mirror of
https://github.com/myvesta/vesta
synced 2025-08-21 05:44:08 -07:00
Disabling login with 'root'
tnx @jaapmarcus and HestiaCP
This commit is contained in:
myvesta
GitHub
parent
bdb1c1f028
commit
d6eb5f0ba7
1 changed files with 73 additions and 67 deletions
|
|
@ -35,82 +35,88 @@ if (isset($_POST['user']) && isset($_POST['password'])) {
|
|||
$v_user = escapeshellarg($_POST['user']);
|
||||
$v_ip = escapeshellarg($_SERVER['REMOTE_ADDR']);
|
||||
|
||||
// Get user's salt
|
||||
$output = '';
|
||||
exec (VESTA_CMD."v-get-user-salt ".$v_user." ".$v_ip." json" , $output, $return_var);
|
||||
$pam = json_decode(implode('', $output), true);
|
||||
if ( $return_var > 0 ) {
|
||||
$ERROR = "<a class=\"error\">".__('Invalid username or password')."</a>";
|
||||
if($_POST['user'] == 'root'){
|
||||
unset($_POST['password']);
|
||||
unset($_POST['user']);
|
||||
$ERROR = "<a class=\"error\">".__('Login with <strong>root</strong> has been disabled')."</a>";
|
||||
} else {
|
||||
$user = $_POST['user'];
|
||||
$password = $_POST['password'];
|
||||
$salt = $pam[$user]['SALT'];
|
||||
$method = $pam[$user]['METHOD'];
|
||||
|
||||
if ($method == 'md5' ) {
|
||||
$hash = crypt($password, '$1$'.$salt.'$');
|
||||
}
|
||||
if ($method == 'sha-512' ) {
|
||||
$hash = crypt($password, '$6$rounds=5000$'.$salt.'$');
|
||||
$hash = str_replace('$rounds=5000','',$hash);
|
||||
}
|
||||
if ($method == 'des' ) {
|
||||
$hash = crypt($password, $salt);
|
||||
}
|
||||
|
||||
// Send hash via tmp file
|
||||
$v_hash = exec('mktemp -p /tmp');
|
||||
$fp = fopen($v_hash, "w");
|
||||
fwrite($fp, $hash."\n");
|
||||
fclose($fp);
|
||||
|
||||
// Check user hash
|
||||
exec(VESTA_CMD ."v-check-user-hash ".$v_user." ".$v_hash." ".$v_ip, $output, $return_var);
|
||||
unset($output);
|
||||
|
||||
// Remove tmp file
|
||||
unlink($v_hash);
|
||||
|
||||
// Check API answer
|
||||
// Get user's salt
|
||||
$output = '';
|
||||
exec (VESTA_CMD."v-get-user-salt ".$v_user." ".$v_ip." json" , $output, $return_var);
|
||||
$pam = json_decode(implode('', $output), true);
|
||||
if ( $return_var > 0 ) {
|
||||
$ERROR = "<a class=\"error\">".__('Invalid username or password')."</a>";
|
||||
} else {
|
||||
$user = $_POST['user'];
|
||||
$password = $_POST['password'];
|
||||
$salt = $pam[$user]['SALT'];
|
||||
$method = $pam[$user]['METHOD'];
|
||||
|
||||
// Make root admin user
|
||||
if ($_POST['user'] == 'root') $v_user = 'admin';
|
||||
|
||||
// Get user speciefic parameters
|
||||
exec (VESTA_CMD . "v-list-user ".$v_user." json", $output, $return_var);
|
||||
$data = json_decode(implode('', $output), true);
|
||||
|
||||
// Define session user
|
||||
$_SESSION['user'] = key($data);
|
||||
$v_user = $_SESSION['user'];
|
||||
|
||||
// Get user favorites
|
||||
get_favourites();
|
||||
|
||||
// Define language
|
||||
$output = '';
|
||||
exec (VESTA_CMD."v-list-sys-languages json", $output, $return_var);
|
||||
$languages = json_decode(implode('', $output), true);
|
||||
if (in_array($data[$v_user]['LANGUAGE'], $languages)){
|
||||
$_SESSION['language'] = $data[$v_user]['LANGUAGE'];
|
||||
} else {
|
||||
$_SESSION['language'] = 'en';
|
||||
if ($method == 'md5' ) {
|
||||
$hash = crypt($password, '$1$'.$salt.'$');
|
||||
}
|
||||
if ($method == 'sha-512' ) {
|
||||
$hash = crypt($password, '$6$rounds=5000$'.$salt.'$');
|
||||
$hash = str_replace('$rounds=5000','',$hash);
|
||||
}
|
||||
if ($method == 'des' ) {
|
||||
$hash = crypt($password, $salt);
|
||||
}
|
||||
|
||||
// Regenerate session id to prevent session fixation
|
||||
session_regenerate_id();
|
||||
// Send hash via tmp file
|
||||
$v_hash = exec('mktemp -p /tmp');
|
||||
$fp = fopen($v_hash, "w");
|
||||
fwrite($fp, $hash."\n");
|
||||
fclose($fp);
|
||||
|
||||
// Redirect request to control panel interface
|
||||
if (!empty($_SESSION['request_uri'])) {
|
||||
header("Location: ".$_SESSION['request_uri']);
|
||||
unset($_SESSION['request_uri']);
|
||||
exit;
|
||||
// Check user hash
|
||||
exec(VESTA_CMD ."v-check-user-hash ".$v_user." ".$v_hash." ".$v_ip, $output, $return_var);
|
||||
unset($output);
|
||||
|
||||
// Remove tmp file
|
||||
unlink($v_hash);
|
||||
|
||||
// Check API answer
|
||||
if ( $return_var > 0 ) {
|
||||
$ERROR = "<a class=\"error\">".__('Invalid username or password')."</a>";
|
||||
} else {
|
||||
header("Location: /list/user/");
|
||||
exit;
|
||||
|
||||
// Make root admin user
|
||||
// if ($_POST['user'] == 'root') $v_user = 'admin';
|
||||
|
||||
// Get user speciefic parameters
|
||||
exec (VESTA_CMD . "v-list-user ".$v_user." json", $output, $return_var);
|
||||
$data = json_decode(implode('', $output), true);
|
||||
|
||||
// Define session user
|
||||
$_SESSION['user'] = key($data);
|
||||
$v_user = $_SESSION['user'];
|
||||
|
||||
// Get user favorites
|
||||
get_favourites();
|
||||
|
||||
// Define language
|
||||
$output = '';
|
||||
exec (VESTA_CMD."v-list-sys-languages json", $output, $return_var);
|
||||
$languages = json_decode(implode('', $output), true);
|
||||
if (in_array($data[$v_user]['LANGUAGE'], $languages)){
|
||||
$_SESSION['language'] = $data[$v_user]['LANGUAGE'];
|
||||
} else {
|
||||
$_SESSION['language'] = 'en';
|
||||
}
|
||||
|
||||
// Regenerate session id to prevent session fixation
|
||||
session_regenerate_id();
|
||||
|
||||
// Redirect request to control panel interface
|
||||
if (!empty($_SESSION['request_uri'])) {
|
||||
header("Location: ".$_SESSION['request_uri']);
|
||||
unset($_SESSION['request_uri']);
|
||||
exit;
|
||||
} else {
|
||||
header("Location: /list/user/");
|
||||
exit;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue