shelluser_base_plugin.inc.php 13.4 KB
Newer Older
tbrehm's avatar
tbrehm committed
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
<?php

/*
Copyright (c) 2007, Till Brehm, projektfarm Gmbh
All rights reserved.

Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:

    * Redistributions of source code must retain the above copyright notice,
      this list of conditions and the following disclaimer.
    * Redistributions in binary form must reproduce the above copyright notice,
      this list of conditions and the following disclaimer in the documentation
      and/or other materials provided with the distribution.
    * Neither the name of ISPConfig nor the names of its contributors
      may be used to endorse or promote products derived from this software without
      specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/

class shelluser_base_plugin {
32

tbrehm's avatar
tbrehm committed
33 34 35
	var $plugin_name = 'shelluser_base_plugin';
	var $class_name = 'shelluser_base_plugin';
	var $min_uid = 499;
36

tbrehm's avatar
tbrehm committed
37 38 39 40
	//* This function is called during ispconfig installation to determine
	//  if a symlink shall be created for this plugin.
	function onInstall() {
		global $conf;
41

tbrehm's avatar
tbrehm committed
42 43 44 45 46
		if($conf['services']['web'] == true) {
			return true;
		} else {
			return false;
		}
47

tbrehm's avatar
tbrehm committed
48
	}
49 50


tbrehm's avatar
tbrehm committed
51 52 53
	/*
	 	This function is called when the plugin is loaded
	*/
54

tbrehm's avatar
tbrehm committed
55 56
	function onLoad() {
		global $app;
57

tbrehm's avatar
tbrehm committed
58 59 60 61
		/*
		Register for the events
		*/

62 63 64 65 66
		$app->plugins->registerEvent('shell_user_insert', $this->plugin_name, 'insert');
		$app->plugins->registerEvent('shell_user_update', $this->plugin_name, 'update');
		$app->plugins->registerEvent('shell_user_delete', $this->plugin_name, 'delete');


tbrehm's avatar
tbrehm committed
67
	}
68 69 70


	function insert($event_name, $data) {
tbrehm's avatar
tbrehm committed
71
		global $app, $conf;
72

tbrehm's avatar
tbrehm committed
73
		$app->uses('system');
74

75 76
		//* Check if the resulting path is inside the docroot
		$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".intval($data['new']['parent_domain_id']));
77 78 79 80 81 82
		if(substr($data['new']['dir'],0,strlen($web['document_root'])) != $web['document_root']) {
			$app->log('Directory of the shell user is outside of website docroot.',LOGLEVEL_WARN);
			return false;
		}
		if(strpos($data['new']['dir'], '/../') !== false || substr($data['new']['dir'],-3) == '/..') {
			$app->log('Directory of the shell user is not valid.',LOGLEVEL_WARN);
83 84
			return false;
		}
85

tbrehm's avatar
tbrehm committed
86
		if($app->system->is_user($data['new']['puser'])) {
87

88
			//* Remove webfolder protection
89 90
			$app->system->web_folder_protection($web['document_root'], false);

tbrehm's avatar
tbrehm committed
91 92 93 94
			// Get the UID of the parent user
			$uid = intval($app->system->getuid($data['new']['puser']));
			if($uid > $this->min_uid) {
				$command = 'useradd';
tbrehm's avatar
tbrehm committed
95 96 97 98 99 100
				$command .= ' -d '.escapeshellcmd($data['new']['dir']);
				$command .= ' -g '.escapeshellcmd($data['new']['pgroup']);
				$command .= ' -o '; // non unique
				if($data['new']['password'] != '') $command .= ' -p '.escapeshellcmd($data['new']['password']);
				$command .= ' -s '.escapeshellcmd($data['new']['shell']);
				$command .= ' -u '.escapeshellcmd($uid);
tbrehm's avatar
tbrehm committed
101
				$command .= ' '.escapeshellcmd($data['new']['username']);
102

tbrehm's avatar
tbrehm committed
103
				exec($command);
104 105 106
				$app->log("Executed command: ".$command, LOGLEVEL_DEBUG);
				$app->log("Added shelluser: ".$data['new']['username'], LOGLEVEL_DEBUG);

107 108 109 110 111
				// call the ssh-rsa update function
				$app->uses("getconf");
				$this->data = $data;
				$this->app = $app;
				$this->_setup_ssh_rsa();
112

