From 9edea9976bd605071e0694a90d704266c0b7e0f9 Mon Sep 17 00:00:00 2001 From: Till Brehm <tbrehm@ispconfig.org> Date: Thu, 14 Aug 2014 11:30:03 -0400 Subject: [PATCH] - Added warning in the interface when a path for a shelluser is set that is outside of the website docroot. - Added security settings feature to allow the root user of a server to control most aspects of whet the admin user of the controlpanel is allowed to do in system settings. This is especially useful for managed severs where the ispconfig admin user and the root user of the server are different persons. --- interface/lib/lang/fr.lng | 2 interface/lib/lang/ja.lng | 4 interface/web/admin/remote_action_osupdate.php | 1 interface/lib/lang/pt.lng | 4 interface/lib/lang/id.lng | 4 interface/web/admin/software_update_list.php | 1 interface/lib/lang/ar.lng | 2 interface/lib/classes/validate_systemuser.inc.php | 56 +++++++++ interface/web/admin/language_complete.php | 1 interface/web/admin/iptables_list.php | 2 interface/web/sites/lib/lang/en_shell_user.lng | 1 interface/web/admin/software_package_edit.php | 1 interface/web/admin/server_php_del.php | 1 interface/web/admin/server_ip_del.php | 1 interface/web/admin/firewall_del.php | 1 interface/lib/lang/bg.lng | 2 interface/web/admin/tpl_default.php | 1 security/security_settings.ini | 25 ++++ interface/web/admin/language_import.php | 1 interface/web/admin/groups_edit.php | 1 interface/lib/lang/se.lng | 4 interface/lib/classes/auth.inc.php | 18 ++ interface/lib/lang/pl.lng | 4 interface/lib/lang/en.lng | 6 interface/web/admin/groups_del.php | 1 interface/lib/lang/cz.lng | 2 interface/web/admin/server_php_edit.php | 1 interface/web/admin/server_edit.php | 1 interface/lib/lang/fi.lng | 2 interface/web/tools/user_settings.php | 4 interface/lib/lang/sk.lng | 4 interface/web/admin/remote_user_edit.php | 3 interface/web/admin/server_config_del.php | 1 interface/web/admin/users_del.php | 1 interface/web/admin/remote_user_del.php | 1 interface/web/admin/language_add.php | 1 interface/web/admin/software_repo_edit.php | 1 interface/web/admin/software_package_del.php | 1 interface/web/admin/software_package_install.php | 1 interface/web/admin/server_ip_edit.php | 1 interface/web/admin/language_edit.php | 1 interface/lib/lang/ru.lng | 4 interface/web/admin/server_config_edit.php | 2 interface/lib/lang/de.lng | 2 interface/lib/classes/getconf.inc.php | 9 + interface/web/sites/form/shell_user.tform.php | 4 interface/lib/lang/hu.lng | 4 interface/lib/lang/it.lng | 4 interface/web/admin/software_repo_del.php | 1 interface/lib/lang/tr.lng | 4 interface/lib/lang/nl.lng | 4 interface/web/admin/language_export.php | 1 interface/lib/lang/ro.lng | 4 server/plugins-available/shelluser_jailkit_plugin.inc.php | 31 ++++ interface/web/admin/server_del.php | 1 interface/lib/lang/el.lng | 2 interface/web/admin/users_edit.php | 13 ++ interface/web/admin/iptables_edit.php | 1 interface/lib/lang/hr.lng | 4 server/lib/classes/getconf.inc.php | 9 + server/plugins-available/shelluser_base_plugin.inc.php | 30 ++++- interface/web/admin/iptables_del.php | 1 interface/lib/lang/br.lng | 2 interface/web/remote/index.php | 6 interface/lib/lang/es.lng | 2 interface/web/admin/system_config_edit.php | 1 interface/web/admin/firewall_edit.php | 1 67 files changed, 289 insertions(+), 29 deletions(-) diff --git a/interface/lib/classes/auth.inc.php b/interface/lib/classes/auth.inc.php index 5be11cb..70c1722 100644 --- a/interface/lib/classes/auth.inc.php +++ b/interface/lib/classes/auth.inc.php @@ -46,7 +46,7 @@ } public function is_superadmin() { - if($_SESSION['s']['user']['typ'] == 'admin' && $_SESSION['s']['user']['userid'] === 1) { + if($_SESSION['s']['user']['typ'] == 'admin' && $_SESSION['s']['user']['userid'] == 1) { return true; } else { return false; @@ -136,6 +136,22 @@ exit; } } + + public function check_security_permissions($permission) { + + global $app; + + $app->uses('getconf'); + $security_config = $app->getconf->get_security_config('permissions'); + + $security_check = false; + if($security_config[$permission] == 'yes') $security_check = true; + if($security_config[$permission] == 'superadmin' && $app->auth->is_superadmin()) $security_check = true; + if($security_check !