From d87f76019fc231ec20d95126a7fee0487e7be5f0 Mon Sep 17 00:00:00 2001
From: tbrehm <t.brehm@ispconfig.org>
Date: Tue, 14 Aug 2012 10:56:20 -0400
Subject: [PATCH] - Added new web folder named private to web folder layout. The folder is intended to store data that shall not be visible in the web directory, it is owned by the user of the web. - Changed ownership of web root directory to root user in all security modes to prevent symlink attacks. - Apache log files are now owned by user root. - Improved functions in system library.
---
server/plugins-available/shelluser_base_plugin.inc.php | 111 +++++++++++++++++++++++++++++++++++++++++++++----------
1 files changed, 90 insertions(+), 21 deletions(-)
diff --git a/server/plugins-available/shelluser_base_plugin.inc.php b/server/plugins-available/shelluser_base_plugin.inc.php
index 58858a3..d63b6b2 100755
--- a/server/plugins-available/shelluser_base_plugin.inc.php
+++ b/server/plugins-available/shelluser_base_plugin.inc.php
@@ -72,7 +72,18 @@
$app->uses('system');
+ //* Check if the resulting path is inside the docroot
+ $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".intval($data['new']['parent_domain_id']));
+ if(substr(realpath($data['new']['dir']),0,strlen($web['document_root'])) != $web['document_root']) {
+ $app->log('Directory of the shell user is outside of website docroot.',LOGLEVEL_WARN);
+ return false;
+ }
+
if($app->system->is_user($data['new']['puser'])) {
+
+ //* Remove webfolder protection
+ $app->system->web_folder_protection($web['document_root'],false);
+
// Get the UID of the parent user
$uid = intval($app->system->getuid($data['new']['puser']));
if($uid > $this->min_uid) {
@@ -107,6 +118,9 @@
exec($command);
$app->log("Disabling shelluser temporarily: ".$command,LOGLEVEL_DEBUG);
}
+
+ //* Add webfolder protection again
+ $app->system->web_folder_protection($web['document_root'],true);
} else {
$app->log("UID = $uid for shelluser:".$data['new']['username']." not allowed.",LOGLEVEL_ERROR);
@@ -121,12 +135,20 @@
$app->uses('system');
+ //* Check if the resulting path is inside the docroot
+ $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".intval($data['new']['parent_domain_id']));
+ if(substr(realpath($data['new']['dir']),0,strlen($web['document_root'])) != $web['document_root']) {
+ $app->log('Directory of the shell user is outside of website docroot.',LOGLEVEL_WARN);
+ return false;
+ }
+
if($app->system->is_user($data['new']['puser'])) {
// Get the UID of the parent user
$uid = intval($app->system->getuid($data['new']['puser']));
if($uid > $this->min_uid) {
// Check if the user that we want to update exists, if not, we insert it
if($app->system->is_user($data['old']['username'])) {
+ /*
$command = 'usermod';
$command .= ' --home '.escapeshellcmd($data['new']['dir']);
$command .= ' --gid '.escapeshellcmd($data['new']['pgroup']);
@@ -139,6 +161,9 @@
exec($command);
$app->log("Executed command: $command ",LOGLEVEL_DEBUG);
+ */
+ $groupinfo = posix_getgrnam($data['new']['pgroup']);
+ $app->system->usermod($data['old']['username'],0, $groupinfo[gid], $data['new']['dir'], $data['new']['shell'], $data['new']['password'], $data['new']['username']);
$app->log("Updated shelluser: ".$data['old']['username'],LOGLEVEL_DEBUG);
// call the ssh-rsa update function
@@ -195,6 +220,7 @@
}
private function _setup_ssh_rsa() {
+ global $app;
$this->app->log("ssh-rsa setup shelluser_base",LOGLEVEL_DEBUG);
// Get the client ID, username, and the key
$domain_data = $this->app->db->queryOneRecord('SELECT sys_groupid FROM web_domain WHERE web_domain.domain_id = '.intval($this->data['new']['parent_domain_id']));
@@ -207,45 +233,88 @@
unset($client_data);
// ssh-rsa authentication variables
- $sshrsa = escapeshellcmd($this->data['new']['ssh_rsa']);
+ $sshrsa = $this->data['new']['ssh_rsa'];
