Modified lamdaemon.pl

Don't run ssh as wwwrun anymore.
It was insecure because Apache needed
an authorized key to log in without a password.
The ssh connection is now made as the
user who is logged in as admin.
This commit is contained in:
katagia 2003-08-11 21:09:17 +00:00
parent f3f5a170cd
commit 22c6022186
3 changed files with 39 additions and 39 deletions


@ -1,4 +1,3 @@
lamdaemon.pl is used to modify quota and homedirs lamdaemon.pl is used to modify quota and homedirs
on a remote or local host via ssh. on a remote or local host via ssh.
If you want wo use it you have to set up many If you want wo use it you have to set up many
@ -7,39 +6,17 @@ thins to get it work.
1. Set values in LDAP Account manager 1. Set values in LDAP Account manager
* Set the remote or local host in the configuration * Set the remote or local host in the configuration
(e.g. 127.0.0.1) (e.g. 127.0.0.1)
* Set the remote-path include filename of the script
(/srv/www/htdocs/lam/lib/lamdaemon.pl)
2. Set up ssh
We have to connect to the remote host as the user
your webserver is running. Because we can't enter
the password for it we have to authenticate without
entering a password
* Switch to the user your webserver is running as
(e.g. su wwwrun)
* switch to homedir of the webserver user
(e.g. cd ~)
* create the ssh-keys, just press enter if you'll asked
for a password
(e.g. ssh-keygen -t dsa)
* Check if the user your webserver is running as does
also exists on remote-host
* Copy the content of ~/.ssh/id_dsa.pub from the system
LDAP Account manager into ~/.ssh/authorized_keys on the
remote machine
* Connect to the remote server via ssh $remotehost
Answer the next question with yes if the remote key is
valid. You should be asked for a password
3. Set up sudo 3. Set up sudo
The perlskript has to run as root (very ugly I know but The perlskript has to run as root (very ugly I know but
I haven't found any other solution). Therefor we need I haven't found any other solution). Therefor we need
a wrapper, sudo. a wrapper, sudo.
Edit /etc/sudoers and add the following line: Edit /etc/sudoers and add the following line:
$wwwrun All= NOPASSWD: $path $admin All= NOPASSWD: $path
$wwwrun is the user your webserer is running and $path $admin is the adminuser from lam and $path
is the path include the filename of lamdaemon.pl is the path include the filename of lamdaemon.pl
e.g. wwwrun All= NOPASSWD: /srv/www/htdocs/lam/lib/lamdaemon.pl e.g. $admin All= NOPASSWD: /srv/www/htdocs/lam/lib/lamdaemon.pl
4. Set up perl 4. Set up perl
We need some external perl-modules, Quota and Net::LDAP We need some external perl-modules, Quota and Net::LDAP
@ -47,6 +24,7 @@ thins to get it work.
perl -MCPAN -e shell perl -MCPAN -e shell
install Quota install Quota
install Net::LDAP install Net::LDAP
install Net:SSH
Please answer all questions to describe your system Please answer all questions to describe your system
Every additional needed module should be installed Every additional needed module should be installed
automaticly automaticly


@ -487,7 +487,8 @@ function getquotas($type,$user='+') { // Whis function will return the quotas fr
$towrite = $ldap_q[0].' '.$ldap_q[1].' '.$user.' quota get '; $towrite = $ldap_q[0].' '.$ldap_q[1].' '.$user.' quota get ';
if ($type=='user') $towrite = $towrite.'u'; if ($type=='user') $towrite = $towrite.'u';
else $towrite = $towrite.'g'; else $towrite = $towrite.'g';
exec("/usr/bin/ssh ".$_SESSION['config']->scriptServer." sudo ".$_SESSION['config']->scriptPath." $towrite", $vals); //exec("/usr/bin/ssh ".$_SESSION['config']->scriptServer." sudo ".$_SESSION['config']->scriptPath." $towrite", $vals);
exec("perl ".$_SESSION['config']->scriptPath." $towrite", $vals, $status);
$vals = explode(':', $vals[0]); $vals = explode(':', $vals[0]);
for ($i=0; $i<sizeof($vals); $i++) { for ($i=0; $i<sizeof($vals); $i++) {
$vals2 = explode(',', $vals[$i]); $vals2 = explode(',', $vals[$i]);
@ -515,7 +516,8 @@ function setquotas($values,$type,$values_old=false) { // Whis function will set
} }
$i++; $i++;
} }
if ($i!=0) exec("/usr/bin/ssh ".$_SESSION['config']->scriptServer." sudo ".$_SESSION['config']->scriptPath." $towrite", $vals); if ($i!=0) exec($$_SESSION['config']->scriptPath." $towrite", $vals);
//if ($i!=0) exec("/usr/bin/ssh ".$_SESSION['config']->scriptServer." sudo ".$_SESSION['config']->scriptPath." $towrite", $vals);
} }
function remquotas($user, $type) { // Whis function will remove the quotas from the specified user. function remquotas($user, $type) { // Whis function will remove the quotas from the specified user.
@ -523,20 +525,23 @@ function remquotas($user, $type) { // Whis function will remove the quotas from
$towrite = $ldap_q[0].' '.$ldap_q[1].' '.$user.' quota set '; $towrite = $ldap_q[0].' '.$ldap_q[1].' '.$user.' quota set ';
if ($type=='user') $towrite = $towrite.'u '; if ($type=='user') $towrite = $towrite.'u ';
else $towrite = $towrite.'g '; else $towrite = $towrite.'g ';
exec("/usr/bin/ssh ".$_SESSION['config']->scriptServer." sudo ".$_SESSION['config']->scriptPath." $towrite", $vals); exec($_SESSION['config']->scriptPath." $towrite", $vals);
//exec("/usr/bin/ssh ".$_SESSION['config']->scriptServer." sudo ".$_SESSION['config']->scriptPath." $towrite", $vals);
} }
function addhomedir($user) { // Create Homedirectory function addhomedir($user) { // Create Homedirectory
$ldap_q = $_SESSION['ldap']->decrypt(); $ldap_q = $_SESSION['ldap']->decrypt();
$towrite = $ldap_q[0].' '.$ldap_q[1].' '.$user.' home add'; $towrite = $ldap_q[0].' '.$ldap_q[1].' '.$user.' home add';
exec("/usr/bin/ssh ".$_SESSION['config']->scriptServer." sudo ".$_SESSION['config']->scriptPath." $towrite", $vals); exec($_SESSION['config']->scriptPath." $towrite", $vals);
//exec("/usr/bin/ssh ".$_SESSION['config']->scriptServer." sudo ".$_SESSION['config']->scriptPath." $towrite", $vals);
} }
function remhomedir($user) { // Remove Homedirectory function remhomedir($user) { // Remove Homedirectory
$ldap_q = $_SESSION['ldap']->decrypt(); $ldap_q = $_SESSION['ldap']->decrypt();
$towrite = $ldap_q[0].' '.$ldap_q[1].' '.$user.' home rem'; $towrite = $ldap_q[0].' '.$ldap_q[1].' '.$user.' home rem';
exec("/usr/bin/ssh ".$_SESSION['config']->scriptServer." sudo ".$_SESSION['config']->scriptPath." $towrite", $vals); exec($_SESSION['config']->scriptPath." $towrite", $vals);
//exec("/usr/bin/ssh ".$_SESSION['config']->scriptServer." sudo ".$_SESSION['config']->scriptPath." $towrite", $vals);
} }
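Review bot: The new exec() call in setquotas, `exec($$_SESSION['config']->scriptPath." $towrite", $vals)`, has a doubled sigil — `$$_SESSION` makes PHP dereference a variable variable instead of reading the config object, so the command string is wrong; it should read `if ($i!=0) exec($_SESSION['config']->scriptPath." $towrite", $vals);` like the other call sites (getquotas additionally prefixes `perl `, which the rest do not — pick one form). Independent of the typo, `$towrite` is assembled from the admin DN, the decrypted password (`$ldap_q[1]`) and `$user` and is interpolated into a shell command unescaped, so a user name containing shell metacharacters runs as the web-server user and, if lamdaemon.pl relays it through sudo as the README describes, as root; wrap each piece where `$towrite` is built, e.g. `$towrite = escapeshellarg($ldap_q[0]).' '.escapeshellarg($ldap_q[1]).' '.escapeshellarg($user).' quota set ';`. Passing the password as an argv element also exposes it to anyone who can read the process table on that host; handing it to the script on stdin would avoid that. The assembly of `$towrite` and the start of setquotas lie outside this hunk.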


@ -21,16 +21,17 @@
# #
# #
# LDAP Account Manager daemon to create and delete homedirecotries and quotas # LDAP Account Manager daemon to create and delete homedirecotries and quotas
# Drop root Previleges
($<, $>) = ($>, $<);
###################################################### ######################################################
# Configure-Options # Configure-Options
# change only variables starting from here # change only variables starting from here
# list of valid admins # list of valid admins
@admins = ('cn=Manager,dc=my-domain,dc=com'); @admins = ('cn=Manager,dc=my-domain,dc=com');
$server="127.0.0.1"; # IP or DNS of ldap-server $server_ldap="127.0.0.1"; # IP or DNS of ldap-server
$server_port='389'; # Port used from ldap $server_ssh="127.0.0.1"; # IP or DNS of host to create homedirs, quota, ....
$server_ssh_ident = "/var/lib/wwwrun/.ssh/id_dsa";
$server_ssh_known = "/var/lib/wwwrun/.ssh/knownhosts";
$server_ldap_port='389'; # Port used from ldap
$server_tls='no'; # Use TLS? $server_tls='no'; # Use TLS?
$server_tls_verify='require'; # none,optional or require a valid server certificated $server_tls_verify='require'; # none,optional or require a valid server certificated
$server_tls_clientcert=''; # path to client certificate $server_tls_clientcert=''; # path to client certificate
@ -90,14 +91,16 @@ sub get_fs { # Load mountpoints from mtab if enabled quotas
# ***************** Check values # ***************** Check values
#if ($debug == true) { print "Input values: @vals\n"; }
if ($( == 0 ) {
# Drop root Previleges
($<, $>) = ($>, $<);
foreach my $admin (@admins) { # Check if user is admin foreach my $admin (@admins) { # Check if user is admin
if ($admin eq $vals[0]) { $found=true; } if ($admin eq $vals[0]) { $found=true; }
} }
if ($found==true) { if ($found==true) {
# Connect to ldap-server and check if password is valid. # Connect to ldap-server and check if password is valid.
$ldap = Net::LDAP->new($server, port => $server_port, version => 3) or die ('Can\'t connect to ldapserver.'); $ldap = Net::LDAP->new($server_ldap, port => $server_ldap_port, version => 3) or die ('Can\'t connect to ldapserver.');
if ($server_tls eq 'yes') { if ($server_tls eq 'yes') {
$mesg = $ldap->start_tls( $mesg = $ldap->start_tls(
verify => $server_tls_verify, verify => $server_tls_verify,
@ -213,3 +216,17 @@ if ($found==true) {
} }
else { $return = "Invalid User"; } else { $return = "Invalid User"; }
print "$return\n"; print "$return\n";
}
else {
use Net::SSH::Perl;
@username = split (',', $vals[0]);
$username[0] =~ s/uid=//;
my $ssh = Net::SSH::Perl->new($server_ssh, options=>[
"IdentityFile $server_ssh_ident",
"UserKnownHostsFile $server_ssh_known"
]);
$ssh->login($username[0], $vals[1]);
#$path = "/srv/www/htdocs/lam/lib/lamdaemon.pl";
($stdout, $stderr, $exit) = $ssh->cmd("sudo $0 @ARGV");
print "$stdout";
}
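Review bot: The remote command on the new side, `$ssh->cmd("sudo $0 @ARGV")`, interpolates the script's own arguments into a shell line that the remote host runs through sudo, so any argument containing shell metacharacters — the user name or the password in `$vals[1]` — is executed as root there; quote each word before joining, e.g. `my @argv_q = map { (my $a = $_) =~ s/'/'\\''/g; "'$a'" } ($0, @ARGV);` and `my ($stdout, $stderr, $exit) = $ssh->cmd("sudo @argv_q");`. Neither the return of `$ssh->login(...)` nor `$exit`/`$stderr` is checked, so a failed login or a failing remote run prints an empty `$stdout` and looks like success to the caller. The branch is selected on `$(` (the real GID) being zero, which is a weaker test than the real UID `$<`; presumably the intent is "already running under sudo", so `$< == 0` would express that. The line `$username[0] =~ s/uid=//` only strips a `uid=` RDN, while the default `@admins` entry is `cn=Manager,...`, so for that admin the ssh login name would become `cn=Manager` — worth a comment or a check. The `if` this `else` belongs to opens in the previous hunk.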