ISPConfig3 devel
blame | history | patch | commit | commitdiff | ignore whitespace
Till Brehm
2014-10-29 c91c7a6249cdbcd235fc17f6bc4104d6da93a1d9 
 server/plugins-available/shelluser_jailkit_plugin.inc.php


@@ -33,6 +33,7 @@


   //* $plugin_name and $class_name have to be the same then the name of this class


   var $plugin_name = 'shelluser_jailkit_plugin';


   var $class_name = 'shelluser_jailkit_plugin';


   var $min_uid = 499;




   //* This function is called during ispconfig installation to determine


   //  if a symlink shall be created for this plugin.


@@ -58,11 +59,11 @@


      /*


      Register for the events


      */




		


      $app->plugins->registerEvent('shell_user_insert', $this->plugin_name, 'insert');


      $app->plugins->registerEvent('shell_user_update', $this->plugin_name, 'update');


      $app->plugins->registerEvent('shell_user_delete', $this->plugin_name, 'delete');




		




   }




@@ -70,53 +71,78 @@


   function insert($event_name, $data) {


      global $app, $conf;




      $app->uses('system');


      $app->uses('system,getconf');


		


      $security_config = $app->getconf->get_security_config('permissions');


      if($security_config['allow_shell_user'] != 'yes') {


         $app->log('Shell user plugin disabled by security settings.',LOGLEVEL_WARN);


         return false;


      }


		


		


      $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$data['new']['parent_domain_id']);




      if($app->system->is_user($data['new']['username'])) {


      if(!$app->system->is_allowed_user($data['new']['username'], false, false)


         || !$app->system->is_allowed_user($data['new']['puser'], true, true)


         || !$app->system->is_allowed_group($data['new']['pgroup'], true, true)) {


         $app->log('Shell user must not be root or in group root.',LOGLEVEL_WARN);


         return false;


      }




         /**


          * Setup Jailkit Chroot System If Enabled


          */


      if($app->system->is_user($data['new']['puser'])) {


         // Get the UID of the parent user


         $uid = intval($app->system->getuid($data['new']['puser']));


         if($uid > $this->min_uid) {


			


            if($app->system->is_user($data['new']['username'])) {




               /**


               * Setup Jailkit Chroot System If Enabled


               */




               if ($data['new']['chroot'] == "jailkit")


               {






         if ($data['new']['chroot'] == "jailkit")


         {


                  // load the server configuration options


                  $app->uses("getconf");


                  $this->data = $data;


                  $this->app = $app;


                  $this->jailkit_config = $app->getconf->get_server_config($conf["server_id"], 'jailkit');




                  $this->_update_website_security_level();




            // load the server configuration options


            $app->uses("getconf");


            $this->data = $data;


            $this->app = $app;


            $this->jailkit_config = $app->getconf->get_server_config($conf["server_id"], 'jailkit');


                  $app->system->web_folder_protection($web['document_root'], false);




            $this->_update_website_security_level();


                  $this->_setup_jailkit_chroot();




            $app->system->web_folder_protection($web['document_root'], false);


                  $this->_add_jailkit_user();




            $this->_setup_jailkit_chroot();


                  //* call the ssh-rsa update function


                  $this->_setup_ssh_rsa();




            $this->_add_jailkit_user();


                  //$command .= 'usermod -s /usr/sbin/jk_chrootsh -U '.escapeshellcmd($data['new']['username']);


                  //exec($command);


                  $app->system->usermod($data['new']['username'], 0, 0, '', '/usr/sbin/jk_chrootsh', '', '');




            //* call the ssh-rsa update function


            $this->_setup_ssh_rsa();


                  //* Unlock user


                  $command = 'usermod -U '.escapeshellcmd($data['new']['username']).' 2>/dev/null';


                  exec($command);




            //$command .= 'usermod -s /usr/sbin/jk_chrootsh -U '.escapeshellcmd($data['new']['username']);


            //exec($command);


            $app->system->usermod($data['new']['username'], 0, 0, '', '/usr/sbin/jk_chrootsh', '', '');


                  $this->_update_website_security_level();


                  $app->system->web_folder_protection($web['document_root'], true);


               }




            //* Unlock user


            $command = 'usermod -U '.escapeshellcmd($data['new']['username']).' 2>/dev/null';


            exec($command);


               $app->log("Jailkit Plugin -> insert username:".$data['new']['username'], LOGLEVEL_DEBUG);




            $this->_update_website_security_level();


            $app->system->web_folder_protection($web['document_root'], true);


            } else {


               $app->log("Jailkit Plugin -> insert username:".$data['new']['username']." skipped, the user does not exist.", LOGLEVEL_WARN);


            }


         } else {


            $app->log("UID = $uid for shelluser:".$data['new']['username']." not allowed.", LOGLEVEL_ERROR);


         }




         $app->log("Jailkit Plugin -> insert username:".$data['new']['username'], LOGLEVEL_DEBUG);




      } else {


         $app->log("Jailkit Plugin -> insert username:".$data['new']['username']." skipped, the user does not exist.", LOGLEVEL_WARN);


         $app->log("Skipping insertion of user:".$data['new']['username'].", parent user ".$data['new']['puser']." does not exist.", LOGLEVEL_WARN);


      }




   }


@@ -125,44 +151,68 @@


   function update($event_name, $data) {


      global $app, $conf;




      $app->uses('system');


      $app->uses('system,getconf');


		


      $security_config = $app->getconf->get_security_config('permissions');


      if($security_config['allow_shell_user'] != 'yes') {


         $app->log('Shell user plugin disabled by security settings.',LOGLEVEL_WARN);


         return false;


      }


		


