From 5045c7ee88c4dd07586179268799415b176e624c Mon Sep 17 00:00:00 2001
From: moglia <moglia@ispconfig3>
Date: Wed, 12 May 2010 14:41:58 -0400
Subject: [PATCH] Improved database list for turns end user life easy. If you are admin you need back to client list do consult id. Only admin can view CLIEND_ID for example and limited users can not know your id using easy way. This issue reported by my ispconfig end users. Direct show of end database user name resolve all of these steps on a single step.
---
server/plugins-available/mysql_clientdb_plugin.inc.php | 147 +++++++++++++++++++++++++++++++++----------------
1 files changed, 99 insertions(+), 48 deletions(-)
diff --git a/server/plugins-available/mysql_clientdb_plugin.inc.php b/server/plugins-available/mysql_clientdb_plugin.inc.php
index 602fae4..fdececf 100644
--- a/server/plugins-available/mysql_clientdb_plugin.inc.php
+++ b/server/plugins-available/mysql_clientdb_plugin.inc.php
@@ -66,6 +66,54 @@
}
+ function process_host_list($action, $database_name, $database_user, $database_password, $host_list, $link, $database_rename_user = "") {
+ global $app;
+
+ $action = strtoupper($action);
+
+ // set to all hosts if none given
+ if(trim($host_list) == "") $host_list = "%";
+
+ // process arrays and comma separated strings
+ if(!is_array($host_list)) $host_list = split(",", $host_list);
+
+ $success = true;
+
+ // loop through hostlist
+ foreach($host_list as $db_host) {
+ $db_host = trim($db_host);
+
+ // check if entry is valid ip address
+ $valid = true;
+ if($db_host == "%") {
+ $valid = true;
+ } elseif(preg_match("/^[0-9]{1,3}(\.)[0-9]{1,3}(\.)[0-9]{1,3}(\.)[0-9]{1,3}$/", $db_host)) {
+ $groups = explode(".", $db_host);
+ foreach($groups as $group){
+ if($group<0 OR $group>255)
+ $valid=false;
+ }
+ } else {
+ $valid = false;
+ }
+
+ if($valid == false) continue;
+
+ if($action == "GRANT") {
+ if(!mysql_query("GRANT ALL ON ".mysql_real_escape_string($database_name,$link).".* TO '".mysql_real_escape_string($database_user,$link)."'@'$db_host' IDENTIFIED BY '".mysql_real_escape_string($database_password,$link)."';",$link)) $success = false;
+ } elseif($action == "REVOKE") {
+ //mysql_query("REVOKE ALL PRIVILEGES ON ".mysql_real_escape_string($database_name,$link).".* FROM '".mysql_real_escape_string($database_user,$link)."';",$link);
+ } elseif($action == "DROP") {
+ if(!mysql_query("DROP USER '".mysql_real_escape_string($database_user,$link)."'@'$db_host';",$link)) $success = false;
+ } elseif($action == "RENAME") {
+ if(!mysql_query("RENAME USER '".mysql_real_escape_string($database_user,$link)."'@'$db_host' TO '".mysql_real_escape_string($database_rename_user,$link)."'@'$db_host'",$link)) $success = false;
+ } elseif($action == "PASSWORD") {
+ if(!mysql_query("SET PASSWORD FOR '".mysql_real_escape_string($database_user,$link)."'@'$db_host' = PASSWORD('".mysql_real_escape_string($database_password,$link)."');",$link)) $success = false;
+ }
+ }
+
+ return $success;
+ }
function db_insert($event_name,$data) {
global $app, $conf;
@@ -73,6 +121,11 @@
if($data["new"]["type"] == 'mysql') {
if(!include(ISPC_LIB_PATH.'/mysql_clientdb.conf')) {
$app->log('Unable to open'.ISPC_LIB_PATH.'/mysql_clientdb.conf',LOGLEVEL_ERROR);
+ return;
+ }
+
