1: | <?php |
2: | declare(strict_types=1); |
3: | |
4: | |
5: | |
6: | |
7: | |
8: | |
9: | |
10: | |
11: | |
12: | |
13: | |
14: | |
15: | use Opcenter\Filesystem\Quota; |
16: | use Opcenter\Role\User; |
17: | |
18: | |
19: | |
20: | |
21: | |
22: | |
23: | class User_Module extends Module_Skeleton implements \Module\Skeleton\Contracts\Hookable |
24: | { |
25: | const DEPENDENCY_MAP = [ |
26: | 'siteinfo', |
27: | |
28: | 'apache' |
29: | ]; |
30: | const MIN_UID = USER_MIN_UID; |
31: | |
32: | |
33: | const VIRT_MIN_UID = 20000; |
34: | |
35: | |
36: | public const USER_MAXLEN = 32; |
37: | |
38: | |
39: | |
40: | |
41: | |
42: | |
43: | protected $uid_mappings = array(); |
44: | |
45: | protected $exportedFunctions = [ |
46: | '*' => PRIVILEGE_SITE, |
47: | 'flush' => PRIVILEGE_SITE | PRIVILEGE_USER, |
48: | 'get_user_home' => PRIVILEGE_ALL, |
49: | 'get_home' => PRIVILEGE_ALL, |
50: | 'get_users' => PRIVILEGE_SITE | PRIVILEGE_USER, |
51: | 'change_gecos' => PRIVILEGE_SITE | PRIVILEGE_USER, |
52: | 'get_uid_from_username' => PRIVILEGE_SITE | PRIVILEGE_USER, |
53: | 'get_username_from_uid' => PRIVILEGE_ALL, |
54: | 'exists' => PRIVILEGE_SITE | PRIVILEGE_USER, |
55: | 'get_quota' => PRIVILEGE_SITE | PRIVILEGE_USER, |
56: | 'getpwnam' => PRIVILEGE_SITE | PRIVILEGE_USER, |
57: | 'resolve_uid' => PRIVILEGE_ADMIN |
58: | ]; |
59: | |
60: | |
61: | |
62: | |
63: | |
64: | |
65: | |
66: | |
67: | |
68: | |
69: | |
70: | public function change_quota($user, $diskquota, $filequota = 0) |
71: | { |
72: | if (!IS_CLI) { |
73: | return $this->query('user_change_quota', $user, $diskquota, $filequota); |
74: | } |
75: | if ($user == $this->getServiceValue('siteinfo', 'admin_user')) { |
76: | return error('cannot set quota for administrator'); |
77: | } |
78: | |
79: | if (!$this->exists($user)) { |
80: | return false; |
81: | } |
82: | if (floatval($diskquota) != $diskquota || $diskquota < 0) { |
83: | return error($diskquota . ': invalid disk quota'); |
84: | } |
85: | $limit = $this->site_get_account_quota()['qhard'] ?? PHP_INT_MAX; |
86: | if ($diskquota > $limit) { |
87: | warn('%d: quota exceeds site limit (%d), defaulting to unlimited', $diskquota, $limit); |
88: | $diskquota = 0; |
89: | } |
90: | |
91: | if ((int)$filequota != $filequota || $filequota < 0) { |
92: | return error($filequota . ': invalid file quota'); |
93: | } |
94: | |
95: | return Quota::setUser( |
96: | $this->get_uid_from_username($user), |
97: | (int)round($diskquota * 1024), |
98: | $filequota, |
99: | max(0, (int)round($diskquota * 1024) - 16), |
100: | $filequota |
101: | ); |
102: | } |
103: | |
104: | |
105: | |
106: | |
107: | |
108: | |
109: | |
110: | |
111: | |
112: | public function exists($user) |
113: | { |
114: | return $this->get_uid_from_username($user) !== false; |
115: | } |
116: | |
117: | public function get_uid_from_username($username) |
118: | { |
119: | $user = $this->getpwnam($username); |
120: | if (!$user) { |
121: | return false; |
122: | } |
123: | |
124: | return $user['uid']; |
125: | } |
126: | |
127: | |
128: | |
129: | |
130: | |
131: | |
132: | |
133: | |
134: | |
135: | |
136: | |
137: | |
138: | |
139: | |
140: | public function getpwnam($user = null) |
141: | { |
142: | if (!$user) { |
143: | $user = $this->username; |
144: | } |
145: | $virtpwnam = $this->domain_fs_path() . '/etc/passwd'; |
146: | $cache = Cache_Account::spawn($this->getAuthContext()); |
147: | if (!IS_CLI) { |
148: | $gen = $cache->hGet('users', 'gen'); |
149: | if ($gen === filemtime($virtpwnam)) { |
150: | $users = $cache->hGet('users', 'pwd'); |
151: | if ($users && isset($users[$user])) { |
152: | return $users[$user]; |
153: | } |
154: | } |
155: | |
156: | return $this->query('user_getpwnam', $user); |
157: | } |
158: | $pwd = User::bindTo($this->domain_fs_path())->getpwnam(null); |
159: | $cache = Cache_Account::spawn($this->getAuthContext()); |
160: | $cache->hMSet('users', |
161: | array( |
162: | 'gen' => filemtime($virtpwnam), |
163: | 'pwd' => $pwd, |
164: | ) |
165: | ); |
166: | $cache->expire('users', 7200); |
167: | |
168: | return array_get($pwd, $user, []); |
169: | } |
170: | |
171: | |
172: | |
173: | |
174: | |
175: | |
