From 6b029af653ce96709aedea68b72c96b4765e9db8 Mon Sep 17 00:00:00 2001
From: tbrehm <t.brehm@ispconfig.org>
Date: Sun, 05 Jul 2009 07:39:20 -0400
Subject: [PATCH] Added security levels for apache.

---
 server/conf/vhost.conf.master                            |    8 ++
 install/lib/installer_base.lib.php                       |    8 ++
 interface/web/admin/templates/server_config_web_edit.htm |   16 +++++
 interface/web/dns/lib/module.conf.php                    |   40 ++++++------
 install/dist/lib/fedora.lib.php                          |    4 +
 server/plugins-available/apache2_plugin.inc.php          |   40 ++++++++++++-
 install/dist/lib/opensuse.lib.php                        |    4 +
 interface/web/admin/lib/lang/en_server_config.lng        |    1 
 install/tpl/server.ini.master                            |    3 +
 interface/web/admin/form/server_config.tform.php         |   28 +++++++++
 10 files changed, 126 insertions(+), 26 deletions(-)

diff --git a/install/dist/lib/fedora.lib.php b/install/dist/lib/fedora.lib.php
index bc6f25e..6dcf988 100644
--- a/install/dist/lib/fedora.lib.php
+++ b/install/dist/lib/fedora.lib.php
@@ -444,6 +444,10 @@
 			exec("ln -s ".$vhost_conf_dir."/ispconfig.conf ".$vhost_conf_enabled_dir."/000-ispconfig.conf");
 		}
 		
+		//* add a sshusers group
+		$command = 'groupadd sshusers';
+		if(!is_group('sshusers')) caselog($command.' &> /dev/null 2> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+		
 	}
 	
 	public function configure_firewall()
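Review bot: The redirection appended on L29, `&> /dev/null 2> /dev/null`, relies on the bash-only `&>` operator; if the shell that runs this command is a POSIX sh (dash on Debian systems, which is what the installer_base hunk at L67-L69 targets), the line parses as `groupadd sshusers &` followed by a separate redirection-only command, so groupadd is backgrounded and whatever exit status caselog evaluates belongs to the wrong command. The portable form is `caselog($command.' > /dev/null 2>&1', __FILE__, __LINE__, ...)`. How caselog judges success is not visible in this hunk, so the impact on the logged "Failed to execute" message is inferred. The identical lines are added in the opensuse.lib.php hunk (L42-L44) and the installer_base.lib.php hunk (L67-L69); the enclosing method starts outside this hunk.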
diff --git a/install/dist/lib/opensuse.lib.php b/install/dist/lib/opensuse.lib.php
index b175e07..bb3cfab 100644
--- a/install/dist/lib/opensuse.lib.php
+++ b/install/dist/lib/opensuse.lib.php
@@ -464,6 +464,10 @@
 			exec("ln -s ".$vhost_conf_dir."/ispconfig.conf ".$vhost_conf_enabled_dir."/000-ispconfig.conf");
 		}
 		
+		//* add a sshusers group
+		$command = 'groupadd sshusers';
+		if(!is_group('sshusers')) caselog($command.' &> /dev/null 2> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+		
 	}
 	
 	public function configure_firewall()
diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php
index 82b5b17..28bf4ae 100644
--- a/install/lib/installer_base.lib.php
+++ b/install/lib/installer_base.lib.php
@@ -211,6 +211,9 @@
 		$tpl_ini_array['web']['website_path'] = $conf['web']['website_path'];
 		$tpl_ini_array['web']['website_symlinks'] = $conf['web']['website_symlinks'];
         $tpl_ini_array['cron']['crontab_dir'] = $conf['cron']['crontab_dir'];
+		$tpl_ini_array['web']['security_level'] = 20;
+		$tpl_ini_array['web']['user'] = $conf['web']['user'];
+		$tpl_ini_array['web']['group'] = $conf['web']['group'];
         
 		$server_ini_content = array_to_ini($tpl_ini_array);
 		$server_ini_content = mysql_real_escape_string($server_ini_content);
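Review bot: L57 pins `security_level` to the literal 20, while the template server.ini.master added in this patch ships `10` and the form default in server_config.tform.php is `'20'`, so a fresh install ends up with three candidate defaults in three places. Either read the value from the installer configuration like the neighbouring lines do (`$tpl_ini_array['web']['security_level'] = $conf['web']['security_level'];`, if the installer config carries such a key) or add a comment stating that the installer deliberately overrides the template default, e.g. `//* default to the "High" level (open_basedir enforced); overrides server.ini.master`. The enclosing method starts and ends outside this hunk.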
@@ -815,6 +818,11 @@
 			exec('ln -s /etc/webalizer.conf /etc/webalizer/webalizer.conf');
 		}
 		
+		//* add a sshusers group
+		$command = 'groupadd sshusers';
+		if(!is_group('sshusers')) caselog($command.' &> /dev/null 2> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+
+		
 		
 	}
 	
diff --git a/install/tpl/server.ini.master b/install/tpl/server.ini.master
index d33afc7..6ded54e 100644
--- a/install/tpl/server.ini.master
+++ b/install/tpl/server.ini.master
@@ -34,6 +34,9 @@
 website_symlinks=/var/www/[website_domain]/:/var/www/clients/client[client_id]/[website_domain]/
 vhost_conf_dir=/etc/apache2/sites-available
 vhost_conf_enabled_dir=/etc/apache2/sites-enabled
+securiry_level=10
+apache_user=www-data
+apache_group=www-data
 
 [fastcgi]
 fastcgi_starter_path=/var/www/php-fcgi-scripts/[system_user]/
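Review bot: The key added on L83 is misspelled (`securiry_level` instead of `security_level`), so nothing that reads the `[web]` section will ever see this default; the correct line is `security_level=10`. The other two keys, `apache_user` and `apache_group` (L84-L85), do not match the names used elsewhere in this patch either: installer_base.lib.php writes `user`/`group` (L58-L59), the form defines fields `user`/`group` (L103, L114) and apache2_plugin reads `$web_config['group']` (L288), so these template entries are dead keys and the real settings are absent until the installer injects them. Renaming them to `user=www-data` and `group=www-data` keeps the template consistent with every consumer.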
diff --git a/interface/web/admin/form/server_config.tform.php b/interface/web/admin/form/server_config.tform.php
index 3e081b4..999a1f9 100644
--- a/interface/web/admin/form/server_config.tform.php
+++ b/interface/web/admin/form/server_config.tform.php
@@ -339,6 +339,34 @@
 			'width'		=> '40',
 			'maxlength'	=> '255'
 		),
+		'security_level' => array (
+			'datatype'	=> 'VARCHAR',
+			'formtype'	=> 'SELECT',
+			'default'	=> '20',
+			'value'		=> array('10' => 'Medium', '20' => 'High')
+		),
+		'user' => array (
+			'datatype'	=> 'VARCHAR',
+			'formtype'	=> 'TEXT',
+			'default'	=> '',
+			'validators'	=> array ( 	0 => array (	'type'	=> 'NOTEMPTY',
+														'errmsg'=> 'apache_user_error_empty'),
+									),
+			'value'		=> '',
+			'width'		=> '40',
+			'maxlength'	=> '255'
+		),
+		'group' => array (
+			'datatype'	=> 'VARCHAR',
+			'formtype'	=> 'TEXT',
+			'default'	=> '',
+			'validators'	=> array ( 	0 => array (	'type'	=> 'NOTEMPTY',
+														'errmsg'=> 'apache_group_error_empty'),
+									),
+			'value'		=> '',
+			'width'		=> '40',
+			'maxlength'	=> '255'
+		),
 	##################################
 	# ENDE Datatable fields
 	##################################
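Review bot: The new `user` and `group` fields (L103-L124) are validated only as NOTEMPTY, yet their values are later spliced into a `usermod --groups sshusers,<group>` command through escapeshellcmd (apache2_plugin.inc.php, L288), which does not escape whitespace, so a value such as `www-data foo` would be passed to usermod as two arguments. Since these must be system account and group names, a format check belongs here: if the form library's REGEX validator is available, add `array('type' => 'REGEX', 'regex' => '/^[a-z_][a-z0-9_-]*$/', 'errmsg' => 'apache_group_error_regex')` alongside the NOTEMPTY entry for both fields (the error message keys would need adding to the language file). Note also that the validator error keys referenced on L108 and L119 (`apache_user_error_empty`, `apache_group_error_empty`) are not defined in the en_server_config.lng hunk of this patch (L132-L138), which only adds `security_level_txt`.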
diff --git a/interface/web/admin/lib/lang/en_server_config.lng b/interface/web/admin/lib/lang/en_server_config.lng
index ef736cc..6e817f4 100644
--- a/interface/web/admin/lib/lang/en_server_config.lng
+++ b/interface/web/admin/lib/lang/en_server_config.lng
@@ -43,4 +43,5 @@
 $wb["init_script_txt"] = 'Cron init script name';
 $wb["crontab_dir_txt"] = 'Path for individual crontabs';
 $wb["wget_txt"] = 'Path to wget program';
+$wb["security_level_txt"] = 'Security level';
 ?>
\ No newline at end of file
diff --git a/interface/web/admin/templates/server_config_web_edit.htm b/interface/web/admin/templates/server_config_web_edit.htm
index 92d5262..e5a317f 100644
--- a/interface/web/admin/templates/server_config_web_edit.htm
+++ b/interface/web/admin/templates/server_config_web_edit.htm
@@ -25,6 +25,22 @@
       	<label for="vhost_conf_enabled_dir">{tmpl_var name='vhost_conf_enabled_dir_txt'}</label>
         <input name="vhost_conf_enabled_dir" id="vhost_conf_enabled_dir" value="{tmpl_var name='vhost_conf_enabled_dir'}" size="40" maxlength="255" type="text" class="textInput" />
 			</div>
+	  <div class="ctrlHolder">
+				<p class="label">{tmpl_var name='security_level_txt'}</p>
+					<div class="multiField">
+						<select name="security_level" id="security_level" class="selectInput">
+					{tmpl_var name='security_level'}
+				</select>
+					</div>
+			</div>
+	  <div class="ctrlHolder">
+      	<label for="user">{tmpl_var name='user_txt'}</label>
+        <input name="user" id="user" value="{tmpl_var name='user'}" size="40" maxlength="255" type="text" class="textInput" />
+			</div>
+	  <div class="ctrlHolder">
+      	<label for="group">{tmpl_var name='group_txt'}</label>
+        <input name="group" id="group" value="{tmpl_var name='group'}" size="40" maxlength="255" type="text" class="textInput" />
+			</div>
     </fieldset>
 
     <input type="hidden" name="id" value="{tmpl_var name='id'}">
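Review bot: The template references `user_txt` (L156) and `group_txt` (L160), but the language file hunk in this patch (L132-L138) adds only `security_level_txt`, so both labels will render without text until `$wb["user_txt"] = 'Apache user';` and `$wb["group_txt"] = 'Apache group';` are added to en_server_config.lng. The field names `user` and `group` are generic for a server-wide config form; a label that says they are the Apache worker account would help an administrator who otherwise might enter the website user here.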
diff --git a/interface/web/dns/lib/module.conf.php b/interface/web/dns/lib/module.conf.php
index ccb560d..0d33ad8 100644
--- a/interface/web/dns/lib/module.conf.php
+++ b/interface/web/dns/lib/module.conf.php
@@ -6,6 +6,26 @@
 $module["startpage"] 	= "dns/dns_soa_list.php";
 $module["tab_width"]    = '';
 
+
+$items[] = array( 'title' 	=> "Add DNS Zone",
+				  'target' 	=> 'content',
+				  'link'	=> 'dns/dns_wizard.php');
+
+if($_SESSION["s"]["user"]["typ"] == 'admin') {
+				  
+	$items[] = array( 	'title' 	=> "Templates",
+				  		'target' 	=> 'content',
+				  		'link'		=> 'dns/dns_template_list.php');
+}
+
+
+$module["nav"][] = array(	'title'	=> 'DNS Wizard',
+							'open' 	=> 1,
+							'items'	=> $items);
+
+							
+unset($items);
+
 /*
 	Email accounts menu
 */
@@ -26,26 +46,6 @@
 							'items'	=> $items);
 
 unset($items);
-
-
-$items[] = array( 'title' 	=> "Add DNS Zone",
-				  'target' 	=> 'content',
-				  'link'	=> 'dns/dns_wizard.php');
-
-if($_SESSION["s"]["user"]["typ"] == 'admin') {
-				  
-	$items[] = array( 	'title' 	=> "Templates",
-				  		'target' 	=> 'content',
-				  		'link'		=> 'dns/dns_template_list.php');
-}
-
-
-$module["nav"][] = array(	'title'	=> 'DNS Wizard',
-							'open' 	=> 1,
-							'items'	=> $items);
-
-
-
 
 
 
diff --git a/server/conf/vhost.conf.master b/server/conf/vhost.conf.master
index d828fdf..e839ccc 100644
--- a/server/conf/vhost.conf.master
+++ b/server/conf/vhost.conf.master
@@ -95,7 +95,9 @@
 	php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -fwebmaster@<tmpl_var name='domain'>"	
     php_admin_value upload_tmp_dir <tmpl_var name='document_root'>/tmp
     php_admin_value session.save_path <tmpl_var name='document_root'>/tmp
-    #php_admin_value open_basedir <tmpl_var name='document_root'>:/usr/share/php5
+	<tmpl_if name='security_level' op='==' value='20'>
+    php_admin_value open_basedir <tmpl_var name='document_root'>/web:<tmpl_var name='document_root'>/tmp:/usr/share/php5
+	</tmpl_if>
 </tmpl_if>
 <tmpl_if name='php' op='==' value='suphp'>
     # suphp enabled
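Review bot: With the old commented-out `open_basedir` line removed (L232) and the new directive wrapped in `<tmpl_if name='security_level' op='==' value='20'>` (L233-L235), the "Medium" level now emits no open_basedir at all, so a PHP script at that level can read anything the Apache worker can read. If the template engine supports it, a `<tmpl_else>` branch restoring the broader restriction, `php_admin_value open_basedir <tmpl_var name='document_root'>:/usr/share/php5`, would make "Medium" an actual intermediate rather than "off". The same pattern is repeated in the second hunk of this file (L244-L246), which also differs in indentation (spaces vs. the tab on L233); a short comment above the block, `# open_basedir is only enforced at security level 20 (High)`, would document the intent at both sites.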
@@ -249,7 +251,9 @@
 	php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -fwebmaster@<tmpl_var name='domain'>"	
     php_admin_value upload_tmp_dir <tmpl_var name='document_root'>/tmp
     php_admin_value session.save_path <tmpl_var name='document_root'>/tmp
-    #php_admin_value open_basedir <tmpl_var name='document_root'>:/usr/share/php5
+    <tmpl_if name='security_level' op='==' value='20'>
+    php_admin_value open_basedir <tmpl_var name='document_root'>/web:<tmpl_var name='document_root'>/tmp:/usr/share/php5
+	</tmpl_if>
 </tmpl_if>
 <tmpl_if name='php' op='==' value='suphp'>
     suPHP_Engine on
diff --git a/server/plugins-available/apache2_plugin.inc.php b/server/plugins-available/apache2_plugin.inc.php
index 665a8dd..bfdc6bf 100644
--- a/server/plugins-available/apache2_plugin.inc.php
+++ b/server/plugins-available/apache2_plugin.inc.php
@@ -443,7 +443,7 @@
 		
 		$username = escapeshellcmd($data["new"]["system_user"]);
 		if($data["new"]["system_user"] != '' && !$app->system->is_user($data["new"]["system_user"])) {
-			exec("useradd -d ".escapeshellcmd($data["new"]["document_root"])." -g $groupname $username -s /bin/false");
+			exec("useradd -d ".escapeshellcmd($data["new"]["document_root"])." -g $groupname -G sshusers $username -s /bin/false");
 			$app->log("Adding the user: $username",LOGLEVEL_DEBUG);
 		}
 		
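Review bot: The `-G sshusers` added on L259 makes user creation depend on the `sshusers` group existing, but the exit status of `exec()` is discarded, so on a server where the installer hunk that creates the group has not run (an upgrade without re-running the installer, or a manually removed group) useradd fails and the website user silently does not exist, while the next lines go on to chown to it. Capture the status and surface the failure: `exec($cmd, $out, $rc); if($rc !== 0) $app->log("useradd failed ($rc): $cmd", LOGLEVEL_WARN);`. The enclosing method starts and ends outside this hunk.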
@@ -459,7 +459,6 @@
 			exec("setquota -T -u $username 604800 604800 -a &> /dev/null");
 		}
 		
-		
 		if($this->action == 'insert') {
 			// Chown and chmod the directories below the document root
 			exec("chown -R $username:$groupname ".escapeshellcmd($data["new"]["document_root"]));
@@ -468,8 +467,40 @@
 			exec("chown root:root ".escapeshellcmd($data["new"]["document_root"]));
 		}
 		
-		// make temp direcory writable for the apache user and the website user
-		exec("chmod 777 ".escapeshellcmd($data["new"]["document_root"]."/tmp"));
+		
+		
+		// If the security level is set to high
+		if($web_config['security_level'] == 20) {
+			
+			exec("chmod 711 ".escapeshellcmd($data["new"]["document_root"]."/"));
+			exec("chmod 711 ".escapeshellcmd($data["new"]["document_root"]."/*"));
+			exec("chmod 710 ".escapeshellcmd($data["new"]["document_root"]."/web"));
+			
+			//* Change the home directory and group of the website user
+			$command = 'usermod';
+			$command .= ' --groups sshusers,'.escapeshellcmd($web_config['group']);
+			$command .= ' '.escapeshellcmd($data["new"]["system_user"]);
+			exec($command);
+			$app->log("Modifying user: $command",LOGLEVEL_DEBUG);
+		
+			// make temp direcory writable for the apache user and the website user
+			// exec("chmod 777 ".escapeshellcmd($data["new"]["document_root"]."/tmp"));
+		// If the security Level is set to medium
+		} else {
+		
+			exec("chmod 755 ".escapeshellcmd($data["new"]["document_root"]."/"));
+			exec("chmod 755 ".escapeshellcmd($data["new"]["document_root"]."/*"));
+			
+			//* Change the home directory and group of the website user
+			$command = 'usermod';
+			$command .= ' --groups sshusers ';
+			$command .= ' '.escapeshellcmd($data["new"]["system_user"]);
+			exec($command);
+			$app->log("Modifying user: $command",LOGLEVEL_DEBUG);
+		
+			// make temp direcory writable for the apache user and the website user
+			exec("chmod 777 ".escapeshellcmd($data["new"]["document_root"]."/tmp"));
+		}
 		
 		
 		// Create the vhost config file
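Review bot: The `chmod 711 .../*` on L283 and `chmod 755 .../*` on L299 never match anything, because escapeshellcmd() backslash-escapes `*`, so the shell receives a literal `\*` and chmod fails on a file named `*`; the glob must stay outside the escaped part, e.g. `exec("chmod 711 ".escapeshellcmd($data["new"]["document_root"])."/*");`, and since every exec() here discards its status, a failure like this is invisible in the log. Separately, `usermod --groups` without `-a` (L288, L303) replaces the website user's entire supplementary group list rather than adding to it; if that is intended, the comment above it should say so, e.g. `//* Reset supplementary groups: sshusers plus the Apache group (High) or sshusers only (Medium)`, replacing the current "Change the home directory" wording, which the command does not do. The commented-out chmod on L294 should be removed rather than left in place. The enclosing method starts and ends outside this hunk.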
@@ -482,6 +513,7 @@
 		$vhost_data["web_document_root"] = $data["new"]["document_root"]."/web";
 		$vhost_data["web_document_root_www"] = $web_config["website_basedir"]."/".$data["new"]["domain"]."/web";
 		$vhost_data["web_basedir"] = $web_config["website_basedir"];
+		$vhost_data["security_level"] = $web_config["security_level"];
 		
 		// Check if a SSL cert exists
 		$ssl_dir = $data["new"]["document_root"]."/ssl";
