From 9edea9976bd605071e0694a90d704266c0b7e0f9 Mon Sep 17 00:00:00 2001
From: Till Brehm <tbrehm@ispconfig.org>
Date: Thu, 14 Aug 2014 11:30:03 -0400
Subject: [PATCH] - Added warning in the interface when a path for a shelluser is set that is outside of the website docroot. - Added security settings feature to allow the root user of a server to control most aspects of whet the admin user of the controlpanel is allowed to do in system settings. This is especially useful for managed severs where the ispconfig admin user and the root user of the server are different persons.
---
interface/lib/lang/fr.lng | 2
interface/lib/lang/ja.lng | 4
interface/web/admin/remote_action_osupdate.php | 1
interface/lib/lang/pt.lng | 4
interface/lib/lang/id.lng | 4
interface/web/admin/software_update_list.php | 1
interface/lib/lang/ar.lng | 2
interface/lib/classes/validate_systemuser.inc.php | 56 +++++++++
interface/web/admin/language_complete.php | 1
interface/web/admin/iptables_list.php | 2
interface/web/sites/lib/lang/en_shell_user.lng | 1
interface/web/admin/software_package_edit.php | 1
interface/web/admin/server_php_del.php | 1
interface/web/admin/server_ip_del.php | 1
interface/web/admin/firewall_del.php | 1
interface/lib/lang/bg.lng | 2
interface/web/admin/tpl_default.php | 1
security/security_settings.ini | 25 ++++
interface/web/admin/language_import.php | 1
interface/web/admin/groups_edit.php | 1
interface/lib/lang/se.lng | 4
interface/lib/classes/auth.inc.php | 18 ++
interface/lib/lang/pl.lng | 4
interface/lib/lang/en.lng | 6
interface/web/admin/groups_del.php | 1
interface/lib/lang/cz.lng | 2
interface/web/admin/server_php_edit.php | 1
interface/web/admin/server_edit.php | 1
interface/lib/lang/fi.lng | 2
interface/web/tools/user_settings.php | 4
interface/lib/lang/sk.lng | 4
interface/web/admin/remote_user_edit.php | 3
interface/web/admin/server_config_del.php | 1
interface/web/admin/users_del.php | 1
interface/web/admin/remote_user_del.php | 1
interface/web/admin/language_add.php | 1
interface/web/admin/software_repo_edit.php | 1
interface/web/admin/software_package_del.php | 1
interface/web/admin/software_package_install.php | 1
interface/web/admin/server_ip_edit.php | 1
interface/web/admin/language_edit.php | 1
interface/lib/lang/ru.lng | 4
interface/web/admin/server_config_edit.php | 2
interface/lib/lang/de.lng | 2
interface/lib/classes/getconf.inc.php | 9 +
interface/web/sites/form/shell_user.tform.php | 4
interface/lib/lang/hu.lng | 4
interface/lib/lang/it.lng | 4
interface/web/admin/software_repo_del.php | 1
interface/lib/lang/tr.lng | 4
interface/lib/lang/nl.lng | 4
interface/web/admin/language_export.php | 1
interface/lib/lang/ro.lng | 4
server/plugins-available/shelluser_jailkit_plugin.inc.php | 31 ++++
interface/web/admin/server_del.php | 1
interface/lib/lang/el.lng | 2
interface/web/admin/users_edit.php | 13 ++
interface/web/admin/iptables_edit.php | 1
interface/lib/lang/hr.lng | 4
server/lib/classes/getconf.inc.php | 9 +
server/plugins-available/shelluser_base_plugin.inc.php | 30 ++++-
interface/web/admin/iptables_del.php | 1
interface/lib/lang/br.lng | 2
interface/web/remote/index.php | 6
interface/lib/lang/es.lng | 2
interface/web/admin/system_config_edit.php | 1
interface/web/admin/firewall_edit.php | 1
67 files changed, 289 insertions(+), 29 deletions(-)
diff --git a/interface/lib/classes/auth.inc.php b/interface/lib/classes/auth.inc.php
index 5be11cb..70c1722 100644
--- a/interface/lib/classes/auth.inc.php
+++ b/interface/lib/classes/auth.inc.php
@@ -46,7 +46,7 @@
}
public function is_superadmin() {
- if($_SESSION['s']['user']['typ'] == 'admin' && $_SESSION['s']['user']['userid'] === 1) {
+ if($_SESSION['s']['user']['typ'] == 'admin' && $_SESSION['s']['user']['userid'] == 1) {
return true;
} else {
return false;
@@ -136,6 +136,22 @@
exit;
}
}
+
+ public function check_security_permissions($permission) {
+
+ global $app;
+
+ $app->uses('getconf');
+ $security_config = $app->getconf->get_security_config('permissions');
+
+ $security_check = false;
+ if($security_config[$permission] == 'yes') $security_check = true;
+ if($security_config[$permission] == 'superadmin' && $app->auth->is_superadmin()) $security_check = true;
+ if($security_check !== true) {
+ $app->error($app->lng('security_check1_txt').' '.$permission.' '.$app->lng('security_check2_txt'));
+ }
+
+ }
public function get_random_password($length = 8) {
$base64_alphabet='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
diff --git a/interface/lib/classes/getconf.inc.php b/interface/lib/classes/getconf.inc.php
index 45fefa6..7a29dbf 100644
--- a/interface/lib/classes/getconf.inc.php
+++ b/interface/lib/classes/getconf.inc.php
@@ -54,6 +54,15 @@
}
return ($section == '') ? $this->config['global'] : $this->config['global'][$section];
}
+
+ public function get_security_config($section = '') {
+ global $app;
+
+ $app->uses('ini_parser');
+ $security_config = $app->ini_parser->parse_ini_string(file_get_contents('/usr/local/ispconfig/security/security_settings.ini'));
+
+ return ($section == '') ? $security_config : $security_config[$section];
+ }
}
diff --git a/interface/lib/classes/validate_systemuser.inc.php b/interface/lib/classes/validate_systemuser.inc.php
index f1bbd2b..6df3a45 100644
--- a/interface/lib/classes/validate_systemuser.inc.php
+++ b/interface/lib/classes/validate_systemuser.inc.php
@@ -58,7 +58,63 @@
}
}
+ /*
+ Validator function to check if a given dir is ok.
