ISPConfig3 devel
blame | history | patch | commit | commitdiff | ignore whitespace
tbrehm
2013-02-22 526b997c9891a796b152cdbab8e329b356b1f596 
 server/plugins-available/shelluser_base_plugin.inc.php


@@ -72,7 +72,18 @@


      


      $app->uses('system');


      


      //* Check if the resulting path is inside the docroot


      $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".intval($data['new']['parent_domain_id']));


      if(substr(realpath($data['new']['dir']),0,strlen($web['document_root'])) != $web['document_root']) {


         $app->log('Directory of the shell user is outside of website docroot.',LOGLEVEL_WARN);


         return false;


      }


		


      if($app->system->is_user($data['new']['puser'])) {


			


         //* Remove webfolder protection


         $app->system->web_folder_protection($web['document_root'],false);


			


         // Get the UID of the parent user


         $uid = intval($app->system->getuid($data['new']['puser']));


         if($uid > $this->min_uid) {


@@ -96,17 +107,20 @@


            $this->_setup_ssh_rsa();


            


            //* Create .bash_history file


            touch(escapeshellcmd($data['new']['dir']).'/.bash_history');


            chmod(escapeshellcmd($data['new']['dir']).'/.bash_history', 0755);


            chown(escapeshellcmd($data['new']['dir']).'/.bash_history', escapeshellcmd($data['new']['username']));


            chgrp(escapeshellcmd($data['new']['dir']).'/.bash_history', escapeshellcmd($data['new']['pgroup']));


            $app->system->touch(escapeshellcmd($data['new']['dir']).'/.bash_history');


            $app->system->chmod(escapeshellcmd($data['new']['dir']).'/.bash_history', 0755);


            $app->system->chown(escapeshellcmd($data['new']['dir']).'/.bash_history', $data['new']['username']);


            $app->system->chgrp(escapeshellcmd($data['new']['dir']).'/.bash_history', $data['new']['pgroup']);


            


            //* Disable shell user temporarily if we use jailkit


            if($data['new']['chroot'] == 'jailkit') {


               $command = 'usermod -s /bin/false -L '.escapeshellcmd($data['new']['username']);


               $command = 'usermod -s /bin/false -L '.escapeshellcmd($data['new']['username']).' 2>/dev/null';


               exec($command);


               $app->log("Disabling shelluser temporarily: ".$command,LOGLEVEL_DEBUG);


            }


				


            //* Add webfolder protection again


            $app->system->web_folder_protection($web['document_root'],true);


         


         } else {


            $app->log("UID = $uid for shelluser:".$data['new']['username']." not allowed.",LOGLEVEL_ERROR);


@@ -121,12 +135,20 @@


      


      $app->uses('system');


      


      //* Check if the resulting path is inside the docroot


      $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".intval($data['new']['parent_domain_id']));


      if(substr(realpath($data['new']['dir']),0,strlen($web['document_root'])) != $web['document_root']) {


         $app->log('Directory of the shell user is outside of website docroot.',LOGLEVEL_WARN);


         return false;


      }


		


      if($app->system->is_user($data['new']['puser'])) {


         // Get the UID of the parent user


         $uid = intval($app->system->getuid($data['new']['puser']));


         if($uid > $this->min_uid) {


            // Check if the user that we want to update exists, if not, we insert it


            if($app->system->is_user($data['old']['username'])) {


               /*


               $command = 'usermod';


               $command .= ' --home '.escapeshellcmd($data['new']['dir']);


               $command .= ' --gid '.escapeshellcmd($data['new']['pgroup']);


@@ -139,6 +161,9 @@


         


               exec($command);


               $app->log("Executed command: $command ",LOGLEVEL_DEBUG);


               */


               $groupinfo = posix_getgrnam($data['new']['pgroup']);


               $app->system->usermod($data['old']['username'],0, $groupinfo[gid], $data['new']['dir'], $data['new']['shell'], $data['new']['password'], $data['new']['username']);


               $app->log("Updated shelluser: ".$data['old']['username'],LOGLEVEL_DEBUG);


                           


               // call the ssh-rsa update function


@@ -149,10 +174,10 @@


               


               //* Create .bash_history file


               if(!is_file($data['new']['dir']).'/.bash_history') {


                  touch(escapeshellcmd($data['new']['dir']).'/.bash_history');


                  chmod(escapeshellcmd($data['new']['dir']).'/.bash_history', 0755);


                  chown(escapeshellcmd($data['new']['dir']).'/.bash_history',escapeshellcmd($data['new']['username']));


                  chgrp(escapeshellcmd($data['new']['dir']).'/.bash_history',escapeshellcmd($data['new']['pgroup']));


                  $app->system->touch(escapeshellcmd($data['new']['dir']).'/.bash_history');


                  $app->system->chmod(escapeshellcmd($data['new']['dir']).'/.bash_history', 0755);


                  $app->system->chown(escapeshellcmd($data['new']['dir']).'/.bash_history',escapeshellcmd($data['new']['username']));


                  $app->system->chgrp(escapeshellcmd($data['new']['dir']).'/.bash_history',escapeshellcmd($data['new']['pgroup']));


               }


               


            } else {


@@ -179,8 +204,7 @@


            // We delete only non jailkit users, jailkit users will be deleted by the jailkit plugin.


            if ($data['old']['chroot'] != "jailkit") {


               $command = 'userdel -f';


