sign and check signature on scripts for remote execution

This commit is contained in:
mad 2018-09-23 17:25:17 +02:00
parent 223090c0e4
commit 85ca124520
4 changed files with 30 additions and 21 deletions


@ -17,6 +17,7 @@ php <br/>
socat <br/> socat <br/>
sqlite3 / mariadb (only sqlite3 for now) <br/> sqlite3 / mariadb (only sqlite3 for now) <br/>
usermode-utilities <br/> usermode-utilities <br/>
openssl (for managing remote servers) <br/>
**Manual install:** <br/> **Manual install:** <br/>
become root <br/> become root <br/>
@ -28,5 +29,7 @@ ln -sf ${PWD}/nlvmi/wrap-nlvmi /usr/bin/ <br/>
ln -sf ${PWD}/nlvmi/web /var/www/localhost/htdocs/nlvmi <br/> ln -sf ${PWD}/nlvmi/web /var/www/localhost/htdocs/nlvmi <br/>
chown root:nlvmi nlvmi/*nlvmi <br/> chown root:nlvmi nlvmi/*nlvmi <br/>
chmod +s nlvmi/wrap-nlvmi <br/> chmod +s nlvmi/wrap-nlvmi <br/>
#not yet implemented... <br/>
mkdir /etc/nginx/nlvmi <br/> mkdir /etc/nginx/nlvmi <br/>
add an "include nlvmi/*.conf" statement within nginx.conf's server declaration. <br/> add an "include nlvmi/*.conf" statement within nginx.conf's server declaration. <br/>

nlvmi

@ -134,6 +134,7 @@ function vmstart {
if [ ! -z ${array[6]} ]; then SMP="-smp ${array[6]}"; fi if [ ! -z ${array[6]} ]; then SMP="-smp ${array[6]}"; fi
if [ ! -z ${array[7]} ]; then MEMORY="-m ${array[7]}"; fi if [ ! -z ${array[7]} ]; then MEMORY="-m ${array[7]}"; fi
if [ ! -z ${array[8]} ]; then USBDEV="-usb -device usb-ehci,id=ehci -device usb-${array[8]},bus=usb-bus.0"; fi if [ ! -z ${array[8]} ]; then USBDEV="-usb -device usb-ehci,id=ehci -device usb-${array[8]},bus=usb-bus.0"; fi
if [ ! -z ${array[9]} ]; then KB="-k ${array[9]}"; fi
if [ ! -z ${array[10]} ]; then CUSTOM="${array[10]}"; fi if [ ! -z ${array[10]} ]; then CUSTOM="${array[10]}"; fi
if [ ! -z ${array[13]} ]; then DRIVE1="-drive file=${array[13]}"; echo "chown ${array[2]}:nlvmi ${array[13]}" >>$TMPF; fi if [ ! -z ${array[13]} ]; then DRIVE1="-drive file=${array[13]}"; echo "chown ${array[2]}:nlvmi ${array[13]}" >>$TMPF; fi
if [ ! -z ${array[14]} ]; then FORMAT1=",format=${array[14]},if=virtio"; fi if [ ! -z ${array[14]} ]; then FORMAT1=",format=${array[14]},if=virtio"; fi
@ -153,17 +154,19 @@ function vmstart {
if [ ! -z ${array[28]} ]; then BRDEV3="${array[28]}"; echo "brctl addif ${array[28]} ${array[26]}" >>$TMPF; fi if [ ! -z ${array[28]} ]; then BRDEV3="${array[28]}"; echo "brctl addif ${array[28]} ${array[26]}" >>$TMPF; fi
if [ ! -z ${array[30]} ]; then WEBSOCK=",websocket=${array[30]}"; else WEBSOCK=""; fi if [ ! -z ${array[30]} ]; then WEBSOCK=",websocket=${array[30]}"; else WEBSOCK=""; fi
if [ ! -z ${array[29]} ]; then VNCPORT="-vnc :${array[29]}$WEBSOCK,password"; fi if [ ! -z ${array[29]} ]; then VNCPORT="-vnc :${array[29]}$WEBSOCK,password"; fi
COMMAND=(su - ${array[2]} -s /bin/bash -c \"${array[4]} -enable-kvm $CUSTOM $CPUTYPE $MEMORY $SMP -boot ${array[11]} $USBDEV -k ${array[9]} -daemonize $DRIVE1$FORMAT1 $DRIVE2$FORMAT2 $DRIVE3$FORMAT3 $CDROM $MACADDR1 $TAPDEV1 $MACADDR2 $TAPDEV2 $MACADDR3 $TAPDEV3 $VNCPORT $CUSTOM -pidfile $RUNDIRECTORY/${array[1]}.pid -monitor unix:$RUNDIRECTORY/${array[1]}.mon,server,nowait\") COMMAND=(su - ${array[2]} -s /bin/bash -c \"${array[4]} -enable-kvm $CUSTOM $CPUTYPE $MEMORY $SMP -boot ${array[11]} $USBDEV $KB -daemonize $DRIVE1$FORMAT1 $DRIVE2$FORMAT2 $DRIVE3$FORMAT3 $CDROM $MACADDR1 $TAPDEV1 $MACADDR2 $TAPDEV2 $MACADDR3 $TAPDEV3 $VNCPORT $CUSTOM -pidfile $RUNDIRECTORY/${array[1]}.pid -monitor unix:$RUNDIRECTORY/${array[1]}.mon,server,nowait\")
if [ $LOGLEVEL -gt "1" ]; then echo ${COMMAND[@]}; fi if [ $LOGLEVEL -gt "1" ]; then echo ${COMMAND[@]}; fi
echo "${COMMAND[@]}" >>$TMPF echo "${COMMAND[@]}" >>$TMPF
#Set VNC Password #Set VNC Password
echo "echo \"change vnc password ${array[31]}\" | socat - unix-connect:$RUNDIRECTORY/${array[1]}.mon >/dev/null" >>$TMPF echo "echo \"change vnc password ${array[31]}\" | socat - unix-connect:$RUNDIRECTORY/${array[1]}.mon >/dev/null" >>$TMPF
if [ ! -z "${array[34]}" ]; then if [ ! -z "${array[34]}" ]; then
echo "chmod g+w $RUNDIRECTORY/${array[1]}.mon" >>$TMPF echo "chmod g+w $RUNDIRECTORY/${array[1]}.mon" >>$TMPF
su nlvmi -c "scp $TMPF ${array[34]}:/home/nlvmi/" echo "chmod g+r $RUNDIRECTORY/${array[1]}.pid" >>$TMPF
openssl dgst -sha512 -sign "/nlvmi/nlvmi_priv.key" -out /home/nlvmi/${array[1]}.tmp.sha512 $TMPF
su nlvmi -c "scp $TMPF* ${array[34]}:/home/nlvmi/"
su nlvmi -c "ssh ${array[34]} \"/usr/bin/nlvmi remote $TMPF run\"" su nlvmi -c "ssh ${array[34]} \"/usr/bin/nlvmi remote $TMPF run\""
su nlvmi -c "ssh ${array[34]} \"rm $TMPF\"" su nlvmi -c "ssh ${array[34]} \"rm $TMPF $TMPF.sha512\""
rm $TMPF rm $TMPF $TMPF.sha512
else else
/bin/bash $TMPF /bin/bash $TMPF
rm $TMPF rm $TMPF
@ -187,15 +190,20 @@ function vmstop {
STOPPED="no" STOPPED="no"
COUNTER=0 COUNTER=0
while [ $STOPPED = "no" ]; do while [ $STOPPED = "no" ]; do
if [ $COUNTER == 200 ]; then if [ $COUNTER == 2 ]; then
if [ -z ${array[2]} ]; then if [ -z ${array[2]} ]; then
kill `cat $RUNDIRECTORY/${array[1]}.pid` kill `cat $RUNDIRECTORY/${array[1]}.pid`
echo "${array[1]} forcefully killed!"; echo "${array[1]} forcefully killed!";
STOPPED="yes" STOPPED="yes"
else else
su nlvmi -c "ssh ${array[2]} \"echo \\\"kill \\\$(<\\\"$RUNDIRECTORY/${array[1]}.pid\\\")\\\" >/home/nlvmi/${array[1]}.tmp\"" TMPF=/home/nlvmi/${array[1]}.tmp
echo "kill \$(<\"$RUNDIRECTORY/${array[1]}.pid\")" >$TMPF
openssl dgst -sha512 -sign "/nlvmi/nlvmi_priv.key" -out $TMPF.sha512 $TMPF
su nlvmi -c "scp $TMPF* ${array[2]}:/home/nlvmi/"
# su nlvmi -c "ssh ${array[2]} \"echo \\\"kill \\\$(<\\\"$RUNDIRECTORY/${array[1]}.pid\\\")\\\" >/home/nlvmi/${array[1]}.tmp\""
su nlvmi -c "ssh ${array[2]} \"/usr/bin/nlvmi remote /home/nlvmi/${array[1]}.tmp stop\"" su nlvmi -c "ssh ${array[2]} \"/usr/bin/nlvmi remote /home/nlvmi/${array[1]}.tmp stop\""
su nlvmi -c "ssh ${array[2]} \"rm /home/nlvmi/${array[1]}.tmp\"" su nlvmi -c "ssh ${array[2]} \"rm $TMPF $TMPF.sha512\""
rm $TMPF $TMPF.sha512
echo "remotekill" echo "remotekill"
STOPPED="yes" STOPPED="yes"
fi fi
@ -278,9 +286,6 @@ if [ $# -gt 0 ]; then
if [[ $VMFOUND == "no" ]]; then echo "no VM with that name found!"; exit 1; fi) if [[ $VMFOUND == "no" ]]; then echo "no VM with that name found!"; exit 1; fi)
elif [ $1 == "stopall" ]; then elif [ $1 == "stopall" ]; then
stopall stopall
elif [ $1 == "checkvm" ]; then
if [ -z $2 ]; then echo "checkvm needs a vmname!"; exit 1; fi
if [ -e $RUNDIRECTORY/$2.mon ]; then echo $2 running; else echo $2 stopped; fi
elif [ $1 == "listdir" ]; then elif [ $1 == "listdir" ]; then
if [ -z $2 ] || [ -z $3 ]; then echo listdir needs two more arguments; exit 1; fi if [ -z $2 ] || [ -z $3 ]; then echo listdir needs two more arguments; exit 1; fi
listdir $2 $3 listdir $2 $3
@ -288,7 +293,8 @@ if [ $# -gt 0 ]; then
if [ ! -z $MASTERSERVER ]; then if [ ! -z $MASTERSERVER ]; then
if `echo $SSH_CLIENT | grep "$MASTERSERVER " &>/dev/null`; then if `echo $SSH_CLIENT | grep "$MASTERSERVER " &>/dev/null`; then
if [ -e $2 ]; then if [ -e $2 ]; then
/bin/bash $2; openssl dgst -sha512 -verify <(openssl x509 -in "/nlvmi/nlvmi_sign.crt" -pubkey -noout) -signature $2.sha512 $2 >/dev/null && /bin/bash $2 || echo "signature failed!!"
# /bin/bash $2;
fi fi
else else
echo "not allowed"; echo "not allowed";
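Review bot: The verification line in the last hunk, `... -signature $2.sha512 $2 >/dev/null && /bin/bash $2 || echo "signature failed!!"`, conflates a bad signature with a non-zero exit of the script it just ran, and on a rejected signature it only echoes and returns 0, so the master's `ssh ... nlvmi remote ... run` sees success and the unverified file stays on disk. An if/else with `exit 1` on the failure branch fixes both, and `$2` / `$2.sha512` should be quoted while at it. The signature binds only the file's bytes (no expiry or nonce), so a previously signed script presented again would verify; the only thing limiting that is the `SSH_CLIENT` origin check just above it, which is worth noting in a comment. Separately, in the vmstop hunk the forced-kill threshold changed from `200` to `2` (`if [ $COUNTER == 2 ]`), which looks like a debugging value left in. The enclosing `if [ $# -gt 0 ]` chain starts and ends outside the hunk.
```shell
# … unchanged: MASTERSERVER / SSH_CLIENT origin checks …
if [ -e "$2" ]; then
  if openssl dgst -sha512 -verify <(openssl x509 -in "/nlvmi/nlvmi_sign.crt" -pubkey -noout) \
       -signature "$2.sha512" "$2" >/dev/null; then
    /bin/bash "$2"
  else
    echo "signature failed!!" >&2
    exit 1
  fi
fi
```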

BIN
web/.sha512 Normal file

Binary file not shown.


@ -589,7 +589,7 @@ if (isset($_SESSION['username'])){
$button = "stop"; $button = "stop";
$buttonc = "btn-warning"; $buttonc = "btn-warning";
} }
$vncport = sprintf("%02d", $row[vncport]); $vncport = sprintf("%02d", $row['vncport']);
echo "<div class=col style=\"margin:5px;padding:5px;border:solid 1px;max-width:295px;\"><h3>$row[vmname]</h3>$row[server]</br>$row[cpus] CPUs, $row[memory] MB RAM</br>$row[drive1]</br>"; echo "<div class=col style=\"margin:5px;padding:5px;border:solid 1px;max-width:295px;\"><h3>$row[vmname]</h3>$row[server]</br>$row[cpus] CPUs, $row[memory] MB RAM</br>$row[drive1]</br>";
echo "VNC port: 59$vncport</br><a class=\"btn btn-primary\" href=# onclick=\"post('?', {edit: '$row[id]'});\">edit</a> "; echo "VNC port: 59$vncport</br><a class=\"btn btn-primary\" href=# onclick=\"post('?', {edit: '$row[id]'});\">edit</a> ";
echo "<a href=# onclick=\"post('?', {'$button': '$row[vmname]'});\"class=\"btn $buttonc\">$button</a> "; echo "<a href=# onclick=\"post('?', {'$button': '$row[vmname]'});\"class=\"btn $buttonc\">$button</a> ";