Modified lamdaemon.pl
Don't run ssh as wwwrun anymore. Is was unsecure because apache needed an authorized key to log in without password. ssh-connection is now done as user logged in as admin.
This commit is contained in:
parent
f3f5a170cd
commit
22c6022186
|
@ -1,4 +1,3 @@
|
|||
|
||||
lamdaemon.pl is used to modify quota and homedirs
|
||||
on a remote or local host via ssh.
|
||||
If you want wo use it you have to set up many
|
||||
|
@ -7,39 +6,17 @@ thins to get it work.
|
|||
1. Set values in LDAP Account manager
|
||||
* Set the remote or local host in the configuration
|
||||
(e.g. 127.0.0.1)
|
||||
* Set the remote-path include filename of the script
|
||||
(/srv/www/htdocs/lam/lib/lamdaemon.pl)
|
||||
|
||||
2. Set up ssh
|
||||
We have to connect to the remote host as the user
|
||||
your webserver is running. Because we can't enter
|
||||
the password for it we have to authenticate without
|
||||
entering a password
|
||||
* Switch to the user your webserver is running as
|
||||
(e.g. su wwwrun)
|
||||
* switch to homedir of the webserver user
|
||||
(e.g. cd ~)
|
||||
* create the ssh-keys, just press enter if you'll asked
|
||||
for a password
|
||||
(e.g. ssh-keygen -t dsa)
|
||||
* Check if the user your webserver is running as does
|
||||
also exists on remote-host
|
||||
* Copy the content of ~/.ssh/id_dsa.pub from the system
|
||||
LDAP Account manager into ~/.ssh/authorized_keys on the
|
||||
remote machine
|
||||
* Connect to the remote server via ssh $remotehost
|
||||
Answer the next question with yes if the remote key is
|
||||
valid. You should be asked for a password
|
||||
|
||||
|
||||
3. Set up sudo
|
||||
The perlskript has to run as root (very ugly I know but
|
||||
I haven't found any other solution). Therefor we need
|
||||
a wrapper, sudo.
|
||||
Edit /etc/sudoers and add the following line:
|
||||
$wwwrun All= NOPASSWD: $path
|
||||
$wwwrun is the user your webserer is running and $path
|
||||
$admin All= NOPASSWD: $path
|
||||
$admin is the adminuser from lam and $path
|
||||
is the path include the filename of lamdaemon.pl
|
||||
e.g. wwwrun All= NOPASSWD: /srv/www/htdocs/lam/lib/lamdaemon.pl
|
||||
e.g. $admin All= NOPASSWD: /srv/www/htdocs/lam/lib/lamdaemon.pl
|
||||
|
||||
4. Set up perl
|
||||
We need some external perl-modules, Quota and Net::LDAP
|
||||
|
@ -47,6 +24,7 @@ thins to get it work.
|
|||
perl -MCPAN -e shell
|
||||
install Quota
|
||||
install Net::LDAP
|
||||
install Net:SSH
|
||||
Please answer all questions to describe your system
|
||||
Every additional needed module should be installed
|
||||
automaticly
|
||||
|
|
|
@ -487,7 +487,8 @@ function getquotas($type,$user='+') { // Whis function will return the quotas fr
|
|||
$towrite = $ldap_q[0].' '.$ldap_q[1].' '.$user.' quota get ';
|
||||
if ($type=='user') $towrite = $towrite.'u';
|
||||
else $towrite = $towrite.'g';
|
||||
exec("/usr/bin/ssh ".$_SESSION['config']->scriptServer." sudo ".$_SESSION['config']->scriptPath." $towrite", $vals);
|
||||
//exec("/usr/bin/ssh ".$_SESSION['config']->scriptServer." sudo ".$_SESSION['config']->scriptPath." $towrite", $vals);
|
||||
exec("perl ".$_SESSION['config']->scriptPath." $towrite", $vals, $status);
|
||||
$vals = explode(':', $vals[0]);
|
||||
for ($i=0; $i<sizeof($vals); $i++) {
|
||||
$vals2 = explode(',', $vals[$i]);
|
||||
|
@ -515,7 +516,8 @@ function setquotas($values,$type,$values_old=false) { // Whis function will set
|
|||
}
|
||||
$i++;
|
||||
}
|
||||
if ($i!=0) exec("/usr/bin/ssh ".$_SESSION['config']->scriptServer." sudo ".$_SESSION['config']->scriptPath." $towrite", $vals);
|
||||
if ($i!=0) exec($$_SESSION['config']->scriptPath." $towrite", $vals);
|
||||
//if ($i!=0) exec("/usr/bin/ssh ".$_SESSION['config']->scriptServer." sudo ".$_SESSION['config']->scriptPath." $towrite", $vals);
|
||||
}
|
||||
|
||||
function remquotas($user, $type) { // Whis function will remove the quotas from the specified user.