+ */
+ function shelluser_dir($field_name, $field_value, $validator) {
+ global $app;
+ if($app->tform->primary_id == 0) {
+ $errmsg = $validator['errmsg'];
+ if(isset($app->tform->wordbook[$errmsg])) {
+ return $app->tform->wordbook[$errmsg]."<br>\r\n";
+ } else {
+ return $errmsg."<br>\r\n";
+ }
+ }
+
+
+ $shell_data = $app->db->queryOneRecord("SELECT parent_domain_id FROM shell_user WHERE shell_user_id = '".$app->db->quote($app->tform->primary_id)."'");
+ if(!is_array($shell_data) || $shell_data["parent_domain_id"] < 1) {
+ $errmsg = $validator['errmsg'];
+ if(isset($app->tform->wordbook[$errmsg])) {
+ return $app->tform->wordbook[$errmsg]."<br>\r\n";
+ } else {
+ return $errmsg."<br>\r\n";
+ }
+ }
+
+ $domain_data = $app->db->queryOneRecord("SELECT domain_id, document_root FROM web_domain WHERE domain_id = '".$app->db->quote($shell_data["parent_domain_id"])."'");
+ if(!is_array($domain_data) || $domain_data["domain_id"] < 1) {
+ $errmsg = $validator['errmsg'];
+ if(isset($app->tform->wordbook[$errmsg])) {
+ return $app->tform->wordbook[$errmsg]."<br>\r\n";
+ } else {
+ return $errmsg."<br>\r\n";
+ }
+ }
+
+ $doc_root = $domain_data["document_root"];
+ $is_ok = false;
+ if($doc_root == $field_value) $is_ok = true;
+
+ $doc_root .= "/";
+ if(substr($field_value, 0, strlen($doc_root)) == $doc_root) $is_ok = true;
+
+ if(stristr($field_value, '..') or stristr($field_value, './') or stristr($field_value, '/.')) $is_ok = false;
+
+ //* Final check if docroot path of website is >= 5 chars
+ if(strlen($doc_root) < 5) $is_ok = false;
+
+ if($is_ok == false) {
+ $errmsg = $validator['errmsg'];
+ if(isset($app->tform->wordbook[$errmsg])) {
+ return $app->tform->wordbook[$errmsg]."<br>\r\n";
+ } else {
+ return $errmsg."<br>\r\n";
+ }
+ }
+ }
}
diff --git a/interface/lib/lang/ar.lng b/interface/lib/lang/ar.lng
index 2bef4b0..ed4bb29 100644
--- a/interface/lib/lang/ar.lng
+++ b/interface/lib/lang/ar.lng
@@ -147,4 +147,6 @@
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
?>
diff --git a/interface/lib/lang/bg.lng b/interface/lib/lang/bg.lng
index 09b399a..0438017 100644
--- a/interface/lib/lang/bg.lng
+++ b/interface/lib/lang/bg.lng
@@ -147,4 +147,6 @@
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
?>
diff --git a/interface/lib/lang/br.lng b/interface/lib/lang/br.lng
index 7007f7d..275be4d 100644
--- a/interface/lib/lang/br.lng
+++ b/interface/lib/lang/br.lng
@@ -147,4 +147,6 @@
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
?>
diff --git a/interface/lib/lang/cz.lng b/interface/lib/lang/cz.lng
index a48a835..27fa494 100644
--- a/interface/lib/lang/cz.lng
+++ b/interface/lib/lang/cz.lng
@@ -147,4 +147,6 @@
$wb['strength_5'] = 'Velmi silná';
$wb['weak_password_txt'] = 'Zvolené heslo neodpovídá požadavkům zásad pro tvorbu hesel. Heslo musí být alespoň {chars} znaků dlouhé a mající sílu \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'Zvolené heslo neodpovídá požadavkům zásad pro tvorbu hesel. Heslo musí být alespoň {chars} znaků dlouhé.';
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
?>
diff --git a/interface/lib/lang/de.lng b/interface/lib/lang/de.lng
index dfd1c9b..735b1da 100644
--- a/interface/lib/lang/de.lng
+++ b/interface/lib/lang/de.lng
@@ -147,4 +147,6 @@
$wb['strength_5'] = 'Sehr stark';
$wb['weak_password_txt'] = 'Das gewählte Passwort erfüllt die Sicherheitsanforderungen nicht. Es muss mindestens {chars} Zeichen lang sein und die Stärke \\"{strength}\\" besitzen.';
$wb['weak_password_length_txt'] = 'Das gewählte Passwort erfüllt die Sicherheitsanforderungen nicht. Es muss mindestens {chars} Zeichen lang sein.';
+$wb['security_check1_txt'] = 'Sicherheitsüberprüfung für:';
+$wb['security_check2_txt'] = 'fehlgeschlagen.';
?>
diff --git a/interface/lib/lang/el.lng b/interface/lib/lang/el.lng
index 20f26a4..d8a2715 100644
--- a/interface/lib/lang/el.lng
+++ b/interface/lib/lang/el.lng
@@ -147,4 +147,6 @@
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
?>
