github/vesta
1
0
Fork 0
mirror of https://github.com/serghey-rodin/vesta.git synced 2025-08-19 21:04:06 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Disabling login with 'root'

Browse source
This commit is contained in:
Anton Reutov 2021-07-28 14:19:12 +03:00 committed by GitHub
commit d97adaeb6a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 74 additions and 69 deletions
Download patch file Download diff file Expand all files Collapse all files

143
web/login/index.php
View file

@ -22,7 +22,6 @@ if (isset($_SESSION['user'])) {
header('Location: /login/'); header('Location: /login/');
exit(); exit();
} }
if ($_SESSION['user'] == 'admin' && !empty($_GET['loginas'])) { if ($_SESSION['user'] == 'admin' && !empty($_GET['loginas'])) {
exec (VESTA_CMD . "v-list-user ".escapeshellarg($_GET['loginas'])." json", $output, $return_var); exec (VESTA_CMD . "v-list-user ".escapeshellarg($_GET['loginas'])." json", $output, $return_var);
if ( $return_var == 0 ) { if ( $return_var == 0 ) {
@ -32,7 +31,7 @@ if (isset($_SESSION['user'])) {
$_SESSION['look_alert'] = 'yes'; $_SESSION['look_alert'] = 'yes';
} }
} }
header("Location: /"); header("Location: /list/user/");
exit; exit;
} }
@ -42,82 +41,88 @@ if (isset($_POST['user']) && isset($_POST['password'])) {
$v_user = escapeshellarg($_POST['user']); $v_user = escapeshellarg($_POST['user']);
$v_ip = escapeshellarg($_SERVER['REMOTE_ADDR']); $v_ip = escapeshellarg($_SERVER['REMOTE_ADDR']);
// Get user's salt if($_POST['user'] == 'root'){
$output = ''; unset($_POST['password']);
exec (VESTA_CMD."v-get-user-salt ".$v_user." ".$v_ip." json" , $output, $return_var); unset($_POST['user']);
$pam = json_decode(implode('', $output), true); $ERROR = "<a class=\"error\">".__('Login with root has been disabled')."</a>";
if ( $return_var > 0 ) {
$ERROR = "<a class=\"error\">".__('Invalid username or password')."</a>";
} else { } else {
$user = $_POST['user']; // Get user's salt
$password = $_POST['password']; $output = '';
$salt = $pam[$user]['SALT']; exec (VESTA_CMD."v-get-user-salt ".$v_user." ".$v_ip." json" , $output, $return_var);
$method = $pam[$user]['METHOD']; $pam = json_decode(implode('', $output), true);
if ($method == 'md5' ) {
$hash = crypt($password, '$1$'.$salt.'$');
}
if ($method == 'sha-512' ) {
$hash = crypt($password, '$6$rounds=5000$'.$salt.'$');
$hash = str_replace('$rounds=5000','',$hash);
}
if ($method == 'des' ) {
$hash = crypt($password, $salt);
}
// Send hash via tmp file
$v_hash = exec('mktemp -p /tmp');
$fp = fopen($v_hash, "w");
fwrite($fp, $hash."\n");
fclose($fp);
// Check user hash
exec(VESTA_CMD ."v-check-user-hash ".$v_user." ".$v_hash." ".$v_ip, $output, $return_var);
unset($output);
// Remove tmp file
unlink($v_hash);
// Check API answer
if ( $return_var > 0 ) { if ( $return_var > 0 ) {
$ERROR = "<a class=\"error\">".__('Invalid username or password')."</a>"; $ERROR = "<a class=\"error\">".__('Invalid username or password')."</a>";
} else { } else {
$user = $_POST['user'];
$password = $_POST['password'];
$salt = $pam[$user]['SALT'];
$method = $pam[$user]['METHOD'];
// Make root admin user if ($method == 'md5' ) {
if ($_POST['user'] == 'root') $v_user = 'admin'; $hash = crypt($password, '$1$'.$salt.'$');
}
// Get user speciefic parameters if ($method == 'sha-512' ) {
exec (VESTA_CMD . "v-list-user ".$v_user." json", $output, $return_var); $hash = crypt($password, '$6$rounds=5000$'.$salt.'$');
$data = json_decode(implode('', $output), true); $hash = str_replace('$rounds=5000','',$hash);
}
// Define session user if ($method == 'des' ) {
$_SESSION['user'] = key($data); $hash = crypt($password, $salt);
$v_user = $_SESSION['user'];
// Get user favorites
get_favourites();
// Define language
$output = '';
exec (VESTA_CMD."v-list-sys-languages json", $output, $return_var);
$languages = json_decode(implode('', $output), true);
if (in_array($data[$v_user]['LANGUAGE'], $languages)){
$_SESSION['language'] = $data[$v_user]['LANGUAGE'];
} else {
$_SESSION['language'] = 'en';
} }
// Regenerate session id to prevent session fixation // Send hash via tmp file
session_regenerate_id(); $v_hash = exec('mktemp -p /tmp');
$fp = fopen($v_hash, "w");
fwrite($fp, $hash."\n");
fclose($fp);
// Redirect request to control panel interface // Check user hash
if (!empty($_SESSION['request_uri'])) { exec(VESTA_CMD ."v-check-user-hash ".$v_user." ".$v_hash." ".$v_ip, $output, $return_var);
header("Location: ".$_SESSION['request_uri']); unset($output);
unset($_SESSION['request_uri']);
exit; // Remove tmp file
unlink($v_hash);
// Check API answer
if ( $return_var > 0 ) {
$ERROR = "<a class=\"error\">".__('Invalid username or password')."</a>";
} else { } else {
header("Location: /");
exit; // Make root admin user
// if ($_POST['user'] == 'root') $v_user = 'admin';
// Get user speciefic parameters
exec (VESTA_CMD . "v-list-user ".$v_user." json", $output, $return_var);
$data = json_decode(implode('', $output), true);
// Define session user
$_SESSION['user'] = key($data);
$v_user = $_SESSION['user'];
// Get user favorites
get_favourites();
// Define language
$output = '';
exec (VESTA_CMD."v-list-sys-languages json", $output, $return_var);
$languages = json_decode(implode('', $output), true);
if (in_array($data[$v_user]['LANGUAGE'], $languages)){
$_SESSION['language'] = $data[$v_user]['LANGUAGE'];
} else {
$_SESSION['language'] = 'en';
}
// Regenerate session id to prevent session fixation
session_regenerate_id();
// Redirect request to control panel interface
if (!empty($_SESSION['request_uri'])) {
header("Location: ".$_SESSION['request_uri']);
unset($_SESSION['request_uri']);
exit;
} else {
header("Location: /list/user/");
exit;
}
} }
} }
} }