diff --git a/lam/HISTORY b/lam/HISTORY
index e2639806..0bfbf687 100644
--- a/lam/HISTORY
+++ b/lam/HISTORY
@@ -3,6 +3,7 @@ October 2009 2.8.0
 - compatibility with PHP 5.3
 - one central button to change passwords on account pages
 - removed support for Samba 2 accounts
+ - removed lamdaemonOld script
 05.08.2009 2.7.0
diff --git a/lam/docs/README.lamdaemon.txt b/lam/docs/README.lamdaemon.txt
index 2cc806a9..09a43af4 100644
--- a/lam/docs/README.lamdaemon.txt
+++ b/lam/docs/README.lamdaemon.txt
@@ -1,14 +1,8 @@
+
 This document describes the installation of lamdaemon which is responsible for managing quotas and creating home directories.
-Attention! The old version of lamdaemon is no longer supported. However,
-if you do not install libssh2 then LAM will fall back to the old mechanismn.
-If you want to stay with the old lamdaemon then change your /etc/sudoers entries
-to point to lamdaemonOld.pl.
-Do NOT mix lamdaemon and lamdaemonOld.pl!
-
-
 Setting up lamdaemon:
 =====================
diff --git a/lam/docs/README.lamdaemonOld.txt b/lam/docs/README.lamdaemonOld.txt
deleted file mode 100644
index 77c2da19..00000000
--- a/lam/docs/README.lamdaemonOld.txt
+++ /dev/null
@@ -1,139 +0,0 @@ - -ATTENTION! This version of lamdaemon is no longer supported, please use the new lamdaemon instead! - - - Setting up lamdaemon: - - - LamdaemonOld.pl is used to modify quota and home directories on a remote or local host via ssh. - If you want wo use it you have to set up some things to get it to work: - - -1. Setup values in LDAP Account Manager - * Set the remote or local host in the configuration - (e.g. 127.0.0.1) - * Path to lamdaemonOld.pl, e.g. /srv/www/htdocs/lam/lib/lamdaemonOld.pl - If you installed a Debian or RPM package then the script may be located at - /usr/share/ldap-account-manager/lib or /var/www/html/lam/lib. - - -2. Set up sudo - The perl script has to run as root. Therefore we need - a wrapper, sudo. - Edit /etc/sudoers on host where homedirs or quotas should be used - and add the following line: - - $admin All= NOPASSWD: $path - - $admin is the adminuser from LAM and $path is the path to lamdaemonOld.pl - e.g. "$admin All= NOPASSWD: /srv/www/htdocs/lam/lib/lamdaemonOld.pl" - At the moment the password is a paramteter of lamdaemonOld.pl - therefore you should disable logging so the password does not - appear in any logfile. - This can be done by adding the following line to /etc/sudoers: - - Defaults:$admin !syslog - - -3. Set up Perl - We need some external Perl modules, Quota and Net::SSH::Perl - To install them, run: - - perl -MCPAN -e shell - install Quota # required - install Net::SSH::Perl # required - install Math::BigInt::GMP # optional but very poor performance if not installed - - If your Perl executable is not located in /usr/bin/perl you will have to edit - the path in the first line of lamdaemonOld.pl. - If you have problems compiling the Perl modules try installing a newer release - of your GCC compiler and the "make" application. 
- - Debian users can install Net::SSH:Perl with dh-make-perl: - - apt-get install dh-make-perl - dh-make-perl --build --cpan Net::SSH::Perl - dpkg -i libnet-ssh-perl_1.25-1_all.deb - - -4. Set up SSH - Your SSH daemon must offer the password authentication method. - To activate it just use this configuration option in /etc/ssh/sshd_config: - - PasswordAuthentication yes - - -5. Test lamdaemonOld.pl - There is a test-function in lamdaemonOld.pl. Please run lamdaemonOld.pl - with the following parameters to test it: - - lamdaemonOld.pl $ssh-server $lam_path_on_host $admin-username $admin-password *test - - $ssh-server is the remote host lamdaemonOld.pl should be run on - $lam_path_on_host is the path to lamdaemonOld.pl on remote host - $admin-username is the name of the user which is allowed to run lamdaemonOld.pl - as root. It is the same user as in /etc/sudoers - $admin-password is the password of the admin user - *test is the command which tells lamdaemonOld.pl to test settings - - You have to run the command as the user your webserver is running, e.g. - - wwwrun@tilo:/srv/www/htdocs/lam/lib> /srv/www/htdocs/lam/lib/lamdaemonOld.pl \ - 127.0.0.1 /srv/www/htdocs/lam/lib/lamdaemonOld.pl adminuser secret *test - - You should get the following response: - - Net::SSH::Perl successfully installed. - Perl quota module successfully installed. - If you have not seen any error lamdaemonOld.pl should be set up successfully. - - - !!! Attention !!! - Your password in LDAP has to be hashed with CRYPT. If you use something like SSHA - you will probably get "Access denied.". - - Now everything should work fine. - - -6. Debugging lamdaemon - If you set up all things as documented before and still get "Access denied" - then you can try to debug the problem. - - - Check /var/log/auth.log or the equivalent on your system - This file contains messages about all logins. If the ssh login - failed then you will find a description about the reason here. 
-
- - Enable debug output in lamdaemon
- In line 235 of lamdaemonOld.pl change the SSH options like this:
-
- my $ssh = Net::SSH::Perl->new($hostname, options=>[
- "UserKnownHostsFile /dev/null"],
- protocol => "2,1", debug => 1 );
-
- This will produce a lot of output when you do the lamdaemon test.
- Check that there is a line like this:
-
- Authentication methods that can continue: publickey,password,keyboard-interactive.
-
- The "password" is the one which is important.
-
- - Set sshd in debug mode
- In /etc/ssh/sshd_conf add these lines:
-
- SyslogFacility AUTH
- LogLevel DEBUG3
-
- Now check /var/log/syslog for messages from sshd.
-
- - Update Openssh
- A Suse Linux user reported that upgrading Openssh solved the problem.
-
-
-Security warning:
------------------
-
- If you use PHP < 4.3 your admin user and password are passed as commandline argument.
- This can be a security risk. Upgrade your PHP version for productive use.
-
-
-Please send a mail to TiloLutz@gmx.de if you have any suggestions.
diff --git a/lam/lib/lamdaemon.inc b/lam/lib/lamdaemon.inc
index 53da1663..e6ee6ba6 100644
--- a/lam/lib/lamdaemon.inc
+++ b/lam/lib/lamdaemon.inc
@@ -3,7 +3,7 @@ $Id$
 This code is part of LDAP Account Manager (http://www.sourceforge.net/projects/lam)
- Copyright (C) 2004 - 2006 Roland Gruber
+ Copyright (C) 2004 - 2009 Roland Gruber
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -40,61 +40,6 @@ $Id$
 *
 */
 function lamdaemon($commands, $server) {
- // use new PHP SSH mechanismn
- if (function_exists("ssh2_connect")) {
- return lamdaemonSSH($commands, $server);
- }
-
- // get username and password of the current lam-admin
- $ldap_q = $_SESSION['ldap']->decrypt_login();
-
- $userstring = implode ("\n", $commands);
- $output_array = array();
- $towrite = escapeshellarg($server)." ".escapeshellarg($_SESSION['config']->get_scriptPath())." - -";
- $descriptorspec = array(
- 0 => array("pipe", "r"), // stdin
- 1 => array("pipe", "w"), // stout
- 2 => array("file", "/dev/null", "a") // sterr
- );
- $process = proc_open(escapeshellarg($_SESSION['lampath']."lib/lamdaemonOld.pl")." ".$towrite,
- $descriptorspec,
- $pipes);
- if (is_resource($process)) {
- /* perl-script is running
- * $pipes[0] is writeable handle to child stdin
- * $pipes[1] is readable handle to child stdout
- * any error is send to /dev/null
- */
- // user+passwd
- fwrite($pipes[0], $ldap_q[0] . "\n");
- fwrite($pipes[0], $ldap_q[1] . "\n");
- // Write to stdin
- fwrite($pipes[0], $userstring);
- }
- fclose($pipes[0]);
- while (!feof($pipes[1])) {
- $output = fgets($pipes[1], 1024);
- if ($output!='') $output_array[] = $output;
- }
- fclose($pipes[1]);
- proc_close($process);
- if (sizeof($output_array) > 0) {
- return $output_array;
- }
- else {
- return false;
- }
-}
-
-/**
-* Sends commands to lamdaemon script via PHP SSH functions.
-*
-* @param array $commands List of command lines
-* @param string $server remote server
-* @return array Output of lamdaemon
-*
-*/
-function lamdaemonSSH($commands, $server) {
 $commands = implode("\n", $commands) . "\n";
 // get username and password of the current lam-admin
 $credentials = $_SESSION['ldap']->decrypt_login();
diff --git a/lam/lib/lamdaemonOld.pl b/lam/lib/lamdaemonOld.pl
deleted file mode 100755
index 1ee369c2..00000000
--- a/lam/lib/lamdaemonOld.pl
+++ /dev/null
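Review bot: With the `function_exists("ssh2_connect")` fallback deleted, the new `lamdaemon()` body no longer verifies that the PHP ssh2 extension is loaded before the code that follows (the former `lamdaemonSSH` body) presumably calls into it, so on a host without libssh2 callers would now hit a PHP fatal "call to undefined function" instead of the `false`/error list this function used to return. Since the commit makes libssh2 mandatory, keep an explicit guard right after the `$commands = implode(...)` line, e.g. `if (!function_exists('ssh2_connect')) { return array("ERROR,Lamdaemon,PHP SSH2 extension (libssh2) is not installed."); }`, using whatever error line format the callers of `lamdaemon()` already parse, because this is the only place an administrator who skipped the README step would get a readable message. The surviving docblock above `function lamdaemon` (only its ` *` / ` */` tail is visible here) should also be refreshed to state that commands are now sent exclusively over SSH with the admin credentials returned by `decrypt_login()`, since the description that said so was removed together with `lamdaemonSSH`. The function body, including the actual ssh2_* calls, continues past the end of this hunk, so I could not confirm whether a later check exists.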
@@ -1,271 +0,0 @@ -#! /usr/bin/perl - -# $Id$ -# -# This code is part of LDAP Account Manager (http://www.sourceforge.net/projects/lam) -# Copyright (C) 2003 - 2006 Tilo Lutz -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -# -# -# LDAP Account Manager daemon to create and delete homedirecotries and quotas - -# set a known path -my $path = ""; -if (-d "/sbin") { - if ($path eq "") { $path = "/sbin"; } - else { $path = "$path:/sbin"; } -} -if (-d "/usr/sbin") { - if ($path eq "") { $path = "/usr/sbin"; } - else { $path = "$path:/usr/sbin"; } -} -if (-l "/bin") { - if ($path eq "") { $path = "/usr/bin"; } - else { $path = "$path:/usr/bin"; } -} -else { - if ($path eq "") { $path = "/bin:/usr/bin"; } - else { $path = "$path:/bin:/usr/bin"; } -} -if (-d "/opt/sbin") { $path = "$path:/opt/sbin"; } -if (-d "/opt/bin") { $path = "$path:/opt/bin"; } -$ENV{"PATH"} = $path; - -#use strict; # Use strict for security reasons - -@quota_grp; -@quota_usr; # Filesystems with enabled userquotas - # vals = DN, PAssword, user, home, (add|rem), - # quota, (set|get),(u|g), (mountpoint,blocksoft,blockhard,filesoft,filehard)+ - # chown options -$|=1; # Disable buffering - -sub get_fs { # Load mountpoints from mtab if enabled quotas - Quota::setmntent(); - my $i=0; - my @args; - while (my @temp = Quota::getmntent()) { - $args[$i][0] = 
$temp[0]; - $args[$i][1] = $temp[1]; - $args[$i][2] = $temp[2]; - $args[$i][3] = $temp[3]; - $i++; - } - Quota::endmntent(); - my $j=0; my $k=0; $i=0; - while ($args[$i][0]) { - if ( $args[$i][3] =~ m/usrquota/ ) { - $quota_usr[$j][0] = $args[$i][0]; - $quota_usr[$j][1] = $args[$i][1]; - $quota_usr[$j][2] = $args[$i][2]; - $quota_usr[$j][3] = $args[$i][3]; - $j++; - } - if ( $args[$i][3] =~ m/grpquota/ ) { - $quota_grp[$k][0] = $args[$i][0]; - $quota_grp[$k][1] = $args[$i][1]; - $quota_grp[$k][2] = $args[$i][2]; - $quota_grp[$k][3] = $args[$i][3]; - $k++; - } - $i++; - } - } - -# ***************** Check values -if ($< == 0 ) { # we are root - # Drop root Previleges - ($<, $>) = ($>, $<); - if ($ARGV[0] eq "*test") { - use Quota; # Needed to get and set quotas - print "Perl quota module successfully installed.\n"; - print "If you haven't seen any errors lamdaemon.pl was set up successfully.\n"; - } - else { - # loop for every transmitted user - my $string = do {local $/;}; - @input = split ("\n", $string ); - for ($i=0; $i<=$#input; $i++) { - $return = ""; - @vals = split (' ', $input[$i]); - switch: { - # Get user information - if (($vals[3] eq 'user') || ($vals[1] eq 'home')) { @user = getpwnam($vals[0]); } - else { @user = getgrnam($vals[0]); } - $vals[1] eq 'home' && do { - switch2: { - $vals[2] eq 'add' && do { - # split homedir to set all directories below the last dir. to 0755 - my $path = $user[7]; - $path =~ s,/(?:[^/]*)$,,; - ($<, $>) = ($>, $<); # Get root privileges - if (! -e $path) { - system 'mkdir', '-m', '0755', '-p', $path; # Create paths to homedir - } - if (! -e $user[7]) { - system 'mkdir', '-m', '0755', $user[7]; # Create homedir itself - system ("(cd /etc/skel && tar cf - .) 
| (cd $user[7] && tar xmf -)"); # Copy /etc/sekl into homedir - system 'chown', '-hR', "$user[2]:$user[3]" , $user[7]; # Change owner to new user - if (-e '/usr/sbin/useradd.local') { - system '/usr/sbin/useradd.local', $user[0]; # run useradd-script - } - system 'chmod', $vals[3], $user[7]; # Edit chmod rights - } - else { - $return = "ERROR,Lamdaemon,Homedirectory already exists.:$return"; - } - ($<, $>) = ($>, $<); # Give up root previleges - last switch2; - }; - $vals[2] eq 'rem' && do { - ($<, $>) = ($>, $<); # Get root previliges - if (-d $user[7] && $user[7] ne '/') { - if ((stat($user[7]))[4] eq $user[2]) { - system 'rm', '-R', $user[7]; # Delete Homedirectory - if (-e '/usr/sbin/userdel.local') { - system '/usr/sbin/userdel.local', $user[0]; - } - } - else { - $return = "ERROR,Lamdaemon,Homedirectory not owned by $user[2].:$return"; - } - } - else { - $return = "ERROR,Lamdaemon,Homedirectory doesn't exists.:$return"; - } - ($<, $>) = ($>, $<); # Give up root previleges - last switch2; - }; - } - # Show error if undfined command is used - $return = "ERROR,Lamdaemon,Unknown command $vals[2].:$return"; - last switch; - }; - $vals[1] eq 'quota' && do { - use Quota; # Needed to get and set quotas - get_fs(); # Load list of devices with enabled quotas - # Store quota information in array - @quota_temp1 = split (':', $vals[4]); - $group=0; - $i=0; - while ($quota_temp1[$i]) { - $j=0; - @temp = split (',', $quota_temp1[$i]); - while ($temp[$j]) { - $quota[$i][$j] = $temp[$j]; - $j++; - } - $i++; - } - if ($vals[3] eq 'user') { $group=false; } - else { - $group=1; - @quota_usr = @quota_grp; - } - switch2: { - $vals[2] eq 'rem' && do { - $i=0; - ($<, $>) = ($>, $<); # Get root privileges - while ($quota_usr[$i][0]) { - $dev = Quota::getqcarg($quota_usr[$i][1]); - $return = Quota::setqlim($dev,$user[2],0,0,0,0,1,$group); - $i++; - } - ($<, $>) = ($>, $<); # Give up root previleges - last switch2; - }; - $vals[2] eq 'set' && do { - $i=0; - ($<, $>) = ($>, $<); # Get 
root privileges - while ($quota_usr[$i][0]) { - $dev = Quota::getqcarg($quota[$i][0]); - $return = Quota::setqlim($dev,$user[2],$quota[$i][1],$quota[$i][2],$quota[$i][3],$quota[$i][4],1,$group); - $i++; - } - ($<, $>) = ($>, $<); # Give up root previleges - last switch2; - }; - $vals[2] eq 'get' && do { - $i=0; - ($<, $>) = ($>, $<); # Get root privileges - while ($quota_usr[$i][0]) { - if ($vals[0]ne'+') { - $dev = Quota::getqcarg($quota_usr[$i][1]); - @temp = Quota::query($dev,$user[2],$group); - if ($temp[0]ne'') { - $return = "$quota_usr[$i][1],$temp[0],$temp[1],$temp[2],$temp[3],$temp[4],$temp[5],$temp[6],$temp[7]:$return"; - } - else { $return = "$quota_usr[$i][1],0,0,0,0,0,0,0,0:$return"; } - } - else { $return = "$quota_usr[$i][1],0,0,0,0,0,0,0,0:$return"; } - $i++; - } - ($<, $>) = ($>, $<); # Give up root previleges - last switch2; - }; - $return = "ERROR,Lamdaemon,Unknown command $vals[2].:$return"; - } - }; - last switch; - $return = "ERROR,Lamdaemon,Unknown command $vals[1].:$return"; - }; - print "$return\n"; - } - } - } -else { - $hostname = shift @ARGV; - $remotepath = shift @ARGV; - use Net::SSH::Perl; - if ($ARGV[2] eq "*test") { print "Net::SSH::Perl successfully installed.\n"; } - if (($ARGV[0] eq "-") and ($ARGV[1] eq "-")) { # user+passwd are in STDIN - $username = ; - chop($username); - @username = split (',', $username); - $username[0] =~ s/uid=//; - $username[0] =~ s/cn=//; - $username = $username[0]; - $password = ; - chop($password); - } - else { - @username = split (',', $ARGV[0]); - $username[0] =~ s/uid=//; - $username[0] =~ s/cn=//; - $username = $username[0]; - $password = $ARGV[1]; - } - # Put all transfered lines in one string - if ($ARGV[2] ne "*test") { - $string = do {local $/;}; - } - else { - $argv = "*test\n"; - $string = " \n"; - } - my $ssh = Net::SSH::Perl->new($hostname, options=>[ - "UserKnownHostsFile /dev/null"], - protocol => "2,1", debug => 0 ); - $ssh->login($username, $password); - # Change needed to prevent buffer 
overrun - @string2 = split ("\n", $string); - for ($i=0; $i<=$#string2; $i++) { - ($stdout2, $stderr, $exit) = $ssh->cmd("sudo $remotepath $argv", $string2[$i]); - $stdout .= $stdout2; - } - #($stdout, $stderr, $exit) = $ssh->cmd("sudo $remotepath $argv", $string); - print $stdout; - }