diff --git a/interface/lib/lang/en.lng b/interface/lib/lang/en.lng
index ec309d9..c89c97a 100644
--- a/interface/lib/lang/en.lng
+++ b/interface/lib/lang/en.lng
@@ -131,7 +131,6 @@
$wb['datalog_status_i_web_folder_user'] = 'Create folder protection user';
$wb['datalog_status_u_web_folder_user'] = 'Update folder protection user';
$wb['datalog_status_d_web_folder_user'] = 'Delete folder protection user';
-
$wb['login_as_txt'] = 'Log in as';
$wb["no_domain_perm"] = 'You have no permission for this domain.';
$wb["no_destination_perm"] = 'You have no permission for this destination.';
@@ -149,5 +148,6 @@
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of "{strength}".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
-
-?>
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
+?>
\ No newline at end of file
diff --git a/interface/lib/lang/es.lng b/interface/lib/lang/es.lng
index 63b6245..ae21baf 100644
--- a/interface/lib/lang/es.lng
+++ b/interface/lib/lang/es.lng
@@ -147,4 +147,6 @@
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
?>
diff --git a/interface/lib/lang/fi.lng b/interface/lib/lang/fi.lng
index 3cdfa12..059c9b2 100755
--- a/interface/lib/lang/fi.lng
+++ b/interface/lib/lang/fi.lng
@@ -147,4 +147,6 @@
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
?>
diff --git a/interface/lib/lang/fr.lng b/interface/lib/lang/fr.lng
index 613f2a3..c59aac4 100644
--- a/interface/lib/lang/fr.lng
+++ b/interface/lib/lang/fr.lng
@@ -147,4 +147,6 @@
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
?>
diff --git a/interface/lib/lang/hr.lng b/interface/lib/lang/hr.lng
index 26a98bf..634a396 100644
--- a/interface/lib/lang/hr.lng
+++ b/interface/lib/lang/hr.lng
@@ -147,4 +147,6 @@
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
-?>
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
+?>
\ No newline at end of file
diff --git a/interface/lib/lang/hu.lng b/interface/lib/lang/hu.lng
index ce9a102..9aa46b4 100644
--- a/interface/lib/lang/hu.lng
+++ b/interface/lib/lang/hu.lng
@@ -147,4 +147,6 @@
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
-?>
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
+?>
\ No newline at end of file
diff --git a/interface/lib/lang/id.lng b/interface/lib/lang/id.lng
index a781fb5..bc0a5f9 100644
--- a/interface/lib/lang/id.lng
+++ b/interface/lib/lang/id.lng
@@ -147,4 +147,6 @@
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
-?>
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
+?>
\ No newline at end of file
diff --git a/interface/lib/lang/it.lng b/interface/lib/lang/it.lng
index 8b2b810..1f46893 100644
--- a/interface/lib/lang/it.lng
+++ b/interface/lib/lang/it.lng
@@ -147,4 +147,6 @@
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
-?>
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
+?>
\ No newline at end of file
diff --git a/interface/lib/lang/ja.lng b/interface/lib/lang/ja.lng
index 04fef3d..41cd638 100644
--- a/interface/lib/lang/ja.lng
+++ b/interface/lib/lang/ja.lng
@@ -147,4 +147,6 @@
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
-?>
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
+?>
\ No newline at end of file
diff --git a/interface/lib/lang/nl.lng b/interface/lib/lang/nl.lng
index 458b53f..b359dee 100644
--- a/interface/lib/lang/nl.lng
+++ b/interface/lib/lang/nl.lng
@@ -147,4 +147,6 @@
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
-?>
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
+?>
\ No newline at end of file
diff --git a/interface/lib/lang/pl.lng b/interface/lib/lang/pl.lng
index 87973f6..058680c 100644
--- a/interface/lib/lang/pl.lng
+++ b/interface/lib/lang/pl.lng
@@ -147,4 +147,6 @@
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
-?>
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
+?>
\ No newline at end of file
diff --git a/interface/lib/lang/pt.lng b/interface/lib/lang/pt.lng
index 84cd748..48beea8 100644
--- a/interface/lib/lang/pt.lng
+++ b/interface/lib/lang/pt.lng
@@ -147,4 +147,6 @@
