https://t.me/RX1948
Server : Apache
System : Linux server.lienzindia.com 4.18.0-348.7.1.el8_5.x86_64 #1 SMP Wed Dec 22 13:25:12 UTC 2021 x86_64
User : plutus ( 1007)
PHP Version : 7.4.33
Disable Function : NONE
Directory :  /usr/libexec/

Upload File :
current_dir [ Writeable ] document_root [ Writeable ]

 

Current File : //usr/libexec/cockpit-certificate-helper
#!/bin/bash

set -eu

# prefix= is set because the default /etc contains "${prefix}"
prefix="/usr"
COCKPIT_GROUP="cockpit-ws"
COCKPIT_CONFIG="/etc/cockpit"
COCKPIT_WS_CERTS_D="${COCKPIT_CONFIG}/ws-certs.d"
COCKPIT_RUNTIME_DIR="/run/cockpit"

install_cert() {
    local destination="${COCKPIT_WS_CERTS_D}/$1"
    mv -Z "$1" "${destination}"

    # The certificate should be world-readable
    chmod a+r "${destination}"
}

install_key() {
    local destination="${COCKPIT_WS_CERTS_D}/$1"
    mv -Z "$1" "${destination}"

    # If COCKPIT_GROUP is set, then make sure the key is readable by that group too
    if [ -n "${COCKPIT_GROUP}" ]; then
        chown root:"${COCKPIT_GROUP}" "${destination}"
        chmod g+r "${destination}"
    fi
}

selfsign_sscg() {
    sscg --quiet \
        --lifetime "${DAYS}" \
        --key-strength 2048 \
        --cert-key-file "${KEYFILE}" \
        --cert-file "${CERTFILE}" \
        --ca-file "${CA_FILE}" \
        --hostname "${HOSTNAME}" \
        --organization "${MACHINE_ID}" \
        --subject-alt-name localhost \
        --subject-alt-name IP:127.0.0.1/255.255.255.255
}

selfsign_openssl() {
    openssl req -x509 \
        -days "${DAYS}" \
        -newkey rsa:2048 \
        -keyout "${KEYFILE}" \
        -keyform PEM \
        -nodes \
        -out "${CERTFILE}" \
        -outform PEM \
        -subj "${MACHINE_ID:+/O=${MACHINE_ID}}/CN=${HOSTNAME}" \
        -config - \
        -extensions v3_req << EOF
    [ req ]
    req_extensions = v3_req
    extensions = v3_req
    distinguished_name = req_distinguished_name
    [ req_distinguished_name ]
    [ v3_req ]
    subjectAltName=IP:127.0.0.1,DNS:localhost
    basicConstraints = critical, CA:TRUE
    keyUsage = critical, digitalSignature,cRLSign,keyCertSign,keyEncipherment,keyAgreement
    extendedKeyUsage = serverAuth
EOF
}

cmd_selfsign() {
    # Common variables used by both methods
    local MACHINE_ID
    MACHINE_ID="$(tr -d -c '[:xdigit:]' < /etc/machine-id)"
    local HOSTNAME="${HOSTNAME:-$(hostname)}"
    local CERTFILE="0-self-signed.cert"
    local KEYFILE="0-self-signed.key"
    local CA_FILE="0-self-signed-ca.pem"

    # We renew certificates up to 30 days before expiry, so give ourselves a
    # year, plus 30 days.  The maximum is variously mentioned to be 397 or 398.
    local DAYS=395

    # If sscg fails, try openssl
    selfsign_sscg || selfsign_openssl

    # Install the files and set permissions ($CA_FILE is only created by sscg)
    test ! -e "${CA_FILE}" || install_cert "${CA_FILE}"
    install_cert "${CERTFILE}"
    install_key "${KEYFILE}"
}

cmd_ipa_request() {
    local USER="$1"

    # IPA operations require auth; read password from stdin to avoid quoting issues
    # if kinit fails, we can't handle this setup, exit cleanly
    kinit "${USER}@${REALM}" || exit 0

    # ensure this gets run with a non-C locale; ipa fails otherwise
    if [ "$(sh -c 'eval `locale`; echo $LC_CTYPE')" = 'C' ]; then
        export LC_CTYPE=C.UTF-8
    fi

    # create a kerberos Service Principal Name for cockpit-ws, unless already present
    ipa service-show "${SERVICE}" || \
        ipa service-add --ok-as-delegate=true --ok-to-auth-as-delegate=true --force "${SERVICE}"

    # add cockpit-ws key, unless already present
    klist -k "${KEYTAB}" | grep -qF "${SERVICE}" || \
        ipa-getkeytab -p "HTTP/${HOST}" -k "${KEYTAB}"

    # request the certificate (into the working directory)
    ipa-getcert request -f 10-ipa.cert -k 10-ipa.key -K "HTTP/${HOST}" -w -v

    # install it into /etc
    install_cert 10-ipa.cert
    install_key 10-ipa.key
}

cmd_ipa_cleanup() {
        # clean up keytab
        if [ -e "${KEYTAB}" ]; then
            ipa-rmkeytab -k "${KEYTAB}" -p "${SERVICE}"
        fi

        # clean up certificate
        ipa-getcert stop-tracking -f 10-ipa.cert -k 10-ipa.key
        rm "${COCKPIT_WS_CERTS_D}/10-ipa.cert" "${COCKPIT_WS_CERTS_D}/10-ipa.key"
}

cmd_ipa() {
    local REALM="$2"

    local HOST
    HOST="$(hostname -f)"
    local SERVICE="HTTP/${HOST}@${REALM}"
    local KEYTAB="${COCKPIT_CONFIG}/krb5.keytab"

    # use a temporary keytab to avoid interfering with the system one
    export KRB5CCNAME=/run/cockpit/keytab-setup

    # not an IPA setup? cannot handle this
    if [ -z "$(which ipa)" ]; then
        echo 'ipa must be installed for this command'
        exit 1
    fi

    case "$1" in
        request)
            cmd_ipa_request "$3"
            ;;
        cleanup)
            cmd_ipa_cleanup
            ;;
        *)
            echo 'unknown subcommand'
            exit 1
            ;;
    esac
}

main() {
    # ipa-getkeytab needs root to create the file, same for cert installation
    if [ "$(id -u)" != "0" ]; then
        echo 'must be run as root'
        exit 1
    fi

    # Create a private working directory
    mkdir -p "${COCKPIT_RUNTIME_DIR}"
    WORKDIR="${COCKPIT_RUNTIME_DIR}/certificate-helper"
    mkdir -m 700 "${WORKDIR}" # we expect that not to have existed
    trap 'exit' INT QUIT PIPE TERM
    trap 'rm -rf "${WORKDIR}"' EXIT
    cd "${WORKDIR}"

    # Dispatch subcommand
    case "$1" in
        selfsign)
            cmd_selfsign
            ;;
        ipa)
            shift
            cmd_ipa "$@"
            ;;
        *)
            echo 'unknown subcommand'
            exit 1
            ;;
    esac
}

main "$@"

https://t.me/RX1948 - 2025