shelluser_jailkit_plugin.inc.php 18 KB
Newer Older
tbrehm's avatar
tbrehm committed
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
<?php

/*
Copyright (c) 2007, Till Brehm, projektfarm Gmbh
All rights reserved.

Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:

    * Redistributions of source code must retain the above copyright notice,
      this list of conditions and the following disclaimer.
    * Redistributions in binary form must reproduce the above copyright notice,
      this list of conditions and the following disclaimer in the documentation
      and/or other materials provided with the distribution.
    * Neither the name of ISPConfig nor the names of its contributors
      may be used to endorse or promote products derived from this software without
      specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/

class shelluser_jailkit_plugin {
32

tbrehm's avatar
tbrehm committed
33 34 35
	//* $plugin_name and $class_name have to be the same then the name of this class
	var $plugin_name = 'shelluser_jailkit_plugin';
	var $class_name = 'shelluser_jailkit_plugin';
36
	var $min_uid = 499;
37

tbrehm's avatar
tbrehm committed
38 39 40 41
	//* This function is called during ispconfig installation to determine
	//  if a symlink shall be created for this plugin.
	function onInstall() {
		global $conf;
42

tbrehm's avatar
tbrehm committed
43 44 45 46 47
		if($conf['services']['web'] == true) {
			return true;
		} else {
			return false;
		}
48

tbrehm's avatar
tbrehm committed
49
	}
50 51


tbrehm's avatar
tbrehm committed
52 53 54
	/*
	 	This function is called when the plugin is loaded
	*/
55

tbrehm's avatar
tbrehm committed
56 57
	function onLoad() {
		global $app;
58

tbrehm's avatar
tbrehm committed
59 60 61 62
		/*
		Register for the events
		*/

63 64 65 66 67
		$app->plugins->registerEvent('shell_user_insert', $this->plugin_name, 'insert');
		$app->plugins->registerEvent('shell_user_update', $this->plugin_name, 'update');
		$app->plugins->registerEvent('shell_user_delete', $this->plugin_name, 'delete');


tbrehm's avatar
tbrehm committed
68
	}
69

tbrehm's avatar
tbrehm committed
70
	//* This function is called, when a shell user is inserted in the database
71
	function insert($event_name, $data) {
tbrehm's avatar
tbrehm committed
72
		global $app, $conf;
73

tbrehm's avatar
tbrehm committed
74
		$app->uses('system');
75
		$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$data['new']['parent_domain_id']);
76

77 78 79 80 81 82
		if($app->system->is_user($data['new']['puser'])) {
			// Get the UID of the parent user
			$uid = intval($app->system->getuid($data['new']['puser']));
			if($uid > $this->min_uid) {
			
				if($app->system->is_user($data['new']['username'])) {
83

84 85 86
					/**
					* Setup Jailkit Chroot System If Enabled
					*/
87

88 89
					if ($data['new']['chroot'] == "jailkit")
					{
90 91


92 93 94 95 96
						// load the server configuration options
						$app->uses("getconf");
						$this->data = $data;
						$this->app = $app;
						$this->jailkit_config = $app->getconf->get_server_config($conf["server_id"], 'jailkit');
97

98
						$this->_update_website_security_level();
99

100
						$app->system->web_folder_protection($web['document_root'], false);
101

102
						$this->_setup_jailkit_chroot();
103

104
						$this->_add_jailkit_user();
105

106 107
						//* call the ssh-rsa update function
						$this->_setup_ssh_rsa();
108

109 110 111
						//$command .= 'usermod -s /usr/sbin/jk_chrootsh -U '.escapeshellcmd($data['new']['username']);
						//exec($command);
						$app->system->usermod($data['new']['username'], 0, 0, '', '/usr/sbin/jk_chrootsh', '', '');
112

113 114 115
						//* Unlock user
						$command = 'usermod -U '.escapeshellcmd($data['new']['username']).' 2>/dev/null';
						exec($command);
116

117 118 119
						$this->_update_website_security_level();
						$app->system->web_folder_protection($web['document_root'], true);
					}
120

121
					$app->log("Jailkit Plugin -> insert username:".$data['new']['username'], LOGLEVEL_DEBUG);
122