+ if($data["new"]["database_user"] == 'root') {
+ $app->log('User root not allowed for Client databases',LOGLEVEL_WARNING);
return;
}
@@ -101,14 +154,12 @@
if($data["new"]["active"] == 'y') {
if($data["new"]["remote_access"] == 'y') {
- $db_host = '%';
- mysql_query("GRANT ALL ON ".mysql_real_escape_string($data["new"]["database_name"],$link).".* TO '".mysql_real_escape_string($data["new"]["database_user"],$link)."'@'$db_host' IDENTIFIED BY '".mysql_real_escape_string($data["new"]["database_password"],$link)."';",$link);
- $db_host = 'localhost';
- mysql_query("GRANT ALL ON ".mysql_real_escape_string($data["new"]["database_name"],$link).".* TO '".mysql_real_escape_string($data["new"]["database_user"],$link)."'@'$db_host' IDENTIFIED BY '".mysql_real_escape_string($data["new"]["database_password"],$link)."';",$link);
- } else {
- $db_host = 'localhost';
- mysql_query("GRANT ALL ON ".mysql_real_escape_string($data["new"]["database_name"],$link).".* TO '".mysql_real_escape_string($data["new"]["database_user"],$link)."'@'$db_host' IDENTIFIED BY '".mysql_real_escape_string($data["new"]["database_password"],$link)."';",$link);
+ $this->process_host_list("GRANT", $data["new"]["database_name"], $data["new"]["database_user"], $data["new"]["database_password"], $data["new"]["remote_ips"], $link);
}
+
+ $db_host = 'localhost';
+ mysql_query("GRANT ALL ON ".mysql_real_escape_string($data["new"]["database_name"],$link).".* TO '".mysql_real_escape_string($data["new"]["database_user"],$link)."'@'$db_host' IDENTIFIED BY '".mysql_real_escape_string($data["new"]["database_password"],$link)."';",$link);
+
}
@@ -126,6 +177,11 @@
return;
}
+ if($data["new"]["database_user"] == 'root') {
+ $app->log('User root not allowed for Client databases',LOGLEVEL_WARNING);
+ return;
+ }
+
//* Connect to the database
$link = mysql_connect($clientdb_host, $clientdb_user, $clientdb_password);
if (!$link) {
@@ -137,14 +193,11 @@
if($data["new"]["active"] == 'y' && $data["old"]["active"] == 'n') {
if($data["new"]["remote_access"] == 'y') {
- $db_host = '%';
- mysql_query("GRANT ALL ON ".mysql_real_escape_string($data["new"]["database_name"],$link).".* TO '".mysql_real_escape_string($data["new"]["database_user"],$link)."'@'$db_host' IDENTIFIED BY '".mysql_real_escape_string($data["new"]["database_password"],$link)."';",$link);
- $db_host = 'localhost';
- mysql_query("GRANT ALL ON ".mysql_real_escape_string($data["new"]["database_name"],$link).".* TO '".mysql_real_escape_string($data["new"]["database_user"],$link)."'@'$db_host' IDENTIFIED BY '".mysql_real_escape_string($data["new"]["database_password"],$link)."';",$link);
- } else {
- $db_host = 'localhost';
- mysql_query("GRANT ALL ON ".mysql_real_escape_string($data["new"]["database_name"],$link).".* TO '".mysql_real_escape_string($data["new"]["database_user"],$link)."'@'$db_host' IDENTIFIED BY '".mysql_real_escape_string($data["new"]["database_password"],$link)."';",$link);
+ $this->process_host_list("GRANT", $data["new"]["database_name"], $data["new"]["database_user"], $data["new"]["database_password"], $data["new"]["remote_ips"], $link);
}
+
+ $db_host = 'localhost';