== true) { + $app->error($app->lng('security_check1_txt').' '.$permission.' '.$app->lng('security_check2_txt')); + } + + } public function get_random_password($length = 8) { $base64_alphabet='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'; diff --git a/interface/lib/classes/getconf.inc.php b/interface/lib/classes/getconf.inc.php index 45fefa6..7a29dbf 100644 --- a/interface/lib/classes/getconf.inc.php +++ b/interface/lib/classes/getconf.inc.php @@ -54,6 +54,15 @@ } return ($section == '') ? $this->config['global'] : $this->config['global'][$section]; } + + public function get_security_config($section = '') { + global $app; + + $app->uses('ini_parser'); + $security_config = $app->ini_parser->parse_ini_string(file_get_contents('/usr/local/ispconfig/security/security_settings.ini')); + + return ($section == '') ? $security_config : $security_config[$section]; + } } diff --git a/interface/lib/classes/validate_systemuser.inc.php b/interface/lib/classes/validate_systemuser.inc.php index f1bbd2b..6df3a45 100644 --- a/interface/lib/classes/validate_systemuser.inc.php +++ b/interface/lib/classes/validate_systemuser.inc.php @@ -58,7 +58,63 @@ } } + /* + Validator function to check if a given dir is ok. + */ + function shelluser_dir($field_name, $field_value, $validator) { + global $app; + if($app->tform->primary_id == 0) { + $errmsg = $validator['errmsg']; + if(isset($app->tform->wordbook[$errmsg])) { + return $app->tform->wordbook[$errmsg]."<br>\r\n"; + } else { + return $errmsg."<br>\r\n"; + } + } + + + $shell_data = $app->db->queryOneRecord("SELECT parent_domain_id FROM shell_user WHERE shell_user_id = '".$app->db->quote($app->tform->primary_id)."'"); + if(!is_array($shell_data) || $shell_data["parent_domain_id"] < 1) { + $errmsg = $validator['errmsg']; + if(isset($app->tform->wordbook[$errmsg])) { + return $app->tform->wordbook[$errmsg]."<br>\r\n"; + } else { + return $errmsg."<br>\r\n"; + } + } + + $domain_data = $app->db->queryOneRecord("SELECT domain_id, document_root FROM web_domain WHERE domain_id = '".$app->db->quote($shell_data["parent_domain_id"])."'"); + if(!is_array($domain_data) || $domain_data["domain_id"] < 1) { + $errmsg = $validator['errmsg']; + if(isset($app->tform->wordbook[$errmsg])) { + return $app->tform->wordbook[$errmsg]."<br>\r\n"; + } else { + return $errmsg."<br>\r\n"; + } + } + + $doc_root = $domain_data["document_root"]; + $is_ok = false; + if($doc_root == $field_value) $is_ok = true; + + $doc_root .= "/"; + if(substr($field_value, 0, strlen($doc_root)) == $doc_root) $is_ok = true; + + if(stristr($field_value, '..') or stristr($field_value, './') or stristr($field_value, '/.')) $is_ok = false; + + //* Final check if docroot path of website is >= 5 chars + if(strlen($doc_root) < 5) $is_ok = false; + + if($is_ok == false) { + $errmsg = $validator['errmsg']; + if(isset($app->tform->wordbook[$errmsg])) { + return $app->tform->wordbook[$errmsg]."<br>\r\n"; + } else { + return $errmsg."<br>\r\n"; + } + } + } } diff --git a/interface/lib/lang/ar.lng b/interface/lib/lang/ar.lng index 2bef4b0..ed4bb29 100644 --- a/interface/lib/lang/ar.lng +++ b/interface/lib/lang/ar.lng @@ -147,4 +147,6 @@ $wb['strength_5'] = 'Very Strong'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; ?