RE: CronJob Russian Solution
Управления разрешениями и запретами Крона из админки.
В общем-то это излишество для тех, кому влом в файлах всё проставить или кто не знает, как.
Открываем базу в пхпмайадмине.
В таблицу config вставить строки CUSTOM_CRON_ALLOWED_CMD CUSTOM_CRON_ALLOWED_EXT
CUSTOM_CRON_STOP_WORD
Ох уж мне эта параноидальная защита! Вот самим им влом создаваться.
admin/domain_detais.tpl
admin/settings.tpl
Добавляем где-нибудь между настройками мыла и "прочими настройками"
PHP Code:
<!-- Cron settings rows for admin/settings.tpl. The three inputs post
     cron_allowed_commands / cron_allowed_extension / cron_stop_words, which
     admin/settings.php stores as CUSTOM_CRON_ALLOWED_CMD, CUSTOM_CRON_ALLOWED_EXT
     and CUSTOM_CRON_STOP_WORD; the client cronjob pages read them back as
     comma-separated lists.
     NOTE(review): `maxwidth` is not a standard input attribute; `maxlength`
     may have been intended. Confirm. -->
<td colspan="2" class="content3"><strong>{TR_CRON_SETTINGS}</strong></td> </tr>
<tr>
<td> </td>
<td class="content2">{TR_CRON_ALLOWED_CMD}</td>
<td class="content"><input class="textinput" maxwidth="20" size="40" name="cron_allowed_commands" id="cron_allowed_commands" value="{CUSTOM_CRON_ALLOWED_CMD}"> </td>
</tr>
<tr>
<td> </td>
<td class="content2">{TR_CRON_ALLOWED_EXT}</td>
<td class="content"><input class="textinput" maxwidth="20" size="40" name="cron_allowed_extension" id="cron_allowed_extension" value="{CUSTOM_CRON_ALLOWED_EXT}"> </td>
</tr>
<tr>
<td> </td>
<td class="content2">{TR_CRON_STOP_WORD}</td>
<td class="content"><input class="textinput" maxwidth="20" size="40" name="cron_stop_words" id="cron_stop_words" value="{CUSTOM_CRON_STOP_WORD}"> </td>
</tr>
<tr>
<td> </td>
admin/settings.php
Добавляем следующие строки (первая строка — та, после которой надо добавить; обращаем внимание на запятые в массивах)
PHP Code:
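// Read the three cron settings from the form the same way the existing field
// above is read: through clean_input(), instead of storing the raw POST value.
// clean_input() is the project's input filter (defined elsewhere); if it
// strips commas, the comma-separated lists used by the cronjob pages would
// need revisiting. Confirm.
$max_subdnames_labels = clean_input($_POST['max_subdnames_labels']);
$cron_allowed_commands = clean_input($_POST['cron_allowed_commands']);
$cron_allowed_extension = clean_input($_POST['cron_allowed_extension']);
$cron_stop_words = clean_input($_POST['cron_stop_words']);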
'TR_MAX_SUBDNAMES_LABELS' => tr('Maximal number of labels for subdomains'), 'TR_CRON_ALLOWED_CMD' => tr('Allowed commands in only'), 'TR_CRON_ALLOWED_EXT' => tr('Allowed files extensions'), 'TR_CRON_STOP_WORD' => tr('Denied words')
// Persist every cron-related setting under its config key, then confirm.
$cronSettings = array(
    'MAX_SUBDNAMES_LABELS'    => $max_subdnames_labels,
    'CUSTOM_CRON_ALLOWED_CMD' => $cron_allowed_commands,
    'CUSTOM_CRON_ALLOWED_EXT' => $cron_allowed_extension,
    'CUSTOM_CRON_STOP_WORD'   => $cron_stop_words,
);
foreach ($cronSettings as $configKey => $configValue) {
    setConfig_Value($configKey, $configValue);
}
set_page_message(tr('Settings saved !'));
'MAX_SUBDNAMES_LABELS_VALUE' => Config::get('MAX_SUBDNAMES_LABELS'), 'CUSTOM_CRON_ALLOWED_CMD' => Config::get('CUSTOM_CRON_ALLOWED_CMD'), 'CUSTOM_CRON_ALLOWED_EXT' => Config::get('CUSTOM_CRON_ALLOWED_EXT'), 'CUSTOM_CRON_STOP_WORD' => Config::get('CUSTOM_CRON_STOP_WORD'), 'TR_CRON_SETTINGS' => tr('Set CronJobs Rights (Separator is a COMMA!)')
client/cronjob_add.php
PHP Code:
<?php /* * (с) 2009, Russia, Moscow * Serge Obookhoff AKA Hong Lee * www.data-stream.ru && www.veterinars.ru * Last Revision at 01/2009 * Written for ispCP Team (www.isp-control.net) ONLY. * Written using the old, dead blanks VHCS. * All Functions rewritten. * * Notice: If you use this script you have own risks. * */
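// The schedule fields arrive as arrays (multi-select); they are joined into
// comma-separated strings *before* ispcp-lib.php runs its HTML input control
// over $_POST, and the array originals are removed from $_POST afterwards.
// A plain GET of the page carries no POST data, so a missing or non-array
// field becomes '' instead of being handed to implode() (which raises a
// TypeError on current PHP and a warning on old releases).
$min          = (isset($_POST['min']) && is_array($_POST['min'])) ? implode(',', $_POST['min']) : '';
$hour         = (isset($_POST['hour']) && is_array($_POST['hour'])) ? implode(',', $_POST['hour']) : '';
$day_of_month = (isset($_POST['day_of_month']) && is_array($_POST['day_of_month'])) ? implode(',', $_POST['day_of_month']) : '';
$month        = (isset($_POST['month']) && is_array($_POST['month'])) ? implode(',', $_POST['month']) : '';
$day_of_week  = (isset($_POST['day_of_week']) && is_array($_POST['day_of_week'])) ? implode(',', $_POST['day_of_week']) : '';

unset($_POST['month'], $_POST['day_of_week'], $_POST['min'], $_POST['hour'], $_POST['day_of_month']);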
require '../include/ispcp-lib.php';

check_login(__FILE__);

// Template setup: the page layout and the two dynamic sub-blocks it uses.
$tpl = new pTemplate();
$templatePath = Config::get('CLIENT_TEMPLATE_PATH');
$tpl->define_dynamic('page', $templatePath . '/cronjobs_add.tpl');
$tpl->define_dynamic('page_message', 'page');
$tpl->define_dynamic('logged_from', 'page');

$theme_color = Config::get('USER_INITIAL_THEME');

// Page-wide template variables.
$pageVars = array(
    'TR_CLIENT_CRONJOBS_TITLE' => tr('ispCP - Client/Cronjob Manager'),
    'THEME_COLOR_PATH'         => '../themes/' . $theme_color,
    'THEME_CHARSET'            => tr('encoding'),
    'ISP_LOGO'                 => get_logo($_SESSION['user_id']),
);
$tpl->assign($pageVars);
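/**
 * Validate the submitted "add cronjob" form and insert the job into `hcrondtab`.
 *
 * Does nothing unless the form was submitted (`$_POST['Submit']`). The text
 * fields (name, description, command_line, runonce, activ) are read from
 * $_POST explicitly; the schedule fields arrive already comma-joined in
 * $min .. $day_of_week. Every failed check sets a page message and returns
 * without writing to the database. On success the job is inserted, logged,
 * and the user is sent to cronjobs_overview.php via user_goto().
 *
 * Command-line policy (all lists are comma-separated admin settings):
 *  - the first word must start with an entry of CUSTOM_CRON_ALLOWED_CMD;
 *  - no entry of CUSTOM_CRON_STOP_WORD may occur anywhere in the command line;
 *  - the second word (the script) must carry one of the $file_type extensions,
 *    exist and be readable; .cgi/.pl scripts must also be executable.
 *
 * @param object $tpl          page template (unused here; kept for the call site)
 * @param mixed  $sql          database handle for exec_query()
 * @param int    $user_id      owner: looked up in `domain` for uid/gid, stored in `domain`
 * @param array  $file_type    allowed script extensions, e.g. array('.php', '.pl')
 * @param string $min          cron minute field
 * @param string $hour         cron hour field
 * @param string $day_of_month cron day-of-month field
 * @param string $month        cron month field
 * @param string $day_of_week  cron day-of-week field
 */
function add_cron_job(&$tpl, &$sql, $user_id, &$file_type, &$min, &$hour, &$day_of_month, &$month, &$day_of_week) {
    if (!isset($_POST['Submit'])) {
        return;
    }

    // Read only the fields this function needs. The former
    // `foreach ($_POST as $key => $value) { $$key = $value; }` let the request
    // body overwrite any local here, including $user_id and $file_type.
    $name         = isset($_POST['name']) ? $_POST['name'] : '';
    $description  = isset($_POST['description']) ? $_POST['description'] : '';
    $command_line = isset($_POST['command_line']) ? $_POST['command_line'] : '';
    $runonce      = isset($_POST['runonce']) ? $_POST['runonce'] : null;
    $activ        = isset($_POST['activ']) ? $_POST['activ'] : null;

    if (empty($min) || empty($hour) || empty($day_of_month) || empty($month)
        || empty($day_of_week) || empty($name) || empty($description) || empty($command_line)) {
        set_page_message(tr('Please type All Fields and choise all Values!'));
        return;
    }

    /* Start (c) Vladimir Sinitsyn aka SenatoR, Russia, Yekaterinburg */
    // "<interpreter> <script> [...]": word 0 is the command, word 1 the script.
    $parts   = explode(' ', $command_line);
    $command = $parts[0];
    $stream  = isset($parts[1]) ? $parts[1] : '';

    // Interpreter check: prefix match against the configured commands. Entries
    // are trimmed and blanks skipped so "php, perl," works and an empty entry
    // cannot act as a wildcard.
    $command_allowed = false;
    foreach (explode(',', Config::get('CUSTOM_CRON_ALLOWED_CMD')) as $allowed_command) {
        $allowed_command = trim($allowed_command);
        if ($allowed_command !== '' && strpos($command, $allowed_command) === 0) {
            $command_allowed = true;
            break;
        }
    }
    if (!$command_allowed) {
        set_page_message(tr('Comand not Allowed!'));
        return;
    }

    // Stop-word check over the whole command line. The previous test,
    // `strpos($stream, $v) == true`, treated a match at offset 0 as "not
    // found" and only looked at the second word.
    foreach (explode(',', Config::get('CUSTOM_CRON_STOP_WORD')) as $stop_word) {
        $stop_word = trim($stop_word);
        if ($stop_word !== '' && strpos($command_line, $stop_word) !== false) {
            set_page_message(tr('Are you a cunning Hacker ?! But I am not only stupid machine!!! I will write delation to Admin!'));
            write_log("WARNING: Perhaps hacking! ". $_SESSION['user_logged'] . ": add Cron Job: " . $name . " with comnd: " . $command_line);
            return;
        }
    }

    // Extension check. Each configured entry is normalised to ".ext" and the
    // script path is cut right after the first occurrence of that extension,
    // so "script.php?x=1" is checked as "script.php".
    $file        = '';
    $matched_ext = '';
    foreach ($file_type as $extension) {
        $extension = '.' . ltrim(trim($extension), '.');
        if ($extension === '.') {
            continue;
        }
        if (strpos($stream, $extension) !== false) {
            $matched_ext = $extension;
            $file = preg_replace('/(' . preg_quote($extension, '/') . ').*/i', '\\1', $stream);
            break;
        }
    }
    if ($matched_ext === '') {
        set_page_message(tr('File type wrong!'));
        return;
    }

    // The script must exist and be readable; cgi/pl scripts must be executable
    // (the old check had the strpos() arguments reversed and never fired).
    if (!file_exists($file)) {
        set_page_message(tr('File not found!'));
        return;
    }
    if (!is_readable($file)) {
        set_page_message(tr('File not readable!'));
        return;
    }
    $ext_lower = strtolower($matched_ext);
    if (($ext_lower === '.cgi' || $ext_lower === '.pl') && !is_executable($file)) {
        set_page_message(tr('Wrong permissions!'));
        return;
    }
    /* End (c) */

    // System uid/gid the job runs under, derived from the owner's domain row.
    $query = " SELECT `domain_uid`, `domain_gid` FROM `domain` WHERE `domain_admin_id` = ? ";
    $rs  = exec_query($sql, $query, array($user_id));
    $uid = 'vu' . $rs->fields['domain_uid'];
    $gid = 'vu' . $rs->fields['domain_gid'];

    $query = " INSERT INTO `hcrondtab` (`min`, `hour`, `day`, `mon`, `dow`, `uid`, `gid`, `cmd`, `name`, `runonce`, `activ`, `coment`, `domain`) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) ";
    exec_query($sql, $query, array($min, $hour, $day_of_month, $month, $day_of_week, $uid, $gid, $command_line, $name, $runonce, $activ, $description, $user_id));

    # send_request();
    write_log($_SESSION['user_logged'] . ": add Cron Job: " . $name);
    set_page_message(tr('Cron Job successfully added!'));
    user_goto('cronjobs_overview.php');
} // End of add_cron_job();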
/**
 * Return the `admin_name` of account $user_id (used to build the example
 * command path on the add page).
 *
 * @param object $tpl     page template (unused)
 * @param mixed  $sql     database handle for exec_query()
 * @param int    $user_id account id to look up
 * @return string
 */
function get_cron_domain(&$tpl, &$sql, $user_id) {
    $query  = " SELECT `admin_name` FROM `admin` WHERE admin_id = ? ";
    $result = exec_query($sql, $query, array($user_id));
    $adminName = $result->fields['admin_name'];
    return $adminName;
}
/* * * static page messages. * */
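gen_client_mainmenu($tpl, Config::get('CLIENT_TEMPLATE_PATH') . '/main_menu_webtools.tpl');
gen_client_menu($tpl, Config::get('CLIENT_TEMPLATE_PATH') . '/menu_webtools.tpl');

gen_logged_from($tpl);

check_permissions($tpl);

// Allowed script extensions: comma-separated admin setting (e.g.
// ".php,.cgi,.pl"), trimmed with empty entries dropped so a stray trailing
// comma cannot add an empty extension that would match any path.
$file_type = array();
foreach (explode(',', Config::get('CUSTOM_CRON_ALLOWED_EXT')) as $extension) {
    $extension = trim($extension);
    if ($extension !== '') {
        $file_type[] = $extension;
    }
}
$new_value = implode(',', $file_type);

add_cron_job($tpl, $sql, $_SESSION['user_id'], $file_type, $min, $hour, $day_of_month, $month, $day_of_week);

// Pre-fill the form: after a rejected submit keep what the user typed,
// otherwise show an example command under the user's own htdocs.
if (isset($_POST['command_line'])) {
    $example = $_POST['command_line'];
} else {
    $example = 'php ' . Config::get('APACHE_WWW_DIR') . '/' . get_cron_domain($tpl, $sql, $_SESSION['user_id']) . '/htdocs/test.php';
}

// "Active" defaults to yes unless the form posted 0; "run once" defaults to
// no unless the form posted 1.
$active_no   = (isset($_POST['activ']) && $_POST['activ'] == 0) ? 'selected' : '';
$active_yes  = ($active_no === '') ? 'selected' : '';
$runonce_yes = (isset($_POST['runonce']) && $_POST['runonce'] == 1) ? 'selected' : '';
$runonce_no  = ($runonce_yes === '') ? 'selected' : '';
$name        = isset($_POST['name']) ? $_POST['name'] : '';
$description = isset($_POST['description']) ? $_POST['description'] : '';

// NOTE(review): $example, $name and $description are user input echoed back
// into the page. Whether pTemplate escapes assigned values for HTML is not
// visible here; confirm, otherwise escape them with htmlspecialchars() first.
$tpl->assign(
    array(
        'TR_CRON_MANAGER' => tr('Cronjob Manager'),
        'TR_ADD_CRONJOB'  => tr('Add Cronjob'),
        'TR_NAME'         => tr('Name'),
        'TR_DESCRIPTION'  => tr('Description'),
        'TR_ACTIVE'       => tr('Active'),
        'YES'             => tr('Yes'),
        'NO'              => tr('No'),
        'TR_CRONJOB'      => tr('Cronjob'),
        'TR_COMMAND'      => tr('Command to run:'),
        'TR_MIN'          => tr('Minute(s):'),
        'TR_HOUR'         => tr('Hour(s):'),
        'TR_DAY'          => tr('Day(s):'),
        'TR_MONTHS'       => tr('Month(s):'),
        'TR_WEEKDAYS'     => tr('Weekday(s):'),
        'TR_ADD'          => tr('Add'),
        'TR_RESET'        => tr('Reset'),
        'TR_CANCEL'       => tr('Cancel'),
        'EXAMPLE'         => $example,
        // Display text only; the enforced list is CUSTOM_CRON_ALLOWED_CMD.
        'ALLOWED'         => 'php, perl, python',
        'FILETYPE'        => $new_value,
        'ACTIVE_YES'      => $active_yes,
        'ACTIVE_NO'       => $active_no,
        'RUNONCE_YES'     => $runonce_yes,
        'RUNONCE_NO'      => $runonce_no,
        'NAME'            => $name,
        'DESCRIPTION'     => $description,
    )
);

gen_page_message($tpl);

$tpl->parse('PAGE', 'page');
$tpl->prnt();

if (Config::get('DUMP_GUI_DEBUG')) {
    dump_gui_debug();
}

unset_messages();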
?>
client/cronjob_edit.php
PHP Code:
<?php /* * (с) 2009, Russia, Moscow * Serge Obookhoff AKA Hong Lee * www.data-stream.ru && www.veterinars.ru * Last Revision at 01/2009 * Written for ispCP Team (www.isp-control.net) ONLY. * Written using the old, dead blanks VHCS. * All Functions rewritten. * * Notice: If you use this script you have own risks. * */
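// The schedule fields arrive as arrays (multi-select); they are joined into
// comma-separated strings *before* ispcp-lib.php runs its HTML input control
// over $_POST, and the array originals are removed from $_POST afterwards.
// A plain GET of the page carries no POST data, so a missing or non-array
// field becomes '' instead of being handed to implode() (which raises a
// TypeError on current PHP and a warning on old releases).
$min          = (isset($_POST['min']) && is_array($_POST['min'])) ? implode(',', $_POST['min']) : '';
$hour         = (isset($_POST['hour']) && is_array($_POST['hour'])) ? implode(',', $_POST['hour']) : '';
$day_of_month = (isset($_POST['day_of_month']) && is_array($_POST['day_of_month'])) ? implode(',', $_POST['day_of_month']) : '';
$month        = (isset($_POST['month']) && is_array($_POST['month'])) ? implode(',', $_POST['month']) : '';
$day_of_week  = (isset($_POST['day_of_week']) && is_array($_POST['day_of_week'])) ? implode(',', $_POST['day_of_week']) : '';

unset($_POST['month'], $_POST['day_of_week'], $_POST['min'], $_POST['hour'], $_POST['day_of_month']);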
require '../include/ispcp-lib.php';

check_login(__FILE__);

// Template setup: the page layout and the two dynamic sub-blocks it uses.
$tpl = new pTemplate();
$templatePath = Config::get('CLIENT_TEMPLATE_PATH');
$tpl->define_dynamic('page', $templatePath . '/cronjobs_edit.tpl');
$tpl->define_dynamic('page_message', 'page');
$tpl->define_dynamic('logged_from', 'page');

$theme_color = Config::get('USER_INITIAL_THEME');

// Page-wide template variables.
$pageVars = array(
    'TR_CLIENT_CRONJOBS_TITLE' => tr('ispCP - Client/Cronjob Manager'),
    'THEME_COLOR_PATH'         => '../themes/' . $theme_color,
    'THEME_CHARSET'            => tr('encoding'),
    'ISP_LOGO'                 => get_logo($_SESSION['user_id']),
);
$tpl->assign($pageVars);
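// The edit page needs either a job id to display or a submitted form.
if (!isset($_GET['cron_id']) && !isset($_POST['Submit'])) {
    set_page_message(tr('Nothing to do!'));
    user_goto('cronjobs_overview.php');
}

// The id is used in database queries further down, so only a numeric value
// is accepted (matching the is_numeric() test on the update path); anything
// else is treated like a missing id. $cron_id is null when none was given.
$cron_id = null;
if (isset($_GET['cron_id']) && $_GET['cron_id'] !== '') {
    if (!is_numeric($_GET['cron_id'])) {
        set_page_message(tr('Nothing to do!'));
        user_goto('cronjobs_overview.php');
    }
    $cron_id = $_GET['cron_id'];
}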
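/**
 * Validate the submitted "edit cronjob" form and update row $cron_id of
 * `hcrondtab`, restricted to rows whose `domain` is $user_id.
 *
 * Same command-line policy as the add page: the first word must start with an
 * entry of CUSTOM_CRON_ALLOWED_CMD, no CUSTOM_CRON_STOP_WORD entry may occur
 * in the command line, the second word must carry one of the $file_type
 * extensions, exist and be readable, and .cgi/.pl scripts must be executable.
 * The form fields (name, description, command_line, runonce, activ) are read
 * from $_POST explicitly. Every failed check sets a page message and returns
 * without writing; success logs, sets a message and redirects via user_goto().
 *
 * @param object $tpl          page template (unused here; kept for the call site)
 * @param mixed  $sql          database handle for exec_query()
 * @param mixed  $cron_id      id of the row to update (the caller checks is_numeric)
 * @param int    $user_id      owner; the UPDATE only touches rows with `domain` = $user_id
 * @param string $min          cron minute field
 * @param string $hour         cron hour field
 * @param string $day_of_month cron day-of-month field
 * @param string $month        cron month field
 * @param string $day_of_week  cron day-of-week field
 * @param array  $file_type    allowed script extensions, e.g. array('.php', '.pl')
 */
function update_cron_job(&$tpl, &$sql, $cron_id, $user_id, &$min, &$hour, &$day_of_month, &$month, &$day_of_week, &$file_type) {
    // Read only the fields this function needs. The former
    // `foreach ($_POST as $key => $value) { $$key = $value; }` let the request
    // body overwrite any local here, including $cron_id and $user_id.
    $name         = isset($_POST['name']) ? $_POST['name'] : '';
    $description  = isset($_POST['description']) ? $_POST['description'] : '';
    $command_line = isset($_POST['command_line']) ? $_POST['command_line'] : '';
    $runonce      = isset($_POST['runonce']) ? $_POST['runonce'] : null;
    $activ        = isset($_POST['activ']) ? $_POST['activ'] : null;
    // An edited job is stored as never run.
    $lastrun      = 0;

    /* Start (c) Vladimir Sinitsyn aka SenatoR, Russia, Yekaterinburg */
    // "<interpreter> <script> [...]": word 0 is the command, word 1 the script.
    $parts   = explode(' ', $command_line);
    $command = $parts[0];
    $stream  = isset($parts[1]) ? $parts[1] : '';

    // Interpreter check: prefix match against the configured commands. Entries
    // are trimmed and blanks skipped so "php, perl," works and an empty entry
    // cannot act as a wildcard.
    $command_allowed = false;
    foreach (explode(',', Config::get('CUSTOM_CRON_ALLOWED_CMD')) as $allowed_command) {
        $allowed_command = trim($allowed_command);
        if ($allowed_command !== '' && strpos($command, $allowed_command) === 0) {
            $command_allowed = true;
            break;
        }
    }
    if (!$command_allowed) {
        set_page_message(tr('Comand not Allowed!'));
        return;
    }

    // Stop-word check over the whole command line. The previous test,
    // `strpos($stream, $v) == true`, treated a match at offset 0 as "not
    // found" and only looked at the second word.
    foreach (explode(',', Config::get('CUSTOM_CRON_STOP_WORD')) as $stop_word) {
        $stop_word = trim($stop_word);
        if ($stop_word !== '' && strpos($command_line, $stop_word) !== false) {
            set_page_message(tr('Are you a cunning Hacker ?! But I am not only stupid machine!!! I will write delation to Admin!'));
            write_log("WARNING: Perhaps hacking! ". $_SESSION['user_logged'] . ": add Cron Job: " . $name . " with comnd: " . $command_line);
            user_goto('cronjobs_edit.php');
            return;
        }
    }

    // Extension check. Each configured entry is normalised to ".ext" and the
    // script path is cut right after the first occurrence of that extension,
    // so "script.php?x=1" is checked as "script.php".
    $file        = '';
    $matched_ext = '';
    foreach ($file_type as $extension) {
        $extension = '.' . ltrim(trim($extension), '.');
        if ($extension === '.') {
            continue;
        }
        if (strpos($stream, $extension) !== false) {
            $matched_ext = $extension;
            $file = preg_replace('/(' . preg_quote($extension, '/') . ').*/i', '\\1', $stream);
            break;
        }
    }
    if ($matched_ext === '') {
        set_page_message(tr('File type wrong!'));
        return;
    }

    // The script must exist and be readable; cgi/pl scripts must be executable
    // (the old check had the strpos() arguments reversed and never fired).
    if (!file_exists($file)) {
        set_page_message(tr('File not found!'));
        return;
    }
    if (!is_readable($file)) {
        set_page_message(tr('File not readable!'));
        return;
    }
    $ext_lower = strtolower($matched_ext);
    if (($ext_lower === '.cgi' || $ext_lower === '.pl') && !is_executable($file)) {
        set_page_message(tr('Wrong permissions!'));
        return;
    }
    /* End (c) */

    // `domain` is the owner filter gen_cron_job() applies when reading a job;
    // the UPDATE must apply it too, otherwise any logged-in client could
    // overwrite another client's job by posting its id.
    $query = " UPDATE hcrondtab SET name = ?, coment = ?, min = ?, hour = ?, day = ?, mon = ?, dow = ?, cmd = ?, activ = ?, runonce = ?, lastrun = ? WHERE id = ? AND domain = ? ";
    exec_query($sql, $query, array($name, $description, $min, $hour, $day_of_month, $month, $day_of_week, $command_line, $activ, $runonce, $lastrun, $cron_id, $user_id));

    write_log($_SESSION['user_logged'] . ": updeted Cron Job: " . $name);
    set_page_message(tr('Cron Job successfully updated!'));
    user_goto('cronjobs_overview.php');
} // End of update_cron_job();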
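/**
 * Load cron job $cron_id belonging to $user_id and fill the edit form.
 *
 * Redirects to cronjobs_overview.php (and exits) when no such row exists.
 * Both values are passed as bind parameters; previously they were
 * interpolated into the SQL text while $cron_id was passed, unused, as the
 * bind argument.
 *
 * @param object $tpl       page template that receives the form values
 * @param mixed  $sql       database handle for exec_query()
 * @param mixed  $cron_id   id of the job to display
 * @param int    $user_id   owner; only rows with `domain` = $user_id are returned
 * @param string $new_value comma-separated allowed extensions shown as FILETYPE
 */
function gen_cron_job(&$tpl, &$sql, $cron_id, $user_id, &$new_value) {
    $query = " SELECT `id`, `domain`, `name`, `coment`, `min`, `hour`, `day`, `mon`, `dow`, `cmd`, `runonce`,`lastrun`, `activ` FROM `hcrondtab` WHERE domain = ? AND id = ? ";
    $rs = exec_query($sql, $query, array($user_id, $cron_id));

    if ($rs->RecordCount() == 0) {
        set_page_message(tr('No CronJob with this ID!'));
        header('Location: cronjobs_overview.php');
        exit(0);
    }

    // Pre-select the yes/no options from the stored flags.
    $active_yes  = ($rs->fields['activ'] == 1) ? 'selected' : '';
    $active_no   = ($active_yes === '') ? 'selected' : '';
    $runonce_yes = ($rs->fields['runonce'] == 1) ? 'selected' : '';
    $runonce_no  = ($runonce_yes === '') ? 'selected' : '';

    $tpl->assign(
        array(
            'NAME'         => $rs->fields['name'],
            'DESCRIPTION'  => $rs->fields['coment'],
            'COMMAND_LINE' => $rs->fields['cmd'],
            'ACTIVE'       => $rs->fields['activ'],
            'ACTIVE_YES'   => $active_yes,
            'ACTIVE_NO'    => $active_no,
            'ID'           => $rs->fields['id'],
            // Display text only; the enforced list is CUSTOM_CRON_ALLOWED_CMD.
            'ALLOWED'      => 'php, perl, python',
            'FILETYPE'     => $new_value,
            'RUNONCE_YES'  => $runonce_yes,
            'RUNONCE_NO'   => $runonce_no,
        )
    );
} // End of gen_cron_job();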
/* * * static page messages. * */
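gen_client_mainmenu($tpl, Config::get('CLIENT_TEMPLATE_PATH') . '/main_menu_webtools.tpl');
gen_client_menu($tpl, Config::get('CLIENT_TEMPLATE_PATH') . '/menu_webtools.tpl');

gen_logged_from($tpl);

check_permissions($tpl);

// Allowed script extensions: comma-separated admin setting (e.g.
// ".php,.cgi,.pl"), trimmed with empty entries dropped so a stray trailing
// comma cannot add an empty extension that would match any path.
$file_type = array();
foreach (explode(',', Config::get('CUSTOM_CRON_ALLOWED_EXT')) as $extension) {
    $extension = trim($extension);
    if ($extension !== '') {
        $file_type[] = $extension;
    }
}
$new_value = implode(',', $file_type);

if (isset($_GET['cron_id']) && is_numeric($_GET['cron_id']) && isset($_POST['Submit'])) {
    update_cron_job($tpl, $sql, $_GET['cron_id'], $_SESSION['user_id'], $min, $hour, $day_of_month, $month, $day_of_week, $file_type);
}

// Reaching this point means nothing was updated (a successful update leaves
// through user_goto(), which is assumed to end the request; confirm). The
// form is only rendered for a numeric job id.
if (!isset($cron_id) || !is_numeric($cron_id)) {
    set_page_message(tr('Nothing to do!'));
    user_goto('cronjobs_overview.php');
}
gen_cron_job($tpl, $sql, $cron_id, $_SESSION['user_id'], $new_value);

$tpl->assign(
    array(
        'TR_CRON_MANAGER' => tr('Cronjob Manager'),
        'TR_EDIT_CRONJOB' => tr('Edit Cronjob'),
        'TR_NAME'         => tr('Name'),
        'TR_DESCRIPTION'  => tr('Description'),
        'TR_ACTIVE'       => tr('Active'),
        'YES'             => tr('Yes'),
        'NO'              => tr('No'),
        'TR_CRONJOB'      => tr('Cronjob'),
        'TR_COMMAND'      => tr('Command to run:'),
        'TR_MIN'          => tr('Minute(s):'),
        'TR_HOUR'         => tr('Hour(s):'),
        'TR_DAY'          => tr('Day(s):'),
        'TR_MONTHS'       => tr('Month(s):'),
        'TR_WEEKDAYS'     => tr('Weekday(s):'),
        'TR_UPDATE'       => tr('Update'),
        'TR_CANCEL'       => tr('Cancel'),
    )
);

gen_page_message($tpl);

$tpl->parse('PAGE', 'page');
$tpl->prnt();

if (Config::get('DUMP_GUI_DEBUG')) {
    dump_gui_debug();
}

unset_messages();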
?>
Вуаля!
Если кто-то что-то не понял или у кого-то что-то не работает, курим бамбук и ждём, пока я всё это соберу в новый пакет.