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
-?>
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
+?>
\ No newline at end of file
diff --git a/interface/lib/lang/ro.lng b/interface/lib/lang/ro.lng
index 6431e11..c5234fb 100644
--- a/interface/lib/lang/ro.lng
+++ b/interface/lib/lang/ro.lng
@@ -147,4 +147,6 @@
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
-?>
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
+?>
\ No newline at end of file
diff --git a/interface/lib/lang/ru.lng b/interface/lib/lang/ru.lng
index 566f8d8..7fb0ac8 100644
--- a/interface/lib/lang/ru.lng
+++ b/interface/lib/lang/ru.lng
@@ -147,4 +147,6 @@
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
-?>
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
+?>
\ No newline at end of file
diff --git a/interface/lib/lang/se.lng b/interface/lib/lang/se.lng
index 41a972f..a7813bc 100644
--- a/interface/lib/lang/se.lng
+++ b/interface/lib/lang/se.lng
@@ -147,4 +147,6 @@
$wb['strength_5'] = 'Väldigt starkt';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \"{strength}\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
-?>
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
+?>
\ No newline at end of file
diff --git a/interface/lib/lang/sk.lng b/interface/lib/lang/sk.lng
index 4abcf0c..63a16ce 100644
--- a/interface/lib/lang/sk.lng
+++ b/interface/lib/lang/sk.lng
@@ -147,4 +147,6 @@
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
-?>
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
+?>
\ No newline at end of file
diff --git a/interface/lib/lang/tr.lng b/interface/lib/lang/tr.lng
index 0257a68..e7d9e03 100644
--- a/interface/lib/lang/tr.lng
+++ b/interface/lib/lang/tr.lng
@@ -147,4 +147,6 @@
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
-?>
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
+?>
\ No newline at end of file
diff --git a/interface/web/admin/firewall_del.php b/interface/web/admin/firewall_del.php
index c4ea560..3fc23fe 100644
--- a/interface/web/admin/firewall_del.php
+++ b/interface/web/admin/firewall_del.php
@@ -44,6 +44,7 @@
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_firewall_config');
$app->uses("tform_actions");
$app->tform_actions->onDelete();
diff --git a/interface/web/admin/firewall_edit.php b/interface/web/admin/firewall_edit.php
index d0c35db..6c29f76 100644
--- a/interface/web/admin/firewall_edit.php
+++ b/interface/web/admin/firewall_edit.php
@@ -43,6 +43,7 @@
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_firewall_config');
// Loading classes
$app->uses('tpl,tform,tform_actions');
diff --git a/interface/web/admin/groups_del.php b/interface/web/admin/groups_del.php
index 57b47d9..42eed95 100644
--- a/interface/web/admin/groups_del.php
+++ b/interface/web/admin/groups_del.php
@@ -44,6 +44,7 @@
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_cpuser_group');
$app->uses("tform_actions");
$app->tform_actions->onDelete();
diff --git a/interface/web/admin/groups_edit.php b/interface/web/admin/groups_edit.php
index 5ecf75f..0000003 100644
--- a/interface/web/admin/groups_edit.php
+++ b/interface/web/admin/groups_edit.php
@@ -43,6 +43,7 @@
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_cpuser_group');
// Loading classes
$app->uses('tpl,tform,tform_actions');
diff --git a/interface/web/admin/iptables_del.php b/interface/web/admin/iptables_del.php
index 2497768..55371d6 100644
--- a/interface/web/admin/iptables_del.php
+++ b/interface/web/admin/iptables_del.php
@@ -1,4 +1,5 @@
<?php
+die('unused');
/*
Copyright (c) 2011, Andrew "lathama" Latham, Till Brehm, projektfarm Gmbh
All rights reserved.
diff --git a/interface/web/admin/iptables_edit.php b/interface/web/admin/iptables_edit.php
index 61d1ee3..77c2ae7 100644
--- a/interface/web/admin/iptables_edit.php
+++ b/interface/web/admin/iptables_edit.php
@@ -1,4 +1,5 @@
<?php
+die('unused');
/*
Copyright (c) 2011, Andrew "lathama" Latham, Till Brehm, projektfarm Gmbh
All rights reserved.