113
				//* Create .bash_history file
114 115 116 117
				$app->system->touch(escapeshellcmd($data['new']['dir']).'/.bash_history');
				$app->system->chmod(escapeshellcmd($data['new']['dir']).'/.bash_history', 0755);
				$app->system->chown(escapeshellcmd($data['new']['dir']).'/.bash_history', $data['new']['username']);
				$app->system->chgrp(escapeshellcmd($data['new']['dir']).'/.bash_history', $data['new']['pgroup']);
118

tbrehm's avatar
tbrehm committed
119 120
				//* Disable shell user temporarily if we use jailkit
				if($data['new']['chroot'] == 'jailkit') {
121
					$command = 'usermod -s /bin/false -L '.escapeshellcmd($data['new']['username']).' 2>/dev/null';
tbrehm's avatar
tbrehm committed
122
					exec($command);
123
					$app->log("Disabling shelluser temporarily: ".$command, LOGLEVEL_DEBUG);
tbrehm's avatar
tbrehm committed
124
				}
125

126
				//* Add webfolder protection again
127 128
				$app->system->web_folder_protection($web['document_root'], true);

tbrehm's avatar
tbrehm committed
129
			} else {
130
				$app->log("UID = $uid for shelluser:".$data['new']['username']." not allowed.", LOGLEVEL_ERROR);
tbrehm's avatar
tbrehm committed
131 132
			}
		} else {
133
			$app->log("Skipping insertion of user:".$data['new']['username'].", parent user ".$data['new']['puser']." does not exist.", LOGLEVEL_WARN);
tbrehm's avatar
tbrehm committed
134 135
		}
	}
136 137

	function update($event_name, $data) {
tbrehm's avatar
tbrehm committed
138
		global $app, $conf;
139

tbrehm's avatar
tbrehm committed
140
		$app->uses('system');
141

142 143
		//* Check if the resulting path is inside the docroot
		$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".intval($data['new']['parent_domain_id']));
144 145 146 147 148 149 150
		if(substr($data['new']['dir'],0,strlen($web['document_root'])) != $web['document_root']) {
			$app->log('Directory of the shell user is outside of website docroot.',LOGLEVEL_WARN);
			return false;
		}
		
		if(strpos($data['new']['dir'], '/../') !== false || substr($data['new']['dir'],-3) == '/..') {
			$app->log('Directory of the shell user is not valid.',LOGLEVEL_WARN);
151 152
			return false;
		}
153

tbrehm's avatar
tbrehm committed
154 155 156 157 158 159
		if($app->system->is_user($data['new']['puser'])) {
			// Get the UID of the parent user
			$uid = intval($app->system->getuid($data['new']['puser']));
			if($uid > $this->min_uid) {
				// Check if the user that we want to update exists, if not, we insert it
				if($app->system->is_user($data['old']['username'])) {
160
					/*
tbrehm's avatar
tbrehm committed
161 162 163 164 165 166 167 168 169
					$command = 'usermod';
					$command .= ' --home '.escapeshellcmd($data['new']['dir']);
					$command .= ' --gid '.escapeshellcmd($data['new']['pgroup']);
					// $command .= ' --non-unique ';
					$command .= ' --password '.escapeshellcmd($data['new']['password']);
					if($data['new']['chroot'] != 'jailkit') $command .= ' --shell '.escapeshellcmd($data['new']['shell']);
					// $command .= ' --uid '.escapeshellcmd($uid);
					$command .= ' --login '.escapeshellcmd($data['new']['username']);
					$command .= ' '.escapeshellcmd($data['old']['username']);
170

tbrehm's avatar
tbrehm committed
171
					exec($command);
tbrehm's avatar
tbrehm committed
172
					$app->log("Executed command: $command ",LOGLEVEL_DEBUG);
173
					*/
174
					//$groupinfo = $app->system->posix_getgrnam($data['new']['pgroup']);
175 176 177 178 179
					if($data['new']['dir'] != $data['old']['dir'] && !is_dir($data['new']['dir'])){
						$app->file->mkdirs(escapeshellcmd($data['new']['dir']), '0700');
						$app->system->chown(escapeshellcmd($data['new']['dir']),escapeshellcmd($data['new']['username']));
						$app->system->chgrp(escapeshellcmd($data['new']['dir']),escapeshellcmd($data['new']['pgroup']));
					}
180 181 182
					$app->system->usermod($data['old']['username'], 0, $app->system->getgid($data['new']['pgroup']), $data['new']['dir'], $data['new']['shell'], $data['new']['password'], $data['new']['username']);
					$app->log("Updated shelluser: ".$data['old']['username'], LOGLEVEL_DEBUG);