$usrdir = escapeshellcmd($this->data['new']['dir']);
$sshdir = $usrdir.'/.ssh';
$sshkeys= $usrdir.'/.ssh/authorized_keys';
+ $app->uses('file');
+ $sshrsa = $app->file->unix_nl($sshrsa);
+ $sshrsa = $app->file->remove_blank_lines($sshrsa,0);
+
// If this user has no key yet, generate a pair
- if ($userkey == '' && $id>0)
- {
+ if ($userkey == '' && $id > 0){
//Generate ssh-rsa-keys
exec('ssh-keygen -t rsa -C '.$username.'-rsa-key-'.time().' -f /tmp/id_rsa -N ""');
+
+ // use the public key that has been generated
+ $userkey = file_get_contents('/tmp/id_rsa.pub');
+
// save keypair in client table
- $this->app->db->query("UPDATE client SET created_at = ".time().", id_rsa = '".file_get_contents('/tmp/id_rsa')."', ssh_rsa = '".file_get_contents('/tmp/id_rsa.pub')."' WHERE client_id = ".$id);
- // and use the public key that has been generated
- $userkey = file_get_contents('/tmp/id_rsa.pub')
- ;
+ $this->app->db->query("UPDATE client SET created_at = ".time().", id_rsa = '".file_get_contents('/tmp/id_rsa')."', ssh_rsa = '".$userkey."' WHERE client_id = ".$id);
+
exec('rm -f /tmp/id_rsa /tmp/id_rsa.pub');
$this->app->log("ssh-rsa keypair generated for ".$username,LOGLEVEL_DEBUG);
};
-
- if (!file_exists($sshkeys))
- {
+
+ if (!file_exists($sshkeys)){
// add root's key
- exec("mkdir '$sshdir'");
- exec("cat /root/.ssh/authorized_keys > '$sshkeys'");
- exec("echo '' >> '$sshkeys'");
+ $app->file->mkdirs($sshdir, '0700');
+ if(is_file('/root/.ssh/authorized_keys')) file_put_contents($sshkeys, file_get_contents('/root/.ssh/authorized_keys'));
+ // Remove duplicate keys
+ $existing_keys = @file($sshkeys);
+ $new_keys = explode("\n", $userkey);
+ $final_keys_arr = @array_merge($existing_keys, $new_keys);
+ $new_final_keys_arr = array();
+ if(is_array($final_keys_arr) && !empty($final_keys_arr)){
+ foreach($final_keys_arr as $key => $val){
+ $new_final_keys_arr[$key] = trim($val);
+ }
+ }
+ $final_keys = implode("\n", array_flip(array_flip($new_final_keys_arr)));
+
// add the user's key
- exec("echo '$userkey' >> '$sshkeys'");
- exec("echo '' >> '$sshkeys'");
+ file_put_contents($sshkeys, $final_keys);
+ $app->file->remove_blank_lines($sshkeys);
$this->app->log("ssh-rsa authorisation keyfile created in ".$sshkeys,LOGLEVEL_DEBUG);
}
- if ($sshrsa!=''){
- // add the custom key
- exec("echo '$sshrsa' >> '$sshkeys'");
- exec("echo '' >> '$sshkeys'");
- $this->app->log("ssh-rsa key updated in ".$sshkeys,LOGLEVEL_DEBUG);
+
+ //* Get the keys
+ $existing_keys = file($sshkeys);
+ $new_keys = explode("\n", $sshrsa);
+ $old_keys = explode("\n",$this->data['old']['ssh_rsa']);
+
+ //* Remove all old keys
+ if(is_array($old_keys)) {
+ foreach($old_keys as $key => $val) {
+ $k = array_search(trim($val),$existing_keys);
+ unset($existing_keys[$k]);
+ }
}
+
+ //* merge the remaining keys and the ones fom the ispconfig database.
+ if(is_array($new_keys)) {
+ $final_keys_arr = array_merge($existing_keys, $new_keys);
+ } else {
+ $final_keys_arr = $existing_keys;
+ }
+
+ $new_final_keys_arr = array();
+ if(is_array($final_keys_arr) && !empty($final_keys_arr)){
+ foreach($final_keys_arr as $key => $val){
+ $new_final_keys_arr[$key] = trim($val);
+ }
+ }
+ $final_keys = implode("\n", array_flip(array_flip($new_final_keys_arr)));
+
+ // add the custom key
+ file_put_contents($sshkeys, $final_keys);
+ $app->file->remove_blank_lines($sshkeys);
+ $this->app->log("ssh-rsa key updated in ".$sshkeys,LOGLEVEL_DEBUG);
+
// set proper file permissions
- exec("chown -R ".escapeshellcmd($this->data['new']['puser']).":".escapeshellcmd($this->data['new']['pgroup'])." ".$usrdir);
+ exec("chown -R ".escapeshellcmd($this->data['new']['puser']).":".escapeshellcmd($this->data['new']['pgroup'])." ".$sshdir);
exec("chmod 600 '$sshkeys'");
}
--
Gitblit v1.9.1