diff --git a/interface/web/admin/iptables_list.php b/interface/web/admin/iptables_list.php
index 8110460..06141b6 100644
--- a/interface/web/admin/iptables_list.php
+++ b/interface/web/admin/iptables_list.php
@@ -1,4 +1,6 @@
<?php
+
+die('unused');
/*
Copyright (c) 2011, Andrew "lathama" Latham, Till Brehm, projektfarm Gmbh
All rights reserved.
diff --git a/interface/web/admin/language_add.php b/interface/web/admin/language_add.php
index 3444179..8c488c3 100644
--- a/interface/web/admin/language_add.php
+++ b/interface/web/admin/language_add.php
@@ -32,6 +32,7 @@
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_langedit');
//* This is only allowed for administrators
if(!$app->auth->is_admin()) die('only allowed for administrators.');
diff --git a/interface/web/admin/language_complete.php b/interface/web/admin/language_complete.php
index 67cfb86..d8f4bbd 100644
--- a/interface/web/admin/language_complete.php
+++ b/interface/web/admin/language_complete.php
@@ -32,6 +32,7 @@
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_langedit');
if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.');
//* This is only allowed for administrators
diff --git a/interface/web/admin/language_edit.php b/interface/web/admin/language_edit.php
index 8199244..7d83b9b 100644
--- a/interface/web/admin/language_edit.php
+++ b/interface/web/admin/language_edit.php
@@ -32,6 +32,7 @@
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_langedit');
//* This is only allowed for administrators
if(!$app->auth->is_admin()) die('only allowed for administrators.');
diff --git a/interface/web/admin/language_export.php b/interface/web/admin/language_export.php
index a4c75f3..44bc787 100644
--- a/interface/web/admin/language_export.php
+++ b/interface/web/admin/language_export.php
@@ -32,6 +32,7 @@
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_langedit');
//* This is only allowed for administrators
if(!$app->auth->is_admin()) die('only allowed for administrators.');
diff --git a/interface/web/admin/language_import.php b/interface/web/admin/language_import.php
index 1dfaa18..d53575b 100644
--- a/interface/web/admin/language_import.php
+++ b/interface/web/admin/language_import.php
@@ -112,6 +112,7 @@
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_langedit');
//* This is only allowed for administrators
if(!$app->auth->is_admin()) die('only allowed for administrators.');
diff --git a/interface/web/admin/remote_action_osupdate.php b/interface/web/admin/remote_action_osupdate.php
index 4000d7f..61c6c23 100644
--- a/interface/web/admin/remote_action_osupdate.php
+++ b/interface/web/admin/remote_action_osupdate.php
@@ -32,6 +32,7 @@
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_osupdate');
//* This is only allowed for administrators
if(!$app->auth->is_admin()) die('only allowed for administrators.');
diff --git a/interface/web/admin/remote_user_del.php b/interface/web/admin/remote_user_del.php
index e3a3832..b23336c 100644
--- a/interface/web/admin/remote_user_del.php
+++ b/interface/web/admin/remote_user_del.php
@@ -44,6 +44,7 @@
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_remote_users');
$app->uses('tpl,tform');
$app->load('tform_actions');
diff --git a/interface/web/admin/remote_user_edit.php b/interface/web/admin/remote_user_edit.php
index 962aa57..efc4f72 100644
--- a/interface/web/admin/remote_user_edit.php
+++ b/interface/web/admin/remote_user_edit.php
@@ -13,6 +13,9 @@
die;
}
+$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_remote_users');
+
// Disable this function in demo mode
if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.');
diff --git a/interface/web/admin/server_config_del.php b/interface/web/admin/server_config_del.php
index c50ca14..3a332ed 100644
--- a/interface/web/admin/server_config_del.php
+++ b/interface/web/admin/server_config_del.php
@@ -44,6 +44,7 @@
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_server_config');
if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.');
$app->uses("tform_actions");
diff --git a/interface/web/admin/server_config_edit.php b/interface/web/admin/server_config_edit.php
index a471181..e561b00 100644
--- a/interface/web/admin/server_config_edit.php
+++ b/interface/web/admin/server_config_edit.php
@@ -43,6 +43,8 @@
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_server_config');
+
// Loading classes
$app->uses('tpl,tform,tform_actions');
diff --git a/interface/web/admin/server_del.php b/interface/web/admin/server_del.php
index c39b732..f90bfa7 100644
--- a/interface/web/admin/server_del.php
+++ b/interface/web/admin/server_del.php
@@ -44,6 +44,7 @@
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_server_services');
if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.');
$app->uses("tform_actions");
diff --git a/interface/web/admin/server_edit.php b/interface/web/admin/server_edit.php
index caf79ef..0adf313 100644
--- a/interface/web/admin/server_edit.php
