From 22c6022186ecec24eec9e567fa28a8d6db94bad3 Mon Sep 17 00:00:00 2001
From: katagia
Date: Mon, 11 Aug 2003 21:09:17 +0000
Subject: [PATCH] Modified lamdaemon.pl

Don't run ssh as wwwrun anymore. Is was unsecure because apache needed an authorized key to log in without password. ssh-connection is now done as user logged in as admin.
---
 lam/docs/README.lamdaemon.pl | 32 +++++---------------------------
 lam/lib/account.inc | 15 ++++++++++-----
 lam/lib/lamdaemon.pl | 31 ++++++++++++++++++++++++-------
 3 files changed, 39 insertions(+), 39 deletions(-)

diff --git a/lam/docs/README.lamdaemon.pl b/lam/docs/README.lamdaemon.pl
index 3b311fe2..970500f2 100644
--- a/lam/docs/README.lamdaemon.pl
+++ b/lam/docs/README.lamdaemon.pl
@@ -1,4 +1,3 @@
-
 lamdaemon.pl is used to modify quota and homedirs on a remote or local host via ssh. If you want wo use it you have to set up many
@@ -7,39 +6,17 @@ thins to get it work.
 1. Set values in LDAP Account manager
 * Set the remote or local host in the configuration (e.g. 127.0.0.1)
- * Set the remote-path include filename of the script
- (/srv/www/htdocs/lam/lib/lamdaemon.pl)
-
-2. Set up ssh
- We have to connect to the remote host as the user
- your webserver is running. Because we can't enter
- the password for it we have to authenticate without
- entering a password
- * Switch to the user your webserver is running as
- (e.g. su wwwrun)
- * switch to homedir of the webserver user
- (e.g. cd ~)
- * create the ssh-keys, just press enter if you'll asked
- for a password
- (e.g. ssh-keygen -t dsa)
- * Check if the user your webserver is running as does
- also exists on remote-host
- * Copy the content of ~/.ssh/id_dsa.pub from the system
- LDAP Account manager into ~/.ssh/authorized_keys on the
- remote machine
- * Connect to the remote server via ssh $remotehost
- Answer the next question with yes if the remote key is
- valid. You should be asked for a password
+
 3. Set up sudo
 The perlskript has to run as root (very ugly I know but I haven't found any other solution). Therefor we need a wrapper, sudo. Edit /etc/sudoers and add the following line:
- $wwwrun All= NOPASSWD: $path
- $wwwrun is the user your webserer is running and $path
+ $admin All= NOPASSWD: $path
+ $admin is the adminuser from lam and $path
 is the path include the filename of lamdaemon.pl
- e.g. wwwrun All= NOPASSWD: /srv/www/htdocs/lam/lib/lamdaemon.pl
+ e.g. $admin All= NOPASSWD: /srv/www/htdocs/lam/lib/lamdaemon.pl
 4. Set up perl
 We need some external perl-modules, Quota and Net::LDAP
@@ -47,6 +24,7 @@ thins to get it work.
 perl -MCPAN -e shell
 install Quota
 install Net::LDAP
+ install Net:SSH
 Please answer all questions to describe your system Every additional needed module should be installed automaticly
diff --git a/lam/lib/account.inc b/lam/lib/account.inc
index 21540cef..ca86f3cb 100644
--- a/lam/lib/account.inc
+++ b/lam/lib/account.inc
@@ -487,7 +487,8 @@ function getquotas($type,$user='+') { // Whis function will return the quotas fr
 $towrite = $ldap_q[0].' '.$ldap_q[1].' '.$user.' quota get ';
 if ($type=='user') $towrite = $towrite.'u'; else $towrite = $towrite.'g';
- exec("/usr/bin/ssh ".$_SESSION['config']->scriptServer." sudo ".$_SESSION['config']->scriptPath." $towrite", $vals);
+ //exec("/usr/bin/ssh ".$_SESSION['config']->scriptServer." sudo ".$_SESSION['config']->scriptPath." $towrite", $vals);
+ exec("perl ".$_SESSION['config']->scriptPath." $towrite", $vals, $status);
 $vals = explode(':', $vals[0]);
 for ($i=0; $iscriptServer." sudo ".$_SESSION['config']->scriptPath." $towrite", $vals);
+ if ($i!=0) exec($$_SESSION['config']->scriptPath." $towrite", $vals);
+ //if ($i!=0) exec("/usr/bin/ssh ".$_SESSION['config']->scriptServer." sudo ".$_SESSION['config']->scriptPath." $towrite", $vals);
 }
 function remquotas($user, $type) { // Whis function will remove the quotas from the specified user.
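Review bot: The re-added loop line `if ($i!=0) exec($$_SESSION['config']->scriptPath." $towrite", $vals);` has a doubled sigil, so `$$_SESSION[...]` is a variable-variable lookup rather than the session array and the command string no longer starts with the script path; it should read `if ($i!=0) exec($_SESSION['config']->scriptPath." $towrite", $vals);` like the other call sites. The hunk text is garbled by extraction around the `for` loop, so I cannot see where that loop body begins or where the second hunk header sits. Beyond the typo, every new `exec` here and in the remquotas/addhomedir/remhomedir hunk builds the command by interpolating `$towrite`, which carries the decrypted bind DN, its password and the user name; a value containing a space, quote or `;` breaks the command or is interpreted by the shell, so each piece should go through `escapeshellarg()` before being joined (the credentials were already on the command line before this change, so their visibility in the process list is pre-existing, but worth noting in a comment). The first call now receives `$status` as a third argument, yet nothing checks it, so a failing lamdaemon.pl run is indistinguishable from an empty quota list.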
@@ -523,20 +525,23 @@ function remquotas($user, $type) { // Whis function will remove the quotas from
 $towrite = $ldap_q[0].' '.$ldap_q[1].' '.$user.' quota set ';
 if ($type=='user') $towrite = $towrite.'u '; else $towrite = $towrite.'g ';
- exec("/usr/bin/ssh ".$_SESSION['config']->scriptServer." sudo ".$_SESSION['config']->scriptPath." $towrite", $vals);
+ exec($_SESSION['config']->scriptPath." $towrite", $vals);
+ //exec("/usr/bin/ssh ".$_SESSION['config']->scriptServer." sudo ".$_SESSION['config']->scriptPath." $towrite", $vals);
 }
 function addhomedir($user) { // Create Homedirectory
 $ldap_q = $_SESSION['ldap']->decrypt();
 $towrite = $ldap_q[0].' '.$ldap_q[1].' '.$user.' home add';
- exec("/usr/bin/ssh ".$_SESSION['config']->scriptServer." sudo ".$_SESSION['config']->scriptPath." $towrite", $vals);
+ exec($_SESSION['config']->scriptPath." $towrite", $vals);
+ //exec("/usr/bin/ssh ".$_SESSION['config']->scriptServer." sudo ".$_SESSION['config']->scriptPath." $towrite", $vals);
 }
 function remhomedir($user) { // Remove Homedirectory
 $ldap_q = $_SESSION['ldap']->decrypt();
 $towrite = $ldap_q[0].' '.$ldap_q[1].' '.$user.' home rem';
- exec("/usr/bin/ssh ".$_SESSION['config']->scriptServer." sudo ".$_SESSION['config']->scriptPath." $towrite", $vals);
+ exec($_SESSION['config']->scriptPath." $towrite", $vals);
+ //exec("/usr/bin/ssh ".$_SESSION['config']->scriptServer." sudo ".$_SESSION['config']->scriptPath." $towrite", $vals);
 }
diff --git a/lam/lib/lamdaemon.pl b/lam/lib/lamdaemon.pl
index ab3d9ec6..a8221cc0 100755
--- a/lam/lib/lamdaemon.pl
+++ b/lam/lib/lamdaemon.pl
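Review bot: The three new `exec($_SESSION['config']->scriptPath." $towrite", $vals);` calls run lamdaemon.pl directly, so they depend on the file keeping its executable bit and a usable shebang, whereas the getquotas hunk prefixes the same path with `perl `; pick one form, since an executable bit on a file under the web root is easy to lose on deploy. None of the three inspects exec's return value or passes a status variable, so when the remote login inside lamdaemon.pl is rejected the caller sees an empty `$vals` and no error; `exec($_SESSION['config']->scriptPath." $towrite", $vals, $status);` followed by a check of `$status` would surface that. The `//exec("/usr/bin/ssh …` lines duplicate the removed lines as dead code; the old form is in version history and the comments should be dropped.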
@@ -21,16 +21,17 @@
 #
 #
 # LDAP Account Manager daemon to create and delete homedirecotries and quotas
-# Drop root Previleges
-($<, $>) = ($>, $<);
-
 ######################################################
 # Configure-Options
 # change only variables starting from here
 # list of valid admins
 @admins = ('cn=Manager,dc=my-domain,dc=com');
-$server="127.0.0.1"; # IP or DNS of ldap-server
-$server_port='389'; # Port used from ldap
+$server_ldap="127.0.0.1"; # IP or DNS of ldap-server
+$server_ssh="127.0.0.1"; # IP or DNS of host to create homedirs, quota, ....
+$server_ssh_ident = "/var/lib/wwwrun/.ssh/id_dsa";
+$server_ssh_known = "/var/lib/wwwrun/.ssh/knownhosts";
+
+$server_ldap_port='389'; # Port used from ldap
 $server_tls='no'; # Use TLS?
 $server_tls_verify='require'; # none,optional or require a valid server certificated
 $server_tls_clientcert=''; # path to client certificate
@@ -90,14 +91,16 @@ sub get_fs { # Load mountpoints from mtab if enabled quotas
 # ***************** Check values
-#if ($debug == true) { print "Input values: @vals\n"; }
+if ($( == 0 ) {
+# Drop root Previleges
+($<, $>) = ($>, $<);
 foreach my $admin (@admins) { # Check if user is admin
 if ($admin eq $vals[0]) { $found=true; }
 }
 if ($found==true) { # Connect to ldap-server and check if password is valid.
- $ldap = Net::LDAP->new($server, port => $server_port, version => 3) or die ('Can\'t connect to ldapserver.');
+ $ldap = Net::LDAP->new($server_ldap, port => $server_ldap_port, version => 3) or die ('Can\'t connect to ldapserver.');
 if ($server_tls eq 'yes') {
 $mesg = $ldap->start_tls(
 verify => $server_tls_verify,
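Review bot: `$server_ssh_ident` and `$server_ssh_known` are added without a comment and still point into `/var/lib/wwwrun/.ssh/`, although the commit message says the connection is no longer made as wwwrun and the login added in the last hunk passes the admin's password, so a reader cannot tell whether a wwwrun key is needed at all. Add comments along the lines of `# private key offered to $server_ssh before the password; drop the IdentityFile option if password login is all that is needed` and `# must already contain the host key of $server_ssh and be readable by the user running this script`, and state the required owner of both files in README.lamdaemon.pl, whose key-setup section this commit removes. If the intent was to reuse OpenSSH's own file, note that its default name is `known_hosts`, not `knownhosts`. The `($<, $>) = ($>, $<);` swap deleted here reappears inside the new root-only branch in the next hunk.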
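Review bot: `if ($( == 0 ) {` tests the real group ID, not the user ID — in Perl `$(` is the real gid while `$<` and `$>` are the real and effective uid — so the root branch is chosen only because root's primary group happens to be 0 under a plain sudo; write `if ($> == 0) {` (or `$<`). Inside that branch `($<, $>) = ($>, $<);` is a no-op when both ids are already 0, as they are under sudo, so the `# Drop root Previleges` comment no longer describes what happens; if the intent is to drop root after the admin/LDAP check, the target uid has to come from somewhere explicit, and the comment should say which. The admin lookup and LDAP bind that follow are unchanged; the `if ($found==true)` block continues past the end of this hunk.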
@@ -213,3 +216,17 @@ if ($found==true) {
 } else { $return = "Invalid User"; }
 print "$return\n";
+}
+else {
+ use Net::SSH::Perl;
+ @username = split (',', $vals[0]);
+ $username[0] =~ s/uid=//;
+ my $ssh = Net::SSH::Perl->new($server_ssh, options=>[
+ "IdentityFile $server_ssh_ident",
+ "UserKnownHostsFile $server_ssh_known"
+ ]);
+ $ssh->login($username[0], $vals[1]);
+ #$path = "/srv/www/htdocs/lam/lib/lamdaemon.pl";
+ ($stdout, $stderr, $exit) = $ssh->cmd("sudo $0 @ARGV");
+ print "$stdout";
+ }
\ No newline at end of file
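Review bot: `($stdout, $stderr, $exit) = $ssh->cmd("sudo $0 @ARGV");` joins the raw arguments — the admin DN, its password and the user name — into a remote shell command line without quoting, so any value containing a space, quote or `;` breaks the command or is interpreted by the remote shell; quote each argument first, e.g. `my @quoted = map { (my $q = $_) =~ s/'/'\\''/g; "'$q'" } @ARGV;` and `$ssh->cmd("sudo $0 @quoted")`. `$0` is the local script path and is silently assumed to exist at the same path on `$server_ssh`; say so in a comment or use a configured remote path, which the commented-out `$path` line suggests was the plan. `use Net::SSH::Perl;` inside the `else` is still compile-time, so the module is loaded even in the root branch — `require Net::SSH::Perl;` is what the placement implies — and `s/uid=//` should be anchored as `s/^uid=//` so only a leading RDN is stripped; note also that with the default `@admins` entry `cn=Manager,dc=my-domain,dc=com` from the earlier hunk, `$username[0]` becomes `cn=Manager`, which is not a login name. `$stderr` and `$exit` are discarded, so a rejected login or a failing remote sudo prints nothing; at least `print STDERR $stderr;` and exit non-zero when `$exit` is set, so the PHP caller can tell failure from an empty result.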