From 6a31925d00c3530a940f6a52cf9f492d636234bc Mon Sep 17 00:00:00 2001 From: Roland Gruber Date: Fri, 14 May 2010 10:14:19 +0000 Subject: [PATCH] specify lamdaemon commands on command line --- lam/HISTORY | 1 + lam/docs/manual-sources/howto.xml | 5 +-- lam/lib/lamdaemon.inc | 4 +-- lam/lib/lamdaemon.pl | 50 ++++++++++++--------------- lam/templates/tests/lamdaemonTest.php | 13 ++++--- 5 files changed, 34 insertions(+), 39 deletions(-) diff --git a/lam/HISTORY b/lam/HISTORY index 70ad9d30..0a378a88 100644 --- a/lam/HISTORY +++ b/lam/HISTORY @@ -2,6 +2,7 @@ June 2010 3.1.0 - Asterisk voicemail support - new hosts module for user accounts to define valid login workstations (replaces inetOrgPerson schema hack) (2951116) - PDF editor: descriptive fields + - lamdaemon: sudo entry needs to be changed to ".../lamdaemon.pl *" - LAM Pro -> custom scripts: new options to hide executed commands and define if output is HTML or plain text - fixed bugs: diff --git a/lam/docs/manual-sources/howto.xml b/lam/docs/manual-sources/howto.xml index c9190917..99d4ea3a 100644 --- a/lam/docs/manual-sources/howto.xml +++ b/lam/docs/manual-sources/howto.xml @@ -2941,7 +2941,7 @@ Have fun! sudo. Edit /etc/sudoers on host where homedirs or quotas should be used and add the following line: - $admin All= NOPASSWD: $path_to_lamdaemon + $admin All= NOPASSWD: $path_to_lamdaemon * $admin is the admin user from LAM (must be a valid Unix account) and @@ -2950,7 +2950,8 @@ Have fun! Example: - myAdmin ALL= NOPASSWD: /srv/www/htdocs/lam/lib/lamdaemon.pl + myAdmin ALL= NOPASSWD: /srv/www/htdocs/lam/lib/lamdaemon.pl + * You might need to run the sudo command once manually to init sudo. The command "sudo -l" will show all possible sudo commands of the diff --git a/lam/lib/lamdaemon.inc b/lam/lib/lamdaemon.inc index f16af894..af5efc5a 100644 --- a/lam/lib/lamdaemon.inc +++ b/lam/lib/lamdaemon.inc 
@@ -43,7 +43,6 @@ function lamdaemon($command, $server) { if (!function_exists('ssh2_connect')) { return array('ERROR,' . _('This module requires the PHP ssh2 extension.')); } - $command = $command . "\n"; // get username and password of the current lam-admin $credentials = $_SESSION['ldap']->decrypt_login(); $serverNameParts = explode(",", $server); @@ -66,8 +65,7 @@ function lamdaemon($command, $server) { } $userName = $entry[0]['uid'][0]; if (@ssh2_auth_password($handle, $userName, $credentials[1])) { - $shell = ssh2_exec($handle, "sudo " . $_SESSION['config']->get_scriptPath()); - fwrite($shell, $command); + $shell = ssh2_exec($handle, "sudo " . $_SESSION['config']->get_scriptPath() . ' ' . escapeshellarg($command)); $return = array(); $time = time() + 30; while (sizeof($return) < 1) { diff --git a/lam/lib/lamdaemon.pl b/lam/lib/lamdaemon.pl index 9f7fd7b1..a5c1b6a2 100755 --- a/lam/lib/lamdaemon.pl +++ b/lam/lib/lamdaemon.pl 
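Review bot: In the second hunk the new `ssh2_exec` call escapes `$command` but still concatenates `$_SESSION['config']->get_scriptPath()` into the shell string unquoted, so a configured path containing spaces or shell metacharacters would be interpreted by the remote shell before sudo runs. Quoting the path as well keeps the whole line as data: `$shell = ssh2_exec($handle, "sudo " . escapeshellarg($_SESSION['config']->get_scriptPath()) . ' ' . escapeshellarg($command));`. Passing the command as an argument rather than on stdin also exposes it in the remote process list and in sudo's log, which deserves a comment here if a command can ever carry sensitive values. The same call is added to `lamTestLamdaemon` in lam/templates/tests/lamdaemonTest.php. The body of `lamdaemon()` starts and ends outside this hunk.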
@@ -105,34 +105,30 @@ if ($< != 0 ) { # Drop root privileges ($<, $>) = ($>, $<); -# loop for every transmitted user -while (1) { - my $input = ; - chop($input); - $return = ""; - @vals = split ($SPLIT_DELIMITER, $input); - # Get user information - if (($vals[3] eq 'user') || ($vals[1] eq 'home')) { @user = getpwnam($vals[0]); } - else { @user = getgrnam($vals[0]); } - if ($vals[1] eq '') { - # empty line, nothing to do - } - elsif (($vals[1] eq 'test')) { - # run tests - runTest(); - } - elsif ($vals[1] eq 'home') { - manageHomedirs(); - } - elsif ($vals[1] eq 'quota') { - manageQuotas(); - } - else { - $return = "ERROR,Lamdaemon ($hostname),Unknown command $vals[1]."; - logMessage(LOG_ERR, "Unknown command $vals[1]."); - } - print "$return\n"; +my $input = $ARGV[0]; +$return = ""; +@vals = split ($SPLIT_DELIMITER, $input); +# Get user information +if (($vals[3] eq 'user') || ($vals[1] eq 'home')) { @user = getpwnam($vals[0]); } +else { @user = getgrnam($vals[0]); } +if ($vals[1] eq '') { + # empty line, nothing to do } +elsif (($vals[1] eq 'test')) { + # run tests + runTest(); +} +elsif ($vals[1] eq 'home') { + manageHomedirs(); +} +elsif ($vals[1] eq 'quota') { + manageQuotas(); +} +else { + $return = "ERROR,Lamdaemon ($hostname),Unknown command $vals[1]."; + logMessage(LOG_ERR, "Unknown command $vals[1]."); +} +print "$return\n"; # # Runs tests to check the environment diff --git a/lam/templates/tests/lamdaemonTest.php b/lam/templates/tests/lamdaemonTest.php index f1deff6c..02ae0d5d 100644 --- a/lam/templates/tests/lamdaemonTest.php +++ b/lam/templates/tests/lamdaemonTest.php 
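Review bot: `my $input = $ARGV[0];` is used without checking that exactly one argument was supplied, and with the sudoers entry now documented as `lamdaemon.pl *`, any argument list the admin account passes reaches this code under sudo. A missing argument leaves `$input` undefined and ends in the `$vals[1] eq ''` branch, which prints an empty line instead of an error, while extra arguments are silently ignored. I would reject both cases before the `split`: `if (@ARGV != 1) { print "ERROR,Lamdaemon ($hostname),Invalid number of arguments.\n"; exit 1; }`. The comment `# empty line, nothing to do` no longer describes the input source and should be reworded to say "empty command". `manageHomedirs()` and `manageQuotas()` are defined outside the hunk, so whether they validate the individual fields of `@vals` cannot be seen from here.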
@@ -128,7 +128,7 @@ function lamTestLamdaemon($command, $stopTest, $handle, $testText) { echo "\n" . $testText . "  \n"; flush(); $lamdaemonOk = false; - $shell = ssh2_exec($handle, "sudo " . $_SESSION['config']->get_scriptPath()); + $shell = ssh2_exec($handle, "sudo " . $_SESSION['config']->get_scriptPath() . ' ' . escapeshellarg($command)); if (!$shell) { echo "" . $failImage . "  \n"; echo "\n"; @@ -137,9 +137,8 @@ function lamTestLamdaemon($command, $stopTest, $handle, $testText) { return true; } $stderr = ssh2_fetch_stream($shell, SSH2_STREAM_STDERR); - fwrite($shell, $command); $return = array(); - $time = time() + 20; + $time = time() + 30; while (sizeof($return) < 1) { if ($time < time()) { $lamdaemonOk = false; 
@@ -291,17 +290,17 @@ function lamRunLamdaemonTestSuite($serverName, $serverTitle, $testQuota) { flush(); - $stopTest = lamTestLamdaemon("+" . $SPLIT_DELIMITER . "test" . $SPLIT_DELIMITER . "basic\n", $stopTest, $handle, _("Execute lamdaemon")); + $stopTest = lamTestLamdaemon("+" . $SPLIT_DELIMITER . "test" . $SPLIT_DELIMITER . "basic", $stopTest, $handle, _("Execute lamdaemon")); $handle = lamTestConnectSSH($serverName); @ssh2_auth_password($handle, $userName, $credentials[1]); - $stopTest = lamTestLamdaemon("+" . $SPLIT_DELIMITER . "test" . $SPLIT_DELIMITER . "nss" . $SPLIT_DELIMITER . "$userName\n", $stopTest, $handle, _("Lamdaemon: check NSS LDAP")); + $stopTest = lamTestLamdaemon("+" . $SPLIT_DELIMITER . "test" . $SPLIT_DELIMITER . "nss" . $SPLIT_DELIMITER . "$userName", $stopTest, $handle, _("Lamdaemon: check NSS LDAP")); if ($testQuota) { $handle = lamTestConnectSSH($serverName); @ssh2_auth_password($handle, $userName, $credentials[1]); - $stopTest = lamTestLamdaemon("+" . $SPLIT_DELIMITER . "test" . $SPLIT_DELIMITER . "quota\n", $stopTest, $handle, _("Lamdaemon: Quota module installed")); + $stopTest = lamTestLamdaemon("+" . $SPLIT_DELIMITER . "test" . $SPLIT_DELIMITER . "quota", $stopTest, $handle, _("Lamdaemon: Quota module installed")); $handle = lamTestConnectSSH($serverName); @ssh2_auth_password($handle, $userName, $credentials[1]); - $stopTest = lamTestLamdaemon("+" . $SPLIT_DELIMITER . "quota" . $SPLIT_DELIMITER . "get" . $SPLIT_DELIMITER . "user\n", $stopTest, $handle, _("Lamdaemon: read quotas")); + $stopTest = lamTestLamdaemon("+" . $SPLIT_DELIMITER . "quota" . $SPLIT_DELIMITER . "get" . $SPLIT_DELIMITER . "user", $stopTest, $handle, _("Lamdaemon: read quotas")); } echo "
\n";