> diff --git a/interface/lib/lang/bg.lng b/interface/lib/lang/bg.lng index 09b399a..0438017 100644 --- a/interface/lib/lang/bg.lng +++ b/interface/lib/lang/bg.lng @@ -147,4 +147,6 @@ $wb['strength_5'] = 'Very Strong'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; ?> diff --git a/interface/lib/lang/br.lng b/interface/lib/lang/br.lng index 7007f7d..275be4d 100644 --- a/interface/lib/lang/br.lng +++ b/interface/lib/lang/br.lng @@ -147,4 +147,6 @@ $wb['strength_5'] = 'Very Strong'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; ?> diff --git a/interface/lib/lang/cz.lng b/interface/lib/lang/cz.lng index a48a835..27fa494 100644 --- a/interface/lib/lang/cz.lng +++ b/interface/lib/lang/cz.lng @@ -147,4 +147,6 @@ $wb['strength_5'] = 'Velmi silná'; $wb['weak_password_txt'] = 'Zvolené heslo neodpovídá požadavkům zásad pro tvorbu hesel. Heslo musí být alespoň {chars} znaků dlouhé a mající sílu \\"{strength}\\".'; $wb['weak_password_length_txt'] = 'Zvolené heslo neodpovídá požadavkům zásad pro tvorbu hesel. Heslo musí být alespoň {chars} znaků dlouhé.'; +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; ?> diff --git a/interface/lib/lang/de.lng b/interface/lib/lang/de.lng index dfd1c9b..735b1da 100644 --- a/interface/lib/lang/de.lng +++ b/interface/lib/lang/de.lng @@ -147,4 +147,6 @@ $wb['strength_5'] = 'Sehr stark'; $wb['weak_password_txt'] = 'Das gewählte Passwort erfüllt die Sicherheitsanforderungen nicht. Es muss mindestens {chars} Zeichen lang sein und die Stärke \\"{strength}\\" besitzen.'; $wb['weak_password_length_txt'] = 'Das gewählte Passwort erfüllt die Sicherheitsanforderungen nicht. Es muss mindestens {chars} Zeichen lang sein.'; +$wb['security_check1_txt'] = 'Sicherheitsüberprüfung für:'; +$wb['security_check2_txt'] = 'fehlgeschlagen.'; ?> diff --git a/interface/lib/lang/el.lng b/interface/lib/lang/el.lng index 20f26a4..d8a2715 100644 --- a/interface/lib/lang/el.lng +++ b/interface/lib/lang/el.lng @@ -147,4 +147,6 @@ $wb['strength_5'] = 'Very Strong'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; ?> diff --git a/interface/lib/lang/en.lng b/interface/lib/lang/en.lng index ec309d9..c89c97a 100644 --- a/interface/lib/lang/en.lng +++ b/interface/lib/lang/en.lng @@ -131,7 +131,6 @@ $wb['datalog_status_i_web_folder_user'] = 'Create folder protection user'; $wb['datalog_status_u_web_folder_user'] = 'Update folder protection user'; $wb['datalog_status_d_web_folder_user'] = 'Delete folder protection user'; - $wb['login_as_txt'] = 'Log in as'; $wb["no_domain_perm"] = 'You have no permission for this domain.'; $wb["no_destination_perm"] = 'You have no permission for this destination.'; @@ -149,5 +148,6 @@ $wb['strength_5'] = 'Very Strong'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of "{strength}".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; - -?> +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; +?> \ No newline at end of file diff --git a/interface/lib/lang/es.lng b/interface/lib/lang/es.lng index 63b6245..ae21baf 100644 --- a/interface/lib/lang/es.lng +++ b/interface/lib/lang/es.lng @@ -147,4 +147,6 @@ $wb['strength_5'] = 'Very Strong'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; ?> diff --git a/interface/lib/lang/fi.lng b/interface/lib/lang/fi.lng index 3cdfa12..059c9b2 100755 --- a/interface/lib/lang/fi.lng +++ b/interface/lib/lang/fi.lng @@ -147,4 +147,6 @@ $wb['strength_5'] = 'Very Strong'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; ?> diff --git a/interface/lib/lang/fr.lng b/interface/lib/lang/fr.lng index 613f2a3..c59aac4 100644 --- a/interface/lib/lang/fr.lng +++ b/interface/lib/lang/fr.lng @@ -147,4 +147,6 @@ $wb['strength_5'] = 'Very Strong'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; ?