183 184 185 186 187
					// call the ssh-rsa update function
					$app->uses("getconf");
					$this->data = $data;
					$this->app = $app;
					$this->_setup_ssh_rsa();
188

189 190
					//* Create .bash_history file
					if(!is_file($data['new']['dir']).'/.bash_history') {
191 192
						$app->system->touch(escapeshellcmd($data['new']['dir']).'/.bash_history');
						$app->system->chmod(escapeshellcmd($data['new']['dir']).'/.bash_history', 0755);
193 194
						$app->system->chown(escapeshellcmd($data['new']['dir']).'/.bash_history', escapeshellcmd($data['new']['username']));
						$app->system->chgrp(escapeshellcmd($data['new']['dir']).'/.bash_history', escapeshellcmd($data['new']['pgroup']));
195
					}
196

tbrehm's avatar
tbrehm committed
197 198
				} else {
					// The user does not exist, so we insert it now
199
					$this->insert($event_name, $data);
tbrehm's avatar
tbrehm committed
200 201
				}
			} else {
202
				$app->log("UID = $uid for shelluser:".$data['new']['username']." not allowed.", LOGLEVEL_ERROR);
tbrehm's avatar
tbrehm committed
203 204
			}
		} else {
205
			$app->log("Skipping update for user:".$data['new']['username'].", parent user ".$data['new']['puser']." does not exist.", LOGLEVEL_WARN);
tbrehm's avatar
tbrehm committed
206 207
		}
	}
208 209

	function delete($event_name, $data) {
tbrehm's avatar
tbrehm committed
210
		global $app, $conf;
211

tbrehm's avatar
tbrehm committed
212
		$app->uses('system');
213

tbrehm's avatar
tbrehm committed
214 215 216 217
		if($app->system->is_user($data['old']['username'])) {
			// Get the UID of the user
			$userid = intval($app->system->getuid($data['old']['username']));
			if($userid > $this->min_uid) {
218 219 220
				// We delete only non jailkit users, jailkit users will be deleted by the jailkit plugin.
				if ($data['old']['chroot'] != "jailkit") {
					$command = 'userdel -f';
221
					$command .= ' '.escapeshellcmd($data['old']['username']).' &> /dev/null';
222
					exec($command);
223
					$app->log("Deleted shelluser: ".$data['old']['username'], LOGLEVEL_DEBUG);
224
				}
225

tbrehm's avatar
tbrehm committed
226
			} else {
227
				$app->log("UID = $userid for shelluser:".$data['old']['username']." not allowed.", LOGLEVEL_ERROR);
tbrehm's avatar
tbrehm committed
228 229
			}
		} else {
230
			$app->log("User:".$data['new']['username']." does not exist in in /etc/passwd, skipping delete.", LOGLEVEL_WARN);
tbrehm's avatar
tbrehm committed
231
		}
232

tbrehm's avatar
tbrehm committed
233
	}
234

235
	private function _setup_ssh_rsa() {
236
		global $app;
237
		$this->app->log("ssh-rsa setup shelluser_base", LOGLEVEL_DEBUG);
238
		// Get the client ID, username, and the key
239 240
		$domain_data = $this->app->db->queryOneRecord('SELECT sys_groupid FROM web_domain WHERE web_domain.domain_id = '.intval($this->data['new']['parent_domain_id']));
		$sys_group_data = $this->app->db->queryOneRecord('SELECT * FROM sys_group WHERE sys_group.groupid = '.intval($domain_data['sys_groupid']));
241 242
		$id = intval($sys_group_data['client_id']);
		$username= $sys_group_data['name'];
243
		$client_data = $this->app->db->queryOneRecord('SELECT * FROM client WHERE client.client_id = '.$id);
244 245 246
		$userkey = $client_data['ssh_rsa'];
		unset($domain_data);
		unset($client_data);
247

248
		// ssh-rsa authentication variables
249 250 251 252 253 254 255 256 257
		//$sshrsa = $this->data['new']['ssh_rsa'];
		$sshrsa = '';
		$ssh_users = $app->db->queryAllRecords("SELECT ssh_rsa FROM shell_user WHERE parent_domain_id = ".intval($this->data['new']['parent_domain_id']));
		if(is_array($ssh_users)) {
			foreach($ssh_users as $sshu) {
				if($sshu['ssh_rsa'] != '') $sshrsa .= "\n".$sshu['ssh_rsa'];
			}
		}
		$sshrsa = trim($sshrsa);
258 259 260
		$usrdir = escapeshellcmd($this->data['new']['dir']);
		$sshdir = $usrdir.'/.ssh';
		$sshkeys= $usrdir.'/.ssh/authorized_keys';
261