176: | |
177: | |
178: | |
179: | |
180: | |
181: | |
182: | public function add_user($user, $password, $gecos = '', $quota = 0, array $options = []) |
183: | { |
184: | deprecated_func('use user_add'); |
185: | return $this->add($user, $password, $gecos, $quota, $options); |
186: | } |
187: | |
188: | |
189: | |
190: | |
191: | |
192: | |
193: | |
194: | |
195: | |
196: | |
197: | |
198: | |
199: | |
200: | |
201: | |
202: | |
203: | |
204: | |
205: | |
206: | |
207: | |
208: | public function add($user, $password, $gecos = '', $quota = 0, array $options = array()) |
209: | { |
210: | if (!IS_CLI) { |
211: | if (!IS_SOAP && $user == 'test') { |
212: | return error('insecure, commonly-exploited username'); |
213: | } |
214: | |
215: | return $this->query('user_add', $user, $password, $gecos, $quota, $options); |
216: | } |
217: | if (null !== ($max = $this->getServiceValue('users', 'max'))) { |
218: | |
219: | if (\count($this->get_users()) > $max) { |
220: | return error('User limit %d reached', $max); |
221: | } |
222: | } |
223: | |
224: | $userorig = $user; |
225: | $user = strtolower((string)$user); |
226: | if ($user !== $userorig) { |
227: | warn("user `$user' converted to lowercase"); |
228: | } |
229: | if (!$user) { |
230: | return error('no username specified)'); |
231: | } |
232: | if (!preg_match(Regex::USERNAME, $user)) { |
233: | return error("invalid user `%s'", $user); |
234: | } |
235: | if (strlen($user) > self::USER_MAXLEN) { |
236: | return error('user max length %d', self::USER_MAXLEN); |
237: | } |
238: | |
239: | if (!$this->auth_password_permitted($password, $user)) { |
240: | return error('weak password disallowed'); |
241: | } |
242: | $units = $this->getServiceValue('diskquota', 'units'); |
243: | $quotamax = Formatter::changeBytes($this->getServiceValue('diskquota', 'quota'), 'MB', $units); |
244: | if (!isset($options['password']) || $options['password'] != 'crypted') { |
245: | $password = $this->auth_crypt($password); |
246: | } |
247: | if ($quota != (float)$quota || $quota < 0) { |
248: | return error( |
249: | "disk quota `%(quota)s' outside of range (min: 0, max: %(max)d %(unit)s)", |
250: | ['quota' => $quota, 'max' => $quotamax, 'unit' => $units] |
251: | ); |
252: | } else if ($quota > $quotamax) { |
253: | warn('quota %.1f exceeds limit %.1f: defaulting to %.1f', |
254: | $quota, $quotamax, $quotamax); |
255: | $quota = $quotamax; |
256: | } |
257: | $users = $this->get_users(); |
258: | if (isset($users[$user])) { |
259: | return error('username %s exists', $user); |
260: | } |
261: | |
262: | $smtp_enable = $this->email_enabled('smtp') && isset($options['smtp']) && $options['smtp'] != 0; |
263: | $imap_enable = $this->email_enabled('imap') && isset($options['imap']) && $options['imap'] != 0; |
264: | $ftp_enable = isset($options['ftp']) && $options['ftp'] != 0; |
265: | $cp_enable = isset($options['cp']) && $options['cp'] != 0; |
266: | $dav_enable = isset($options['dav']) && $options['dav'] != 0; |
267: | $ssh_enable = $this->getServiceValue('ssh', |
268: | 'enabled') && isset($options['smtp'], $options['ssh']) && $options['ssh'] != 0; |
269: | |
270: | if ($this->auth_is_demo()) { |
271: | $blacklist = ['imap', 'smtp', 'dav', 'ssh', 'ftp']; |
272: | foreach ($blacklist as $svc) { |
273: | $var = $svc . '_enable'; |
274: | if ($$var) { |
275: | warn('%s access disabled in demo mode', strtoupper($svc)); |
276: | $$var = false; |
277: | } |
278: | } |
279: | } |
280: | |
281: | if (!$ftp_enable) { |
282: | info('FTP service not enabled. User will not be permitted FTP access'); |
283: | } |
284: | if (!$smtp_enable && $imap_enable) { |
285: | info('SMTP service not enabled. User will be able to receive mail, but not send'); |
286: | } else if ($smtp_enable && !$imap_enable) { |
287: | info('IMAP service not enabled. User will be able to send mail, but not receive'); |
288: | } else if ($this->email_configured() && !$smtp_enable && !$imap_enable) { |
289: | info('Email not enabled for user'); |
290: | } |
291: | $shell = $options['shell'] ?? '/bin/bash'; |
292: | if (!in_array($shell, $this->get_shells(), true)) { |
293: | return error("Unknown shell `%s'", $shell); |
