tbrehm
2009-07-05 6b029af653ce96709aedea68b72c96b4765e9db8
Added security levels for apache.
10 files modified
152 ■■■■ changed files
install/dist/lib/fedora.lib.php 4 ●●●● patch | view | raw | blame | history
install/dist/lib/opensuse.lib.php 4 ●●●● patch | view | raw | blame | history
install/lib/installer_base.lib.php 8 ●●●●● patch | view | raw | blame | history
install/tpl/server.ini.master 3 ●●●●● patch | view | raw | blame | history
interface/web/admin/form/server_config.tform.php 28 ●●●●● patch | view | raw | blame | history
interface/web/admin/lib/lang/en_server_config.lng 1 ●●●● patch | view | raw | blame | history
interface/web/admin/templates/server_config_web_edit.htm 16 ●●●●● patch | view | raw | blame | history
interface/web/dns/lib/module.conf.php 40 ●●●● patch | view | raw | blame | history
server/conf/vhost.conf.master 8 ●●●● patch | view | raw | blame | history
server/plugins-available/apache2_plugin.inc.php 40 ●●●●● patch | view | raw | blame | history
install/dist/lib/fedora.lib.php
@@ -444,6 +444,10 @@
            exec("ln -s ".$vhost_conf_dir."/ispconfig.conf ".$vhost_conf_enabled_dir."/000-ispconfig.conf");
        }
        
        //* add a sshusers group
        $command = 'groupadd sshusers';
        if(!is_group('sshusers')) caselog($command.' &> /dev/null 2> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
    }
    
    public function configure_firewall()
install/dist/lib/opensuse.lib.php
@@ -464,6 +464,10 @@
            exec("ln -s ".$vhost_conf_dir."/ispconfig.conf ".$vhost_conf_enabled_dir."/000-ispconfig.conf");
        }
        
        //* add a sshusers group
        $command = 'groupadd sshusers';
        if(!is_group('sshusers')) caselog($command.' &> /dev/null 2> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
    }
    
    public function configure_firewall()
install/lib/installer_base.lib.php
@@ -211,6 +211,9 @@
        $tpl_ini_array['web']['website_path'] = $conf['web']['website_path'];
        $tpl_ini_array['web']['website_symlinks'] = $conf['web']['website_symlinks'];
        $tpl_ini_array['cron']['crontab_dir'] = $conf['cron']['crontab_dir'];
        $tpl_ini_array['web']['security_level'] = 20;
        $tpl_ini_array['web']['user'] = $conf['web']['user'];
        $tpl_ini_array['web']['group'] = $conf['web']['group'];
        
        $server_ini_content = array_to_ini($tpl_ini_array);
        $server_ini_content = mysql_real_escape_string($server_ini_content);
@@ -815,6 +818,11 @@
            exec('ln -s /etc/webalizer.conf /etc/webalizer/webalizer.conf');
        }
        
        //* add a sshusers group
        $command = 'groupadd sshusers';
        if(!is_group('sshusers')) caselog($command.' &> /dev/null 2> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
        
    }
    
install/tpl/server.ini.master
@@ -34,6 +34,9 @@
website_symlinks=/var/www/[website_domain]/:/var/www/clients/client[client_id]/[website_domain]/
vhost_conf_dir=/etc/apache2/sites-available
vhost_conf_enabled_dir=/etc/apache2/sites-enabled
securiry_level=10
apache_user=www-data
apache_group=www-data
[fastcgi]
fastcgi_starter_path=/var/www/php-fcgi-scripts/[system_user]/
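Review bot: The new key on the `securiry_level=10` line is misspelled, so nothing that reads `security_level` (installer_base writes `$tpl_ini_array['web']['security_level']`, apache2_plugin reads `$web_config['security_level']`) will ever see this template value; it should read `security_level=10`. The value also disagrees with the installer, which hard-codes 20, and with the form default of 20, so once the typo is fixed the template would silently change the effective default for new servers. Decide which level is the intended out-of-the-box setting and use it in all three places.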
interface/web/admin/form/server_config.tform.php
@@ -339,6 +339,34 @@
            'width'        => '40',
            'maxlength'    => '255'
        ),
        'security_level' => array (
            'datatype'    => 'VARCHAR',
            'formtype'    => 'SELECT',
            'default'    => '20',
            'value'        => array('10' => 'Medium', '20' => 'High')
        ),
        'user' => array (
            'datatype'    => 'VARCHAR',
            'formtype'    => 'TEXT',
            'default'    => '',
            'validators'    => array (     0 => array (    'type'    => 'NOTEMPTY',
                                                        'errmsg'=> 'apache_user_error_empty'),
                                    ),
            'value'        => '',
            'width'        => '40',
            'maxlength'    => '255'
        ),
        'group' => array (
            'datatype'    => 'VARCHAR',
            'formtype'    => 'TEXT',
            'default'    => '',
            'validators'    => array (     0 => array (    'type'    => 'NOTEMPTY',
                                                        'errmsg'=> 'apache_group_error_empty'),
                                    ),
            'value'        => '',
            'width'        => '40',
            'maxlength'    => '255'
        ),
    ##################################
    # ENDE Datatable fields
    ##################################
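Review bot: The new `security_level` field has no validator, and apache2_plugin treats every value other than 20 as the medium level, so a tampered or stale value (e.g. 30) silently yields the weaker configuration. Restrict the field to the two defined values, e.g. `'validators' => array(0 => array('type' => 'REGEX', 'regex' => '/^(10|20)$/', 'errmsg' => 'security_level_error')),` if the tform validator set supports REGEX, and have the plugin fall into the stricter branch for anything it does not recognise. The datatype is VARCHAR while the plugin compares with `== 20`; storing the value as INTEGER, or comparing with `=== '20'`, would make the contract explicit. The enclosing field array starts before the hunk.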
interface/web/admin/lib/lang/en_server_config.lng
@@ -43,4 +43,5 @@
$wb["init_script_txt"] = 'Cron init script name';
$wb["crontab_dir_txt"] = 'Path for individual crontabs';
$wb["wget_txt"] = 'Path to wget program';
$wb["security_level_txt"] = 'Security level';
?>
interface/web/admin/templates/server_config_web_edit.htm
@@ -25,6 +25,22 @@
          <label for="vhost_conf_enabled_dir">{tmpl_var name='vhost_conf_enabled_dir_txt'}</label>
        <input name="vhost_conf_enabled_dir" id="vhost_conf_enabled_dir" value="{tmpl_var name='vhost_conf_enabled_dir'}" size="40" maxlength="255" type="text" class="textInput" />
            </div>
      <div class="ctrlHolder">
                <p class="label">{tmpl_var name='security_level_txt'}</p>
                    <div class="multiField">
                        <select name="security_level" id="security_level" class="selectInput">
                    {tmpl_var name='security_level'}
                </select>
                    </div>
            </div>
      <div class="ctrlHolder">
          <label for="user">{tmpl_var name='user_txt'}</label>
        <input name="user" id="user" value="{tmpl_var name='user'}" size="40" maxlength="255" type="text" class="textInput" />
            </div>
      <div class="ctrlHolder">
          <label for="group">{tmpl_var name='group_txt'}</label>
        <input name="group" id="group" value="{tmpl_var name='group'}" size="40" maxlength="255" type="text" class="textInput" />
            </div>
    </fieldset>
    <input type="hidden" name="id" value="{tmpl_var name='id'}">
interface/web/dns/lib/module.conf.php
@@ -6,6 +6,26 @@
$module["startpage"]     = "dns/dns_soa_list.php";
$module["tab_width"]    = '';
$items[] = array( 'title'     => "Add DNS Zone",
                  'target'     => 'content',
                  'link'    => 'dns/dns_wizard.php');
if($_SESSION["s"]["user"]["typ"] == 'admin') {
    $items[] = array(     'title'     => "Templates",
                          'target'     => 'content',
                          'link'        => 'dns/dns_template_list.php');
}
$module["nav"][] = array(    'title'    => 'DNS Wizard',
                            'open'     => 1,
                            'items'    => $items);
unset($items);
/*
    Email accounts menu
*/
@@ -26,26 +46,6 @@
                            'items'    => $items);
unset($items);
$items[] = array( 'title'     => "Add DNS Zone",
                  'target'     => 'content',
                  'link'    => 'dns/dns_wizard.php');
if($_SESSION["s"]["user"]["typ"] == 'admin') {
    $items[] = array(     'title'     => "Templates",
                          'target'     => 'content',
                          'link'        => 'dns/dns_template_list.php');
}
$module["nav"][] = array(    'title'    => 'DNS Wizard',
                            'open'     => 1,
                            'items'    => $items);
server/conf/vhost.conf.master
@@ -95,7 +95,9 @@
    php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -fwebmaster@<tmpl_var name='domain'>"    
    php_admin_value upload_tmp_dir <tmpl_var name='document_root'>/tmp
    php_admin_value session.save_path <tmpl_var name='document_root'>/tmp
    #php_admin_value open_basedir <tmpl_var name='document_root'>:/usr/share/php5
    <tmpl_if name='security_level' op='==' value='20'>
    php_admin_value open_basedir <tmpl_var name='document_root'>/web:<tmpl_var name='document_root'>/tmp:/usr/share/php5
    </tmpl_if>
</tmpl_if>
<tmpl_if name='php' op='==' value='suphp'>
    # suphp enabled
@@ -249,7 +251,9 @@
    php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -fwebmaster@<tmpl_var name='domain'>"    
    php_admin_value upload_tmp_dir <tmpl_var name='document_root'>/tmp
    php_admin_value session.save_path <tmpl_var name='document_root'>/tmp
    #php_admin_value open_basedir <tmpl_var name='document_root'>:/usr/share/php5
    <tmpl_if name='security_level' op='==' value='20'>
    php_admin_value open_basedir <tmpl_var name='document_root'>/web:<tmpl_var name='document_root'>/tmp:/usr/share/php5
    </tmpl_if>
</tmpl_if>
<tmpl_if name='php' op='==' value='suphp'>
    suPHP_Engine on
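Review bot: The open_basedir entries added under `security_level == 20` have no trailing slash, and PHP treats such entries as prefix matches, so `<document_root>/web` also admits `<document_root>/webfoo` and `/usr/share/php5` admits `/usr/share/php5-anything`; end each entry with a slash: `php_admin_value open_basedir <tmpl_var name='document_root'>/web/:<tmpl_var name='document_root'>/tmp/:/usr/share/php5/`. Because the restriction is only emitted for level 20 and the previous open_basedir line was already commented out, the Medium level keeps running PHP with no open_basedir at all, which is worth stating in the form help text so administrators know what "Medium" means. The enclosing `<tmpl_if name='php' ...>` block starts before the hunk, and the same change applies to the second hunk at line 251.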
server/plugins-available/apache2_plugin.inc.php
@@ -443,7 +443,7 @@
        
        $username = escapeshellcmd($data["new"]["system_user"]);
        if($data["new"]["system_user"] != '' && !$app->system->is_user($data["new"]["system_user"])) {
            exec("useradd -d ".escapeshellcmd($data["new"]["document_root"])." -g $groupname $username -s /bin/false");
            exec("useradd -d ".escapeshellcmd($data["new"]["document_root"])." -g $groupname -G sshusers $username -s /bin/false");
            $app->log("Adding the user: $username",LOGLEVEL_DEBUG);
        }
        
@@ -459,7 +459,6 @@
            exec("setquota -T -u $username 604800 604800 -a &> /dev/null");
        }
        
        if($this->action == 'insert') {
            // Chown and chmod the directories below the document root
            exec("chown -R $username:$groupname ".escapeshellcmd($data["new"]["document_root"]));
@@ -468,8 +467,40 @@
            exec("chown root:root ".escapeshellcmd($data["new"]["document_root"]));
        }
        
        // make temp direcory writable for the apache user and the website user
        exec("chmod 777 ".escapeshellcmd($data["new"]["document_root"]."/tmp"));
        // If the security level is set to high
        if($web_config['security_level'] == 20) {
            exec("chmod 711 ".escapeshellcmd($data["new"]["document_root"]."/"));
            exec("chmod 711 ".escapeshellcmd($data["new"]["document_root"]."/*"));
            exec("chmod 710 ".escapeshellcmd($data["new"]["document_root"]."/web"));
            //* Change the home directory and group of the website user
            $command = 'usermod';
            $command .= ' --groups sshusers,'.escapeshellcmd($web_config['group']);
            $command .= ' '.escapeshellcmd($data["new"]["system_user"]);
            exec($command);
            $app->log("Modifying user: $command",LOGLEVEL_DEBUG);
            // make temp direcory writable for the apache user and the website user
            // exec("chmod 777 ".escapeshellcmd($data["new"]["document_root"]."/tmp"));
        // If the security Level is set to medium
        } else {
            exec("chmod 755 ".escapeshellcmd($data["new"]["document_root"]."/"));
            exec("chmod 755 ".escapeshellcmd($data["new"]["document_root"]."/*"));
            //* Change the home directory and group of the website user
            $command = 'usermod';
            $command .= ' --groups sshusers ';
            $command .= ' '.escapeshellcmd($data["new"]["system_user"]);
            exec($command);
            $app->log("Modifying user: $command",LOGLEVEL_DEBUG);
            // make temp direcory writable for the apache user and the website user
            exec("chmod 777 ".escapeshellcmd($data["new"]["document_root"]."/tmp"));
        }
        
        
        // Create the vhost config file
@@ -482,6 +513,7 @@
        $vhost_data["web_document_root"] = $data["new"]["document_root"]."/web";
        $vhost_data["web_document_root_www"] = $web_config["website_basedir"]."/".$data["new"]["domain"]."/web";
        $vhost_data["web_basedir"] = $web_config["website_basedir"];
        $vhost_data["security_level"] = $web_config["security_level"];
        
        // Check if a SSL cert exists
        $ssl_dir = $data["new"]["document_root"]."/ssl";
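Review bot: In the high-security branch the `chmod 711` applied to `<document_root>/*` also resets `<document_root>/tmp` to 711 owned by the site user, and the `chmod 777` on tmp is deliberately left commented out there, yet vhost.conf.master still points `upload_tmp_dir` and `session.save_path` at that directory; unless PHP runs as the site user (suphp/fcgi) rather than the Apache user, sessions and uploads will fail at level 20, so the branch should either keep tmp writable for Apache (e.g. chgrp it to the Apache group and `chmod 770`) or document that level 20 requires a per-user PHP handler. `usermod --groups` replaces the entire supplementary-group list, so any groups the site user already had are dropped on every update; use `-a -G` if appending is what is intended. The new `useradd ... -G sshusers` hard-depends on a group that only the installer creates, and nothing here checks for it, so on a server without it the user is never created while the following chown/chmod calls still run; a guard like `if(!$app->system->is_group('sshusers')) exec('groupadd sshusers');` before useradd would make the plugin self-contained, assuming the system library offers is_group as the installer does. The values spliced into these commands use escapeshellcmd(), which leaves whitespace unescaped, so `escapeshellarg()` is the safer choice for `$username` and the document_root paths. The enclosing function starts and ends outside the hunks.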