> diff --git a/interface/lib/lang/hr.lng b/interface/lib/lang/hr.lng index 26a98bf..634a396 100644 --- a/interface/lib/lang/hr.lng +++ b/interface/lib/lang/hr.lng @@ -147,4 +147,6 @@ $wb['strength_5'] = 'Very Strong'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; -?> +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; +?> \ No newline at end of file diff --git a/interface/lib/lang/hu.lng b/interface/lib/lang/hu.lng index ce9a102..9aa46b4 100644 --- a/interface/lib/lang/hu.lng +++ b/interface/lib/lang/hu.lng @@ -147,4 +147,6 @@ $wb['strength_5'] = 'Very Strong'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; -?> +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; +?> \ No newline at end of file diff --git a/interface/lib/lang/id.lng b/interface/lib/lang/id.lng index a781fb5..bc0a5f9 100644 --- a/interface/lib/lang/id.lng +++ b/interface/lib/lang/id.lng @@ -147,4 +147,6 @@ $wb['strength_5'] = 'Very Strong'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; -?> +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; +?> \ No newline at end of file diff --git a/interface/lib/lang/it.lng b/interface/lib/lang/it.lng index 8b2b810..1f46893 100644 --- a/interface/lib/lang/it.lng +++ b/interface/lib/lang/it.lng @@ -147,4 +147,6 @@ $wb['strength_5'] = 'Very Strong'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; -?> +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; +?> \ No newline at end of file diff --git a/interface/lib/lang/ja.lng b/interface/lib/lang/ja.lng index 04fef3d..41cd638 100644 --- a/interface/lib/lang/ja.lng +++ b/interface/lib/lang/ja.lng @@ -147,4 +147,6 @@ $wb['strength_5'] = 'Very Strong'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; -?> +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; +?> \ No newline at end of file diff --git a/interface/lib/lang/nl.lng b/interface/lib/lang/nl.lng index 458b53f..b359dee 100644 --- a/interface/lib/lang/nl.lng +++ b/interface/lib/lang/nl.lng @@ -147,4 +147,6 @@ $wb['strength_5'] = 'Very Strong'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; -?> +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; +?> \ No newline at end of file diff --git a/interface/lib/lang/pl.lng b/interface/lib/lang/pl.lng index 87973f6..058680c 100644 --- a/interface/lib/lang/pl.lng +++ b/interface/lib/lang/pl.lng @@ -147,4 +147,6 @@ $wb['strength_5'] = 'Very Strong'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; -?> +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; +?> \ No newline at end of file diff --git a/interface/lib/lang/pt.lng b/interface/lib/lang/pt.lng index 84cd748..48beea8 100644 --- a/interface/lib/lang/pt.lng +++ b/interface/lib/lang/pt.lng @@ -147,4 +147,6 @@ $wb['strength_5'] = 'Very Strong'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; -?> +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; +?> \ No newline at end of file diff --git a/interface/lib/lang/ro.lng b/interface/lib/lang/ro.lng index 6431e11..c5234fb 100644 --- a/interface/lib/lang/ro.lng +++ b/interface/lib/lang/ro.lng @@ -147,4 +147,6 @@ $wb['strength_5'] = 'Very Strong'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; -?> +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; +?> \ No newline at end of file diff --git a/interface/lib/lang/ru.lng b/interface/lib/lang/ru.lng index 566f8d8..7fb0ac8 100644 --- a/interface/lib/lang/ru.lng +++ b/interface/lib/lang/ru.lng @@ -147,4 +147,6 @@ $wb['strength_5'] = 'Very Strong'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; -?> +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; +?