294: | } |
295: | $instance = User::bindTo($this->domain_fs_path()); |
296: | $uid = $instance->captureUid($this->site_id); |
297: | $ret = $instance->create($user, [ |
298: | 'cpasswd' => $password, |
299: | 'gid' => $this->group_id, |
300: | 'gecos' => $gecos, |
301: | 'uid' => $uid, |
302: | 'shell' => $shell |
303: | ]); |
304: | if (!$ret) { |
305: | $instance->releaseUid($uid, $this->site_id); |
306: | |
307: | return false; |
308: | } |
309: | |
310: | (new \Opcenter\Database\PostgreSQL\Opcenter(\PostgreSQL::pdo()))->createUser( |
311: | $this->site_id, |
312: | $uid, |
313: | $user |
314: | ); |
315: | |
316: | $this->flush(); |
317: | |
318: | if ($quota) { |
319: | $this->user_change_quota($user, $quota); |
320: | } |
321: | if ($this->ssh_enabled() && $this->ssh_user_enabled($user)) { |
322: | $this->ssh_permit_user($user); |
323: | } |
324: | |
325: | if ($ftp_enable) { |
326: | $this->ftp_permit_user($user); |
327: | } |
328: | |
329: | if ($imap_enable) { |
330: | $this->email_permit_user($user, 'imap'); |
331: | } |
332: | |
333: | if ($smtp_enable) { |
334: | $this->email_permit_user($user, 'smtp'); |
335: | } |
336: | |
337: | if ($cp_enable) { |
338: | $this->auth_permit_user($user, 'cp'); |
339: | } |
340: | |
341: | if ($dav_enable) { |
342: | $this->auth_permit_user($user, 'dav'); |
343: | } |
344: | |
345: | if (!$this->exists($user)) { |
346: | return false; |
347: | } |
348: | |
349: | Util_Account_Hooks::instantiateContexted($this->getAuthContext())->run('create_user', [$user]); |
350: | |
351: | |
352: | return true; |
353: | } |
354: | |
355: | |
356: | |
357: | |
358: | |
359: | |
360: | |
361: | |
362: | |
363: | |
364: | |
365: | |
366: | |
367: | |
368: | |
369: | public function get_users() |
370: | { |
371: | if (!IS_CLI) { |
372: | $cache = Cache_Account::spawn($this->getAuthContext()); |
373: | |
374: | $gen = $cache->hGet('users', 'gen'); |
375: | $mtime = filemtime($this->domain_fs_path() . '/etc/passwd'); |
376: | if ($gen == $mtime) { |
377: | $users = $cache->hGet('users', 'list'); |
378: | if (!empty($users)) { |
379: | return $users; |
380: | } |
381: | } |
382: | |
383: | return $this->query('user_get_users'); |
384: | } |
385: | $fp = fopen($this->domain_fs_path('/etc/shadow'), 'r'); |
386: | flock($fp, LOCK_SH); |
387: | $mtime = filemtime($this->domain_fs_path('/etc/passwd')); |
388: | if (!$fp) { |
389: | return error($this->domain . ': unable to open /etc/shadow'); |
390: | } |
391: | $users = array(); |
392: | while (($line = fgets($fp)) !== false) { |
393: | if (!preg_match(Regex::SHADOW_PHY_ENTRY, $line)) { |
394: | continue; |
395: | } |
396: | $line = explode(':', $line); |
397: | if ($line[1] !== '!!' && $line[1] !== '') { |
398: | $users[$line[0]] = $this->getpwnam($line[0]); |
399: | } |
400: | } |
401: | flock($fp, LOCK_UN); |
402: | fclose($fp); |
403: | ksort($users); |
404: | $cache = Cache_Account::spawn($this->getAuthContext()); |
405: | $cache->hMSet('users', [ |
406: | 'gen' => $mtime, |
407: | 'list' => $users |
408: | ]); |
409: | $cache->expire('users', 7200); |
410: | |
411: | return $users; |
412: | } |
413: | |
414: | |
415: | |
416: | |
417: | |
418: | |
419: | |
420: | |
421: | public function get_shells(): array |
422: | { |
423: | return array_values(array_unique(file($this->domain_fs_path('/etc/shells'), |
424: | FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) + [999 => '/bin/false', '/sbin/nologin'])); |
425: | } |
426: | |
427: | |
428: | |
429: | |
430: | |
431: | |
432: | public function flush() |
433: | { |
434: | $cache = Cache_Account::spawn($this->getAuthContext()); |
435: | $cache->del('users'); |
436: | $this->uid_mappings[$this->site_id] = []; |
437: | |
438: | return true; |
439: | } |
440: | |
441: | public function get_user_home($user = null) |
442: | { |
443: | return $this->get_home($user); |
444: | } |
445: | |
446: | public function get_home($user = null) |
447: | { |
448: | if (!$user) { |
449: | $user = $this->username; |
450: | } |
451: | |
452: | $pwnam = $this->getpwnam($user); |
453: | |
454: | return !$pwnam ? false : $pwnam['home']; |
455: | } |
456: | |
457: | public function get_user_count(): array |
