Modified lamdaemon.pl

Don't run ssh as wwwrun anymore.
It was insecure because apache needed
an authorized key to log in without a password.
The ssh connection is now made as
the user logged in as admin.
katagia 2003-08-11 21:09:17 +00:00
parent f3f5a170cd
commit 22c6022186
3 changed files with 39 additions and 39 deletions


@ -1,4 +1,3 @@
lamdaemon.pl is used to modify quota and homedirs
on a remote or local host via ssh.
If you want wo use it you have to set up many
@ -7,39 +6,17 @@ thins to get it work.
1. Set values in LDAP Account manager
* Set the remote or local host in the configuration
(e.g. 127.0.0.1)
* Set the remote-path include filename of the script
(/srv/www/htdocs/lam/lib/lamdaemon.pl)
2. Set up ssh
We have to connect to the remote host as the user
your webserver is running. Because we can't enter
the password for it we have to authenticate without
entering a password
* Switch to the user your webserver is running as
(e.g. su wwwrun)
* switch to homedir of the webserver user
(e.g. cd ~)
* create the ssh-keys, just press enter if you'll asked
for a password
(e.g. ssh-keygen -t dsa)
* Check if the user your webserver is running as does
also exists on remote-host
* Copy the content of ~/.ssh/id_dsa.pub from the system
LDAP Account manager into ~/.ssh/authorized_keys on the
remote machine
* Connect to the remote server via ssh $remotehost
Answer the next question with yes if the remote key is
valid. You should be asked for a password
3. Set up sudo
The perlskript has to run as root (very ugly I know but
I haven't found any other solution). Therefor we need
a wrapper, sudo.
Edit /etc/sudoers and add the following line:
$wwwrun All= NOPASSWD: $path
$wwwrun is the user your webserer is running and $path
$admin All= NOPASSWD: $path
$admin is the adminuser from lam and $path
is the path include the filename of lamdaemon.pl
e.g. wwwrun All= NOPASSWD: /srv/www/htdocs/lam/lib/lamdaemon.pl
e.g. $admin All= NOPASSWD: /srv/www/htdocs/lam/lib/lamdaemon.pl
4. Set up perl
We need some external perl-modules, Quota and Net::LDAP
@ -47,6 +24,7 @@ thins to get it work.
perl -MCPAN -e shell
install Quota
install Net::LDAP
install Net:SSH
Please answer all questions to describe your system
Every additional needed module should be installed
automaticly


@ -487,7 +487,8 @@ function getquotas($type,$user='+') { // Whis function will return the quotas fr
$towrite = $ldap_q[0].' '.$ldap_q[1].' '.$user.' quota get ';
if ($type=='user') $towrite = $towrite.'u';
else $towrite = $towrite.'g';
exec("/usr/bin/ssh ".$_SESSION['config']->scriptServer." sudo ".$_SESSION['config']->scriptPath." $towrite", $vals);
//exec("/usr/bin/ssh ".$_SESSION['config']->scriptServer." sudo ".$_SESSION['config']->scriptPath." $towrite", $vals);
exec("perl ".$_SESSION['config']->scriptPath." $towrite", $vals, $status);
$vals = explode(':', $vals[0]);
for ($i=0; $i<sizeof($vals); $i++) {
$vals2 = explode(',', $vals[$i]);
@ -515,7 +516,8 @@ function setquotas($values,$type,$values_old=false) { // Whis function will set
}
$i++;
}
if ($i!=0) exec("/usr/bin/ssh ".$_SESSION['config']->scriptServer." sudo ".$_SESSION['config']->scriptPath." $towrite", $vals);
if ($i!=0) exec($$_SESSION['config']->scriptPath." $towrite", $vals);
//if ($i!=0) exec("/usr/bin/ssh ".$_SESSION['config']->scriptServer." sudo ".$_SESSION['config']->scriptPath." $towrite", $vals);
}
function remquotas($user, $type) { // Whis function will remove the quotas from the specified user.
@ -523,20 +525,23 @@ function remquotas($user, $type) { // Whis function will remove the quotas from
$towrite = $ldap_q[0].' '.$ldap_q[1].' '.$user.' quota set ';
if ($type=='user') $towrite = $towrite.'u ';
else $towrite = $towrite.'g ';
exec("/usr/bin/ssh ".$_SESSION['config']->scriptServer." sudo ".$_SESSION['config']->scriptPath." $towrite", $vals);
exec($_SESSION['config']->scriptPath." $towrite", $vals);
//exec("/usr/bin/ssh ".$_SESSION['config']->scriptServer." sudo ".$_SESSION['config']->scriptPath." $towrite", $vals);
}
function addhomedir($user) { // Create Homedirectory
$ldap_q = $_SESSION['ldap']->decrypt();
$towrite = $ldap_q[0].' '.$ldap_q[1].' '.$user.' home add';
exec("/usr/bin/ssh ".$_SESSION['config']->scriptServer." sudo ".$_SESSION['config']->scriptPath." $towrite", $vals);
exec($_SESSION['config']->scriptPath." $towrite", $vals);
//exec("/usr/bin/ssh ".$_SESSION['config']->scriptServer." sudo ".$_SESSION['config']->scriptPath." $towrite", $vals);
}
function remhomedir($user) { // Remove Homedirectory
$ldap_q = $_SESSION['ldap']->decrypt();
$towrite = $ldap_q[0].' '.$ldap_q[1].' '.$user.' home rem';
exec("/usr/bin/ssh ".$_SESSION['config']->scriptServer." sudo ".$_SESSION['config']->scriptPath." $towrite", $vals);
exec($_SESSION['config']->scriptPath." $towrite", $vals);
//exec("/usr/bin/ssh ".$_SESSION['config']->scriptServer." sudo ".$_SESSION['config']->scriptPath." $towrite", $vals);
}
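Review bot: `exec($$_SESSION['config']->scriptPath." $towrite", $vals);` in the setquotas hunk has a doubled sigil — `$$_SESSION` is a variable-variable, so this line will not run the script; it should read `exec($_SESSION['config']->scriptPath." $towrite", $vals);` like the remquotas, addhomedir and remhomedir lines. The new getquotas line alone prefixes the path with `perl `, while the others execute scriptPath directly; pick one form, since the direct form depends on the script being executable. In every hunk the LDAP bind DN, the bind password and `$user` are interpolated into the shell string without escaping, and the password becomes visible in the local process list; at minimum wrap each piece with `escapeshellarg()`, e.g. `$towrite = escapeshellarg($ldap_q[0]).' '.escapeshellarg($ldap_q[1]).' '.escapeshellarg($user).' quota get ';`. The exec calls also discard `$status`, so a failed script returns silently. getquotas, setquotas and remquotas begin outside their hunks.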


@ -21,16 +21,17 @@
#
#
# LDAP Account Manager daemon to create and delete homedirecotries and quotas
# Drop root Previleges
($<, $>) = ($>, $<);
######################################################
# Configure-Options
# change only variables starting from here
# list of valid admins
@admins = ('cn=Manager,dc=my-domain,dc=com');
$server="127.0.0.1"; # IP or DNS of ldap-server
$server_port='389'; # Port used from ldap
$server_ldap="127.0.0.1"; # IP or DNS of ldap-server
$server_ssh="127.0.0.1"; # IP or DNS of host to create homedirs, quota, ....
$server_ssh_ident = "/var/lib/wwwrun/.ssh/id_dsa";
$server_ssh_known = "/var/lib/wwwrun/.ssh/knownhosts";
$server_ldap_port='389'; # Port used from ldap
$server_tls='no'; # Use TLS?
$server_tls_verify='require'; # none,optional or require a valid server certificated
$server_tls_clientcert=''; # path to client certificate
@ -90,14 +91,16 @@ sub get_fs { # Load mountpoints from mtab if enabled quotas
# ***************** Check values
#if ($debug == true) { print "Input values: @vals\n"; }
if ($( == 0 ) {
# Drop root Previleges
($<, $>) = ($>, $<);
foreach my $admin (@admins) { # Check if user is admin
if ($admin eq $vals[0]) { $found=true; }
}
if ($found==true) {
# Connect to ldap-server and check if password is valid.
$ldap = Net::LDAP->new($server, port => $server_port, version => 3) or die ('Can\'t connect to ldapserver.');
$ldap = Net::LDAP->new($server_ldap, port => $server_ldap_port, version => 3) or die ('Can\'t connect to ldapserver.');
if ($server_tls eq 'yes') {
$mesg = $ldap->start_tls(
verify => $server_tls_verify,
@ -213,3 +216,17 @@ if ($found==true) {
}
else { $return = "Invalid User"; }
print "$return\n";
}
else {
use Net::SSH::Perl;
@username = split (',', $vals[0]);
$username[0] =~ s/uid=//;
my $ssh = Net::SSH::Perl->new($server_ssh, options=>[
"IdentityFile $server_ssh_ident",
"UserKnownHostsFile $server_ssh_known"
]);
$ssh->login($username[0], $vals[1]);
#$path = "/srv/www/htdocs/lam/lib/lamdaemon.pl";
($stdout, $stderr, $exit) = $ssh->cmd("sudo $0 @ARGV");
print "$stdout";
}
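Review bot: In the new non-root branch, `$ssh->cmd("sudo $0 @ARGV")` interpolates the full argument list — including the LDAP password in `$vals[1]` — unquoted into a remote shell command line, so it is visible in the remote process list and in sudo's command logging; passing the password on the remote process's stdin instead of argv, and quoting the remaining arguments, would avoid that. The result of `login` and the captured `$exit`/`$stderr` are never checked, so an authentication or remote failure just prints an empty `$stdout`; add `die "remote lamdaemon failed ($exit): $stderr" if $exit;` after the cmd call. The moved privilege-drop `($<, $>) = ($>, $<);` under `if ($( == 0)` swaps real and effective uid, but when the script is started through sudo as the README describes both are already 0, so the swap appears to drop nothing — this should be confirmed. `$username[0] =~ s/uid=//` also assumes the first RDN of the login DN is `uid=`, which the sample admin `cn=Manager,...` in @admins would not satisfy. The `use Net::SSH::Perl;` inside the else block is compile-time regardless of the branch taken and belongs with the other module loads at the top of the file, which lie outside the hunk.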