      $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$data['new']['parent_domain_id']);




      if($app->system->is_user($data['new']['username'])) {


      if(!$app->system->is_allowed_user($data['new']['username'], false, false)


         || !$app->system->is_allowed_user($data['new']['puser'], true, true)


         || !$app->system->is_allowed_group($data['new']['pgroup'], true, true)) {


         $app->log('Shell user must not be root or in group root.',LOGLEVEL_WARN);


         return false;


      }




      if($app->system->is_user($data['new']['puser'])) {


         // Get the UID of the parent user


         $uid = intval($app->system->getuid($data['new']['puser']));


         if($uid > $this->min_uid) {


			


			


            if($app->system->is_user($data['new']['username'])) {




               /**


               * Setup Jailkit Chroot System If Enabled


               */


               if ($data['new']['chroot'] == "jailkit")


               {




         /**


          * Setup Jailkit Chroot System If Enabled


          */


         if ($data['new']['chroot'] == "jailkit")


         {


                  // load the server configuration options


                  $app->uses("getconf");


                  $this->data = $data;


                  $this->app = $app;


                  $this->jailkit_config = $app->getconf->get_server_config($conf["server_id"], 'jailkit');




            // load the server configuration options


            $app->uses("getconf");


            $this->data = $data;


            $this->app = $app;


            $this->jailkit_config = $app->getconf->get_server_config($conf["server_id"], 'jailkit');


                  $this->_update_website_security_level();




            $this->_update_website_security_level();


                  $app->system->web_folder_protection($web['document_root'], false);




            $app->system->web_folder_protection($web['document_root'], false);


                  $this->_setup_jailkit_chroot();


                  $this->_add_jailkit_user();




            $this->_setup_jailkit_chroot();


            $this->_add_jailkit_user();


                  //* call the ssh-rsa update function


                  $this->_setup_ssh_rsa();




            //* call the ssh-rsa update function


            $this->_setup_ssh_rsa();


                  $this->_update_website_security_level();




            $this->_update_website_security_level();


                  $app->system->web_folder_protection($web['document_root'], true);


               }




            $app->system->web_folder_protection($web['document_root'], true);


               $app->log("Jailkit Plugin -> update username:".$data['new']['username'], LOGLEVEL_DEBUG);




            } else {


               $app->log("Jailkit Plugin -> update username:".$data['new']['username']." skipped, the user does not exist.", LOGLEVEL_WARN);


            }


         } else {


            $app->log("UID = $uid for shelluser:".$data['new']['username']." not allowed.", LOGLEVEL_ERROR);


         }




         $app->log("Jailkit Plugin -> update username:".$data['new']['username'], LOGLEVEL_DEBUG);




      } else {


         $app->log("Jailkit Plugin -> update username:".$data['new']['username']." skipped, the user does not exist.", LOGLEVEL_WARN);


         $app->log("Skipping update for user:".$data['new']['username'].", parent user ".$data['new']['puser']." does not exist.", LOGLEVEL_WARN);


      }




   }


@@ -174,7 +224,13 @@


   function delete($event_name, $data) {


      global $app, $conf;




      $app->uses('system');


      $app->uses('system,getconf');


		


      $security_config = $app->getconf->get_security_config('permissions');


      if($security_config['allow_shell_user'] != 'yes') {


         $app->log('Shell user plugin disabled by security settings.',LOGLEVEL_WARN);


         return false;


      }




      $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$data['old']['parent_domain_id']);




@@ -191,9 +247,13 @@


         $app->system->web_folder_protection($web['document_root'], false);




         if(@is_dir($data['old']['dir'].$jailkit_chroot_userhome)) {


            $command = 'userdel -f';


            $userid = intval($app->system->getuid($data['old']['username']));


            $command = 'killall -u '.escapeshellcmd($data['old']['username']).' ; userdel -f';


            $command .= ' '.escapeshellcmd($data['old']['username']).' &> /dev/null';


            exec($command);


				


            $this->_delete_homedir($data['old']['dir'].$jailkit_chroot_userhome,$userid,$data['old']['parent_domain_id']);


				


            $app->log("Jailkit Plugin -> delete chroot home:".$data['old']['dir'].$jailkit_chroot_userhome, LOGLEVEL_DEBUG);


         }




@@ -467,6 +527,48 @@


      exec("chmod 600 '$sshkeys'");




   }


	


   private function _delete_homedir($homedir,$userid,$parent_domain_id) {


      global $app, $conf;


		


      // check if we have to delete the dir


            $check = $app->db->queryOneRecord('SELECT shell_user_id FROM `shell_user` WHERE `dir` = \'' . $app->db->quote($homedir) . '\'');


				


            if(!$check && is_dir($homedir)) {


               $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".intval($parent_domain_id));


               $app->system->web_folder_protection($web['document_root'], false);


					


               // delete dir


               if(substr($homedir, -1) !== '/') $homedir .= '/';


               $files = array('.bash_logout', '.bash_history', '.bashrc', '.profile');


               $dirs = array('.ssh', '.cache');


               foreach($files as $delfile) {


                  if(is_file($homedir . $delfile) && fileowner($homedir . $delfile) == $userid) unlink($homedir . $delfile);


               }


               foreach($dirs as $deldir) {


                  if(is_dir($homedir . $deldir) && fileowner($homedir . $deldir) == $userid) exec('rm -rf ' . escapeshellarg($homedir . $deldir));


               }


               $empty = true;


               $dirres = opendir($homedir);


               if($dirres) {


                  while(($entry = readdir($dirres)) !== false) {


                     if($entry != '.' && $entry != '..') {


                        $empty = false;


                        break;


                     }


                  }


                  closedir($dirres);


               }


               if($empty == true) {


                  rmdir($homedir);


               }


               unset($files);


               unset($dirs);


					


               $app->system->web_folder_protection($web['document_root'], true);


            }


	


   }




} // end class