458: | { |
459: | $users = $this->get_users(); |
460: | |
461: | return array( |
462: | 'users' => \count($users), |
463: | |
464: | 'max' => $this->getServiceValue('users', 'max', $this->getServiceValue('users', 'maxusers')) |
465: | ); |
466: | } |
467: | |
468: | |
469: | |
470: | |
471: | |
472: | |
473: | |
474: | |
475: | public function rename_user($user, $newuser) |
476: | { |
477: | if (!IS_CLI) { |
478: | return $this->query('user_rename_user', $user, $newuser); |
479: | } |
480: | |
481: | $user = strtolower($user); |
482: | $newuser = strtolower($newuser); |
483: | |
484: | $this->flush(); |
485: | $admin = $this->getServiceValue('siteinfo', 'admin_user'); |
486: | if (!$this->exists($user)) { |
487: | return error("invalid user specified `%s'", $user); |
488: | } else if ($this->exists($newuser)) { |
489: | return error("target user `%s' already exists", $newuser); |
490: | } else if (!preg_match(Regex::USERNAME, $newuser)) { |
491: | return error('invalid target user `%s', $newuser); |
492: | } else if ($user === $admin) { |
493: | return error('use auth_change_username to change primary user'); |
494: | } else if (strlen($newuser) > static::USER_MAXLEN) { |
495: | return error('user max length %d', static::USER_MAXLEN); |
496: | } |
497: | |
498: | $pwd = $this->getpwnam($user); |
499: | |
500: | $newhome = preg_replace('!' . DIRECTORY_SEPARATOR . $user . '!', |
501: | DIRECTORY_SEPARATOR . $newuser, |
502: | $pwd['home'], |
503: | 1 |
504: | ); |
505: | $prefix = $this->domain_fs_path(); |
506: | if (file_exists($prefix . $newhome)) { |
507: | return error("proposed home directory `%s' already exists", $newhome); |
508: | } |
509: | \Opcenter\Process::killUser($pwd['uid']); |
510: | if (!$this->usermod_driver($user, |
511: | array( |
512: | 'username' => $newuser, |
513: | 'home' => $newhome, |
514: | 'move_home' => true |
515: | ) |
516: | )) { |
517: | return false; |
518: | } |
519: | |
520: | |
521: | (new \Opcenter\Database\PostgreSQL\Opcenter(\PostgreSQL::pdo()))->renameUser( |
522: | $pwd['uid'], |
523: | $newuser, |
524: | $this->site_id |
525: | ); |
526: | return true; |
527: | } |
528: | |
529: | |
530: | |
531: | |
532: | |
533: | |
534: | |
535: | |
536: | |
537: | |
538: | |
539: | |
540: | |
541: | |
542: | |
543: | |
544: | |
545: | |
546: | |
547: | |
548: | |
549: | public function usermod_driver(string $user, array $attributes): bool |
550: | { |
551: | if (!IS_CLI) { |
552: | return $this->query('user_usermod_driver', $user, $attributes); |
553: | } |
554: | |
555: | if (!$this->exists($user)) { |
556: | return error($user . ': user does not exist'); |
557: | } |
558: | if (isset($attributes['shell']) && !in_array($attributes['shell'], $this->get_shells(), true)) { |
559: | return error("Unknown/invalid shell `%s'", $attributes['shell']); |
560: | } |
561: | |
562: | $newuser = array_get($attributes, 'username'); |
563: | $oldpwd = $this->getpwnam($user); |
564: | if (!User::bindTo($this->domain_fs_path())->change($user, $attributes)) { |
565: | return false; |
566: | } |
567: | |
568: | |
569: | if ($newuser && $newuser !== $user) { |
570: | |
571: | |
572: | |
573: | |
574: | $this->flush(); |
575: | |
576: | if (!Util_Account_Hooks::instantiateContexted($this->getAuthContext())->run('edit_user', [$user, $newuser, $oldpwd])) { |
577: | return error('unable to fully rename user, hook failed'); |
578: | } |
579: | |
580: | $userpath = $this->domain_info_path() . '/users/'; |
581: | if (file_exists($userpath . '/' . $user)) { |
582: | rename($userpath . '/' . $user, $userpath . '/' . $newuser); |
583: | } |
584: | |
585: | |
586: | |
587: | } |
588: | |
589: | return true; |
590: | } |
591: | |
592: | |
593: | |
594: | |
595: | |
596: | |
597: | |
598: | |
599: | |
600: | public function get_quota_history(string $mUser, int $mBegin = 0, int $mEnd = null) |
601: | { |
602: | $key = 'q.' . base64_encode(pack('LLa*', $mBegin, $mEnd, $mUser)); |
603: | $cache = Cache_Account::spawn($this->getAuthContext()); |
604: | $data = $cache->get($key); |
605: | if ($data) { |
606: | return \Util_PHP::unserialize(gzinflate($data)); |
607: | } |
608: | $quotas = array(); |
609: | if (is_null($mEnd)) { |