+++ b/interface/web/admin/server_edit.php
@@ -43,6 +43,7 @@
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_server_services');
// Loading classes
$app->uses('tpl,tform,tform_actions');
diff --git a/interface/web/admin/server_ip_del.php b/interface/web/admin/server_ip_del.php
index e1df934..61252c3 100644
--- a/interface/web/admin/server_ip_del.php
+++ b/interface/web/admin/server_ip_del.php
@@ -44,6 +44,7 @@
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_server_ip');
$app->uses("tform_actions");
$app->tform_actions->onDelete();
diff --git a/interface/web/admin/server_ip_edit.php b/interface/web/admin/server_ip_edit.php
index c3bf380..c20f752 100644
--- a/interface/web/admin/server_ip_edit.php
+++ b/interface/web/admin/server_ip_edit.php
@@ -43,6 +43,7 @@
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_server_ip');
// Loading classes
$app->uses('tpl,tform,tform_actions');
diff --git a/interface/web/admin/server_php_del.php b/interface/web/admin/server_php_del.php
index d9c7baf..6848eea 100644
--- a/interface/web/admin/server_php_del.php
+++ b/interface/web/admin/server_php_del.php
@@ -44,6 +44,7 @@
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_server_php');
$app->uses("tform_actions");
$app->tform_actions->onDelete();
diff --git a/interface/web/admin/server_php_edit.php b/interface/web/admin/server_php_edit.php
index ff65c70..f60ae99 100644
--- a/interface/web/admin/server_php_edit.php
+++ b/interface/web/admin/server_php_edit.php
@@ -43,6 +43,7 @@
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_server_php');
// Loading classes
$app->uses('tpl,tform,tform_actions');
diff --git a/interface/web/admin/software_package_del.php b/interface/web/admin/software_package_del.php
index ff9ab6e..31aeb1c 100644
--- a/interface/web/admin/software_package_del.php
+++ b/interface/web/admin/software_package_del.php
@@ -33,6 +33,7 @@
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_software_packages');
if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.');
$software_update_inst_id = $app->functions->intval($_GET['software_update_inst_id']);
diff --git a/interface/web/admin/software_package_edit.php b/interface/web/admin/software_package_edit.php
index 038f377..65555d3 100644
--- a/interface/web/admin/software_package_edit.php
+++ b/interface/web/admin/software_package_edit.php
@@ -43,6 +43,7 @@
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_software_packages');
if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.');
// Loading classes
diff --git a/interface/web/admin/software_package_install.php b/interface/web/admin/software_package_install.php
index e45f47a..0fd5881 100644
--- a/interface/web/admin/software_package_install.php
+++ b/interface/web/admin/software_package_install.php
@@ -33,6 +33,7 @@
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_software_packages');
//* This is only allowed for administrators
if(!$app->auth->is_admin()) die('only allowed for administrators.');
diff --git a/interface/web/admin/software_repo_del.php b/interface/web/admin/software_repo_del.php
index b8effc1..6309937 100644
--- a/interface/web/admin/software_repo_del.php
+++ b/interface/web/admin/software_repo_del.php
@@ -44,6 +44,7 @@
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_software_repo');
if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.');
$app->uses("tform_actions");
diff --git a/interface/web/admin/software_repo_edit.php b/interface/web/admin/software_repo_edit.php
index 2a6a4f4..6d52da2 100644
--- a/interface/web/admin/software_repo_edit.php
+++ b/interface/web/admin/software_repo_edit.php
@@ -43,6 +43,7 @@
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_software_repo');
if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.');
// Loading classes
diff --git a/interface/web/admin/software_update_list.php b/interface/web/admin/software_update_list.php
index a709e0c..8bc8b79 100644
--- a/interface/web/admin/software_update_list.php
+++ b/interface/web/admin/software_update_list.php
@@ -33,6 +33,7 @@
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_software_packages');
//* This is only allowed for administrators
if(!$app->auth->is_admin()) die('only allowed for administrators.');
diff --git a/interface/web/admin/system_config_edit.php b/interface/web/admin/system_config_edit.php
index 3c54fc2..7d872fa 100644
--- a/interface/web/admin/system_config_edit.php
+++ b/interface/web/admin/system_config_edit.php
@@ -43,6 +43,7 @@
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_system_config');
// Loading classes
$app->uses('tpl,tform,tform_actions');
diff --git a/interface/web/admin/tpl_default.php b/interface/web/admin/tpl_default.php
index b9477f1..57395cf 100644
--- a/interface/web/admin/tpl_default.php
+++ b/interface/web/admin/tpl_default.php
@@ -1,4 +1,5 @@
<?php
+die('unused');
/*
Copyright (c) 2007, Till Brehm, projektfarm Gmbh
All rights reserved.