123 124 125 126 127 128
				} else {
					$app->log("Jailkit Plugin -> insert username:".$data['new']['username']." skipped, the user does not exist.", LOGLEVEL_WARN);
				}
			} else {
				$app->log("UID = $uid for shelluser:".$data['new']['username']." not allowed.", LOGLEVEL_ERROR);
			}
tbrehm's avatar
tbrehm committed
129
		} else {
130
			$app->log("Skipping insertion of user:".$data['new']['username'].", parent user ".$data['new']['puser']." does not exist.", LOGLEVEL_WARN);
tbrehm's avatar
tbrehm committed
131
		}
132

tbrehm's avatar
tbrehm committed
133
	}
134

tbrehm's avatar
tbrehm committed
135
	//* This function is called, when a shell user is updated in the database
136
	function update($event_name, $data) {
tbrehm's avatar
tbrehm committed
137
		global $app, $conf;
138

tbrehm's avatar
tbrehm committed
139
		$app->uses('system');
140
		$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$data['new']['parent_domain_id']);
141

142 143 144 145 146 147 148
		if($app->system->is_user($data['new']['puser'])) {
			// Get the UID of the parent user
			$uid = intval($app->system->getuid($data['new']['puser']));
			if($uid > $this->min_uid) {
			
			
				if($app->system->is_user($data['new']['username'])) {
149

150 151 152 153 154
					/**
					* Setup Jailkit Chroot System If Enabled
					*/
					if ($data['new']['chroot'] == "jailkit")
					{
155

156 157 158 159 160
						// load the server configuration options
						$app->uses("getconf");
						$this->data = $data;
						$this->app = $app;
						$this->jailkit_config = $app->getconf->get_server_config($conf["server_id"], 'jailkit');
161

162
						$this->_update_website_security_level();
163

164
						$app->system->web_folder_protection($web['document_root'], false);
165

166 167
						$this->_setup_jailkit_chroot();
						$this->_add_jailkit_user();
168

169 170
						//* call the ssh-rsa update function
						$this->_setup_ssh_rsa();
171

172
						$this->_update_website_security_level();
173

174 175
						$app->system->web_folder_protection($web['document_root'], true);
					}
176

177
					$app->log("Jailkit Plugin -> update username:".$data['new']['username'], LOGLEVEL_DEBUG);
178

179 180 181 182 183
				} else {
					$app->log("Jailkit Plugin -> update username:".$data['new']['username']." skipped, the user does not exist.", LOGLEVEL_WARN);
				}
			} else {
				$app->log("UID = $uid for shelluser:".$data['new']['username']." not allowed.", LOGLEVEL_ERROR);
tbrehm's avatar
tbrehm committed
184 185
			}
		} else {
186
			$app->log("Skipping update for user:".$data['new']['username'].", parent user ".$data['new']['puser']." does not exist.", LOGLEVEL_WARN);
tbrehm's avatar
tbrehm committed
187
		}
188

tbrehm's avatar
tbrehm committed
189
	}
190

tbrehm's avatar
tbrehm committed
191 192 193
	//* This function is called, when a shell user is deleted in the database
	/**
	 * TODO: Remove chroot user home and from the chroot passwd file
194 195
	 */
	function delete($event_name, $data) {
tbrehm's avatar
tbrehm committed
196
		global $app, $conf;
197

tbrehm's avatar
tbrehm committed
198
		$app->uses('system');
199

200
		$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$data['old']['parent_domain_id']);
201

tbrehm's avatar
tbrehm committed
202 203 204 205
		if ($data['old']['chroot'] == "jailkit")
		{
			$app->uses("getconf");
			$this->jailkit_config = $app->getconf->get_server_config($conf["server_id"], 'jailkit');
206

tbrehm's avatar
tbrehm committed
207
			$jailkit_chroot_userhome = $this->_get_home_dir($data['old']['username']);
208

tbrehm's avatar
tbrehm committed
209 210
			//commented out proved to be dangerous on config errors
			//exec('rm -rf '.$data['old']['dir'].$jailkit_chroot_userhome);
211 212 213

			$app->system->web_folder_protection($web['document_root'], false);

tbrehm's avatar
tbrehm committed
214
			if(@is_dir($data['old']['dir'].$jailkit_chroot_userhome)) {
215
				$command = 'userdel -f';
216
				$command .= ' '.escapeshellcmd($data['old']['username']).' &> /dev/null';
tbrehm's avatar
tbrehm committed
217
				exec($command);
218
				$app->log("Jailkit Plugin -> delete chroot home:".$data['old']['dir'].$jailkit_chroot_userhome, LOGLEVEL_DEBUG);
tbrehm's avatar
tbrehm committed
219
			}
220 221 222