610: | $mEnd = time(); |
611: | } |
612: | if (!is_int($mBegin) || !is_int($mEnd)) { |
613: | return error('Invalid start, end range'); |
614: | } |
615: | if ($mBegin < 1) { |
616: | $mBegin = 0; |
617: | } |
618: | $uids = $this->user_get_users(); |
619: | |
620: | if (!isset($uids[$mUser])) { |
621: | return error('Invalid user'); |
622: | } |
623: | $uid = $this->get_uid_from_username($mUser); |
624: | $db = PostgreSQL::initialize(); |
625: | $db->query('SELECT |
626: | EXTRACT(epoch FROM ts::TIMESTAMPTZ(0)) as ts, |
627: | quota |
628: | FROM |
629: | storage_log |
630: | WHERE |
631: | uid = ' . $uid . ' |
632: | AND |
633: | ts >= TO_TIMESTAMP(' . $mBegin . ') |
634: | AND |
635: | ts < TO_TIMESTAMP(' . $mEnd . ') ORDER BY ts'); |
636: | while ($row = $db->fetch_object()) { |
637: | $quotas[] = array('ts' => (int)$row->ts, 'quota' => (int)$row->quota); |
638: | } |
639: | $cache->set($key, gzdeflate(serialize($quotas)), 43200); |
640: | |
641: | return $quotas; |
642: | } |
643: | |
644: | |
645: | |
646: | |
647: | |
648: | |
649: | |
650: | |
651: | |
652: | |
653: | |
654: | |
655: | |
656: | |
657: | |
658: | |
659: | |
660: | |
661: | |
662: | public function get_quota($users = null) |
663: | { |
664: | if (!IS_CLI) { |
665: | return $this->query('user_get_quota', $users); |
666: | } |
667: | $formatArray = \is_array($users); |
668: | if (!$users || ($this->permission_level & PRIVILEGE_USER)) { |
669: | $users = array($this->username); |
670: | } else if (!is_array($users)) { |
671: | $users = array($users); |
672: | } |
673: | $webuser = $this->web_get_sys_user(); |
674: | $do_apache = $this->permission_level & PRIVILEGE_SITE && |
675: | in_array($webuser, $users, true); |
676: | |
677: | $quota_sum = array('qused' => 0, 'fused' => 0); |
678: | $uids = array(); |
679: | foreach ($users as $key => $user) { |
680: | if ($do_apache && $user === $webuser) { |
681: | continue; |
682: | } |
683: | if (!($uid = $this->get_uid_from_username($user))) { |
684: | warn($user . ': user does not exist'); |
685: | unset($users[$key]); |
686: | } |
687: | $uids[$uid] = $user; |
688: | } |
689: | |
690: | $quotas = Quota::getUser(array_keys($uids)); |
691: | |
692: | $quota_stat = []; |
693: | $max = $this->getServiceValue('diskquota', 'enabled') ? |
694: | Quota::getGroup($this->group_id)['qhard'] : 0; |
695: | |
696: | $hasFileLimit = null; |
697: | if (platform_is('7.5')) { |
698: | $hasFileLimit = $this->getServiceValue('diskquota', 'fquota', null); |
699: | } |
700: | foreach ($quotas as $uid => $quota) { |
701: | if (!isset($uids[$uid])) { |
702: | warn("Unrecognized UID detected `%d' - continuing", $uid); |
703: | continue; |
704: | } |
705: | if ($quota['qhard'] === 0) { |
706: | $quota['qhard'] = $max; |
707: | } |
708: | if ($hasFileLimit && $quota['fhard'] === 0) { |
709: | $quota['fhard'] = $hasFileLimit; |
710: | } |
711: | |
712: | $user = $uids[$uid]; |
713: | $quota_stat[$user] = $quota; |
714: | |
715: | if ($do_apache) { |
716: | $quota_sum['qused'] += $quota['qused']; |
717: | $quota_sum['fused'] += $quota['fused']; |
718: | } |
719: | } |
720: | if ($do_apache) { |
721: | $grp = $this->site_get_account_quota(); |
722: | $mysql_qquota = 0; |
723: | $tmpq = Util_Process::exec('du -s %s%s', |
724: | $this->domain_fs_path(), |
725: | \Mysql_Module::MYSQL_DATADIR |
726: | ); |
727: | |
728: | if ($tmpq['success']) { |
729: | $tmp = explode(' ', $tmpq['output']); |
730: | $mysql_qquota = (int)array_shift($tmp); |
731: | } |
732: | |
733: | $ap_qquota = max(-1, $grp['qused'] - $quota_sum['qused'] - $mysql_qquota); |
734: | $ap_fquota = max(-1, $grp['qused'] - $quota_sum['qused']); |
735: | $quota_stat[$webuser] = array( |
736: | 'qused' => $ap_qquota, |
737: | 'qsoft' => $grp['qsoft'], |
738: | 'qhard' => $grp['qhard'], |
739: | 'fused' => $ap_fquota, |
740: | 'fsoft' => $grp['fsoft'], |
741: | 'fhard' => $grp['fsoft'] |
742: | ); |
743: | } |
744: | |
745: | return $formatArray ? $quota_stat : array_pop($quota_stat); |
746: | } |
747: | |
748: | |
749: | |
750: | |
751: | |
752: | |
753: | |
754: | |
755: | |
756: | |
757: | |
758: | |
759: | |
760: | |
761: | |