diff --git a/interface/web/admin/users_del.php b/interface/web/admin/users_del.php
index 299eed2..ce413b6 100644
--- a/interface/web/admin/users_del.php
+++ b/interface/web/admin/users_del.php
@@ -44,6 +44,7 @@
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_del_cpuser');
if($conf['demo_mode'] == true && $_REQUEST['id'] <= 3) $app->error('This function is disabled in demo mode.');
$app->uses("tform_actions");
diff --git a/interface/web/admin/users_edit.php b/interface/web/admin/users_edit.php
index 2b1be7f..a405db4 100644
--- a/interface/web/admin/users_edit.php
+++ b/interface/web/admin/users_edit.php
@@ -52,16 +52,29 @@
function onBeforeInsert() {
global $app, $conf;
+
+ //* Security settings check
+ if(isset($this->dataRecord['typ']) && $this->dataRecord['typ'][0] == 'admin') {
+ $app->auth->check_security_permissions('admin_allow_new_admin');
+ }
if(!in_array($this->dataRecord['startmodule'], $this->dataRecord['modules'])) {
$app->tform->errorMessage .= $app->tform->wordbook['startmodule_err'];
}
+
+
+
}
function onBeforeUpdate() {
global $app, $conf;
if($conf['demo_mode'] == true && $_REQUEST['id'] <= 3) $app->error('This function is disabled in demo mode.');
+
+ //* Security settings check
+ if(isset($this->dataRecord['typ']) && $this->dataRecord['typ'][0] == 'admin') {
+ $app->auth->check_security_permissions('admin_allow_new_admin');
+ }
if(@is_array($this->dataRecord['modules']) && !in_array($this->dataRecord['startmodule'], $this->dataRecord['modules'])) {
$app->tform->errorMessage .= $app->tform->wordbook['startmodule_err'];
diff --git a/interface/web/remote/index.php b/interface/web/remote/index.php
index d60a1c9..c7ad8a9 100644
--- a/interface/web/remote/index.php
+++ b/interface/web/remote/index.php
@@ -6,7 +6,11 @@
if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.');
-$app->load('remoting');
+$app->load('remoting,getconf');
+
+$security_config = $app->getconf->get_security_config('permissions');
+if($security_config['remote_api_allowed'] != 'yes') die('Remote API is disabled in security settings.');
+
$server = new SoapServer(null, array('uri' => $_SERVER['REQUEST_URI']));
$server->setClass('remoting');
diff --git a/interface/web/sites/form/shell_user.tform.php b/interface/web/sites/form/shell_user.tform.php
index db4efe3..4268fc0 100644
--- a/interface/web/sites/form/shell_user.tform.php
+++ b/interface/web/sites/form/shell_user.tform.php
@@ -237,6 +237,10 @@
1 => array ( 'type' => 'REGEX',
'regex' => '/^\/[a-zA-Z0-9\ \.\-\_\/]{10,128}$/',
'errmsg'=> 'directory_error_regex'),
+ 2 => array ( 'type' => 'CUSTOM',
+ 'class' => 'validate_systemuser',
+ 'function' => 'shelluser_dir',
+ 'errmsg' => 'directory_error_notinweb'),
),
'default' => '',
'value' => '',
diff --git a/interface/web/sites/lib/lang/en_shell_user.lng b/interface/web/sites/lib/lang/en_shell_user.lng
index c3f21d5..66d3367 100644
--- a/interface/web/sites/lib/lang/en_shell_user.lng
+++ b/interface/web/sites/lib/lang/en_shell_user.lng
@@ -32,4 +32,5 @@
$wb['directory_error_regex'] = 'Invalid directory';
$wb['shell_error_regex'] = 'Invalid shell';
$wb['invalid_username_txt'] = 'Invalid Username';
+$wb['directory_error_notinweb'] = 'The directory has to be inside the web root.';
?>
diff --git a/interface/web/tools/user_settings.php b/interface/web/tools/user_settings.php
index 95018ac..7065888 100644
--- a/interface/web/tools/user_settings.php
+++ b/interface/web/tools/user_settings.php
@@ -44,6 +44,10 @@
//* Check permissions for module
$app->auth->check_module_permissions('tools');
+if($_SESSION['s']['user']['typ'] == 'admin') {
+ $app->auth->check_security_permissions('admin_allow_new_admin');
+}
+
// Loading classes
$app->uses('tpl,tform,tform_actions');
$app->load('tform_actions');
diff --git a/security/security_settings.ini b/security/security_settings.ini
new file mode 100644
index 0000000..0ea46f2
--- /dev/null
+++ b/security/security_settings.ini
@@ -0,0 +1,25 @@
+[permissions]
+allow_shell_user=yes
+admin_allow_server_config=superadmin
+admin_allow_server_services=superadmin
+admin_allow_server_ip=superadmin
+admin_allow_remote_users=superadmin
+admin_allow_system_config=superadmin
+admin_allow_server_php=superadmin
+admin_allow_langedit=superadmin
+admin_allow_new_admin=superadmin
+admin_allow_del_cpuser=superadmin
+admin_allow_cpuser_group=superadmin
+admin_allow_firewall_config=superadmin
+admin_allow_osupdate=superadmin
+admin_allow_software_packages=superadmin
+admin_allow_software_repo=superadmin
+remote_api_allowed=yes
+
+[systemcheck]
+security_admin_email=root@localhost
+warn_new_admin=yes
+warn_passwd_change=no
+warn_shadow_change=no
+check_groups_in_passwd=yes
+check_ispconfig_md5=yes
\ No newline at end of file
