
Pdmenu, or how to keep a novice from making a mistake

image

Hi, Habr!

Many system administrators have probably had to give server access to an inexperienced or unvetted person. With due precautions you can protect yourself from trouble, but what do you do if the person is not familiar with the console at all?

“Flatly refuse!” you will say, and you will be right. But what if that person is your boss?

How it all began


Access to the control panel of the company I work for is restricted not only by password but also by IP address. Since the boss began to travel a lot, the IP addresses in the access list have had to be updated just as often; so often that the calls and requests on the subject got on both his nerves and mine.
Since this person is completely unfamiliar with Unix systems and the command line, I had to find the simplest and safest solution. And it was found: pdmenu!

To business


So as not to bore the reader with the specifics of one particular system, we will take a fairly common task to demonstrate what pdmenu can do. Let's say that access to the FTP server from “outside” is closed by the firewall to everyone except a set of allowed IP addresses.

Objective: give a completely inexperienced person the ability to open FTP access for new addresses.

In our case the server runs CentOS, but pdmenu should work just as well on other Unix-like systems. Finding and installing it takes a few minutes, so let's go straight to the configuration.

System preparation


In the operating system we create a separate user (shellmenu in the examples below), allow him through sudo to run only iptables, create /var/log/pdmenu.log so that it is writable by that user, and add the following to his ~/.bash_profile:

# Log every login to the menu with a timestamp and the client address.
# SSH_CLIENT is "client-ip client-port server-port"; keep the first word.
ip=${SSH_CLIENT%% *}
date=$(/bin/date +'%d.%m.%Y %H:%M:%S')
echo "${date} | ${ip} | ---Logged into the shell menu---" >> /var/log/pdmenu.log
# Start pdmenu
/usr/local/pdmenu/bin/pdmenu
# When pdmenu exits (or fails to start), end the session at once
# so the user never lands at an ordinary shell prompt.
exit


All the user has to learn, then, is to open a connection in PuTTY (or any other SSH client) and enter a password; a convenient and self-explanatory menu starts right away. One caveat: bash reads ~/.bash_profile only for interactive login shells, so this alone does not stop a client that asks for a command instead of a shell (ssh user@host /bin/sh). To close that gap, make pdmenu the account's login shell, or pin it with ForceCommand in a Match User block in sshd_config, and disable TCP forwarding for that account while you are there.

Now pdmenu


The entire configuration is stored in the pdmenurc file. In my case it lives at /usr/local/pdmenu/etc/pdmenurc.

We start with the main menu; for this we put the following in pdmenurc:

menu:main:Main menu:
show:--------------------------::
nop
show:System tools::system
nop
show:::
exit:Exit
show:--------------------------::

We get:
image

Now we describe the System tools submenu. To do this, add to pdmenurc:

menu:system:System tools
show:-------------------------------::
nop
exec:Open FTP access:pause:ip=${SSH_CLIENT%% *}; date=$(/bin/date +'%d.%m.%Y %H:%M:%S'); echo "${date} | ${ip} | Open FTP access" >> /var/log/pdmenu.log && /bin/sh /home/shellmenu/bin/openftp.sh
nop
exit:Main menu
show:-------------------------------::

On the exec line, everything from ip= up to && writes the log entry. Only if that write succeeds does the shell script that actually opens access run.

It will look like this:
image

And here is the shell script openftp.sh which does all the dirty work:

#!/bin/sh
# Opens FTP (ports 20 and 21) to one IPv4 address entered by the user.
# Assumes sudo lets this account run /sbin/iptables and
# /etc/init.d/iptables without a password.
printf '\n---------------------\n\033[1;32m Open FTP connection\033[0m\n---------------------\n\n'
printf 'Enter the IP address you wish to provide FTP access: \033[1;32m'
read ip
# Reject anything other than digits and dots: a value such as "0.0.0.0/0" or
# "1.2.3.4 -j ACCEPT" would otherwise be handed to iptables as extra arguments.
case "$ip" in
    ''|*[!0-9.]*)
        printf '\033[0m\nNot a valid IPv4 address. Exiting...\n\n'
        exit 1
        ;;
esac
printf '\n\033[0mOk, you are going to allow FTP connections to the following IP: \033[1;31m%s\033[0m' "$ip"
printf '\n\nAre you sure? [y/n] \033[1;32m'
read wish
if [ "$wish" = y ]
then
    /usr/bin/sudo /sbin/iptables -I INPUT -s "$ip" -p tcp -m tcp --dport 20 -j ACCEPT
    /usr/bin/sudo /sbin/iptables -I INPUT -s "$ip" -p tcp -m tcp --dport 21 -j ACCEPT
    # Persist the rules across reboots (needs root, hence sudo here too)
    /usr/bin/sudo /etc/init.d/iptables save
    printf '\n\033[0m--------------------------------------------'
    printf '\n The FTP access to \033[1;32m%s\033[0m has been \033[1;31mgranted\033[0m' "$ip"
    printf '\033[0m\n--------------------------------------------\n\n'
else
    printf '\033[0m\nExiting...\n\n'
fi
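As an added example (not from the original article), here is a self-contained sh helper that implements the input check the Upd2 note at the end recommends, together with the logging used by the menu entries. It goes a step further than the script above: each octet is range-checked, a CIDR mask or trailing junk is refused, and the address is passed to iptables quoted so that even a bad value could only ever be one argument. Assumptions are mine: the log path /var/log/pdmenu.log, a sudoers rule allowing /sbin/iptables for the shellmenu account, and the DRY_RUN switch, which exists only so the commands can be shown without touching the firewall.

```shell
#!/bin/sh
# Added example, not from the original article: validation and logging helpers
# for the "Open FTP access" menu action. Assumptions: /var/log/pdmenu.log is
# writable by the menu user, and sudoers contains
# "shellmenu ALL=(root) NOPASSWD: /sbin/iptables". DRY_RUN is my own switch.

LOGFILE=${LOGFILE:-/var/log/pdmenu.log}

# Address of the current SSH client. SSH_CLIENT is "ip port port"; keep word 1.
client_ip() {
    printf '%s\n' "${SSH_CLIENT%% *}"
}

# Append "dd.mm.yyyy HH:MM:SS | client | action" to the log.
log_action() {
    printf '%s | %s | %s\n' "$(date +'%d.%m.%Y %H:%M:%S')" "$(client_ip)" "$1" >> "$LOGFILE"
}

# Accept exactly one dotted-quad IPv4 address, every octet in 0..255.
# Rejects CIDR masks ("0.0.0.0/0" would open FTP to the world), whitespace and
# anything iptables could read as a further option ("1.2.3.4 -j ACCEPT").
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Insert ACCEPT rules for the FTP control and data ports for one validated
# address. The address is passed quoted, so even a bad value would reach
# iptables as a single argument rather than as extra options. With DRY_RUN
# set, the commands are printed instead of executed.
open_ftp() {
    addr=$1
    if ! valid_ipv4 "$addr"; then
        printf 'Rejected: "%s" is not a single IPv4 address\n' "$addr" >&2
        return 2
    fi
    for port in 20 21; do
        if [ -n "${DRY_RUN:-}" ]; then
            printf 'sudo /sbin/iptables -I INPUT -s %s -p tcp -m tcp --dport %s -j ACCEPT\n' "$addr" "$port"
        else
            /usr/bin/sudo /sbin/iptables -I INPUT -s "$addr" -p tcp -m tcp --dport "$port" -j ACCEPT || return 1
        fi
    done
    log_action "Open FTP access for $addr"
}

# Usage from a pdmenu exec line (path assumed):
#   . /home/shellmenu/bin/ftpaccess.sh; open_ftp "$ip"
```

The check deliberately refuses masks and lists even though iptables would accept them: the menu exists to add one host at a time, and a single typo of the form 0.0.0.0/0 must not be able to turn the allowlist into "everyone".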


Result


Here is what we just did:

image

Thus, anyone who can type a password, use the cursor keys and press Enter can reasonably safely perform a limited set of actions on the server: restarting services, running scripts that generate content, viewing logs, editing files, and so on. Bear in mind that whatever the menu launches must not offer a way out to a shell: an ordinary vi or less will, so use their restricted modes (rvim, LESSSECURE=1) or a wrapper that does only the one job.

The main thing: protect yourself with logging and the necessary restrictions in sudo.

P.S. I have not described the details of configuring sudo, creating users and so on, so as not to bloat the article.
There is plenty of documentation on those topics on the Internet, which cannot be said about pdmenu.

Upd: as suggested by the respected shadowalone, you can download and install pdmenu here.
Upd2: as suggested by the distinguished lorc, when writing shell scripts for pdmenu (and not only for it), be sure to check what the user enters.

Source: https://habr.com/ru/post/120824/