               $command .= ' '.escapeshellcmd($data['old']['username']);


			


               $command .= ' '.escapeshellcmd($data['old']['username']).' &> /dev/null';


               exec($command);


               $app->log("Deleted shelluser: ".$data['old']['username'],LOGLEVEL_DEBUG);


            }


@@ -223,24 +247,25 @@


         exec('ssh-keygen -t rsa -C '.$username.'-rsa-key-'.time().' -f /tmp/id_rsa -N ""');


         


         // use the public key that has been generated


         $userkey = file_get_contents('/tmp/id_rsa.pub');


         $userkey = $app->system->file_get_contents('/tmp/id_rsa.pub');


         


         // save keypair in client table


         $this->app->db->query("UPDATE client SET created_at = ".time().", id_rsa = '".file_get_contents('/tmp/id_rsa')."', ssh_rsa = '".$userkey."' WHERE client_id = ".$id);


         $this->app->db->query("UPDATE client SET created_at = ".time().", id_rsa = '".$app->db->quote($app->system->file_get_contents('/tmp/id_rsa'))."', ssh_rsa = '".$app->db->quote($userkey)."' WHERE client_id = ".$id);


         


         exec('rm -f /tmp/id_rsa /tmp/id_rsa.pub');


         $app->system->unlink('/tmp/id_rsa');


         $app->system->unlink('/tmp/id_rsa.pub');


         $this->app->log("ssh-rsa keypair generated for ".$username,LOGLEVEL_DEBUG);


      };




      if (!file_exists($sshkeys)){


         // add root's key


         $app->file->mkdirs($sshdir, '0755');


         file_put_contents($sshkeys, file_get_contents('/root/.ssh/authorized_keys'));


         $app->file->mkdirs($sshdir, '0700');


         if(is_file('/root/.ssh/authorized_keys')) $app->system->file_put_contents($sshkeys, $app->system->file_get_contents('/root/.ssh/authorized_keys'));


      


         // Remove duplicate keys


         $existing_keys = file($sshkeys);


         $existing_keys = @file($sshkeys);


         $new_keys = explode("\n", $userkey);


         $final_keys_arr = array_merge($existing_keys, $new_keys);


         $final_keys_arr = @array_merge($existing_keys, $new_keys);


         $new_final_keys_arr = array();


         if(is_array($final_keys_arr) && !empty($final_keys_arr)){


            foreach($final_keys_arr as $key => $val){


@@ -250,30 +275,46 @@


         $final_keys = implode("\n", array_flip(array_flip($new_final_keys_arr)));


         


         // add the user's key


         file_put_contents($sshkeys, $final_keys);


         $app->system->file_put_contents($sshkeys, $final_keys);


         $app->file->remove_blank_lines($sshkeys);


         $this->app->log("ssh-rsa authorisation keyfile created in ".$sshkeys,LOGLEVEL_DEBUG);


      }


      if ($sshrsa != ''){


         // Remove duplicate keys


         $existing_keys = file($sshkeys);


         $new_keys = explode("\n", $sshrsa);


         $final_keys_arr = array_merge($existing_keys, $new_keys);


         $new_final_keys_arr = array();


         if(is_array($final_keys_arr) && !empty($final_keys_arr)){


            foreach($final_keys_arr as $key => $val){


               $new_final_keys_arr[$key] = trim($val);


            }


         }


         $final_keys = implode("\n", array_flip(array_flip($new_final_keys_arr)));


         


         // add the custom key 


         file_put_contents($sshkeys, $final_keys);


         $app->file->remove_blank_lines($sshkeys);


         $this->app->log("ssh-rsa key updated in ".$sshkeys,LOGLEVEL_DEBUG);


      //* Get the keys


      $existing_keys = file($sshkeys);


      $new_keys = explode("\n", $sshrsa);


      $old_keys = explode("\n",$this->data['old']['ssh_rsa']);


			


      //* Remove all old keys


      if(is_array($old_keys)) {


         foreach($old_keys as $key => $val) {


            $k = array_search(trim($val),$existing_keys);


            unset($existing_keys[$k]);


         }


      }


			


      //* merge the remaining keys and the ones fom the ispconfig database.


      if(is_array($new_keys)) {


         $final_keys_arr = array_merge($existing_keys, $new_keys);


      } else {


         $final_keys_arr = $existing_keys;


      }


			


      $new_final_keys_arr = array();


      if(is_array($final_keys_arr) && !empty($final_keys_arr)){


         foreach($final_keys_arr as $key => $val){


            $new_final_keys_arr[$key] = trim($val);


         }


      }


      $final_keys = implode("\n", array_flip(array_flip($new_final_keys_arr)));


			


      // add the custom key 


      $app->system->file_put_contents($sshkeys, $final_keys);


      $app->file->remove_blank_lines($sshkeys);


      $this->app->log("ssh-rsa key updated in ".$sshkeys,LOGLEVEL_DEBUG);


		


      // set proper file permissions


      exec("chown -R ".escapeshellcmd($this->data['new']['puser']).":".escapeshellcmd($this->data['new']['pgroup'])." ".$usrdir);


      exec("chown -R ".escapeshellcmd($this->data['new']['puser']).":".escapeshellcmd($this->data['new']['pgroup'])." ".$sshdir);


      exec("chmod 600 '$sshkeys'");


      


   }