			$app->system->web_folder_protection($web['document_root'], true);

tbrehm's avatar
tbrehm committed
223
		}
224 225 226 227

		$app->log("Jailkit Plugin -> delete username:".$data['old']['username'], LOGLEVEL_DEBUG);


tbrehm's avatar
tbrehm committed
228
	}
229

tbrehm's avatar
tbrehm committed
230 231
	function _setup_jailkit_chroot()
	{
232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277
		global $app;

		//check if the chroot environment is created yet if not create it with a list of program sections from the config
		if (!is_dir($this->data['new']['dir'].'/etc/jailkit'))
		{
			$command = '/usr/local/ispconfig/server/scripts/create_jailkit_chroot.sh';
			$command .= ' '.escapeshellcmd($this->data['new']['dir']);
			$command .= ' \''.$this->jailkit_config['jailkit_chroot_app_sections'].'\'';
			exec($command.' 2>/dev/null');

			$this->app->log("Added jailkit chroot with command: ".$command, LOGLEVEL_DEBUG);

			$this->_add_jailkit_programs();

			//add bash.bashrc script
			//we need to collect the domain name to be used as the HOSTNAME in the bashrc script
			$web = $this->app->db->queryOneRecord("SELECT domain FROM web_domain WHERE domain_id = ".intval($this->data['new']["parent_domain_id"]));

			$this->app->load('tpl');

			$tpl = new tpl();
			$tpl->newTemplate("bash.bashrc.master");

			$tpl->setVar('jailkit_chroot', true);
			$tpl->setVar('domain', $web['domain']);
			$tpl->setVar('home_dir', $this->_get_home_dir(""));

			$bashrc = escapeshellcmd($this->data['new']['dir']).'/etc/bash.bashrc';
			if(@is_file($bashrc) || @is_link($bashrc)) unlink($bashrc);

			file_put_contents($bashrc, $tpl->grab());
			unset($tpl);

			$this->app->log("Added bashrc script : ".$bashrc, LOGLEVEL_DEBUG);

			$tpl = new tpl();
			$tpl->newTemplate("motd.master");

			$tpl->setVar('domain', $web['domain']);

			$motd = escapeshellcmd($this->data['new']['dir']).'/var/run/motd';
			if(@is_file($motd) || @is_link($motd)) unlink($motd);

			$app->system->file_put_contents($motd, $tpl->grab());

		}
tbrehm's avatar
tbrehm committed
278
	}
279

tbrehm's avatar
tbrehm committed
280 281 282 283 284 285
	function _add_jailkit_programs()
	{
		//copy over further programs and its libraries
		$command = '/usr/local/ispconfig/server/scripts/create_jailkit_programs.sh';
		$command .= ' '.escapeshellcmd($this->data['new']['dir']);
		$command .= ' \''.$this->jailkit_config['jailkit_chroot_app_programs'].'\'';
286
		exec($command.' 2>/dev/null');
287 288

		$this->app->log("Added programs to jailkit chroot with command: ".$command, LOGLEVEL_DEBUG);
tbrehm's avatar
tbrehm committed
289
	}
290

tbrehm's avatar
tbrehm committed
291 292
	function _get_home_dir($username)
	{
293
		return str_replace("[username]", escapeshellcmd($username), $this->jailkit_config['jailkit_chroot_home']);
tbrehm's avatar
tbrehm committed
294
	}
295

tbrehm's avatar
tbrehm committed
296 297
	function _add_jailkit_user()
	{
298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323
		global $app;

		//add the user to the chroot
		$jailkit_chroot_userhome = $this->_get_home_dir($this->data['new']['username']);
		$jailkit_chroot_puserhome = $this->_get_home_dir($this->data['new']['puser']);

		if(!is_dir($this->data['new']['dir'].'/etc')) mkdir($this->data['new']['dir'].'/etc', 0755);
		if(!is_file($this->data['new']['dir'].'/etc/passwd')) touch($this->data['new']['dir'].'/etc/passwd', 0755);

		// IMPORTANT!
		// ALWAYS create the user. Even if the user was created before
		// if we check if the user exists, then a update (no shell -> jailkit) will not work
		// and the user has FULL ACCESS to the root of the server!
		$command = '/usr/local/ispconfig/server/scripts/create_jailkit_user.sh';
		$command .= ' '.escapeshellcmd($this->data['new']['username']);
		$command .= ' '.escapeshellcmd($this->data['new']['dir']);
		$command .= ' '.$jailkit_chroot_userhome;
		$command .= ' '.escapeshellcmd($this->data['new']['shell']);
		$command .= ' '.$this->data['new']['puser'];
		$command .= ' '.$jailkit_chroot_puserhome;
		exec($command.' 2>/dev/null');

