Implemented: FS#2112 - Set u / i attributes on system web folders
This option can be enabled under System > Server config and is named "Web folder protection".
| | |
| | | add_web_users_to_sshusers_group=y |
| | | connect_userid_to_webid=n |
| | | connect_userid_to_webid_start=10000 |
| | | web_folder_protection=n |
| | | |
| | | [dns] |
| | | bind_user=root |
| | |
| | | 'default' => 'y', |
| | | 'value' => array(0 => 'n', 1 => 'y') |
| | | ), |
| | | 'web_folder_protection' => array( |
| | | 'datatype' => 'VARCHAR', |
| | | 'formtype' => 'CHECKBOX', |
| | | 'default' => 'y', |
| | | 'value' => array(0 => 'n', 1 => 'y') |
| | | ), |
| | | 'add_web_users_to_sshusers_group' => array( |
| | | 'datatype' => 'VARCHAR', |
| | | 'formtype' => 'CHECKBOX', |
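Review bot: `'default' => 'y'` on the new `web_folder_protection` field disagrees with `web_folder_protection=n` in the ini template hunk, and the commit description reads as if the feature is opt-in. If opt-in is intended, the form default should be `'default' => 'n',` so that a freshly saved server config does not start setting the immutable flag on document roots unexpectedly. The field array continues outside the hunk.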
| | |
| | | $wb["firewall_txt"] = 'Firewall'; |
| | | $wb["mailbox_quota_stats_txt"] = 'Mailbox quota statistics'; |
| | | $wb["enable_ip_wildcard_txt"] = 'Enable IP wildcard (*)'; |
| | | $wb["web_folder_protection_txt"] = 'Web folder protection'; |
| | | ?> |
| | |
| | | </div> |
| | | </div> |
| | | <div class="ctrlHolder"> |
| | | <p class="label">{tmpl_var name='web_folder_protection_txt'}</p> |
| | | <div class="multiField"> |
| | | {tmpl_var name='web_folder_protection'} |
| | | </div> |
| | | </div> |
| | | <div class="ctrlHolder"> |
| | | <p class="label">{tmpl_var name='add_web_users_to_sshusers_group_txt'}</p> |
| | | <div class="multiField"> |
| | | {tmpl_var name='add_web_users_to_sshusers_group'} |
| | |
| | | return false; |
| | | } |
| | | } |
| | | |
| | | function web_folder_protection($document_root,$protect) { |
| | | global $app,$conf; |
| | | |
| | | //* load the server configuration options |
| | | $app->uses('getconf'); |
| | | $web_config = $app->getconf->get_server_config($conf['server_id'], 'web'); |
| | | |
| | | if($protect == true && $web_config['web_folder_protection'] == 'y') { |
| | | //* Add protection |
| | | if($document_root != '' && $document_root != '/' && strlen($document_root) > 6 && !stristr($document_root,'..')) exec('chattr +i '.escapeshellcmd($document_root)); |
| | | } else { |
| | | //* Remove protection |
| | | if($document_root != '' && $document_root != '/' && strlen($document_root) > 6 && !stristr($document_root,'..')) exec('chattr -i '.escapeshellcmd($document_root)); |
| | | } |
| | | } |
| | | |
| | | } |
| | | ?> |
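Review bot: `escapeshellcmd($document_root)` in both `exec('chattr ...')` calls escapes shell metacharacters but does not quote the value, so a document root containing whitespace is split into several arguments and chattr acts on the wrong paths. `escapeshellarg()` is the argument-level function for this, e.g. `exec('chattr +i '.escapeshellarg($document_root));`. The exit status of `exec` is also discarded, so a failed call (for example on a filesystem without attribute support) leaves the folder unprotected with no log entry; capturing it with `exec($cmd, $output, $retval)` and logging a non-zero `$retval` through `$app->log` would make that visible. Only the `i` attribute is set although the commit title mentions `u / i`. A short doc comment should state that `$protect = false`, or the option being `n`, always clears the flag.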
| | |
| | | } |
| | | } |
| | | } |
| | | |
| | | //* Remove protection of old folders |
| | | $app->system->web_folder_protection($data['old']['document_root'],false); |
| | | |
| | | //* Move the site data |
| | | $tmp_docroot = explode('/',$data['new']['document_root']); |
| | |
| | | if(!is_dir($data['new']['document_root'].'/ssl')) exec('mkdir -p '.$data['new']['document_root'].'/ssl'); |
| | | if(!is_dir($data['new']['document_root'].'/cgi-bin')) exec('mkdir -p '.$data['new']['document_root'].'/cgi-bin'); |
| | | if(!is_dir($data['new']['document_root'].'/tmp')) exec('mkdir -p '.$data['new']['document_root'].'/tmp'); |
| | | |
| | | |
| | | // Remove the symlink for the site, if site is renamed |
| | | if($this->action == 'update' && $data['old']['domain'] != '' && $data['new']['domain'] != $data['old']['domain']) { |
| | | if(is_dir('/var/log/ispconfig/httpd/'.$data['old']['domain'])) exec('rm -rf /var/log/ispconfig/httpd/'.$data['old']['domain']); |
| | |
| | | } |
| | | } |
| | | |
| | | |
| | | |
| | | //* If the security level is set to high |
| | | if(($this->action == 'insert' && $data['new']['type'] == 'vhost') or ($web_config['set_folder_permissions_on_update'] == 'y' && $data['new']['type'] == 'vhost')) { |
| | | |
| | | $app->system->web_folder_protection($data['new']['document_root'],false); |
| | | |
| | | if($web_config['security_level'] == 20) { |
| | | |
| | | $this->_exec('chmod 751 '.escapeshellcmd($data['new']['document_root'])); |
| | |
| | | $this->_exec('chown '.$username.':'.$groupname.' '.escapeshellcmd($data['new']['document_root'].'/web')); |
| | | } |
| | | } |
| | | |
| | | //* Protect web folders |
| | | $app->system->web_folder_protection($data['new']['document_root'],true); |
| | | |
| | | // Change the ownership of the error log to the owner of the website |
| | | if(!@is_file($data['new']['document_root'].'/log/error.log')) exec('touch '.escapeshellcmd($data['new']['document_root']).'/log/error.log'); |
| | |
| | | if(!is_file($data['new']['document_root'].'/.htpasswd_stats') || $data['new']['stats_password'] != $data['old']['stats_password']) { |
| | | if(trim($data['new']['stats_password']) != '') { |
| | | $htp_file = 'admin:'.trim($data['new']['stats_password']); |
| | | $app->system->web_folder_protection($data['new']['document_root'],false); |
| | | file_put_contents($data['new']['document_root'].'/.htpasswd_stats',$htp_file); |
| | | $app->system->web_folder_protection($data['new']['document_root'],true); |
| | | chmod($data['new']['document_root'].'/.htpasswd_stats',0755); |
| | | unset($htp_file); |
| | | } |
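Review bot: The result of `file_put_contents` between the two new `web_folder_protection` calls is not checked, so a failed write of `.htpasswd_stats` is silent and the following `chmod` runs on a file that may be missing or may still hold the old password. A check such as `if(file_put_contents($data['new']['document_root'].'/.htpasswd_stats',$htp_file) === false) $app->log('Unable to write .htpasswd_stats',LOGLEVEL_ERROR);` would surface the failure. The `0755` mode on this credentials file looks like unchanged context, but it is broader than a password file needs, since the execute bits serve no purpose. The enclosing block continues outside the hunk.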
| | |
| | | // load the server configuration options |
| | | $app->uses('getconf'); |
| | | $web_config = $app->getconf->get_server_config($conf['server_id'], 'web'); |
| | | |
| | | $app->system->web_folder_protection($data['new']['document_root'],false); |
| | | |
| | | //* Check if this is a chrooted setup |
| | | if($web_config['website_basedir'] != '' && @is_file($web_config['website_basedir'].'/etc/passwd')) { |
| | |
| | | $this->app = $app; |
| | | $this->jailkit_config = $app->getconf->get_server_config($conf["server_id"], 'jailkit'); |
| | | |
| | | $app->system->web_folder_protection($parent_domain['document_root'],false); |
| | | |
| | | $this->_update_website_security_level(); |
| | | |
| | | $this->_setup_jailkit_chroot(); |
| | |
| | | exec($command); |
| | | |
| | | $this->_update_website_security_level(); |
| | | |
| | | $app->system->web_folder_protection($parent_domain['document_root'],true); |
| | | } |
| | | |
| | | $app->log("Jailkit Plugin (Cron) -> insert username:".$parent_domain['system_user'],LOGLEVEL_DEBUG); |
| | |
| | | $this->app = $app; |
| | | $this->jailkit_config = $app->getconf->get_server_config($conf["server_id"], 'jailkit'); |
| | | |
| | | $app->system->web_folder_protection($parent_domain['document_root'],false); |
| | | $this->_update_website_security_level(); |
| | | |
| | | $this->_setup_jailkit_chroot(); |
| | | $this->_add_jailkit_user(); |
| | | |
| | | $this->_update_website_security_level(); |
| | | $app->system->web_folder_protection($parent_domain['document_root'],true); |
| | | } |
| | | |
| | | $app->log("Jailkit Plugin (Cron) -> update username:".$parent_domain['system_user'],LOGLEVEL_DEBUG); |
| | |
| | | } |
| | | |
| | | if($app->system->is_user($data['new']['puser'])) { |
| | | |
| | | //* Remove webfolder protection |
| | | $app->system->web_folder_protection($web['document_root'],false); |
| | | |
| | | // Get the UID of the parent user |
| | | $uid = intval($app->system->getuid($data['new']['puser'])); |
| | | if($uid > $this->min_uid) { |
| | |
| | | exec($command); |
| | | $app->log("Disabling shelluser temporarily: ".$command,LOGLEVEL_DEBUG); |
| | | } |
| | | |
| | | //* Add webfolder protection again |
| | | $app->system->web_folder_protection($web['document_root'],true); |
| | | |
| | | } else { |
| | | $app->log("UID = $uid for shelluser:".$data['new']['username']." not allowed.",LOGLEVEL_ERROR); |
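Review bot: The protection removed by `web_folder_protection($web['document_root'],false)` right after the `is_user` check appears to be restored only inside the `$uid > $this->min_uid` branch. The `else` path that logs the "not allowed" error has no matching call, so a rejected shell user leaves the document root without the immutable flag. Either move the removal inside the UID check or add `$app->system->web_folder_protection($web['document_root'],true);` to the `else` branch. The lines between the two hunks are not visible, so this should be confirmed against the full function.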
| | |
| | | global $app, $conf; |
| | | |
| | | $app->uses('system'); |
| | | $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$this->data['new']['parent_domain_id']); |
| | | |
| | | if($app->system->is_user($data['new']['username'])) { |
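Review bot: The new query reads `$this->data['new']['parent_domain_id']`, but in the visible code `$this->data = $data;` is assigned later, inside the jailkit branch. At this point the property is therefore either unset or left over from a previous event, and the protection toggle can act on the wrong site's document root or on none at all. The value is also concatenated into the SQL string without a cast. Using the hook argument with an integer cast addresses both: `"SELECT * FROM web_domain WHERE domain_id = ".intval($data['new']['parent_domain_id'])`. The same pattern recurs in the update hunk and, with `$this->data['old']`, in the delete hunk; the function body starts and ends outside this hunk.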
| | | |
| | |
| | | */ |
| | | if ($data['new']['chroot'] == "jailkit") |
| | | { |
| | | $app->system->web_folder_protection($web['document_root'],false); |
| | | |
| | | // load the server configuration options |
| | | $app->uses("getconf"); |
| | | $this->data = $data; |
| | |
| | | exec($command); |
| | | |
| | | $this->_update_website_security_level(); |
| | | $app->system->web_folder_protection($web['document_root'],true); |
| | | } |
| | | |
| | | $app->log("Jailkit Plugin -> insert username:".$data['new']['username'],LOGLEVEL_DEBUG); |
| | |
| | | global $app, $conf; |
| | | |
| | | $app->uses('system'); |
| | | $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$this->data['new']['parent_domain_id']); |
| | | |
| | | if($app->system->is_user($data['new']['username'])) { |
| | | |
| | |
| | | */ |
| | | if ($data['new']['chroot'] == "jailkit") |
| | | { |
| | | $app->system->web_folder_protection($web['document_root'],false); |
| | | |
| | | // load the server configuration options |
| | | $app->uses("getconf"); |
| | | $this->data = $data; |
| | |
| | | $this->_setup_ssh_rsa(); |
| | | |
| | | $this->_update_website_security_level(); |
| | | |
| | | $app->system->web_folder_protection($web['document_root'],true); |
| | | } |
| | | |
| | | $app->log("Jailkit Plugin -> update username:".$data['new']['username'],LOGLEVEL_DEBUG); |
| | |
| | | |
| | | $app->uses('system'); |
| | | |
| | | $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$this->data['old']['parent_domain_id']); |
| | | |
| | | if ($data['old']['chroot'] == "jailkit") |
| | | { |
| | | $app->uses("getconf"); |
| | |
| | | //commented out proved to be dangerous on config errors |
| | | //exec('rm -rf '.$data['old']['dir'].$jailkit_chroot_userhome); |
| | | |
| | | $app->system->web_folder_protection($web['document_root'],false); |
| | | |
| | | if(@is_dir($data['old']['dir'].$jailkit_chroot_userhome)) { |
| | | $command = 'userdel -f'; |
| | | $command .= ' '.escapeshellcmd($data['old']['username']); |
| | |
| | | $app->log("Jailkit Plugin -> delete chroot home:".$data['old']['dir'].$jailkit_chroot_userhome,LOGLEVEL_DEBUG); |
| | | } |
| | | |
| | | $app->system->web_folder_protection($web['document_root'],true); |
| | | |
| | | } |
| | | |
| | | $app->log("Jailkit Plugin -> delete username:".$data['old']['username'],LOGLEVEL_DEBUG); |