> \ No newline at end of file diff --git a/interface/lib/lang/se.lng b/interface/lib/lang/se.lng index 41a972f..a7813bc 100644 --- a/interface/lib/lang/se.lng +++ b/interface/lib/lang/se.lng @@ -147,4 +147,6 @@ $wb['strength_5'] = 'Väldigt starkt'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \"{strength}\".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; -?> +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; +?> \ No newline at end of file diff --git a/interface/lib/lang/sk.lng b/interface/lib/lang/sk.lng index 4abcf0c..63a16ce 100644 --- a/interface/lib/lang/sk.lng +++ b/interface/lib/lang/sk.lng @@ -147,4 +147,6 @@ $wb['strength_5'] = 'Very Strong'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; -?> +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; +?> \ No newline at end of file diff --git a/interface/lib/lang/tr.lng b/interface/lib/lang/tr.lng index 0257a68..e7d9e03 100644 --- a/interface/lib/lang/tr.lng +++ b/interface/lib/lang/tr.lng @@ -147,4 +147,6 @@ $wb['strength_5'] = 'Very Strong'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; -?> +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; +?> \ No newline at end of file diff --git a/interface/web/admin/firewall_del.php b/interface/web/admin/firewall_del.php index c4ea560..3fc23fe 100644 --- a/interface/web/admin/firewall_del.php +++ b/interface/web/admin/firewall_del.php @@ -44,6 +44,7 @@ //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_firewall_config'); $app->uses("tform_actions"); $app->tform_actions->onDelete(); diff --git a/interface/web/admin/firewall_edit.php b/interface/web/admin/firewall_edit.php index d0c35db..6c29f76 100644 --- a/interface/web/admin/firewall_edit.php +++ b/interface/web/admin/firewall_edit.php @@ -43,6 +43,7 @@ //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_firewall_config'); // Loading classes $app->uses('tpl,tform,tform_actions'); diff --git a/interface/web/admin/groups_del.php b/interface/web/admin/groups_del.php index 57b47d9..42eed95 100644 --- a/interface/web/admin/groups_del.php +++ b/interface/web/admin/groups_del.php @@ -44,6 +44,7 @@ //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_cpuser_group'); $app->uses("tform_actions"); $app->tform_actions->onDelete(); diff --git a/interface/web/admin/groups_edit.php b/interface/web/admin/groups_edit.php index 5ecf75f..0000003 100644 --- a/interface/web/admin/groups_edit.php +++ b/interface/web/admin/groups_edit.php @@ -43,6 +43,7 @@ //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_cpuser_group'); // Loading classes $app->uses('tpl,tform,tform_actions'); diff --git a/interface/web/admin/iptables_del.php b/interface/web/admin/iptables_del.php index 2497768..55371d6 100644 --- a/interface/web/admin/iptables_del.php +++ b/interface/web/admin/iptables_del.php @@ -1,4 +1,5 @@ <?php +die('unused'); /* Copyright (c) 2011, Andrew "lathama" Latham, Till Brehm, projektfarm Gmbh All rights reserved. diff --git a/interface/web/admin/iptables_edit.php b/interface/web/admin/iptables_edit.php index 61d1ee3..77c2ae7 100644 --- a/interface/web/admin/iptables_edit.php +++ b/interface/web/admin/iptables_edit.php @@ -1,4 +1,5 @@ <?php +die('unused'); /* Copyright (c) 2011, Andrew "lathama" Latham, Till Brehm, projektfarm Gmbh All rights reserved. diff --git a/interface/web/admin/iptables_list.php b/interface/web/admin/iptables_list.php index 8110460..06141b6 100644 --- a/interface/web/admin/iptables_list.php +++ b/interface/web/admin/iptables_list.php @@ -1,4 +1,6 @@ <?php + +die('unused'); /* Copyright (c) 2011, Andrew "lathama" Latham, Till Brehm, projektfarm Gmbh All rights reserved. diff --git a/interface/web/admin/language_add.php b/interface/web/admin/language_add.php index 3444179..8c488c3 100644 --- a/interface/web/admin/language_add.php +++ b/interface/web/admin/language_add.php @@ -32,6 +32,7 @@ //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_langedit'); //* This is only allowed for administrators if(!