		//* Change the homedir of the shell user and parent user
		//* We have to do this manually as the usermod command fails
		//* when the user is logged in or a command is running under that user
		/*
324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339
			$passwd_file_array = file('/etc/passwd');
			$passwd_out = '';
			if(is_array($passwd_file_array)) {
				foreach($passwd_file_array as $line) {
					$line = trim($line);
					$parts = explode(':',$line);
					if($parts[0] == $this->data['new']['username']) {
						$parts[5] = escapeshellcmd($this->data['new']['dir'].'/.'.$jailkit_chroot_userhome);
						$parts[6] = escapeshellcmd('/usr/sbin/jk_chrootsh');
						$new_line = implode(':',$parts);
						copy('/etc/passwd','/etc/passwd~');
						chmod('/etc/passwd~',0600);
						$app->uses('system');
						$app->system->replaceLine('/etc/passwd',$line,$new_line,1,0);
					}
				}
340
			}*/
341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358

		$app->system->usermod($this->data['new']['username'], 0, 0, $this->data['new']['dir'].'/.'.$jailkit_chroot_userhome, '/usr/sbin/jk_chrootsh');
		$app->system->usermod($this->data['new']['puser'], 0, 0, $this->data['new']['dir'].'/.'.$jailkit_chroot_userhome, '/usr/sbin/jk_chrootsh');

		$this->app->log("Added jailkit user to chroot with command: ".$command, LOGLEVEL_DEBUG);

		if(!is_dir($this->data['new']['dir'].$jailkit_chroot_userhome)) mkdir(escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_userhome), 0755, true);
		$app->system->chown(escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_userhome), $this->data['new']['username']);
		$app->system->chgrp(escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_userhome), $this->data['new']['pgroup']);

		$this->app->log("Added created jailkit user home in : ".$this->data['new']['dir'].$jailkit_chroot_userhome, LOGLEVEL_DEBUG);

		if(!is_dir($this->data['new']['dir'].$jailkit_chroot_puserhome)) mkdir(escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_puserhome), 0755, true);
		$app->system->chown(escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_puserhome), $this->data['new']['puser']);
		$app->system->chgrp(escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_puserhome), $this->data['new']['pgroup']);

		$this->app->log("Added jailkit parent user home in : ".$this->data['new']['dir'].$jailkit_chroot_puserhome, LOGLEVEL_DEBUG);

359

tbrehm's avatar
tbrehm committed
360
	}
361

362 363
	//* Update the website root directory permissions depending on the security level
	function _update_website_security_level() {
364 365
		global $app, $conf;

366 367 368
		// load the server configuration options
		$app->uses("getconf");
		$web_config = $app->getconf->get_server_config($conf["server_id"], 'web');
369

370 371
		// Get the parent website of this shell user
		$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$this->data['new']['parent_domain_id']);
372

373
		//* If the security level is set to high
374
		if($web_config['security_level'] == 20 && is_array($web)) {
375 376 377 378 379
			$app->system->web_folder_protection($web["document_root"], false);
			$app->system->chmod($web["document_root"], 0755);
			$app->system->chown($web["document_root"], 'root');
			$app->system->chgrp($web["document_root"], 'root');
			$app->system->web_folder_protection($web["document_root"], true);
380
		}
381

382
	}
383

tbrehm's avatar
tbrehm committed
384 385 386
	//* Wrapper for exec function for easier debugging
	private function _exec($command) {
		global $app;
387
		$app->log('exec: '.$command, LOGLEVEL_DEBUG);
tbrehm's avatar
tbrehm committed
388 389
		exec($command);
	}
tbrehm's avatar
tbrehm committed
390

391
	private function _setup_ssh_rsa() {
392
		global $app;
393
		$this->app->log("ssh-rsa setup shelluser_jailkit", LOGLEVEL_DEBUG);
394
		// Get the client ID, username, and the key
395 396
		$domain_data = $this->app->db->queryOneRecord('SELECT sys_groupid FROM web_domain WHERE web_domain.domain_id = '.intval($this->data['new']['parent_domain_id']));
		$sys_group_data = $this->app->db->queryOneRecord('SELECT * FROM sys_group WHERE sys_group.groupid = '.intval($domain_data['sys_groupid']));
397 398
		$id = intval($sys_group_data['client_id']);
		$username= $sys_group_data['name'];
399
		$client_data = $this->app->db->queryOneRecord('SELECT * FROM client WHERE client.client_id = '.$id);
400 401 402
		$userkey = $client_data['ssh_rsa'];
		unset($domain_data);
		unset($client_data);
403

