Pdmenu or how to prevent a beginner from making a mistake
Hello, Habr!
Many system administrators have probably had to give server access to an inexperienced or unverified person. With the proper precautions you can protect yourself from trouble, but what if the person is not familiar with the console at all?
"Refuse outright!" you will say, and you will be right. But what if that person is your boss?
How it all started
Access to the control panel of the website of the company I work for is restricted not only by password but also by IP address. Once the boss started travelling a lot, the IP addresses in the access list had to be updated just as often. So often that the calls and requests about it annoyed both him and me.
Since this person is completely unfamiliar with Unix systems and the command line, the simplest and safest solution had to be found. And it was found: pdmenu!
To business
So as not to bore the reader with the specifics of one particular system, we will take a fairly common task to demonstrate what pdmenu can do. Let's say that access to the FTP server from "outside" is blocked by the firewall for everyone except the IP addresses we accept.
Objective: give a completely inexperienced person the ability to open FTP access for new addresses.
In our case the server runs CentOS, but there should be no problems with pdmenu on other Unix systems. Finding and installing it takes a few minutes, so let's go straight to the configuration.
System preparation
In the operating system we create a separate user, allow him through sudo to run iptables only, and add the following to ~/.bash_profile:
# log who logged in and when
ip=`set | /bin/grep SSH_CLIENT | /bin/cut -d\' -f2 | /bin/awk '{print $1}' | /bin/awk '/[0-9]/ {print}'`
# %Y is the calendar year; %G is the ISO week-based year and is off by one around New Year
date=`/bin/date +'%d.%m.%Y %H:%M:%S'`
echo "${date} | ${ip} | ---Logged into the shell menu---" >> /var/log/pdmenu.log
# start pdmenu
/usr/local/pdmenu/bin/pdmenu
exit
# leave the server once pdmenu has been exited
logout
Thus, the user only needs to learn how to open a connection with PuTTY (or any other SSH client) and enter a password. After that, a convenient and intuitive menu starts.
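The logging hook above is repeated verbatim in every exec: line of the menu. As an added example (my code, not the article's), here is the same "date | ip | action" entry wrapped in two POSIX sh functions that can be sourced from ~/.bash_profile and from each menu script; the function names and the PDMENU_LOG variable are my own choices, the log format follows the article.

```shell
#!/bin/sh
# Added example, not code from the original article: a reusable audit-log
# helper for the ~/.bash_profile hook and the pdmenu exec: lines.
# Assumptions (mine, not the page's): the function names and the PDMENU_LOG
# variable; the log format itself matches the article ("date | ip | action").

PDMENU_LOG="${PDMENU_LOG:-/var/log/pdmenu.log}"

# Print the address of the SSH peer. sshd exports SSH_CLIENT as
# "<client-ip> <client-port> <server-port>", so the first word is the address;
# this replaces the set | grep | cut | awk pipeline and needs no external tools.
ssh_client_ip() {
    client="${SSH_CLIENT:-}"
    if [ -z "$client" ]; then
        # not an SSH session (console login, su, cron): record that instead
        echo "no-ssh"
        return 1
    fi
    echo "${client%% *}"
}

# Append one "date | ip | action" line. Uses %Y (calendar year) rather than
# %G, which is the ISO week-based year and differs around New Year.
log_action() {
    action="$1"
    ip=$(ssh_client_ip) || true
    stamp=$(date +'%d.%m.%Y %H:%M:%S')
    printf '%s | %s | %s\n' "$stamp" "$ip" "$action" >> "$PDMENU_LOG"
}

# Usage from ~/.bash_profile or a pdmenu exec: line, for example:
#   log_action "---Logged into the shell menu---" && /usr/local/pdmenu/bin/pdmenu
```

Because the log is appended by the restricted user's own shell, the log file should be writable by that user but not readable or editable beyond appending; a root-owned file with append-only permissions, or syslog via logger, keeps the audit trail trustworthy.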
Now pdmenu
All configuration is stored in the pdmenurc file. In my case it is located at /usr/local/pdmenu/etc/pdmenurc.
Create the main menu. To do this, we write the following in pdmenurc:
menu:main:Main menu:
show:--------------------------::
nop
show:System tools::system
nop
show:::
exit:Exit
show:--------------------------::
We get:
Now we describe the System tools submenu. To do this, add to pdmenurc:
menu:system:System tools
show:-------------------------------::
nop
exec:Open FTP access:pause:ip=`set | /bin/grep SSH_CLIENT | /bin/cut -d\' -f2 | /bin/awk '{print $1}' | /bin/awk '/[0-9]/ {print}'`; date=`/bin/date +'%d.%m.%Y %H:%M:%S'`; echo "${date} | ${ip} | Open FTP access" >> /var/log/pdmenu.log && /bin/sh /home/shellmenu/bin/openftp.sh
nop
exit:Main menu
show:-------------------------------::
In the fourth line, everything from "ip=" up to "&&" is the log entry. If the entry was written successfully, the shell script that opens the access is launched. It looks like this:
And here is the openftp.sh shell script itself, which does all the dirty work:
#!/bin/sh
printf '\n---------------------\n\033[1;32m Open FTP connection\033[0m\n---------------------\n\n'
printf 'Enter the IP address you wish to provide FTP access: \033[1;32m'
read ip
# accept digits and dots only: the value is passed straight to iptables under sudo (see Upd2)
case "$ip" in
  *[!0-9.]*) ip="" ;;
esac
if [ -n "$ip" ]
then
  printf '\n\033[0mOk, you are going to allow FTP connections to the following IP: \033[1;31m%s\033[0m' "${ip}"
  printf '\n\nAre you sure? [y/n] \033[1;32m'
  read wish
  if [ "$wish" = y ]
  then
    /usr/bin/sudo /sbin/iptables -I INPUT -s "${ip}" -p tcp -m tcp --dport 20 -j ACCEPT
    /usr/bin/sudo /sbin/iptables -I INPUT -s "${ip}" -p tcp -m tcp --dport 21 -j ACCEPT
    # persisting the rules also requires root; without it the access lasts only until the next reload
    /etc/init.d/iptables save
    printf '\n\033[0m--------------------------------------------'
    printf '\n The FTP access to \033[1;32m'
    /bin/echo -n "${ip}"
    printf '\033[0m has been \033[1;31mgranted\033[0m'
    printf '\033[0m\n--------------------------------------------\n\n'
  else
    printf '\033[0m\nExiting...\n\n'
  fi
else
  printf '\033[0m\nExiting...\n\n'
fi
Result
Here's what the result of what we just did looks like:
Thus, anyone who can enter a password and use the arrow keys and the Enter key can carry out certain actions on the server quite painlessly: restarting services, running scripts that generate content, viewing logs, editing files, and so on.
The main thing is not to forget to protect yourself with logs and the necessary restrictions in sudo.
PS: The nuances of setting up sudo, creating users, etc. are not described here, so as not to bloat the article.
There is plenty of documentation and discussion of those topics on the Internet, unlike the documentation for pdmenu.
Upd: as suggested by the respected shadowalone, download and install pdmenu from here.
Upd2: as the respected lorc suggested, when you write shell scripts for pdmenu (and not only), be sure to check what the user enters.
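The openftp.sh script above passes whatever was typed into an iptables command run under sudo, and Upd2 is about exactly that. As an added example (my code, not the article's script), here is a strict IPv4 check in POSIX sh together with a dry-run function that shows the iptables commands that would be executed; the function names and the IPTABLES variable are my own, the rules themselves are the two from the article.

```shell
#!/bin/sh
# Added example, not the article's openftp.sh: validate the address typed by the
# operator before it reaches sudo/iptables, as Upd2 recommends. Function names
# and the IPTABLES variable are my own; the rules built match the article's.

# Command prefix for applying rules; overridable so the dry run can be inspected.
IPTABLES="${IPTABLES:-/usr/bin/sudo /sbin/iptables}"

# Return 0 only for a plain dotted-quad IPv4 address with each octet in 0-255.
# Empty input, spaces, shell metacharacters, extra iptables arguments, CIDR
# masks and hostnames are all rejected, so the value is safe to pass on.
valid_ipv4() {
    addr="$1"
    case "$addr" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $addr            # split into octets (only digits and dots remain)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;;   # no leading zeros (octal ambiguity)
            *) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Dry run: print the iptables commands the article's script would execute for
# this address, one per line, without running anything. Fails on bad input.
ftp_rules_for() {
    addr="$1"
    if ! valid_ipv4 "$addr"; then
        echo "rejected: '$addr' is not a plain IPv4 address" >&2
        return 1
    fi
    for port in 20 21; do
        echo "$IPTABLES -I INPUT -s $addr -p tcp -m tcp --dport $port -j ACCEPT"
    done
}

# Apply the rules for real (needs the sudo entry for /sbin/iptables).
open_ftp_for() {
    valid_ipv4 "$1" || return 1
    for port in 20 21; do
        $IPTABLES -I INPUT -s "$1" -p tcp -m tcp --dport "$port" -j ACCEPT || return 1
    done
}
```

Keep the sudo rule limited to /sbin/iptables as the article does; the check above is what guarantees that the only thing the menu user can influence is a single well-formed address, and the dry-run output is also a convenient thing to write into /var/log/pdmenu.log before applying it.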