
password transmission via tmp files

Serghey Rodin 11 years ago
parent
commit
1bcdef615c

+ 4 - 2
bin/v-add-database

@@ -19,7 +19,7 @@
 user=$1
 database="$user"_"$2"
 dbuser="$user"_"$3"
-dbpass=$4
+password=$4
 type=${5-mysql}
 host=$6
 charset=${7-UTF8}
@@ -40,7 +40,7 @@ EVENT="$DATE $TIME $SCRIPT $A1 $A2 $A3 $A4 $A5 $A6 $A7 $A8 $A9"
 #----------------------------------------------------------#
 
 check_args '4' "$#" 'USER DATABASE DBUSER DBPASS [TYPE] [HOST] [CHARSET]'
-validate_format 'user' 'database' 'dbuser' 'dbpass' 'charset'
+validate_format 'user' 'database' 'dbuser' 'charset'
 is_system_enabled "$DB_SYSTEM" 'DB_SYSTEM'
 is_type_valid "$DB_SYSTEM" "$type"
 is_object_valid 'user' 'USER' "$user"
@@ -51,6 +51,8 @@ is_object_valid "../../../conf/$type" 'DBHOST' "$host"
 is_object_unsuspended "../../../conf/$type" 'DBHOST' "$host"
 #is_charset_valid
 is_package_full 'DATABASES'
+is_password_valid
+dbpass="$password"
 
 
 #----------------------------------------------------------#
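Review bot: Dropping `'dbpass'` from `validate_format` leaves the password with no format check at all, because `is_password_valid` (added to func/main.sh in this commit) only swaps a `/tmp/` path for the file's first line and validates nothing. If `dbpass` is later interpolated into an SQL statement or a quoted shell string (the rest of the script is outside the hunk), characters that the old `validate_format 'dbpass'` rejected now reach it unchecked; I would run the format check on the resolved value, `validate_format 'password'` immediately after `is_password_valid`, or rename the helper to say what it actually does. The same pattern appears in v-add-database-host, v-add-mail-account, v-add-remote-dns-host, v-add-user, v-add-web-domain-ftp, v-add-web-domain-stats-user, v-change-database-password, v-change-database-user, v-change-mail-account-password, v-change-user-password and v-change-web-domain-ftp-password.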

+ 5 - 2
bin/v-add-database-host

@@ -17,7 +17,7 @@
 type=$1
 host=$2
 dbuser=$3
-dbpass=$4
+password=$4
 max_db=${6-500}
 charsets=${7-UTF8,LATIN1,WIN1250,WIN1251,WIN1252,WIN1256,WIN1258,KOI8}
 template=${8-template1}
@@ -29,6 +29,7 @@ source $VESTA/conf/vesta.conf
 
 # Hiding password
 A4='******'
+EVENT="$DATE $TIME $SCRIPT $A1 $A2 $A3 $A4 $A5 $A6 $A7 $A8 $A9"
 
 
 #----------------------------------------------------------#
@@ -37,10 +38,12 @@ A4='******'
 
 args_usage='TYPE HOST DBUSER DBPASS [MAX_DB] [CHARSETS] [TPL]'
 check_args '4' "$#" "$args_usage"
-validate_format 'host' 'dbuser' 'dbpass' 'max_db' 'charsets' 'template'
+validate_format 'host' 'dbuser' 'max_db' 'charsets' 'template'
 is_system_enabled "$DB_SYSTEM" 'DB_SYSTEM'
 is_type_valid "$DB_SYSTEM" "$type"
 is_dbhost_new
+is_password_valid
+dbpass="$password"
 case $type in
     mysql) is_mysql_host_alive ;;
     pgsql) is_pgsql_host_alive ;;

+ 2 - 1
bin/v-add-mail-account

@@ -33,7 +33,7 @@ EVENT="$DATE $TIME $SCRIPT $A1 $A2 $A3 $A4 $A5 $A6 $A7 $A8 $A9"
 #----------------------------------------------------------#
 
 check_args '4' "$#" 'USER DOMAIN ACCOUNT PASSWORD [QUOTA]'
-validate_format 'user' 'domain' 'account' 'password' 'quota'
+validate_format 'user' 'domain' 'account' 'quota'
 is_system_enabled "$MAIL_SYSTEM" 'MAIL_SYSTEM'
 is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"
@@ -41,6 +41,7 @@ is_object_valid 'mail' 'DOMAIN' "$domain"
 is_object_unsuspended 'mail' 'DOMAIN' "$domain"
 is_package_full 'MAIL_ACCOUNTS'
 is_mail_new "$account"
+is_password_valid
 
 
 #----------------------------------------------------------#

+ 3 - 1
bin/v-add-remote-dns-host

@@ -25,6 +25,7 @@ source $VESTA/conf/vesta.conf
 
 # Hiding passwords
 A4='******'
+EVENT="$DATE $TIME $SCRIPT $A1 $A2 $A3 $A4 $A5 $A6 $A7 $A8 $A9"
 
 
 #----------------------------------------------------------#
@@ -33,8 +34,9 @@ A4='******'
 
 args_usage='HOST PORT USER PASSWORD [TYPE] [DNS_USER]'
 check_args '4' "$#" "$args_usage"
-validate_format 'host' 'port' 'user' 'password' 'type' 'dns_user'
+validate_format 'host' 'port' 'user' 'type' 'dns_user'
 is_system_enabled "$DNS_SYSTEM" 'DNS_SYSTEM'
+is_password_valid
 is_dnshost_new
 is_dnshost_alive
 

+ 2 - 2
bin/v-add-user

@@ -40,12 +40,12 @@ is_user_free() {
 #----------------------------------------------------------#
 
 check_args '3' "$#" 'USER PASSWORD EMAIL [PACKAGE] [FNAME] [LNAME]'
-validate_format 'user' 'password' 'email' 'package'
+validate_format 'user' 'email' 'package'
 if [ ! -z "$fname" ]; then
     validate_format 'fname' 'lname'
 fi
-
 is_user_free "$user"
+is_password_valid
 is_package_valid
 
 

+ 4 - 3
bin/v-add-web-domain-ftp

@@ -14,7 +14,7 @@ user=$1
 domain=$(idn -t --quiet -u "$2" )
 domain_idn=$(idn -t --quiet -a "$domain")
 ftp_user=${1}_${3}
-ftp_password=$4
+password=$4
 ftp_path=$5
 
 # Includes
@@ -32,7 +32,7 @@ EVENT="$DATE $TIME $SCRIPT $A1 $A2 $A3 $A4 $A5 $A6 $A7 $A8 $A9"
 #----------------------------------------------------------#
 
 check_args '4' "$#" 'USER DOMAIN FTP_USER FTP_PASSWORD [FTP_PATH]'
-validate_format 'user' 'domain' 'ftp_user' 'ftp_password'
+validate_format 'user' 'domain' 'ftp_user'
 is_system_enabled "$WEB_SYSTEM" 'WEB_SYSTEM'
 is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"
@@ -44,6 +44,7 @@ if [ ! -z "$check_ftp_user" ] && [ "$FTP_USER" != "$ftp_user" ]; then
     log_event "$E_EXISTS" "$EVENT"
     exit $E_EXISTS
 fi
+is_password_valid
 
 
 #----------------------------------------------------------#
@@ -90,7 +91,7 @@ fi
     -M -d "$ftp_path_a"  > /dev/null 2>&1
 
 # Set ftp user password
-echo "$ftp_user:$ftp_password" | /usr/sbin/chpasswd
+echo "$ftp_user:$password" | /usr/sbin/chpasswd
 ftp_md5=$(awk -v user=$ftp_user -F : 'user == $1 {print $2}' /etc/shadow)
 
 

+ 4 - 3
bin/v-add-web-domain-stats-user

@@ -13,7 +13,7 @@
 user=$1
 domain=$(idn -t --quiet -u "$2" )
 stats_user=$3
-stats_pass=$4
+password=$4
 
 # Includes
 source $VESTA/func/main.sh
@@ -30,12 +30,13 @@ EVENT="$DATE $TIME $SCRIPT $A1 $A2 $A3 $A4 $A5 $A6 $A7 $A8 $A9"
 #----------------------------------------------------------#
 
 check_args '4' "$#" 'USER DOMAIN STATS_USER STATS_PASS'
-validate_format 'user' 'domain' 'stats_user' 'stats_pass'
+validate_format 'user' 'domain' 'stats_user'
 is_system_enabled "$WEB_SYSTEM" 'WEB_SYSTEM'
 is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"
 is_object_valid 'web' 'DOMAIN' "$domain"
 is_object_unsuspended 'web' 'DOMAIN' "$domain"
+is_password_valid
 
 
 #----------------------------------------------------------#
@@ -53,7 +54,7 @@ Require valid-user" > $stats_dir/.htaccess
 
 # Generating htaccess user and password
 rm -f $stats_dir/.htpasswd
-htpasswd -bc $stats_dir/.htpasswd "$stats_user" "$stats_pass" &>/dev/null
+htpasswd -bc $stats_dir/.htpasswd "$stats_user" "$password" &>/dev/null
 stats_crypt=$(grep $stats_user: $stats_dir/.htpasswd |cut -f 2 -d :)
 
 #----------------------------------------------------------#

+ 1 - 1
bin/v-change-database-owner

@@ -1,5 +1,5 @@
 #!/bin/bash
-# info: change database password
+# info: change database owner
 # options: DATABASE USER
 #
 # The function for changing database owner.

+ 4 - 3
bin/v-change-database-password

@@ -13,7 +13,7 @@
 # Argument defenition
 user=$1
 database=$2
-dbpass=$3
+password=$3
 
 # Includes
 source $VESTA/func/main.sh
@@ -30,13 +30,14 @@ EVENT="$DATE $TIME $SCRIPT $A1 $A2 $A3 $A4 $A5 $A6 $A7 $A8 $A9"
 #----------------------------------------------------------#
 
 check_args '3' "$#" 'USER DATABASE DBPASS'
-validate_format 'user' 'database' 'dbpass'
+validate_format 'user' 'database'
 is_system_enabled "$DB_SYSTEM" 'DB_SYSTEM'
 is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"
 is_object_valid 'db' 'DB' "$database"
 is_object_unsuspended 'db' 'DB' "$database"
-
+is_password_valid
+dbpass="$password"
 
 #----------------------------------------------------------#
 #                       Action                             #

+ 8 - 9
bin/v-change-database-user

@@ -13,7 +13,7 @@
 user=$1
 database=$2
 dbuser="$user"_"$3"
-dbpass=$4
+password=$4
 
 # Includes
 source $VESTA/func/main.sh
@@ -32,14 +32,18 @@ EVENT="$DATE $TIME $SCRIPT $A1 $A2 $A3 $A4 $A5 $A6 $A7 $A8 $A9"
 
 check_args '3' "$#" 'USER DATABASE DBUSER [DBPASS]'
 validate_format 'user' 'database' 'dbuser'
-if [ ! -z "$dbpass" ]; then
-    validate_format 'dbpass'
-fi
 is_system_enabled "$DB_SYSTEM" 'DB_SYSTEM'
 is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"
 is_object_valid 'db' 'DB' "$database"
 is_object_unsuspended 'db' 'DB' "$database"
+is_password_valid
+dbpass="$password"
+
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
 
 # Compare old and new user
 old_dbuser=$(get_object_value 'db' 'DB' "$database" '$DBUSER')
@@ -47,11 +51,6 @@ if [ "$old_dbuser" = "$dbuser" ]; then
     exit
 fi
 
-
-#----------------------------------------------------------#
-#                       Action                             #
-#----------------------------------------------------------#
-
 # Set new dbuser
 update_object_value 'db' 'DB' "$database" '$DBUSER' "$dbuser"
 

+ 2 - 1
bin/v-change-mail-account-password

@@ -32,7 +32,7 @@ EVENT="$DATE $TIME $SCRIPT $A1 $A2 $A3 $A4 $A5 $A6 $A7 $A8 $A9"
 #----------------------------------------------------------#
 
 check_args '4' "$#" 'USER DOMAIN ACCOUNT PASSWORD'
-validate_format 'user' 'domain' 'account' 'password'
+validate_format 'user' 'domain' 'account'
 is_system_enabled "$MAIL_SYSTEM" 'MAIL_SYSTEM'
 is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"
@@ -40,6 +40,7 @@ is_object_valid 'mail' 'DOMAIN' "$domain"
 is_object_unsuspended 'mail' 'DOMAIN' "$domain"
 is_object_valid "mail/$domain" 'ACCOUNT' "$account"
 is_object_unsuspended "mail/$domain" 'ACCOUNT' "$account"
+is_password_valid
 
 
 #----------------------------------------------------------#

+ 2 - 1
bin/v-change-user-password

@@ -27,9 +27,10 @@ EVENT="$DATE $TIME $SCRIPT $A1 $A2 $A3 $A4 $A5 $A6 $A7 $A8 $A9"
 #----------------------------------------------------------#
 
 check_args '2' "$#" 'USER PASSWORD'
-validate_format 'user' 'password'
+validate_format 'user'
 is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"
+is_password_valid
 
 
 #----------------------------------------------------------#

+ 8 - 3
bin/v-change-web-domain-ftp-password

@@ -14,25 +14,30 @@ user=$1
 domain=$(idn -t --quiet -u "$2" )
 domain_idn=$(idn -t --quiet -a "$domain")
 ftp_user=$3
-ftp_password=$4
+password=$4
 
 # Includes
 source $VESTA/func/main.sh
 source $VESTA/func/domain.sh
 source $VESTA/conf/vesta.conf
 
+# Hiding password
+A4="******"
+EVENT="$DATE $TIME $SCRIPT $A1 $A2 $A3 $A4 $A5 $A6 $A7 $A8 $A9"
+
 
 #----------------------------------------------------------#
 #                    Verifications                         #
 #----------------------------------------------------------#
 
 check_args '4' "$#" 'USER DOMAIN FTP_USER FTP_PASSWORD'
-validate_format 'user' 'domain' 'ftp_user' 'ftp_password'
+validate_format 'user' 'domain' 'ftp_user'
 is_system_enabled "$WEB_SYSTEM" 'WEB_SYSTEM'
 is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"
 is_object_valid 'web' 'DOMAIN' "$domain"
 is_object_unsuspended 'web' 'DOMAIN' "$domain"
+is_password_valid
 get_domain_values 'web'
 if [ -z "$(echo $FTP_USER | tr ':' '\n' | grep ^$ftp_user$)" ]; then
     echo "Error: account $ftp_user doesn't exist"
@@ -46,7 +51,7 @@ fi
 #----------------------------------------------------------#
 
 # Changing ftp user password
-echo "$ftp_user:$ftp_password" | /usr/sbin/chpasswd
+echo "$ftp_user:$password" | /usr/sbin/chpasswd
 ftp_md5=$(awk -v user=$ftp_user -F : 'user == $1 {print $2}' /etc/shadow)
 
 

+ 94 - 0
bin/v-check-user-password

@@ -0,0 +1,94 @@
+#!/bin/bash
+# info: check user password
+# options: USER PASSWORD [IP]
+#
+# The function verifies user password from file
+
+
+#----------------------------------------------------------#
+#                    Variable&Function                     #
+#----------------------------------------------------------#
+
+# Argument defenition
+user=$1
+password=$2
+ip=${3-127.0.0.1}
+
+# Includes
+source $VESTA/func/main.sh
+source $VESTA/conf/vesta.conf
+
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+check_args '2' "$#" 'USER PASSWORD'
+validate_format 'user'
+
+# Checking user
+if [ ! -d "$VESTA/data/users/$user" ] && [ "$user" != 'root' ]; then
+    echo "Error: password missmatch"
+    echo "$DATE $user $ip failed to login" >> $VESTA/log/auth.log
+    exit 9
+fi
+
+# Checking user password
+is_password_valid
+
+# Checking empty password
+if [[ -z "$password" ]]; then
+    echo "Error: password missmatch"
+    echo "$DATE $user $ip failed to login" >> $VESTA/log/auth.log
+    exit 9
+fi
+
+# Checking mkpasswd command
+which mkpasswd >/dev/null 2>&1
+if [ $? -ne 0 ]; then
+    # Activating fallback procedure
+    if [ -e "/usr/bin/yum" ]; then
+        yum install -y expect >/dev/null 2>&1
+    else
+        apt-get install -y expect >/dev/null 2>&1
+    fi
+fi
+
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+# Parsing user's salt
+salt=$(grep "^$user:" /etc/shadow |cut -f 3 -d \$)
+if [[ -z "$salt" ]] || [[ "${#salt}" -gt 8 ]]; then
+    echo "Error: password missmatch"
+    echo "$DATE $user $ip failed to login" >> $VESTA/log/auth.log
+    exit 9
+fi
+
+# Generating SHA-512
+hash=$(mkpasswd -m sha-512 -S $salt -s <<< $password)
+if [[ -z "$hash" ]]; then
+    echo "Error: password missmatch"
+    echo "$DATE $user $ip failed to login" >> $VESTA/log/auth.log
+    exit 9
+fi
+
+# Checking hash
+result=$(grep "^$user:$hash:" /etc/shadow 2>/dev/null)
+if [[ -z "$result" ]]; then
+    echo "Error: password missmatch"
+    echo "$DATE $user $ip failed to login" >> $VESTA/log/auth.log
+    exit 9
+fi
+
+
+#----------------------------------------------------------#
+#                       Vesta                              #
+#----------------------------------------------------------#
+
+# Logging
+echo "$DATE $user $ip successfully logged in" >> $VESTA/log/auth.log
+
+exit
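Review bot: The salt check `[[ "${#salt}" -gt 8 ]]` rejects valid entries, since SHA-512 crypt salts may be up to 16 characters, and the script never confirms that the shadow entry actually uses method `$6$`, so an account hashed with `$1$`, `$5$` or another scheme always fails with "password missmatch" even when the password is right. I would parse the method id alongside the salt and reject anything other than 6 explicitly, and compare the stored hash field with string equality instead of the `grep "^$user:$hash:"` pattern, where `.` in the hash matches any character. Separately, `which mkpasswd` should be `command -v mkpasswd >/dev/null 2>&1`, and installing `expect` from inside a login check is a surprising side effect that deserves at least a comment explaining that mkpasswd ships in that package on RHEL-style systems.
```shell
# Parsing user's hash method and salt
shadow_hash=$(grep "^$user:" /etc/shadow | cut -f 2 -d :)
method=$(echo "$shadow_hash" | cut -f 2 -d \$)
salt=$(echo "$shadow_hash" | cut -f 3 -d \$)
if [[ "$method" != '6' ]] || [[ -z "$salt" ]] || [[ "${#salt}" -gt 16 ]]; then
    echo "Error: password missmatch"
    echo "$DATE $user $ip failed to login" >> $VESTA/log/auth.log
    exit 9
fi

# … unchanged: mkpasswd call and empty-hash check …

# Checking hash
if [[ "$shadow_hash" != "$hash" ]]; then
```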

+ 9 - 0
func/main.sh

@@ -273,6 +273,15 @@ is_object_value_exist() {
     fi
 }
 
+# Check if password is transmitted via file
+is_password_valid() {
+    if [[ "$password" =~ ^/tmp/ ]]; then
+        if [ -f "$password" ]; then
+            password=$(head -n1 $password)
+        fi
+    fi
+}
+
 # Get object value
 get_object_value() {
     object=$(grep "$2='$3'" $USER_DATA/$1.conf)
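Review bot: `is_password_valid` trusts a caller-supplied path: any argument starting with `/tmp/` is dereferenced with `-f`, which follows symlinks, so a symlink planted in the world-writable /tmp can redirect the read to any other file the script can read, and the unquoted `head -n1 $password` word-splits on a path containing whitespace. I would tighten the test to `if [[ -f "$password" && ! -L "$password" ]]; then` and read with `password=$(head -n1 -- "$password")`; checking that the file is owned by the invoking user would be the natural next step. Note also that a missing file silently leaves the literal path as the password, and a password that legitimately begins with `/tmp/` is reinterpreted as a file name; the header comment should document this convention, since the function name suggests a validation that it does not perform.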