404
		// ssh-rsa authentication variables
405
		$sshrsa = $this->data['new']['ssh_rsa'];
406
		$usrdir = escapeshellcmd($this->data['new']['dir']).'/'.$this->_get_home_dir($this->data['new']['username']);
407 408
		$sshdir = $usrdir.'/.ssh';
		$sshkeys= $usrdir.'/.ssh/authorized_keys';
409

410 411
		$app->uses('file');
		$sshrsa = $app->file->unix_nl($sshrsa);
412 413
		$sshrsa = $app->file->remove_blank_lines($sshrsa, 0);

414
		// If this user has no key yet, generate a pair
415
		if ($userkey == '' && $id > 0){
416 417
			//Generate ssh-rsa-keys
			exec('ssh-keygen -t rsa -C '.$username.'-rsa-key-'.time().' -f /tmp/id_rsa -N ""');
418

419
			// use the public key that has been generated
420
			$userkey = $app->system->file_get_contents('/tmp/id_rsa.pub');
421

422
			// save keypair in client table
423
			$this->app->db->query("UPDATE client SET created_at = ".time().", id_rsa = '".$app->db->quote($app->system->file_get_contents('/tmp/id_rsa'))."', ssh_rsa = '".$app->db->quote($userkey)."' WHERE client_id = ".$id);
424

425 426
			$app->system->unlink('/tmp/id_rsa');
			$app->system->unlink('/tmp/id_rsa.pub');
427
			$this->app->log("ssh-rsa keypair generated for ".$username, LOGLEVEL_DEBUG);
428
		};
429

430
		if (!file_exists($sshkeys)){
431
			// add root's key
432
			$app->file->mkdirs($sshdir, '0755');
433
			if(is_file('/root/.ssh/authorized_keys')) $app->system->file_put_contents($sshkeys, $app->system->file_get_contents('/root/.ssh/authorized_keys'));
434

435
			// Remove duplicate keys
436
			$existing_keys = @file($sshkeys);
437
			$new_keys = explode("\n", $userkey);
438
			$final_keys_arr = @array_merge($existing_keys, $new_keys);
439 440 441 442 443 444 445
			$new_final_keys_arr = array();
			if(is_array($final_keys_arr) && !empty($final_keys_arr)){
				foreach($final_keys_arr as $key => $val){
					$new_final_keys_arr[$key] = trim($val);
				}
			}
			$final_keys = implode("\n", array_flip(array_flip($new_final_keys_arr)));
446

447
			// add the user's key
448 449
			file_put_contents($sshkeys, $final_keys);
			$app->file->remove_blank_lines($sshkeys);
450
			$this->app->log("ssh-rsa authorisation keyfile created in ".$sshkeys, LOGLEVEL_DEBUG);
451
		}
452 453 454
		//* Get the keys
		$existing_keys = file($sshkeys);
		$new_keys = explode("\n", $sshrsa);
455 456
		$old_keys = explode("\n", $this->data['old']['ssh_rsa']);

457 458 459
		//* Remove all old keys
		if(is_array($old_keys)) {
			foreach($old_keys as $key => $val) {
460
				$k = array_search(trim($val), $existing_keys);
461
				unset($existing_keys[$k]);
462
			}
463
		}
464

465 466 467 468 469
		//* merge the remaining keys and the ones fom the ispconfig database.
		if(is_array($new_keys)) {
			$final_keys_arr = array_merge($existing_keys, $new_keys);
		} else {
			$final_keys_arr = $existing_keys;
470
		}
471

472 473 474 475 476 477 478
		$new_final_keys_arr = array();
		if(is_array($final_keys_arr) && !empty($final_keys_arr)){
			foreach($final_keys_arr as $key => $val){
				$new_final_keys_arr[$key] = trim($val);
			}
		}
		$final_keys = implode("\n", array_flip(array_flip($new_final_keys_arr)));
479 480

		// add the custom key
481
		$app->system->file_put_contents($sshkeys, $final_keys);
482
		$app->file->remove_blank_lines($sshkeys);
483 484
		$this->app->log("ssh-rsa key updated in ".$sshkeys, LOGLEVEL_DEBUG);

485
		// set proper file permissions
486 487
		exec("chown -R ".escapeshellcmd($this->data['new']['puser']).":".escapeshellcmd($this->data['new']['pgroup'])." ".$sshdir);
		exec("chmod 700 ".$sshdir);
488
		exec("chmod 600 '$sshkeys'");
489

490
	}
491

tbrehm's avatar
tbrehm committed
492 493
} // end class

494
?>