+ mysql_query("GRANT ALL ON ".mysql_real_escape_string($data["new"]["database_name"],$link).".* TO '".mysql_real_escape_string($data["new"]["database_user"],$link)."'@'$db_host' IDENTIFIED BY '".mysql_real_escape_string($data["new"]["database_password"],$link)."';",$link);
// mysql_query("GRANT ALL ON ".mysql_real_escape_string($data["new"]["database_name"],$link).".* TO '".mysql_real_escape_string($data["new"]["database_user"],$link)."'@'$db_host' IDENTIFIED BY '".mysql_real_escape_string($data["new"]["database_password"],$link)."';",$link);
//echo "GRANT ALL ON ".mysql_real_escape_string($data["new"]["database_name"]).".* TO '".mysql_real_escape_string($data["new"]["database_user"])."'@'$db_host' IDENTIFIED BY '".mysql_real_escape_string($data["new"]["database_password"])."';";
@@ -154,17 +207,23 @@
if($data["new"]["active"] == 'n' && $data["old"]["active"] == 'y') {
if($data["old"]["remote_access"] == 'y') {
- $db_host = '%';
- } else {
- $db_host = 'localhost';
+ $this->process_host_list("DROP", "", $data["old"]["database_user"], "", $data["old"]["remote_ips"], $link);
}
- mysql_query("REVOKE ALL PRIVILEGES ON ".mysql_real_escape_string($data["new"]["database_name"],$link).".* FROM '".mysql_real_escape_string($data["new"]["database_user"],$link)."';",$link);
+ $db_host = 'localhost';
+ mysql_query("DROP USER '".mysql_real_escape_string($data["old"]["database_user"],$link)."'@'$db_host';",$link);
+
+
+ //mysql_query("REVOKE ALL PRIVILEGES ON ".mysql_real_escape_string($data["new"]["database_name"],$link).".* FROM '".mysql_real_escape_string($data["new"]["database_user"],$link)."';",$link);
}
//* Rename User
if($data["new"]["database_user"] != $data["old"]["database_user"]) {
- mysql_query("RENAME USER '".mysql_real_escape_string($data["old"]["database_user"],$link)."' TO '".mysql_real_escape_string($data["new"]["database_user"],$link)."'",$link);
+ $db_host = 'localhost';
+ mysql_query("RENAME USER '".mysql_real_escape_string($data["old"]["database_user"],$link)."'@'$db_host' TO '".mysql_real_escape_string($data["new"]["database_user"],$link)."'@'$db_host'",$link);
+ if($data["old"]["remote_access"] == 'y') {
+ $this->process_host_list("RENAME", "", $data["new"]["database_user"], "", $data["new"]["remote_ips"], $link, $data["new"]["database_user"]);
+ }
$app->log('Renaming mysql user: '.$data["old"]["database_user"].' to '.$data["new"]["database_user"],LOGLEVEL_DEBUG);
}
@@ -172,38 +231,29 @@
if($data["new"]["remote_access"] != $data["old"]["remote_access"]) {
//* revoke old priveliges
- mysql_query("REVOKE ALL PRIVILEGES ON ".mysql_real_escape_string($data["new"]["database_name"],$link).".* FROM '".mysql_real_escape_string($data["new"]["database_user"],$link)."';",$link);
+ //mysql_query("REVOKE ALL PRIVILEGES ON ".mysql_real_escape_string($data["new"]["database_name"],$link).".* FROM '".mysql_real_escape_string($data["new"]["database_user"],$link)."';",$link);
//* set new priveliges
- if($data["new"]["remote_access"] == 'y') {
- $db_host = '%';
- mysql_query("GRANT ALL ON ".mysql_real_escape_string($data["new"]["database_name"],$link).".* TO '".mysql_real_escape_string($data["new"]["database_user"],$link)."'@'$db_host' IDENTIFIED BY '".mysql_real_escape_string($data["new"]["database_password"],$link)."';",$link);
- $db_host = 'localhost';
- mysql_query("GRANT ALL ON ".mysql_real_escape_string($data["new"]["database_name"],$link).".* TO '".mysql_real_escape_string($data["new"]["database_user"],$link)."'@'$db_host' IDENTIFIED BY '".mysql_real_escape_string($data["new"]["database_password"],$link)."';",$link);
+ if($data["new"]["remote_access"] == 'y') {
+ $this->process_host_list("GRANT", $data["new"]["database_name"], $data["new"]["database_user"], $data["new"]["database_password"], $data["new"]["remote_ips"], $link);
} else {
- $db_host = 'localhost';
- mysql_query("GRANT ALL ON ".mysql_real_escape_string($data["new"]["database_name"],$link).".* TO '".mysql_real_escape_string($data["new"]["database_user"],$link)."'@'$db_host' IDENTIFIED BY '".mysql_real_escape_string($data["new"]["database_password"],$link)."';",$link);
+ $this->process_host_list("DROP", "", $data["old"]["database_user"], "", $data["old"]["remote_ips"], $link);
}
$app->log('Changing mysql remote access priveliges for database: '.$data["new"]["database_name"],LOGLEVEL_DEBUG);
- }
-
- //* Get the db host setting for the access priveliges
- if($data["new"]["remote_access"] == 'y') {
- $db_host = '%';
- } else {
- $db_host = 'localhost';
- }
-
- /*
- //* Rename database
- if($data["new"]["database_name"] != $data["old"]["database_name"]) {
- mysql_query("",$link);
- }
- */
-
+ } elseif($data["new"]["remote_access"] == 'y' && $data["new"]["remote_ips"] != $data["old"]["remote_ips"]) {
+ //* Change remote access list
+ $this->process_host_list("DROP", "", $data["old"]["database_user"], "", $data["old"]["remote_ips"], $link);
+ $this->process_host_list("GRANT", $data["new"]["database_name"], $data["new"]["database_user"], $data["new"]["database_password"], $data["new"]["remote_ips"], $link);
+ }
+
//* Change password
if($data["new"]["database_password"] != $data["old"]["database_password"]) {
+ $db_host = 'localhost';
mysql_query("SET PASSWORD FOR '".mysql_real_escape_string($data["new"]["database_user"],$link)."'@'$db_host' = PASSWORD('".mysql_real_escape_string($data["new"]["database_password"],$link)."');",$link);
+
+ if($data["new"]["remote_access"] == 'y') {
+ $this->process_host_list("PASSWORD", "", $data["new"]["database_user"], $data["new"]["database_password"], $data["new"]["remote_ips"], $link);
+ }
$app->log('Changing mysql user password for: '.$data["new"]["database_user"],LOGLEVEL_DEBUG);
}
@@ -231,11 +281,13 @@
//* Get the db host setting for the access priveliges
if($data["old"]["remote_access"] == 'y') {
- $db_host = '%';
- } else {
- $db_host = 'localhost';
+ if($this->process_host_list("DROP", "", $data["old"]["database_user"], "", $data["old"]["remote_ips"], $link)) {
+ $app->log('Dropping mysql user: '.$data["old"]["database_user"],LOGLEVEL_DEBUG);
+ } else {
+ $app->log('Error while dropping mysql user: '.$data["old"]["database_user"].' '.mysql_error($link),LOGLEVEL_ERROR);
+ }
}
-
+ $db_host = 'localhost';
if(mysql_query("DROP USER '".mysql_real_escape_string($data["old"]["database_user"],$link)."'@'$db_host';",$link)) {
$app->log('Dropping mysql user: '.$data["old"]["database_user"],LOGLEVEL_DEBUG);
} else {
@@ -247,7 +299,6 @@
} else {
$app->log('Error while dropping mysql database: '.$data["old"]["database_name"].' '.mysql_error($link),LOGLEVEL_ERROR);
}
-
mysql_query("FLUSH PRIVILEGES;",$link);
mysql_close($link);
--
Gitblit v1.9.1