$app->auth->is_admin()) die('only allowed for administrators.'); diff --git a/interface/web/admin/language_complete.php b/interface/web/admin/language_complete.php index 67cfb86..d8f4bbd 100644 --- a/interface/web/admin/language_complete.php +++ b/interface/web/admin/language_complete.php @@ -32,6 +32,7 @@ //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_langedit'); if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.'); //* This is only allowed for administrators diff --git a/interface/web/admin/language_edit.php b/interface/web/admin/language_edit.php index 8199244..7d83b9b 100644 --- a/interface/web/admin/language_edit.php +++ b/interface/web/admin/language_edit.php @@ -32,6 +32,7 @@ //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_langedit'); //* This is only allowed for administrators if(!$app->auth->is_admin()) die('only allowed for administrators.'); diff --git a/interface/web/admin/language_export.php b/interface/web/admin/language_export.php index a4c75f3..44bc787 100644 --- a/interface/web/admin/language_export.php +++ b/interface/web/admin/language_export.php @@ -32,6 +32,7 @@ //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_langedit'); //* This is only allowed for administrators if(!$app->auth->is_admin()) die('only allowed for administrators.'); diff --git a/interface/web/admin/language_import.php b/interface/web/admin/language_import.php index 1dfaa18..d53575b 100644 --- a/interface/web/admin/language_import.php +++ b/interface/web/admin/language_import.php @@ -112,6 +112,7 @@ //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_langedit'); //* This is only allowed for administrators if(!$app->auth->is_admin()) die('only allowed for administrators.'); diff --git a/interface/web/admin/remote_action_osupdate.php b/interface/web/admin/remote_action_osupdate.php index 4000d7f..61c6c23 100644 --- a/interface/web/admin/remote_action_osupdate.php +++ b/interface/web/admin/remote_action_osupdate.php @@ -32,6 +32,7 @@ //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_osupdate'); //* This is only allowed for administrators if(!$app->auth->is_admin()) die('only allowed for administrators.'); diff --git a/interface/web/admin/remote_user_del.php b/interface/web/admin/remote_user_del.php index e3a3832..b23336c 100644 --- a/interface/web/admin/remote_user_del.php +++ b/interface/web/admin/remote_user_del.php @@ -44,6 +44,7 @@ //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_remote_users'); $app->uses('tpl,tform'); $app->load('tform_actions'); diff --git a/interface/web/admin/remote_user_edit.php b/interface/web/admin/remote_user_edit.php index 962aa57..efc4f72 100644 --- a/interface/web/admin/remote_user_edit.php +++ b/interface/web/admin/remote_user_edit.php @@ -13,6 +13,9 @@ die; } +$app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_remote_users'); + // Disable this function in demo mode if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.'); diff --git a/interface/web/admin/server_config_del.php b/interface/web/admin/server_config_del.php index c50ca14..3a332ed 100644 --- a/interface/web/admin/server_config_del.php +++ b/interface/web/admin/server_config_del.php @@ -44,6 +44,7 @@ //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_server_config'); if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.'); $app->uses("tform_actions"); diff --git a/interface/web/admin/server_config_edit.php b/interface/web/admin/server_config_edit.php index a471181..e561b00 100644 --- a/interface/web/admin/server_config_edit.php +++ b/interface/web/admin/server_config_edit.php @@ -43,6 +43,8 @@ //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_server_config'); + // Loading classes $app->uses('tpl,tform,tform_actions'); diff --git a/interface/web/admin/server_del.php b/interface/web/admin/server_del.php index c39b732..f90bfa7 100644 --- a/interface/web/admin/server_del.php +++ b/interface/web/admin/server_del.php @@ -44,6 +44,7 @@ //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_server_services'); if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.'); $app->uses("tform_actions"); diff --git a/interface/web/admin/server_edit.php b/interface/web/admin/server_edit.php index caf79ef..0adf313 100644 --- a/interface/web/admin/server_edit.php +++ b/interface/web/admin/server_edit.php @@ -43,6 +43,7 @@ //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_server_services'); // Loading classes $app->uses('tpl,tform,tform_actions'); diff --git a/interface/web/admin/server_ip_del.php b/interface/web/admin/server_ip_del.php index e1df934..61252c3 100644 --- a/interface/web/admin/server_ip_del.php +++ b/interface/web/admin/server_ip_del.php @@ -44,6 +44,7 @@ //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_server_ip'); $app->uses("tform_actions"); $app->tform_actions->onDelete(); diff --git a/interface/web/admin/server_ip_edit.php b/interface/web/admin/server_ip_edit.php index c3bf380..c20f752 100644 --- a/interface/web/admin/server_ip_edit.php +++ b/interface/web/admin/server_ip_edit.php @@ -43,6 +43,7 @@ //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_server_ip'); // Loading classes $app->uses('tpl,tform,tform_actions'); diff --git a/interface/web/admin/server_php_del.php b/interface/web/admin/server_php_del.php index d9c7baf..6848eea 100644 --- a/interface/web/admin/server_php_del.php +++ b/interface/web/admin/server_php_del.php @@ -44,6 +44,7 @@ //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_server_php'); $app->uses("tform_actions"); $app->tform_actions->onDelete(); diff --git a/interface/web/admin/server_php_edit.php b/interface/web/admin/server_php_edit.php index ff65c70..f60ae99 100644 --- a/interface/web/admin/server_php_edit.php +++ b/interface/web/admin/server_php_edit.php @@ -43,6 +43,7 @@ //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_server_php'); // Loading classes $app->uses('tpl,tform,tform_actions'); diff --git a/interface/web/admin/software_package_del.php b/interface/web/admin/software_package_del.php index ff9ab6e..31aeb1c 100644 --- a/interface/web/admin/software_package_del.php +++ b/interface/web/admin/software_package_del.php @@ -33,6 +33,7 @@ //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_software_packages'); if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.'); $software_update_inst_id = $app->functions->intval($_GET['software_update_inst_id']); diff --git a/interface/web/admin/software_package_edit.php b/interface/web/admin/software_package_edit.php index 038f377..65555d3 100644 --- a/interface/web/admin/software_package_edit.php +++ b/interface/web/admin/software_package_edit.php @@ -43,6 +43,7 @@ //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_software_packages'); if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.'); // Loading classes diff --git a/interface/web/admin/software_package_install.php b/interface/web/admin/software_package_install.php index e45f47a..0fd5881 100644 --- a/interface/web/admin/software_package_install.php +++ b/interface/web/admin/software_package_install.php @@ -33,6 +33,7 @@ //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_software_packages'); //* This is only allowed for administrators if(!