How to fix NextCloud share links that have no password?
- By: Will
- Category: Cloud storage

1 Preface
One problem, one article, one story.
I had not previously required users to set a password when creating share links in NextCloud, which left some security gaps, so this chapter summarises how to remedy them.
2 Best practice
2.1 Create the share-link password generation code
2.2 Create the fix script
vim ~/scripts/linkTool.sh
Add the following content:
#!/bin/bash
source /etc/profile

# Database connection, log files and sender address
mysqlHost="localhost"
mysqlPort="3306"
mysqlDataBase="nextcloud"
mysqlUser="root"
mysqlPasswd="nextcloudpwd"
linkFixLog="/var/log/nextcloud/linkFix.log"
senMailLog="/var/log/nextcloud/linkFixSendMail.log"
mailFrom="no_reply_nextcloud@cmdschool.org"

# Run the Nextcloud occ command as the web server user
occ() {
    sudo -u apache /usr/bin/php -d apc.enable_cli=1 -d memory_limit=1024M /var/www/nextcloud/occ "$@"
}

# List every user (e-mail style IDs only) who has a share link without a password
getUser() {
    mysql -u"$mysqlUser" -p"$mysqlPasswd" -h "$mysqlHost" -P "$mysqlPort" \
        -e "SELECT uid_initiator FROM $mysqlDataBase.oc_share \
            WHERE password IS NULL and token IS NOT NULL and \
            uid_initiator like '%@%' and uid_owner like '%@%'\G" | \
        grep 'uid_initiator:' | awk -F' ' '{print $2}' | sort -u
}

# Build the public URLs of one user's password-less links from their tokens
getUserLink() {
    nextcloudUser="$1"
    mysql -u"$mysqlUser" -p"$mysqlPasswd" -h "$mysqlHost" -P "$mysqlPort" \
        -e "SELECT CONCAT('https://nextcloud.cmdschool.org/index.php/s/', token) as link FROM $mysqlDataBase.oc_share \
            WHERE password IS NULL and token IS NOT NULL and uid_initiator like '%@%' \
            and uid_owner like '%@%' and uid_initiator like '%$nextcloudUser%'\G" | \
        grep 'link:' | awk -F' ' '{print $2}'
}

# Hash a plaintext password with the hasher.php from section 2.1 (expected in the current directory)
getHashPassword() {
    local password="$1"
    local hashed
    hashed=$(/usr/bin/php hasher.php "$password")
    echo "$hashed"
}

# Store the hashed password on all of the user's links that still have none
setUserPassword() {
    nextcloudUser="$1"
    nextcloudPassword="$2"
    mysql -u"$mysqlUser" -p"$mysqlPasswd" -h "$mysqlHost" -P "$mysqlPort" \
        -e "UPDATE $mysqlDataBase.oc_share SET password='$nextcloudPassword' \
            WHERE password IS NULL and token IS NOT NULL and uid_initiator like '%@%' \
            and uid_owner like '%@%' and uid_initiator like '%$nextcloudUser%'"
}

# Record date, time, user, plaintext password and link; the mail step reads this file back
writeLog() {
    nextcloudUser="$1"
    nextcloudPassword="$2"
    for link in $(getUserLink "$nextcloudUser"); do
        echo "$(date +"%Y-%m-%d %H:%M:%S") $nextcloudUser $nextcloudPassword $link" | tee -a "$linkFixLog"
    done
}

# Generate one random 12-character password per user, log it, then store its hash
fixUser() {
    for user in $(getUser); do
        userPassword="$(mkpasswd -l 12)"
        hasherPassword=$(getHashPassword "$userPassword")
        writeLog "$user" "$userPassword"
        setUserPassword "$user" "$hasherPassword"
    done
}

# Users recorded in the fix log (field 3; fields 1 and 2 are date and time)
getSendUser() {
    awk -F' ' '{print $3}' "$linkFixLog" | sort -u
}

# Look up the user's e-mail address through occ
getSendMail() {
    user="$1"
    occ user:info "$user" | grep "email:" | awk -F' ' '{print $3}'
}

# The plaintext password written for this user (field 4 of the log)
getSendPassword() {
    user="$1"
    grep "$user" "$linkFixLog" | awk '{print $4}' | sort -u
}

# Numbered list of the user's changed links (field 5 of the log)
getSendLink() {
    user="$1"
    readarray -t link < <(grep "$user" "$linkFixLog" | awk '{print $5}' | sort -u)
    i=0
    for item in "${link[@]}"; do
        i=$((i + 1))
        printf "%-3d %s\n" "$i" "[$item]"
    done
}

# Send the notification to one user; skip and log if any piece of data is missing
sendUserMail() {
    nextCloudUser="$1"
    sendPassword=$(getSendPassword "$nextCloudUser")
    sendLink=$(getSendLink "$nextCloudUser")
    mailTo=$(getSendMail "$nextCloudUser")
    if [[ -z "$sendPassword" || -z "$sendLink" || -z "$mailTo" ]]; then
        [[ -z "$sendPassword" ]] && echo "$(date +"%Y-%m-%d %H:%M:%S") $nextCloudUser sendPassword is empty." >> "$senMailLog"
        [[ -z "$sendLink" ]] && echo "$(date +"%Y-%m-%d %H:%M:%S") $nextCloudUser sendLink is empty." >> "$senMailLog"
        [[ -z "$mailTo" ]] && echo "$(date +"%Y-%m-%d %H:%M:%S") $nextCloudUser mailTo is empty." >> "$senMailLog"
        return
    fi
    mailSubject='Notification of Password Change for Unencrypted Links on NextCloud'
    cat <<-EOF | mail -s "$mailSubject" -r "$mailFrom" "$mailTo"
Dear User,

We found that some of your NextCloud links did not have access passwords set. For security reasons, the unencrypted links have been updated.

The new access password is: $sendPassword

Please notify any other users who need access to these links in a timely manner.

The detailed links for which the passwords have been changed are as follows:
$sendLink

You may contact IT HelpDesk, if you need further assistance or queries.
HK IT Helpdesk: (31) 8222; D2 IT Helpdesk: (32)2998; CA IT Helpdesk: (33)7998

Note: This email is an automatically generated email from [NextCloud], please do not respond to this email!
EOF
    echo "$(date +"%Y-%m-%d %H:%M:%S") $nextCloudUser email was sent successfully." >> "$senMailLog"
}

# Notify every user found in the fix log
sendMail() {
    for user in $(getSendUser); do
        sendUserMail "$user"
    done
}

case "$1" in
    fix) fixUser ;;
    mail) sendMail ;;
    *) echo "Usage: $0 {fix|mail}" ;;
esac
exit 0
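The selection logic above can be checked offline before the script touches the production database. The following added example (mine, not the author's script) reproduces the script's WHERE clause on a constructed in-memory SQLite copy of the oc_share columns it reads, and shows why the per-user `LIKE '%user%'` match is worth tightening to an exact match: fixing `will@cmdschool.org` would otherwise also select, and overwrite, the links of a user such as `swill@cmdschool.org`. The sample users, tokens and hash placeholders are constructed for this example.

```python
import sqlite3

# Constructed stand-in for the oc_share columns the fix script reads.
# Users, tokens and the "<existing hash>" value are made up for this example.
SAMPLE_ROWS = [
    # id, uid_owner, uid_initiator, token, password
    (1, "will@cmdschool.org", "will@cmdschool.org", "tokenWill0000001", None),
    (2, "will@cmdschool.org", "will@cmdschool.org", "tokenWill0000002", "<existing hash>"),
    (3, "swill@cmdschool.org", "swill@cmdschool.org", "tokenSwill000001", None),
    (4, "will@cmdschool.org", "will@cmdschool.org", None, None),  # share to a user: no link token
    (5, "admin", "admin", "tokenAdmin000001", None),  # local account without '@': skipped by the script
]

# The WHERE clause used by getUser()/getUserLink() in the fix script.
UNPROTECTED = ("password IS NULL AND token IS NOT NULL "
               "AND uid_initiator LIKE '%@%' AND uid_owner LIKE '%@%'")


def load_sample() -> sqlite3.Connection:
    """In-memory SQLite table standing in for MySQL's nextcloud.oc_share."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE oc_share (id INTEGER PRIMARY KEY, uid_owner TEXT, "
                 "uid_initiator TEXT, token TEXT, password TEXT)")
    conn.executemany("INSERT INTO oc_share VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def unprotected_initiators(conn) -> list:
    """Distinct users who still own a password-less link (what getUser() lists)."""
    rows = conn.execute(f"SELECT DISTINCT uid_initiator FROM oc_share WHERE {UNPROTECTED} ORDER BY 1")
    return [r[0] for r in rows]


def links_substring(conn, user) -> list:
    """The script's per-user selection, LIKE '%user%': a substring match."""
    rows = conn.execute(f"SELECT token FROM oc_share WHERE {UNPROTECTED} "
                        "AND uid_initiator LIKE ? ORDER BY id", (f"%{user}%",))
    return [r[0] for r in rows]


def links_exact(conn, user) -> list:
    """Tightened selection (=) so one user's fix cannot pick up another user's links."""
    rows = conn.execute(f"SELECT token FROM oc_share WHERE {UNPROTECTED} "
                        "AND uid_initiator = ? ORDER BY id", (user,))
    return [r[0] for r in rows]


def set_link_password(conn, user, hashed) -> int:
    """Store an already-hashed password on that user's password-less links; returns rows changed."""
    cur = conn.execute(f"UPDATE oc_share SET password = ? WHERE {UNPROTECTED} "
                       "AND uid_initiator = ?", (hashed, user))
    return cur.rowcount
```

After `set_link_password` has run for a user, `unprotected_initiators` no longer lists them, which is the check worth running once the real script has finished.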
2.3 Fix the passwords
bash ~/scripts/linkTool.sh fix
2.4 Notify the users
bash ~/scripts/linkTool.sh mail