762: | public function change_gecos($user, $gecos = null) |
763: | { |
764: | if (!IS_CLI) { |
765: | return $this->query('user_change_gecos', $user, $gecos); |
766: | } |
767: | if ($this->permission_level & PRIVILEGE_USER || !$gecos) { |
768: | $gecos = $user; |
769: | $user = $this->username; |
770: | } |
771: | |
772: | return $this->usermod_driver($user, array('gecos' => $gecos)); |
773: | } |
774: | |
775: | |
776: | |
777: | |
778: | |
779: | public function get_username_from_uid($uid) |
780: | { |
781: | if ($this->permission_level & PRIVILEGE_ADMIN) { |
782: | return posix_getpwuid($uid)['name'] ?? $uid; |
783: | } |
784: | $site = $this->site_id; |
785: | if (!isset($this->uid_mappings[$site])) { |
786: | $this->uid_mappings[$site] = array(); |
787: | } else { |
788: | if (isset($this->uid_mappings[$site][$uid])) { |
789: | return $this->uid_mappings[$site][$uid]; |
790: | } |
791: | } |
792: | if (!($fp = fopen($this->domain_fs_path() . '/etc/passwd', 'r'))) { |
793: | return error('/etc/passwd: cannot access file'); |
794: | } |
795: | while (false !== ($line = fgets($fp))) { |
796: | $line = explode(':', $line); |
797: | if (!isset($line[2]) || !is_numeric($line[2]) || isset($this->uid_mappings[$site][$line[2]])) { |
798: | continue; |
799: | } |
800: | $this->uid_mappings[$site][$line[2]] = $line[0]; |
801: | } |
802: | fclose($fp); |
803: | if (!isset($this->uid_mappings[$site][$uid])) { |
804: | return false; |
805: | } |
806: | |
807: | return $this->uid_mappings[$site][$uid]; |
808: | } |
809: | |
810: | |
811: | |
812: | |
813: | |
814: | |
815: | |
816: | public function resolve_uid(int $uid): array |
817: | { |
818: | $db = PostgreSQL::pdo(); |
819: | $query = Opcenter\Database\PostgreSQL::vendor()->userTupleFromUid($uid); |
820: | $rs = $db->query($query); |
821: | if (!$rs || !$rs->rowCount()) { |
822: | return []; |
823: | } |
824: | |
825: | return $rs->fetch(\PDO::FETCH_NUM); |
826: | } |
827: | |
828: | |
829: | |
830: | |
831: | |
832: | |
833: | |
834: | |
835: | |
836: | |
837: | |
838: | |
839: | |
840: | public function generate_quota_list( |
841: | string $user = '', |
842: | string $base = '/{home,usr/local,var/www,var/lib,var/log,tmp}', |
843: | bool $sort = true |
844: | ) { |
845: | if (!IS_CLI) { |
846: | return $this->query('user_generate_quota_list', $user, $base, $sort); |
847: | } |
848: | $file = 'filelist-' . PANEL_BRAND . '.txt'; |
849: | if (!$user) { |
850: | $user_args = ''; |
851: | } else if (!$this->exists($user)) { |
852: | return error('%s: does not exist', $user); |
853: | } else { |
854: | $user_args = '-user ' . $user; |
855: | } |
856: | |
857: | if (false !== ($pos = strpos($base, '{')) && false !== ($end = strpos($base, '}'))) { |
858: | $tmp = substr($base, 0, ++$pos); |
859: | $tmp .= escapeshellarg(substr($base, $pos, $end - $pos)); |
860: | $tmp .= substr($base, $end); |
861: | $base = $tmp; |
862: | } else { |
863: | $base = escapeshellarg($base); |
864: | } |
865: | $chroot_cmd = sprintf('find %s -type f -group %s %s -printf "%s"', |
866: | $base, |
867: | $this->group_id, |
868: | $user_args, |
869: | '%10k\t%16s\t%-16u\t%p\r\n' |
870: | ); |
871: | if ($sort) { |
872: | $chroot_cmd .= ' | sort -nr'; |
873: | } |
874: | |
875: | $proc = new Util_Process_Chroot($this->domain_fs_path()); |
876: | $file = tempnam($this->domain_fs_path() . sys_get_temp_dir(), 'flapns'); |
877: | $fp = fopen($file, 'wb'); |
878: | |
879: | $proc->addCallback(function () use ($file, $fp) { |
880: | fclose($fp); |
881: | Opcenter\Filesystem::chogp($file, APNSCP_USER, APNSCP_USER, 0660); |
882: | }, 'close'); |
883: | $proc->addCallback(static function ($output) use ($fp, $file) { |
884: | fwrite($fp, $output); |
885: | }, 'read'); |
886: | |
887: | $ret = $proc->run( |
888: | '/bin/sh -c \'printf %s ; %s\'', |
889: | '"%10s\t%16s\t%-16s\t%s\r\n" "szquota (KB)" "szdisk (B)" username path', |
890: | $chroot_cmd |
891: | ); |
892: | if (!$ret['success']) { |
893: | return false; |
894: | } |
895: | |
896: | return basename($file); |
897: | } |
898: | |
899: | |
900: | |
901: | |
902: | |
903: | |
904: | |
905: | public function sgroupdel($group) |
906: | { |
907: | if (!preg_match(Regex::GROUPNAME, $group)) { |
