added bashrc script: ".$bashrc, LOGLEVEL_DEBUG);

         $tpl = new tpl();
         $tpl->newTemplate("motd.master");
@@ -279,13 +322,21 @@

   function _add_jailkit_programs()
   {
      //copy over further programs and its libraries
      $command = '/usr/local/ispconfig/server/scripts/create_jailkit_programs.sh';
      $command .= ' '.escapeshellcmd($this->data['new']['dir']);
      $command .= ' \''.$this->jailkit_config['jailkit_chroot_app_programs'].'\'';
      exec($command.' 2>/dev/null');
      $jailkit_chroot_app_programs = preg_split("/[\s,]+/", $this->jailkit_config['jailkit_chroot_app_programs']);
      if(is_array($jailkit_chroot_app_programs) && !empty($jailkit_chroot_app_programs)){
         foreach($jailkit_chroot_app_programs as $jailkit_chroot_app_program){
            $jailkit_chroot_app_program = trim($jailkit_chroot_app_program);
            if(is_file($jailkit_chroot_app_program) || is_dir($jailkit_chroot_app_program)){			
               //copy over further programs and its libraries
               $command = '/usr/local/ispconfig/server/scripts/create_jailkit_programs.sh';
               $command .= ' '.escapeshellcmd($this->data['new']['dir']);
               $command .= ' '.$jailkit_chroot_app_program;
               exec($command.' 2>/dev/null');

      $this->app->log("Added programs to jailkit chroot with command: ".$command, LOGLEVEL_DEBUG);
               $this->app->log("Added programs to jailkit chroot with command: ".$command, LOGLEVEL_DEBUG);
            }
         }
      }
   }

   function _get_home_dir($username)
@@ -339,7 +390,10 @@
            }
         }*/

      $app->system->usermod($this->data['new']['username'], 0, 0, $this->data['new']['dir'].'/.'.$jailkit_chroot_userhome, '/usr/sbin/jk_chrootsh');
      $shell = '/usr/sbin/jk_chrootsh';
      if($this->data['new']['active'] != 'y') $shell = '/bin/false';
		
      $app->system->usermod($this->data['new']['username'], 0, 0, $this->data['new']['dir'].'/.'.$jailkit_chroot_userhome, $shell);
      $app->system->usermod($this->data['new']['puser'], 0, 0, $this->data['new']['dir'].'/.'.$jailkit_chroot_userhome, '/usr/sbin/jk_chrootsh');

      $this->app->log("Added jailkit user to chroot with command: ".$command, LOGLEVEL_DEBUG);
@@ -368,7 +422,7 @@
      $web_config = $app->getconf->get_server_config($conf["server_id"], 'web');

      // Get the parent website of this shell user
      $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$this->data['new']['parent_domain_id']);
      $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ?", $this->data['new']['parent_domain_id']);

      //* If the security level is set to high
      if($web_config['security_level'] == 20 && is_array($web)) {
@@ -392,11 +446,11 @@
      global $app;
      $this->app->log("ssh-rsa setup shelluser_jailkit", LOGLEVEL_DEBUG);
      // Get the client ID, username, and the key
      $domain_data = $this->app->db->queryOneRecord('SELECT sys_groupid FROM web_domain WHERE web_domain.domain_id = '.intval($this->data['new']['parent_domain_id']));
      $sys_group_data = $this->app->db->queryOneRecord('SELECT * FROM sys_group WHERE sys_group.groupid = '.intval($domain_data['sys_groupid']));
      $domain_data = $this->app->db->queryOneRecord('SELECT sys_groupid FROM web_domain WHERE web_domain.domain_id = ?', $this->data['new']['parent_domain_id']);
      $sys_group_data = $this->app->db->queryOneRecord('SELECT * FROM sys_group WHERE sys_group.groupid = ?', $domain_data['sys_groupid']);
      $id = intval($sys_group_data['client_id']);
      $username= $sys_group_data['name'];
      $client_data = $this->app->db->queryOneRecord('SELECT * FROM client WHERE client.client_id = '.$id);
      $client_data = $this->app->db->queryOneRecord('SELECT * FROM client WHERE client.client_id = ?', $id);
      $userkey = $client_data['ssh_rsa'];
      unset($domain_data);
      unset($client_data);
@@ -420,7 +474,7 @@
         $userkey = $app->system->file_get_contents('/tmp/id_rsa.pub');

         // save keypair in client table
         $this->app->db->query("UPDATE client SET created_at = ".time().", id_rsa = '".$app->db->quote($app->system->file_get_contents('/tmp/id_rsa'))."', ssh_rsa = '".$app->db->quote($userkey)."' WHERE client_id = ".$id);
         $this->app->db->query("UPDATE client SET created_at = UNIX_TIMESTAMP(), id_rsa = ? ssh_rsa = ? WHERE client_id = ?", $app->system->file_get_contents('/tmp/id_rsa'), $userkey, $id);

         $app->system->unlink('/tmp/id_rsa');
         $app->system->unlink('/tmp/id_rsa.pub');
@@ -488,6 +542,48 @@
      exec("chmod 600 '$sshkeys'");

   }
	
   private function _delete_homedir($homedir,$userid,$parent_domain_id) {
      global $app, $conf;
		
      // check if we have to delete the dir
            $check = $app->db->queryOneRecord('SELECT shell_user_id FROM `shell_user` WHERE `dir` = ?', $homedir);
				
            if(!$check && is_dir($homedir)) {
               $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ?", $parent_domain_id);
               $app->system->web_folder_protection($web['document_root'], false);
					
               // delete dir
               if(substr($homedir, -1) !== '/') $homedir .= '/';
               $files = array('.bash_logout', '.bash_history', '.bashrc', '.profile');
               $dirs = array('.ssh', '.cache');
               foreach($files as $delfile) {
                  if(is_file($homedir . $delfile) && fileowner($homedir . $delfile) == $userid) unlink($homedir . $delfile);
               }
               foreach($dirs as $deldir) {
                  if(is_dir($homedir . $deldir) && fileowner($homedir . $deldir) == $userid) exec('rm -rf ' . escapeshellarg($homedir . $deldir));
               }
               $empty = true;
               $dirres = opendir($homedir);
               if($dirres) {
                  while(($entry = readdir($dirres)) !== false) {
                     if($entry != '.' && $entry != '..') {
                        $empty = false;
                        break;
                     }
                  }
                  closedir($dirres);
               }
               if($empty == true) {
                  rmdir($homedir);
               }
               unset($files);
               unset($dirs);
					
               $app->system->web_folder_protection($web['document_root'], true);
            }
	
   }

} // end class