From 85ca12452001c77756ffeb56104c54cab5d1adb3 Mon Sep 17 00:00:00 2001
From: mad
Date: Sun, 23 Sep 2018 17:25:17 +0200
Subject: [PATCH] sign and check signature on scripts for remote execution
---
 README.md | 7 +++++--
 nlvmi | 42 ++++++++++++++++++++++++------------------
 web/.sha512 | Bin 0 -> 512 bytes
 web/index.php | 2 +-
 4 files changed, 30 insertions(+), 21 deletions(-)
 create mode 100644 web/.sha512
diff --git a/README.md b/README.md
index fabea91..5d91667 100644
--- a/README.md
+++ b/README.md
@@ -15,8 +15,9 @@ nginx / apache / lighttpd
openssh
php
socat
-sqlite3 / mariadb (only sqlite3 for now)
+sqlite3 / mariadb (only sqlite3 for now)
usermode-utilities
+openssl (for managing remote servers)
**Manual install:**
become root
@@ -28,5 +29,7 @@ ln -sf ${PWD}/nlvmi/wrap-nlvmi /usr/bin/
ln -sf ${PWD}/nlvmi/web /var/www/localhost/htdocs/nlvmi
chown root:nlvmi nlvmi/*nlvmi
chmod +s nlvmi/wrap-nlvmi
+
+#not yet implemented...
mkdir /etc/nginx/nlvmi
-add an "include nlvmi/*.conf" statement within nginx.conf's server declaration.
\ No newline at end of file
+add an "include nlvmi/*.conf" statement within nginx.conf's server declaration.
diff --git a/nlvmi b/nlvmi
index 116bd3b..8779236 100755
--- a/nlvmi
+++ b/nlvmi
@@ -34,7 +34,7 @@ function checkdb {
 echo "error accessing sqlite!"
 exit 1;
 fi
-echo "sqlite ready to use";
+ echo "sqlite ready to use";
 elif [ $DATABASETYPE == "mariadb" ]; then
 DBCON="mysql --disable-pager -u $MARIAUSER -p$MARIAPASS -h $MARIAHOST $MARIADB"
 declare -a DBC=`echo "SHOW TABLES FROM $MARIADB; " | $DBCON | sed 1d`
@@ -134,6 +134,7 @@ function vmstart {
 if [ ! -z ${array[6]} ]; then SMP="-smp ${array[6]}"; fi
 if [ ! -z ${array[7]} ]; then MEMORY="-m ${array[7]}"; fi
 if [ ! -z ${array[8]} ]; then USBDEV="-usb -device usb-ehci,id=ehci -device usb-${array[8]},bus=usb-bus.0"; fi
+ if [ ! -z ${array[9]} ]; then KB="-k ${array[9]}"; fi
 if [ ! -z ${array[10]} ]; then CUSTOM="${array[10]}"; fi
 if [ ! -z ${array[13]} ]; then DRIVE1="-drive file=${array[13]}"; echo "chown ${array[2]}:nlvmi ${array[13]}" >>$TMPF; fi
 if [ ! -z ${array[14]} ]; then FORMAT1=",format=${array[14]},if=virtio"; fi
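Review bot: The new `KB` line only sets the keyboard option when `${array[9]}` is non-empty and never clears it, so if vmstart's loop (the `done` visible in the next hunk suggests one) handles several VMs, the previous VM's `-k` value can leak into the next COMMAND; the neighbouring `WEBSOCK` line shows the pattern to follow: `if [ ! -z "${array[9]}" ]; then KB="-k ${array[9]}"; else KB=""; fi`. Dropping the unconditional `-k ${array[9]}` from COMMAND in the next hunk is an improvement, since an empty field previously produced a bare `-k`. vmstart's body starts and ends outside this hunk.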
@@ -153,20 +154,22 @@ function vmstart {
 if [ ! -z ${array[28]} ]; then BRDEV3="${array[28]}"; echo "brctl addif ${array[28]} ${array[26]}" >>$TMPF; fi
 if [ ! -z ${array[30]} ]; then WEBSOCK=",websocket=${array[30]}"; else WEBSOCK=""; fi
 if [ ! -z ${array[29]} ]; then VNCPORT="-vnc :${array[29]}$WEBSOCK,password"; fi
- COMMAND=(su - ${array[2]} -s /bin/bash -c \"${array[4]} -enable-kvm $CUSTOM $CPUTYPE $MEMORY $SMP -boot ${array[11]} $USBDEV -k ${array[9]} -daemonize $DRIVE1$FORMAT1 $DRIVE2$FORMAT2 $DRIVE3$FORMAT3 $CDROM $MACADDR1 $TAPDEV1 $MACADDR2 $TAPDEV2 $MACADDR3 $TAPDEV3 $VNCPORT $CUSTOM -pidfile $RUNDIRECTORY/${array[1]}.pid -monitor unix:$RUNDIRECTORY/${array[1]}.mon,server,nowait\")
+ COMMAND=(su - ${array[2]} -s /bin/bash -c \"${array[4]} -enable-kvm $CUSTOM $CPUTYPE $MEMORY $SMP -boot ${array[11]} $USBDEV $KB -daemonize $DRIVE1$FORMAT1 $DRIVE2$FORMAT2 $DRIVE3$FORMAT3 $CDROM $MACADDR1 $TAPDEV1 $MACADDR2 $TAPDEV2 $MACADDR3 $TAPDEV3 $VNCPORT $CUSTOM -pidfile $RUNDIRECTORY/${array[1]}.pid -monitor unix:$RUNDIRECTORY/${array[1]}.mon,server,nowait\")
 if [ $LOGLEVEL -gt "1" ]; then echo ${COMMAND[@]}; fi
 echo "${COMMAND[@]}" >>$TMPF
 #Set VNC Password
 echo "echo \"change vnc password ${array[31]}\" | socat - unix-connect:$RUNDIRECTORY/${array[1]}.mon >/dev/null" >>$TMPF
 if [ ! 
-z "${array[34]}" ]; then
- echo "chmod g+w $RUNDIRECTORY/${array[1]}.mon" >>$TMPF
- su nlvmi -c "scp $TMPF ${array[34]}:/home/nlvmi/"
- su nlvmi -c "ssh ${array[34]} \"/usr/bin/nlvmi remote $TMPF run\""
- su nlvmi -c "ssh ${array[34]} \"rm $TMPF\""
- rm $TMPF
- else
- /bin/bash $TMPF
- rm $TMPF
+ echo "chmod g+w $RUNDIRECTORY/${array[1]}.mon" >>$TMPF
+ echo "chmod g+r $RUNDIRECTORY/${array[1]}.pid" >>$TMPF
+ openssl dgst -sha512 -sign "/nlvmi/nlvmi_priv.key" -out /home/nlvmi/${array[1]}.tmp.sha512 $TMPF
+ su nlvmi -c "scp $TMPF* ${array[34]}:/home/nlvmi/"
+ su nlvmi -c "ssh ${array[34]} \"/usr/bin/nlvmi remote $TMPF run\""
+ su nlvmi -c "ssh ${array[34]} \"rm $TMPF $TMPF.sha512\""
+ rm $TMPF $TMPF.sha512
+ else
+ /bin/bash $TMPF
+ rm $TMPF
 fi
 done
 export VMFOUND="yes"
@@ -187,15 +190,20 @@ function vmstop {
 STOPPED="no"
 COUNTER=0
 while [ $STOPPED = "no" ]; do
- if [ $COUNTER == 200 ]; then
+ if [ $COUNTER == 2 ]; then
 if [ -z ${array[2]} ]; then
 kill `cat $RUNDIRECTORY/${array[1]}.pid`
 echo "${array[1]} forcefully killed!";
 STOPPED="yes"
 else
- su nlvmi -c "ssh ${array[2]} \"echo \\\"kill \\\$(<\\\"$RUNDIRECTORY/${array[1]}.pid\\\")\\\" >/home/nlvmi/${array[1]}.tmp\""
+ TMPF=/home/nlvmi/${array[1]}.tmp
+ echo "kill \$(<\"$RUNDIRECTORY/${array[1]}.pid\")" >$TMPF
+ openssl dgst -sha512 -sign "/nlvmi/nlvmi_priv.key" -out $TMPF.sha512 $TMPF
+ su nlvmi -c "scp $TMPF* ${array[2]}:/home/nlvmi/"
+# su nlvmi -c "ssh ${array[2]} \"echo \\\"kill \\\$(<\\\"$RUNDIRECTORY/${array[1]}.pid\\\")\\\" >/home/nlvmi/${array[1]}.tmp\""
 su nlvmi -c "ssh ${array[2]} \"/usr/bin/nlvmi remote /home/nlvmi/${array[1]}.tmp stop\""
- su nlvmi -c "ssh ${array[2]} \"rm /home/nlvmi/${array[1]}.tmp\""
+ su nlvmi -c "ssh ${array[2]} \"rm $TMPF $TMPF.sha512\""
+ rm $TMPF $TMPF.sha512
 echo "remotekill"
 STOPPED="yes"
 fi
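Review bot: The signature is written to the literal path `/home/nlvmi/${array[1]}.tmp.sha512`, while the `scp $TMPF*` glob, the remote `rm $TMPF $TMPF.sha512` and the local `rm $TMPF $TMPF.sha512` all expect it at `$TMPF.sha512`; `TMPF` is assigned outside this hunk, so unless it is exactly `/home/nlvmi/${array[1]}.tmp` (the value vmstop uses in the next hunk) the signature is never shipped and the stray file is never cleaned up. Use the variable everywhere and stop on a signing error instead of pushing an unsigned script: `openssl dgst -sha512 -sign "/nlvmi/nlvmi_priv.key" -out "$TMPF.sha512" "$TMPF" || { echo "signing $TMPF failed" >&2; rm -f "$TMPF"; continue; }` (`continue` presumes this sits in vmstart's per-VM loop, which the `done` below suggests). Naming the two files explicitly, `scp "$TMPF" "$TMPF.sha512" …`, is also preferable to the unquoted glob, which ships whatever else shares that prefix. vmstart's body begins and ends outside the hunk.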
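Review bot: `COUNTER == 200` becoming `COUNTER == 2` cuts the graceful-stop wait from 200 iterations to 2 before the VM is forcibly killed; the commit message only mentions signing, so this reads like a debugging leftover — revert it, or document the new timeout next to the line if it is intended. The new `echo ... >$TMPF` and `openssl ... -out $TMPF.sha512` run as root (they read the private key and precede `su nlvmi -c`) yet write to a fixed, predictable name inside the unprivileged `nlvmi` account's home directory; staging the script under a root-owned directory created with `mktemp -d` and handing only a copy to `su nlvmi -c "scp …"` keeps root from writing through a path that account controls. The commented-out `# su nlvmi -c "ssh … >/home/nlvmi/${array[1]}.tmp"` line should be deleted rather than kept, since git history already preserves it. vmstop's loop and function continue outside the hunk.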
@@ -264,7 +272,7 @@ if [ $# -gt 0 ]; then
 export "$VMFOUND"
 vmstart $arrays
 done
- if [[ $VMFOUND == "no" ]]; then echo "no VM with that name found!"; exit 1; fi)
+ if [[ $VMFOUND == "no" ]]; then echo "no VM with that name found!"; exit 1; fi)
 elif [ $1 == "stop" ]; then
 if [ -z $2 ]; then echo "stop needs a vmname!"; exit 1; fi
 VMFOUND="no"
@@ -278,9 +286,6 @@ if [ $# -gt 0 ]; then
 if [[ $VMFOUND == "no" ]]; then echo "no VM with that name found!"; exit 1; fi)
 elif [ $1 == "stopall" ]; then
 stopall
- elif [ $1 == "checkvm" ]; then
- if [ -z $2 ]; then echo "checkvm needs a vmname!"; exit 1; fi
- if [ -e $RUNDIRECTORY/$2.mon ]; then echo $2 running; else echo $2 stopped; fi
 elif [ $1 == "listdir" ]; then
 if [ -z $2 ] || [ -z $3 ]; then echo listdir needs two more arguments; exit 1; fi
 listdir $2 $3
@@ -288,7 +293,8 @@ if [ $# -gt 0 ]; then
 if [ ! -z $MASTERSERVER ]; then
 if `echo $SSH_CLIENT | grep "$MASTERSERVER " &>/dev/null`; then
 if [ -e $2 ]; then
- /bin/bash $2;
+ openssl dgst -sha512 -verify <(openssl x509 -in "/nlvmi/nlvmi_sign.crt" -pubkey -noout) -signature $2.sha512 $2 >/dev/null && /bin/bash $2 || echo "signature failed!!"
+# /bin/bash $2;
 fi
 else
 echo "not allowed";
diff --git a/web/.sha512 b/web/.sha512
new file mode 100644
index 0000000000000000000000000000000000000000..12bb389ab91ca33207c6925165189690420857f4
GIT binary patch
literal 512
zcmV+b0{{Jg0Mt$~4-=(h1p)3-1ri>heO17fMR;1t*9}~zxhDd2vGbaRxSkIP&Z5^A z&{*tPh%nS|%!nPw=3DRrkV(NQ03>Ac;8I?rvPPh_Ixu__UwCP8u11|`OP{XPwvWUF zCW->)tHs=p$OCxOclG??dN)cTF@-a#aoCj8^^qnAHgv28xg7g77-bJur~FI5e}Y*i zs%t9v&d*}?9?fW6tJ;xV6Bmi+Z99y#QG@Rw-8Bq#si30DOC%U75zPD-tcRoGPgWV_~< zgwN`OW}S=-Evr~&eNCnnp1b5)CQ__gQ1ot^N0BfbnSRdZo@sPncGCdV>4CnIG?`&V z`-h5(5A}V6`I}7Vhfrbo^t!LqTx~PGp4Ea6?)Nk39wvdK&pVuj1;it&jC z8_)S<&%{5`1N6bM!2p25-$X CU-{Yq
literal 0
HcmV?d00001
diff --git a/web/index.php b/web/index.php
index 248f047..4f4d814 100644
--- a/web/index.php
+++ b/web/index.php
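Review bot: In the `@@ -288` hunk the `verify && /bin/bash $2 || echo "signature failed!!"` chain prints a signature failure whenever the script itself exits non-zero, and on a genuine verification failure the branch ends with `echo`'s status 0, so the master's `ssh … nlvmi remote … run` cannot tell that nothing ran. There is also a verify-then-execute gap: `$2` lives in `/home/nlvmi`, owned by the account that scp'd it, while `/usr/bin/nlvmi` appears to be the setuid `wrap-nlvmi` from the README install steps, so the file should be copied to a root-owned location first and that single copy both verified and executed. Writing it as an `if` also sends the failure to stderr with an explicit non-zero exit. The enclosing `if [ ! -z $MASTERSERVER ]` block and the `remote` command branch continue outside the hunk.
```shell
        if [ -e "$2" ]; then
          # private root-owned copy: the bytes verified are the bytes executed
          staged=$(mktemp) || exit 1
          cp -- "$2" "$staged" || exit 1
          if openssl dgst -sha512 -verify <(openssl x509 -in "/nlvmi/nlvmi_sign.crt" -pubkey -noout) -signature "$2.sha512" "$staged" >/dev/null 2>&1; then
            /bin/bash "$staged"
          else
            echo "signature failed!!" >&2
            rm -f -- "$staged"
            exit 1
          fi
          rm -f -- "$staged"
        fi
        # … unchanged: else / "not allowed" branch …
```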
@@ -589,7 +589,7 @@ if (isset($_SESSION['username'])){ $button = "stop"; $buttonc = "btn-warning"; } - $vncport = sprintf("%02d", $row[vncport]); + $vncport = sprintf("%02d", $row['vncport']); echo "

$row[vmname]

$row[server]
$row[cpus] CPUs, $row[memory] MB RAM
$row[drive1]
"; echo "VNC port: 59$vncport
edit "; echo "$button ";