|
||||
|
@ -523,20 +525,23 @@ function remquotas($user, $type) { // Whis function will remove the quotas from
|
|||
$towrite = $ldap_q[0].' '.$ldap_q[1].' '.$user.' quota set ';
|
||||
if ($type=='user') $towrite = $towrite.'u ';
|
||||
else $towrite = $towrite.'g ';
|
||||
exec("/usr/bin/ssh ".$_SESSION['config']->scriptServer." sudo ".$_SESSION['config']->scriptPath." $towrite", $vals);
|
||||
exec($_SESSION['config']->scriptPath." $towrite", $vals);
|
||||
//exec("/usr/bin/ssh ".$_SESSION['config']->scriptServer." sudo ".$_SESSION['config']->scriptPath." $towrite", $vals);
|
||||
}
|
||||
|
||||
|
||||
function addhomedir($user) { // Create Homedirectory
|
||||
$ldap_q = $_SESSION['ldap']->decrypt();
|
||||
$towrite = $ldap_q[0].' '.$ldap_q[1].' '.$user.' home add';
|
||||
exec("/usr/bin/ssh ".$_SESSION['config']->scriptServer." sudo ".$_SESSION['config']->scriptPath." $towrite", $vals);
|
||||
exec($_SESSION['config']->scriptPath." $towrite", $vals);
|
||||
//exec("/usr/bin/ssh ".$_SESSION['config']->scriptServer." sudo ".$_SESSION['config']->scriptPath." $towrite", $vals);
|
||||
}
|
||||
|
||||
function remhomedir($user) { // Remove Homedirectory
|
||||
$ldap_q = $_SESSION['ldap']->decrypt();
|
||||
$towrite = $ldap_q[0].' '.$ldap_q[1].' '.$user.' home rem';
|
||||
exec("/usr/bin/ssh ".$_SESSION['config']->scriptServer." sudo ".$_SESSION['config']->scriptPath." $towrite", $vals);
|
||||
exec($_SESSION['config']->scriptPath." $towrite", $vals);
|
||||
//exec("/usr/bin/ssh ".$_SESSION['config']->scriptServer." sudo ".$_SESSION['config']->scriptPath." $towrite", $vals);
|
||||
}
|
||||
|
||||
|
||||
|
|
|
@ -21,16 +21,17 @@
|
|||
#
|
||||
#
|
||||
# LDAP Account Manager daemon to create and delete homedirecotries and quotas
|
||||
# Drop root Previleges
|
||||
($<, $>) = ($>, $<);
|
||||
|
||||
######################################################
|
||||
# Configure-Options
|
||||
# change only variables starting from here
|
||||
# list of valid admins
|
||||
@admins = ('cn=Manager,dc=my-domain,dc=com');
|
||||
$server="127.0.0.1"; # IP or DNS of ldap-server
|
||||
$server_port='389'; # Port used from ldap
|
||||
$server_ldap="127.0.0.1"; # IP or DNS of ldap-server
|
||||
$server_ssh="127.0.0.1"; # IP or DNS of host to create homedirs, quota, ....
|
||||
$server_ssh_ident = "/var/lib/wwwrun/.ssh/id_dsa";
|
||||
$server_ssh_known = "/var/lib/wwwrun/.ssh/knownhosts";
|
||||
|
||||
$server_ldap_port='389'; # Port used from ldap
|
||||
$server_tls='no'; # Use TLS?
|
||||
$server_tls_verify='require'; # none,optional or require a valid server certificated
|
||||
$server_tls_clientcert=''; # path to client certificate
|
||||
|
@ -90,14 +91,16 @@ sub get_fs { # Load mountpoints from mtab if enabled quotas
|
|||
# ***************** Check values
|
||||
|
||||
|
||||
#if ($debug == true) { print "Input values: @vals\n"; }
|
||||
|
||||
if ($( == 0 ) {
|
||||
# Drop root Previleges
|
||||
($<, $>) = ($>, $<);
|
||||
foreach my $admin (@admins) { # Check if user is admin
|
||||
if ($admin eq $vals[0]) { $found=true; }
|
||||
}
|
||||
if ($found==true) {
|
||||
# Connect to ldap-server and check if password is valid.
|
||||
$ldap = Net::LDAP->new($server, port => $server_port, version => 3) or die ('Can\'t connect to ldapserver.');
|
||||
$ldap = Net::LDAP->new($server_ldap, port => $server_ldap_port, version => 3) or die ('Can\'t connect to ldapserver.');
|
||||
if ($server_tls eq 'yes') {
|
||||
$mesg = $ldap->start_tls(
|
||||
verify => $server_tls_verify,
|
||||
|
@ -213,3 +216,17 @@ if ($found==true) {
|
|||
}
|
||||
else { $return = "Invalid User"; }
|
||||
print "$return\n";
|
||||
}
|
||||
else {
|
||||
use Net::SSH::Perl;
|
||||
@username = split (',', $vals[0]);
|
||||
$username[0] =~ s/uid=//;
|
||||
my $ssh = Net::SSH::Perl->new($server_ssh, options=>[
|
||||
"IdentityFile $server_ssh_ident",
|
||||
"UserKnownHostsFile $server_ssh_known"
|
||||
]);
|
||||
$ssh->login($username[0], $vals[1]);
|
||||
#$path = "/srv/www/htdocs/lam/lib/lamdaemon.pl";
|
||||
($stdout, $stderr, $exit) = $ssh->cmd("sudo $0 @ARGV");
|
||||
print "$stdout";
|
||||
}
|
Loading…
Reference in New Issue