908: | return error("invalid group `%s'", $group); |
909: | } |
910: | |
911: | if ($group === $this->username) { |
912: | return error("cannot remove base group name `%s'", $this->username); |
913: | } |
914: | $groups = $this->sgroups(); |
915: | if (!in_array($group, $groups)) { |
916: | return error("cannot remove non-existent group `%s'", $group); |
917: | } |
918: | |
919: | $file = $this->domain_fs_path() . '/etc/group'; |
920: | $fp = fopen($file, 'r+'); |
921: | flock($fp, LOCK_EX); |
922: | $lines = array(); |
923: | while (false !== ($line = fgets($fp))) { |
924: | list($group_name, $password, $gid, $user_list) = |
925: | explode(':', $line); |
926: | if ($group_name === $group) { |
927: | continue; |
928: | } |
929: | $lines[] = $line; |
930: | } |
931: | ftruncate($fp, 0); |
932: | rewind($fp); |
933: | $lines = implode('', $lines); |
934: | fwrite($fp, $lines); |
935: | flock($fp, LOCK_UN); |
936: | fclose($fp); |
937: | |
938: | return true; |
939: | } |
940: | |
941: | |
942: | |
943: | |
944: | |
945: | |
946: | public function sgroups() |
947: | { |
948: | $groups = array(); |
949: | $file = $this->domain_fs_path() . '/etc/group'; |
950: | $fp = fopen($file, 'r'); |
951: | while (false !== ($line = fgets($fp))) { |
952: | list($group_name, $password, $gid, $user_list) = |
953: | explode(':', $line); |
954: | if ($gid != $this->group_id) { |
955: | continue; |
956: | } |
957: | $groups[] = $group_name; |
958: | } |
959: | |
960: | return $groups; |
961: | } |
962: | |
963: | |
964: | |
965: | |
966: | |
967: | |
968: | |
969: | public function sgroupadd(string $group): bool |
970: | { |
971: | if (!preg_match(Regex::GROUPNAME, $group)) { |
972: | return error("invalid group `%s'", $group); |
973: | } |
974: | |
975: | $groups = $this->sgroups(); |
976: | if (in_array($group, $groups)) { |
977: | return error("duplicate group `%s'", $group); |
978: | } |
979: | |
980: | |
981: | return (new \Opcenter\Role\Group($this->domain_fs_path()))->create($group, [ |
982: | 'force' => true, |
983: | 'duplicate' => true, |
984: | 'gid' => $this->group_id |
985: | ]); |
986: | } |
987: | |
988: | public function _verify_conf(\Opcenter\Service\ConfigurationContext $ctx): bool |
989: | { |
990: | return true; |
991: | } |
992: | |
993: | public function _create() |
994: | { |
995: | } |
996: | |
997: | public function _delete() |
998: | { |
999: | $this->deleteUserPreferences($this->getAuthContext()); |
1000: | } |
1001: | |
1002: | public function _delete_user(string $user) |
1003: | { |
1004: | $pam = new Util_Pam($this->getAuthContext()); |
1005: | foreach ($this->enrollment($user) as $svc) { |
1006: | $pam->remove($user, $svc); |
1007: | } |
1008: | $this->erase_quota_history($user); |
1009: | } |
1010: | |
1011: | |
1012: | |
1013: | |
1014: | |
1015: | |
1016: | |
1017: | public function enrollment(string $user) |
1018: | { |
1019: | if (!$this->exists($user) || $this->get_uid_from_username($user) < self::MIN_UID) { |
1020: | return error("unknown or system user `%s'", $user); |
1021: | } |
1022: | $pam = new Util_Pam($this->getAuthContext()); |
1023: | |
1024: | return $pam->enrolled($user); |
1025: | } |
1026: | |
1027: | |
1028: | |
1029: | |
1030: | |
1031: | |
1032: | |
1033: | |
1034: | public function erase_quota_history($user, $until = -1) |
1035: | { |
1036: | if (!$this->exists($user)) { |
1037: | return error("user `$user' does not exist"); |
1038: | } |
1039: | $uid = $this->get_uid_from_username($user); |
1040: | $until = intval($until); |
1041: | if ($until < 0) { |
1042: | $until = time() + 86400 * 30; |
1043: | } |
1044: | $db = MySQL::initialize(); |
1045: | $q = $db->query('DELETE FROM quota_tracker WHERE uid = ' . $uid . ' AND ts < FROM_UNIXTIME(' . $until . ');'); |
1046: | |
1047: | return (bool)$q; |
1048: | |
1049: | } |
1050: | |
1051: | |
1052: | |
1053: | |
1054: | |
1055: | |
1056: | public function delete_user($user, bool $force = false) |
1057: | { |
1058: | deprecated_func('use user_delete'); |
1059: | return $this->delete($user, $force); |
1060: | } |
1061: | |
1062: | |
1063: | |
1064: | |
1065: | |
1066: | |
1067: | |
1068: | public function delete($user, bool $force = false): bool |
