From: Martin G. <mge...@us...> - 2006-02-04 15:10:28
|
Update of /cvsroot/phpshell/phpshell In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv14102 Modified Files: INSTALL README config.php phpshell.php Log Message: Reformatted text again. Index: phpshell.php =================================================================== RCS file: /cvsroot/phpshell/phpshell/phpshell.php,v retrieving revision 1.8 retrieving revision 1.9 diff -u -d -r1.8 -r1.9 --- phpshell.php 13 Jan 2006 17:59:28 -0000 1.8 +++ phpshell.php 4 Feb 2006 15:10:14 -0000 1.9 @@ -12,10 +12,10 @@ Copyright (C) 2000-2006 Martin Geisler <mge...@mg...> - This program is free software; you can redistribute it and/or - modify it under the terms of the GNU General Public License - as published by the Free Software Foundation; either version 2 - of the License, or (at your option) any later version. + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of 
@@ -29,16 +29,17 @@ */ -/* There are no user-configurable settings in this file anymore, please see - * config.php instead. */ +/* There are no user-configurable settings in this file anymore, + * please see config.php instead. */ -/* This error handler will turn all notices, warnings, and errors into fatal - * errors, unless they have been suppressed with the @-operator. */ +/* This error handler will turn all notices, warnings, and errors into + * fatal errors, unless they have been suppressed with the + * @-operator. */ function error_handler($errno, $errstr, $errfile, $errline, $errcontext) { /* The @-opertor (used with chdir() below) temporarely makes - * error_reporting() return zero, and we don't want to die in that case. - * We do note the error in the output, though. */ + * error_reporting() return zero, and we don't want to die in that + * case. We do note the error in the output, though. */ if (error_reporting() == 0) { $_SESSION['output'] .= $errstr . "\n"; } else { @@ -63,7 +64,7 @@ <hr> <address> - Copyright © 2000–2005, <a + Copyright © 2000–2006, <a href="mailto:mge...@mg...">Martin Geisler</a>. Get the latest version at <a href="http://mgeisler.net/php-shell/">mgeisler.net/php-shell/</a>. 
@@ -74,23 +75,25 @@ } } -/* Installing our error handler makes PHP die on even the slightest problem. - * This is what we want in a security critical application like this. */ +/* Installing our error handler makes PHP die on even the slightest + * problem. This is what we want in a security critical application + * like this. */ set_error_handler('error_handler'); function logout() { - /* Empty the session data, except for the 'authenticated' entry which the - * rest of the code needs to be able to check. */ + /* Empty the session data, except for the 'authenticated' entry + * which the rest of the code needs to be able to check. */ $_SESSION = array('authenticated' => false); /* Unset the client's cookie, if it has one. */ // if (isset($_COOKIE[session_name()])) // setcookie(session_name(), '', time()-42000, '/'); - /* Destroy the session data on the server. This prevents the simple - * replay attach where one uses the back button to re-authenticate using - * the old POST data since the server wont know the session then.*/ + /* Destroy the session data on the server. This prevents the + * simple replay attach where one uses the back button to + * re-authenticate using the old POST data since the server wont + * know the session then.*/ // session_destroy(); } @@ -121,7 +124,8 @@ if (empty($ini['settings'])) $ini['settings'] = array(); -/* Default settings --- these settings should always be set to something. */ +/* Default settings --- these settings should always be set to + * something. */ $default_settings = array('home-directory' => '.'); /* Merge settings. */ 
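Review bot: In logout(), the rewrapped comment beginning `Destroy the session data on the server` describes a protection the code does not provide, because the call under it is still commented out (`// session_destroy();`), as is the cookie reset above it. As shown, logout only resets `$_SESSION` to `array('authenticated' => false)`, so the session id stays valid on both client and server; the comment in the later hunk at -130,9 ("This leaves the session cookie at the user, but this is not important") rests on the same assumption. Either restore the call, or reword the comment to say what actually happens, e.g. `/* session_destroy() is disabled: the session id survives logout, only its data is reset. */`. The login path is outside these hunks, so it is worth confirming that it calls `session_regenerate_id()`; otherwise a session id known before login would remain usable after it.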
@@ -130,9 +134,9 @@ session_start(); -/* Delete the session data if the user requested a logout. This leaves the - * session cookie at the user, but this is not important since we - * authenticates on $_SESSION['authenticated']. */ +/* Delete the session data if the user requested a logout. This + * leaves the session cookie at the user, but this is not important + * since we authenticates on $_SESSION['authenticated']. */ if (isset($_POST['logout'])) logout(); @@ -149,8 +153,8 @@ } -/* Enforce default non-authenticated state if the above code didn't set it - * already. */ +/* Enforce default non-authenticated state if the above code didn't + * set it already. */ if (!isset($_SESSION['authenticated'])) $_SESSION['authenticated'] = false; @@ -164,9 +168,10 @@ } if (!empty($command)) { - /* Save the command for late use in the JavaScript. If the command is - * already in the history, then the old entry is removed before the - * new entry is put into the list at the front. */ + /* Save the command for late use in the JavaScript. If the + * command is already in the history, then the old entry is + * removed before the new entry is put into the list at the + * front. */ if (($i = array_search($command, $_SESSION['history'])) !== false) unset($_SESSION['history'][$i]); @@ -179,8 +184,8 @@ if (ereg('^[[:blank:]]*cd[[:blank:]]*$', $command)) { $_SESSION['cwd'] = realpath($ini['settings']['home-directory']); } elseif (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $command, $regs)) { - /* The current command is a 'cd' command which we have to handle - * as an internal shell command. */ + /* The current command is a 'cd' command which we have to + * handle as an internal shell command. */ if ($regs[1]{0} == '/') { /* Absolute path, we use it unchanged. */ 
@@ -216,8 +221,8 @@ logout(); } else { - /* The command is not an internal command, so we execute it after - * changing the directory and save the output. */ + /* The command is not an internal command, so we execute + * it after changing the directory and save the output. */ chdir($_SESSION['cwd']); // We canot use putenv() in safe mode. @@ -321,10 +326,10 @@ <?php if (!$_SESSION['authenticated']) { - /* Genereate a new nounce every time we preent the login page. This binds - * each login to a unique hit on the server and prevents the simple replay - * attack where one uses the back button in the browser to replay the POST - * data from a login. */ + /* Genereate a new nounce every time we preent the login page. + * This binds each login to a unique hit on the server and + * prevents the simple replay attack where one uses the back + * button in the browser to replay the POST data from a login. */ $_SESSION['nounce'] = mt_rand(); ?> @@ -398,7 +403,7 @@ <hr> <address> -Copyright © 2000–2005, <a +Copyright © 2000–2006, <a href="mailto:mge...@mg...">Martin Geisler</a>. Get the latest version at <a href="http://mgeisler.net/php-shell/">mgeisler.net/php-shell/</a>. Index: README =================================================================== RCS file: /cvsroot/phpshell/phpshell/README,v retrieving revision 1.8 retrieving revision 1.9 diff -u -d -r1.8 -r1.9 --- README 13 Jan 2006 17:59:28 -0000 1.8 +++ README 4 Feb 2006 15:10:13 -0000 1.9 
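Review bot: The login nonce on the context line `$_SESSION['nounce'] = mt_rand();` comes from a non-cryptographic generator, so the replay protection the rewrapped comment describes rests on a value that can be predicted from earlier outputs. How the nonce is checked is outside this hunk, so the impact is unconfirmed, but a value from the system CSPRNG is the safer choice; on current PHP that would be `$_SESSION['nounce'] = bin2hex(random_bytes(16));`. The comment also carries its typos through the rewrap ("Genereate", "nounce", "preent"); `Generate a new nonce every time we present the login page.` reads correctly. The enclosing `if (!$_SESSION['authenticated'])` block continues past the hunk.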
@@ -1,42 +1,47 @@ README file for PHP Shell @VERSION@ -Copyright (C) 2000-2005 Martin Geisler <mge...@mg...> +Copyright (C) 2000-2006 Martin Geisler <mge...@mg...> Licensed under the GNU GPL. See the file COPYING for details. What is PHP Shell? ================== -PHP Shell is a shell wrapped in a PHP script. It's a tool you can use to -execute arbitrary shell-commands or browse the filesystem on your remote -webserver. This replaces, to a degree, a normal telnet-connection. +PHP Shell is a shell wrapped in a PHP script. It's a tool you can use +to execute arbitrary shell-commands or browse the filesystem on your +remote webserver. This replaces, to a degree, a normal telnet +connection, and to a lesser degree a SSH connection. -You use it for administration and maintenance of your website, which is often -much easier to do if you can work directly on the server. For example, you -could use PHP Shell to unpack and move big files around. All the normal -command line programs like ps, free, du, df, etc... can be used. +You use it for administration and maintenance of your website, which +is often much easier to do if you can work directly on the server. +For example, you could use PHP Shell to unpack and move big files +around. All the normal command line programs like ps, free, du, df, +etc... can be used. Limitations =========== -There are some limitations on what kind of programs you can run. It won't do -no good if you start a graphical program like Firefox or even a console based -one like vi. All programs have to be strictly command line programs, and they -will have no chance of getting user input after they have been lunched. +There are some limitations on what kind of programs you can run. It +won't do no good if you start a graphical program like Firefox or even +a console based one like vi. All programs have to be strictly command +line programs, and they will have no chance of getting user input +after they have been lunched. 
-They probably also have to terminate within 30 seconds, as this is the default -time-limit imposed unto all PHP scripts, to prevent them from running in an -infinite loop. Your ISP may have set this time-limit to something else. +They probably also have to terminate within 30 seconds, as this is the +default time-limit imposed unto all PHP scripts, to prevent them from +running in an infinite loop. Your ISP may have set this time-limit to +something else. -But you can rely on all the normal shell-functionality, like pipes, output and -input redirection, etc... (There is no <tab>-completion, though :-) +But you can rely on all the normal shell-functionality, like pipes, +output and input redirection, etc... (There is no <tab>-completion, +though :-) Safe Mode ========= -Safe Mode is the nemisis of PHP Shell. If PHP is running in Safe Mode then -PHP Shell will normally not work --- sorry. Please read the detailed -explaination in the SECURITY file. +Safe Mode is the nemisis of PHP Shell. If PHP is running in Safe Mode +then PHP Shell will normally not work --- sorry. Please read the +detailed explaination in the SECURITY file. Who am I? 
@@ -44,48 +49,51 @@ (Well, my name is Martin, but that's not the point :-) -You may not be the same user when using PHP Shell, as you are when you upload -your files with FTP. On some systems you will be ``nobody``, on other systems -you will become ``httpd`` or ``www-data``. This is a rather dangerous -"feature" of the way PHP is run by the webserver. A possible effect of this -is that you might end up creating files using PHP Shell which you cannot -delete afterwards using FTP and maybe not even using PHP Shell. Strange, but -true :-) +You may not be the same user when using PHP Shell, as you are when you +upload your files with FTP. On some systems you will be ``nobody``, +on other systems you will become ``httpd`` or ``www-data``. This is a +rather dangerous "feature" of the way PHP is run by the webserver. A +possible effect of this is that you might end up creating files using +PHP Shell which you cannot delete afterwards using FTP and maybe not +even using PHP Shell. Strange, but true :-) -If you want to execute code as different user, then it's possible to do so by -using the Sudo program available from this address: +If you want to execute code as different user, then it's possible to +do so by using the Sudo program available from this address: http://www.courtesan.com/sudo/ -The trick is to configure Sudo to allow the user running the webserver to -execute certain commands as a more privileged user. This will have to be done -by the administrator of the server. Please refer to the documentation for -Sudo for further information about doing this. +The trick is to configure Sudo to allow the user running the webserver +to execute certain commands as a more privileged user. This will have +to be done by the administrator of the server. Please refer to the +documentation for Sudo for further information about doing this. How to Use It ============= -When you point your browser at PHP Shell you will be asked to authenticate -yourself. 
By default no username/password will work, so please go read -INSTALL for information about adding a user. +When you point your browser at PHP Shell you will be asked to +authenticate yourself. By default no username/password will work, so +please go read INSTALL for information about adding a user. -You're back? Good. Enter your username and password and press "Login". +You're back? Good. Enter your username and password and press the +"Login" button. -You will then be presented with a rather simple page containing nothing much -except a big window with the cursor blinking at the bottom, signaling that -it's ready to obey your commands. +You will then be presented with a rather simple page containing +nothing much except a big window with the cursor blinking at the +bottom, signaling that it's ready to obey your commands. Write a command and press RET --- or alternatively, press the 'Execute -Command' button if you really want. The command will be executed and the -result will be shows in the terminal. You can now enter another command. +Command' button if you really want. The command will be executed and +the result will be shows in the terminal. You can now enter another +command. -To be more precise: the terminal is updated with the command line you have -just executed, the output of the command to standard out (stdout), and -following that any error output sent to stderr. +To be more precise: the terminal is updated with the command line you +have just executed, the output of the command to standard out +(stdout), and following that any error output sent to stderr. -The commands are executed relative to a current working directory, which is -written at the top. You change this by the normal 'cd' command. +The commands are executed relative to a current working directory, +which is written at the top. You change this by the normal 'cd' +command. Download 
@@ -101,26 +109,27 @@ This is the script you run when you use PHP Shell. ChangeLog - This file describe the changes I've made to PHP Shell. By reading it you'll - always know when I've added a new feature or made a bugfix, and the nature - of the feature/bugfix. + This file describe the changes I've made to PHP Shell. By reading + it you'll always know when I've added a new feature or made a + bugfix, and the nature of the feature/bugfix. README This file! :-) INSTALL - Tells you how to install PHP Shell. Amoung other things, it explains how to - change the password protection so that you can use PHP Shell. - - Remember that it's very important to have PHP Shell password protected, or - else everybody will be able so snoop into your files and perhaps also be - able to delete them! Please take the time to protect your installation of + Tells you how to install PHP Shell. Amoung other things, it + explains how to change the password protection so that you can use PHP Shell. + Remember that it's very important to have PHP Shell password + protected, or else everybody will be able so snoop into your files + and perhaps also be able to delete them! Please take the time to + protect your installation of PHP Shell. + SECURITY A separate guide about security with PHP in general and PHP Shell in - particular. Be sure to read this too, especially if you are getting strange - errors back from PHP Shell. + particular. Be sure to read this too, especially if you are getting + strange errors back from PHP Shell. COPYING Standard GNU GPL. Index: config.php =================================================================== RCS file: /cvsroot/phpshell/phpshell/config.php,v retrieving revision 1.2 retrieving revision 1.3 diff -u -d -r1.2 -r1.3 --- config.php 13 Jan 2006 17:59:28 -0000 1.2 +++ config.php 4 Feb 2006 15:10:14 -0000 1.3 
@@ -1,4 +1,4 @@ -; <?php die('Forbidden'); ?> +; <?php die('Forbidden'); ?> -*- conf -*- ; Do not remove the above line, it prevents this file from being downloaded. ; ; config.php file for PHP Shell @VERSION@ @@ -7,8 +7,8 @@ ; This ini-file has three parts: ; -; * [users] where you add usernames and passwords to give users access to PHP -; Shell. +; * [users] where you add usernames and passwords to give users access +; to PHP Shell. ; ; * [aliases] where you can configure shell aliases. ; 
@@ -17,26 +17,32 @@ [users] -; The default configuration has no users defined, you have to add your own -; (choose good passwords!). Add uses as simple 'username = "password"' lines. -; Please quote your password using double-quotes as shown. The semi-colon ':' -; is a reserved character, so do *not* use that in your passwords. +; The default configuration has no users defined, you have to add your +; own (choose good passwords!). Add uses as simple ; -; For improved security it is *strongly suggested* that you the pwhash.php -; script to generate a hashed password and store that instead of the normal -; clear text password. Keeping your passwords in hashed form ensures that -; they cannot be found, even if this file is disclosed. The passwords are -; still visible in clear text during the login, though. Please follow the -; instructions given in pwhash.php. +; username = "password" +; +; lines. Please quote your password using double-quotes as shown. +; The semi-colon ':' is a reserved character, so do *not* use that in +; your passwords. +; +; For improved security it is *strongly suggested* that you the +; pwhash.php script to generate a hashed password and store that +; instead of the normal clear text password. Keeping your passwords +; in hashed form ensures that they cannot be found, even if this file +; is disclosed. The passwords are still visible in clear text during +; the login, though. Please follow the instructions given in +; pwhash.php. [aliases] ; Alias expansion. Change the two examples as needed and add your own -; favorites --- feel free to suggest more defaults! The command line you -; enter will only be expanded on the very first token and only once, so having -; 'ls' expand into 'ls -CvhF' does not cause an infinite recursion. +; favorites --- feel free to suggest more defaults! 
The command line +; you enter will only be expanded on the very first token and only +; once, so having 'ls' expand into 'ls -CvhF' does not cause an +; infinite recursion. ls = "ls -CvhF" ll = "ls -lvhF" @@ -47,8 +53,9 @@ ; General settings for PHP Shell. -; Home directory. PHP Shell will change to this directory upon startup and -; whenever a bare 'cd' command is given. This can be an absolute path or a -; path relative to the PHP Shell installation directory. +; Home directory. PHP Shell will change to this directory upon +; startup and whenever a bare 'cd' command is given. This can be an +; absolute path or a path relative to the PHP Shell installation +; directory. home-directory = "." Index: INSTALL =================================================================== RCS file: /cvsroot/phpshell/phpshell/INSTALL,v retrieving revision 1.7 retrieving revision 1.8 diff -u -d -r1.7 -r1.8 --- INSTALL 13 Jan 2006 17:59:28 -0000 1.7 +++ INSTALL 4 Feb 2006 15:10:12 -0000 1.8 @@ -1,5 +1,5 @@ INSTALL file for PHP Shell @VERSION@ -Copyright (C) 2000-2005 Martin Geisler <mge...@mg...> +Copyright (C) 2000-2006 Martin Geisler <mge...@mg...> Licensed under the GNU GPL. See the file COPYING for details. 
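Review bot: The [users] comment in the -17,26 hunk promises more than the stored format delivers when it says hashed passwords ensure "that they cannot be found, even if this file is disclosed". The INSTALL example in this same commit shows the stored value as `md5:7ea3b59e:eb271c4459253eaa163fcac2a119f225`, apparently a salt and a single MD5 digest, which is fast to guess against, so a weak password remains recoverable from a leaked config.php. Suggested wording: `; Hashed passwords are harder to recover if this file is disclosed, but only a strong password resists offline guessing.` The same paragraph calls ':' a semi-colon (it is a colon), writes "Add uses" for "Add users", and is missing a word in "that you the pwhash.php script" ("that you use the").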
@@ -15,63 +15,65 @@ Installation ============ -Installation is easy: first unpack the tarball or zipfile downloaded from the -above website into your webserver. This will create a subdirectory called -phpweather-@VERSION@ for PHP Shell version @VERSION@. +Installation is easy: first unpack the tarball or zipfile downloaded +from the above website into your webserver. This will create a +subdirectory called phpweather-@VERSION@ for PHP Shell version @VERSION@. -Try loading the file ``phpshell.php`` in your browser and check that you are -served a page that asks you to authenticate yourself with a username and a -password. If you do not see such a page, then please check that you have -entered the URL correctly and that PHP is working on your server. +Try loading the file ``phpshell.php`` in your browser and check that +you are served a page that asks you to authenticate yourself with a +username and a password. If you do not see such a page, then please +check that you have entered the URL correctly and that PHP is working +on your server. Configuration ============= -All configuration happens in the ``config.php`` file. This is an ini-file -dispite its name. Ini-files consist of a number of sections, each containing -a number of 'key = "value"' pairs. PHP Shell has tree sections: '[users]' for -configuring usernames and passwords, '[aliases]' for configuring shell -aliases, and '[settings]' for general settings. +All configuration happens in the ``config.php`` file. This is an +ini-file dispite its name. Ini-files consist of a number of sections, +each containing a number of 'key = "value"' pairs. PHP Shell has tree +sections: '[users]' for configuring usernames and passwords, +'[aliases]' for configuring shell aliases, and '[settings]' for +general settings. Setting Usernames and Passwords ------------------------------- -As a security precaution PHP Shell has no default username and password -(people often forget to change them...). 
To add the user "alice" with -password "secret" you simply add +As a security precaution PHP Shell has no default username and +password (people often forget to change them...). To add the user +"alice" with password "secret" you simply add [users] alice = "secret" -to the file. Note that you can add as many users as you want by simply adding -more lines like this. +to the file. Note that you can add as many users as you want by +simply adding more lines like this. -This system works, but there is a better way --- a way so that the password -does not appear in clear text in the file. For that you use the supplied -script ``pwhash.php`` to generate a hashed password. Please see the -instructions given in ``pwhash.php``. +This system works, but there is a better way --- a way so that the +password does not appear in clear text in the file. For that you use +the supplied script ``pwhash.php`` to generate a hashed password. +Please see the instructions given in ``pwhash.php``. With the above example the result could look like [users] alice = "md5:7ea3b59e:eb271c4459253eaa163fcac2a119f225" -You will not get exactly the same line if you try it out, this is a feature of -the system which means that both "alice" and "bob" could have "secret" as -their password, and you would not be able to tell from just looking at -``config.php``. +You will not get exactly the same line if you try it out, this is a +feature of the system which means that both "alice" and "bob" could +have "secret" as their password, and you would not be able to tell +from just looking at ``config.php``. Shell Aliases ------------- -As in a normal shell, PHP Shell supports alias expansion, albeit in a simple -form. Aliases are defined by 'key = "value"' pairs in the '[aliases]' -section. The "key" will be matched against the first token of the command -line and substituted with the "value" given. +As in a normal shell, PHP Shell supports alias expansion, albeit in a +simple form. 
Aliases are defined by 'key = "value"' pairs in the +'[aliases]' section. The "key" will be matched against the first +token of the command line and substituted with the "value" given. Two convenient aliases are already defined: @@ -83,14 +85,14 @@ General Settings ---------------- -PHP has just one other setting right now --- the home directory. Change this -in the '[settings]' section. +PHP has just one other setting right now --- the home directory. +Change this in the '[settings]' section. Bugs? Comments? ================ -If you find a bug or miss something in PHP Shell, please don't hesitate to -mail me at <mge...@mg...>! Or you could drop by and leave a comment -at http://mgeisler.net/php-shell/. +If you find a bug or miss something in PHP Shell, please don't +hesitate to mail me at <mge...@mg...>! Or you could drop by +and leave a comment at http://mgeisler.net/php-shell/. |