262 263
		$app->uses('file');
		$sshrsa = $app->file->unix_nl($sshrsa);
264 265
		$sshrsa = $app->file->remove_blank_lines($sshrsa, 0);

266
		// If this user has no key yet, generate a pair
267
		if ($userkey == '' && $id > 0){
268 269
			//Generate ssh-rsa-keys
			exec('ssh-keygen -t rsa -C '.$username.'-rsa-key-'.time().' -f /tmp/id_rsa -N ""');
270

271
			// use the public key that has been generated
272
			$userkey = $app->system->file_get_contents('/tmp/id_rsa.pub');
273

274
			// save keypair in client table
275
			$this->app->db->query("UPDATE client SET created_at = ".time().", id_rsa = '".$app->db->quote($app->system->file_get_contents('/tmp/id_rsa'))."', ssh_rsa = '".$app->db->quote($userkey)."' WHERE client_id = ".$id);
276

277 278
			$app->system->unlink('/tmp/id_rsa');
			$app->system->unlink('/tmp/id_rsa.pub');
279
			$this->app->log("ssh-rsa keypair generated for ".$username, LOGLEVEL_DEBUG);
280
		};
281 282

		if (!file_exists($sshkeys)){
283
			// add root's key
284
			$app->file->mkdirs($sshdir, '0700');
285
			if(is_file('/root/.ssh/authorized_keys')) $app->system->file_put_contents($sshkeys, $app->system->file_get_contents('/root/.ssh/authorized_keys'));
286

287
			// Remove duplicate keys
288
			$existing_keys = @file($sshkeys);
289
			$new_keys = explode("\n", $userkey);
290
			$final_keys_arr = @array_merge($existing_keys, $new_keys);
291 292 293 294 295 296 297
			$new_final_keys_arr = array();
			if(is_array($final_keys_arr) && !empty($final_keys_arr)){
				foreach($final_keys_arr as $key => $val){
					$new_final_keys_arr[$key] = trim($val);
				}
			}
			$final_keys = implode("\n", array_flip(array_flip($new_final_keys_arr)));
298

299
			// add the user's key
300
			$app->system->file_put_contents($sshkeys, $final_keys);
301
			$app->file->remove_blank_lines($sshkeys);
302
			$this->app->log("ssh-rsa authorisation keyfile created in ".$sshkeys, LOGLEVEL_DEBUG);
303
		}
304

305 306 307
		//* Get the keys
		$existing_keys = file($sshkeys);
		$new_keys = explode("\n", $sshrsa);
308 309
		$old_keys = explode("\n", $this->data['old']['ssh_rsa']);

310 311 312
		//* Remove all old keys
		if(is_array($old_keys)) {
			foreach($old_keys as $key => $val) {
313
				$k = array_search(trim($val), $existing_keys);
314
				unset($existing_keys[$k]);
315
			}
316
		}
317

318 319 320 321 322
		//* merge the remaining keys and the ones fom the ispconfig database.
		if(is_array($new_keys)) {
			$final_keys_arr = array_merge($existing_keys, $new_keys);
		} else {
			$final_keys_arr = $existing_keys;
323
		}
324

325 326 327 328 329 330 331
		$new_final_keys_arr = array();
		if(is_array($final_keys_arr) && !empty($final_keys_arr)){
			foreach($final_keys_arr as $key => $val){
				$new_final_keys_arr[$key] = trim($val);
			}
		}
		$final_keys = implode("\n", array_flip(array_flip($new_final_keys_arr)));
332 333

		// add the custom key
334
		$app->system->file_put_contents($sshkeys, $final_keys);
335
		$app->file->remove_blank_lines($sshkeys);
336 337
		$this->app->log("ssh-rsa key updated in ".$sshkeys, LOGLEVEL_DEBUG);

338
		// set proper file permissions
339
		exec("chown -R ".escapeshellcmd($this->data['new']['puser']).":".escapeshellcmd($this->data['new']['pgroup'])." ".$sshdir);
340
		exec("chmod 600 '$sshkeys'");
341

342
	}
343

tbrehm's avatar
tbrehm committed
344 345 346

} // end class

347
?>