1069: | { |
1070: | if (!IS_CLI) { |
1071: | return $this->query('user_delete', $user, $force); |
1072: | } |
1073: | |
1074: | $users = $this->get_users(); |
1075: | if (!isset($users[$user])) { |
1076: | return error("user `%s' not found", $user); |
1077: | } else if ($user == $this->getServiceValue('siteinfo', 'admin_user')) { |
1078: | return error('cannot delete primary user'); |
1079: | } |
1080: | |
1081: | $uid = $users[$user]['uid']; |
1082: | |
1083: | $domains = $this->aliases_list_shared_domains(); |
1084: | $home = $this->get_home($user); |
1085: | $subdomains = array_keys( |
1086: | $this->web_list_subdomains('path', '!^' . $home . '/!') |
1087: | ); |
1088: | |
1089: | $blocking = array(); |
1090: | foreach ($domains as $domain => $path) { |
1091: | if (!$this->file_exists($path)) { |
1092: | continue; |
1093: | } |
1094: | $stat = $this->file_stat($path); |
1095: | if (!$stat) { |
1096: | continue; |
1097: | } |
1098: | if (0 === strpos($home, $path) || $stat['uid'] == $uid) { |
1099: | $blocking[] = $domain; |
1100: | } |
1101: | } |
1102: | $subcount = count($subdomains); |
1103: | $domaincount = count($blocking); |
1104: | if (!$force && ($domaincount > 0 || $subcount > 0)) |
1105: | { |
1106: | Util_Conf::sort_domains($blocking); |
1107: | if ($domaincount > 0) { |
1108: | error("one or more domains rely on user `%s', remove or relocate these domains first (DNS > Addon Domains): `%s'", |
1109: | $user, implode(', ', $blocking)); |
1110: | } |
1111: | |
1112: | if (count($subdomains) === 1 && ($subdomains[0] === $user || 0 === strpos($subdomains[0] . '.', |
1113: | $user . '.'))) { |
1114: | $subcount--; |
1115: | info("removed user-specific subdomain, `%s'", $subdomains[0]); |
1116: | $this->web_remove_subdomain($subdomains[0]); |
1117: | } else { |
1118: | if (count($subdomains) > 0) { |
1119: | error("one or more subdomains rely on user `%s', remove or relocate these subdomains first (Web > Subdomains): `%s'", |
1120: | $user, implode(', ', $subdomains)); |
1121: | } |
1122: | } |
1123: | |
1124: | if ($domaincount || $subcount) { |
1125: | return false; |
1126: | } |
1127: | |
1128: | } |
1129: | $userCtx = \Auth::context($user, $this->site); |
1130: | Util_Account_Hooks::instantiateContexted($this->getAuthContext())->run('delete_user', [$user]); |
1131: | $instance = User::bindTo($this->domain_fs_path()); |
1132: | $ret = $instance->delete($user, true); |
1133: | if (!$ret) { |
1134: | return false; |
1135: | } |
1136: | |
1137: | (new \Opcenter\Database\PostgreSQL\Opcenter(\PostgreSQL::pdo()))->deleteUser( |
1138: | $this->site_id, |
1139: | $uid |
1140: | ); |
1141: | |
1142: | $instance->releaseUid($uid, $this->site_id); |
1143: | \apnscpSession::invalidate_by_user($this->site_id, $user); |
1144: | $this->deleteUserPreferences($userCtx); |
1145: | $this->flush(); |
1146: | |
1147: | $key = $this->site . '.' . $user; |
1148: | |
1149: | if (array_has($this->uid_mappings, $key)) { |
1150: | array_forget($this->uid_mappings, $key); |
1151: | } |
1152: | |
1153: | if ($uid >= self::VIRT_MIN_UID && false !== ($pwd = posix_getpwuid($uid))) { |
1154: | User::bindTo('/')->delete($pwd['name'], false); |
1155: | } |
1156: | return $ret; |
1157: | |
1158: | } |
1159: | |
1160: | public function _edit() |
1161: | { |
1162: | $new = $this->getAuthContext()->conf('siteinfo', 'new'); |
1163: | $old = $this->getAuthContext()->conf('siteinfo', 'old'); |
1164: | if ($new['admin_user'] === $old['admin_user']) { |
1165: | return true; |
1166: | } |
1167: | |
1168: | return $this->_edit_user($old['admin_user'], $new['admin_user'], []); |
1169: | } |
1170: | |
1171: | public function _edit_user(string $user, string $usernew, array $oldpwd) |
1172: | { |
1173: | $pam = new Util_Pam($this->getAuthContext()); |
1174: | $pam->renameUser($user, $usernew); |
1175: | $this->flush(); |
1176: | } |
1177: | |
1178: | public function _create_user(string $user) |
1179: | { |
1180: | |
1181: | } |
1182: | |
1183: | private function deleteUserPreferences(\Auth_Info_User $ctx): void |
1184: | { |
1185: | User::bindTo($ctx->domain_fs_path())->flushCache($ctx); |
1186: | } |
1187: | } |
1188: | |