diff --git a/server/lib/classes/getconf.inc.php b/server/lib/classes/getconf.inc.php
index c5ca6c6..768ea2c 100644
--- a/server/lib/classes/getconf.inc.php
+++ b/server/lib/classes/getconf.inc.php
@@ -59,6 +59,15 @@
}
return ($section == '') ? $this->config['global'] : $this->config['global'][$section];
}
+
+ public function get_security_config($section = '') {
+ global $app;
+
+ $app->uses('ini_parser');
+ $security_config = $app->ini_parser->parse_ini_string(file_get_contents('/usr/local/ispconfig/security/security_settings.ini'));
+
+ return ($section == '') ? $security_config : $security_config[$section];
+ }
}
diff --git a/server/plugins-available/shelluser_base_plugin.inc.php b/server/plugins-available/shelluser_base_plugin.inc.php
index 67cbee0..3cb9d36 100755
--- a/server/plugins-available/shelluser_base_plugin.inc.php
+++ b/server/plugins-available/shelluser_base_plugin.inc.php
@@ -58,19 +58,25 @@
/*
Register for the events
*/
-
+
$app->plugins->registerEvent('shell_user_insert', $this->plugin_name, 'insert');
$app->plugins->registerEvent('shell_user_update', $this->plugin_name, 'update');
$app->plugins->registerEvent('shell_user_delete', $this->plugin_name, 'delete');
-
+
}
function insert($event_name, $data) {
global $app, $conf;
-
- $app->uses('system');
+
+ $app->uses('system,getconf');
+
+ $security_config = $app->getconf->get_security_config('permissions');
+ if($security_config['allow_shell_user'] != 'yes') {
+ $app->log('Shell user plugin disabled by security settings.',LOGLEVEL_WARN);
+ return false;
+ }
//* Check if the resulting path is inside the docroot
$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".intval($data['new']['parent_domain_id']));
@@ -144,7 +150,13 @@
function update($event_name, $data) {
global $app, $conf;
- $app->uses('system');
+ $app->uses('system,getconf');
+
+ $security_config = $app->getconf->get_security_config('permissions');
+ if($security_config['allow_shell_user'] != 'yes') {
+ $app->log('Shell user plugin disabled by security settings.',LOGLEVEL_WARN);
+ return false;
+ }
//* Check if the resulting path is inside the docroot
$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".intval($data['new']['parent_domain_id']));
@@ -223,7 +235,13 @@
function delete($event_name, $data) {
global $app, $conf;
- $app->uses('system');
+ $app->uses('system,getconf');
+
+ $security_config = $app->getconf->get_security_config('permissions');
+ if($security_config['allow_shell_user'] != 'yes') {
+ $app->log('Shell user plugin disabled by security settings.',LOGLEVEL_WARN);
+ return false;
+ }
if($app->system->is_user($data['old']['username'])) {
// Get the UID of the user
diff --git a/server/plugins-available/shelluser_jailkit_plugin.inc.php b/server/plugins-available/shelluser_jailkit_plugin.inc.php
index f0fb279..cb222fd 100755
--- a/server/plugins-available/shelluser_jailkit_plugin.inc.php
+++ b/server/plugins-available/shelluser_jailkit_plugin.inc.php
@@ -59,11 +59,11 @@
/*
Register for the events
*/
-
+
$app->plugins->registerEvent('shell_user_insert', $this->plugin_name, 'insert');
$app->plugins->registerEvent('shell_user_update', $this->plugin_name, 'update');
$app->plugins->registerEvent('shell_user_delete', $this->plugin_name, 'delete');
-
+
}
@@ -71,7 +71,15 @@
function insert($event_name, $data) {
global $app, $conf;
- $app->uses('system');
+ $app->uses('system,getconf');
+
+ $security_config = $app->getconf->get_security_config('permissions');
+ if($security_config['allow_shell_user'] != 'yes') {
+ $app->log('Shell user plugin disabled by security settings.',LOGLEVEL_WARN);
+ return false;
+ }
+
+
$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$data['new']['parent_domain_id']);
if(!$app->system->is_allowed_user($data['new']['username'], false, false)
@@ -143,7 +151,14 @@
function update($event_name, $data) {
global $app, $conf;
- $app->uses('system');
+ $app->uses('system,getconf');
+
+ $security_config = $app->getconf->get_security_config('permissions');
+ if($security_config['allow_shell_user'] != 'yes') {
+ $app->log('Shell user plugin disabled by security settings.',LOGLEVEL_WARN);
+ return false;
+ }
+
$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$data['new']['parent_domain_id']);
if(!$app->system->is_allowed_user($data['new']['username'], false, false)
@@ -209,7 +224,13 @@
function delete($event_name, $data) {
global $app, $conf;
- $app->uses('system');
+ $app->uses('system,getconf');
+
+ $security_config = $app->getconf->get_security_config('permissions');
+ if($security_config['allow_shell_user'] != 'yes') {
+ $app->log('Shell user plugin disabled by security settings.',LOGLEVEL_WARN);
+ return false;
+ }
$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$data['old']['parent_domain_id']);
--
Gitblit v1.9.1