$app->auth->is_admin()) die('only allowed for administrators.'); diff --git a/interface/web/admin/software_repo_del.php b/interface/web/admin/software_repo_del.php index b8effc1..6309937 100644 --- a/interface/web/admin/software_repo_del.php +++ b/interface/web/admin/software_repo_del.php @@ -44,6 +44,7 @@ //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_software_repo'); if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.'); $app->uses("tform_actions"); diff --git a/interface/web/admin/software_repo_edit.php b/interface/web/admin/software_repo_edit.php index 2a6a4f4..6d52da2 100644 --- a/interface/web/admin/software_repo_edit.php +++ b/interface/web/admin/software_repo_edit.php @@ -43,6 +43,7 @@ //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_software_repo'); if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.'); // Loading classes diff --git a/interface/web/admin/software_update_list.php b/interface/web/admin/software_update_list.php index a709e0c..8bc8b79 100644 --- a/interface/web/admin/software_update_list.php +++ b/interface/web/admin/software_update_list.php @@ -33,6 +33,7 @@ //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_software_packages'); //* This is only allowed for administrators if(!$app->auth->is_admin()) die('only allowed for administrators.'); diff --git a/interface/web/admin/system_config_edit.php b/interface/web/admin/system_config_edit.php index 3c54fc2..7d872fa 100644 --- a/interface/web/admin/system_config_edit.php +++ b/interface/web/admin/system_config_edit.php @@ -43,6 +43,7 @@ //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_system_config'); // Loading classes $app->uses('tpl,tform,tform_actions'); diff --git a/interface/web/admin/tpl_default.php b/interface/web/admin/tpl_default.php index b9477f1..57395cf 100644 --- a/interface/web/admin/tpl_default.php +++ b/interface/web/admin/tpl_default.php @@ -1,4 +1,5 @@ <?php +die('unused'); /* Copyright (c) 2007, Till Brehm, projektfarm Gmbh All rights reserved. diff --git a/interface/web/admin/users_del.php b/interface/web/admin/users_del.php index 299eed2..ce413b6 100644 --- a/interface/web/admin/users_del.php +++ b/interface/web/admin/users_del.php @@ -44,6 +44,7 @@ //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_del_cpuser'); if($conf['demo_mode'] == true && $_REQUEST['id'] <= 3) $app->error('This function is disabled in demo mode.'); $app->uses("tform_actions"); diff --git a/interface/web/admin/users_edit.php b/interface/web/admin/users_edit.php index 2b1be7f..a405db4 100644 --- a/interface/web/admin/users_edit.php +++ b/interface/web/admin/users_edit.php @@ -52,16 +52,29 @@ function onBeforeInsert() { global $app, $conf; + + //* Security settings check + if(isset($this->dataRecord['typ']) && $this->dataRecord['typ'][0] == 'admin') { + $app->auth->check_security_permissions('admin_allow_new_admin'); + } if(!in_array($this->dataRecord['startmodule'], $this->dataRecord['modules'])) { $app->tform->errorMessage .= $app->tform->wordbook['startmodule_err']; } + + + } function onBeforeUpdate() { global $app, $conf; if($conf['demo_mode'] == true && $_REQUEST['id'] <= 3) $app->error('This function is disabled in demo mode.'); + + //* Security settings check + if(isset($this->dataRecord['typ']) && $this->dataRecord['typ'][0] == 'admin') { + $app->auth->check_security_permissions('admin_allow_new_admin'); + } if(@is_array($this->dataRecord['modules']) && !in_array($this->dataRecord['startmodule'], $this->dataRecord['modules'])) { $app->tform->errorMessage .= $app->tform->wordbook['startmodule_err']; diff --git a/interface/web/remote/index.php b/interface/web/remote/index.php index d60a1c9..c7ad8a9 100644 --- a/interface/web/remote/index.php +++ b/interface/web/remote/index.php @@ -6,7 +6,11 @@ if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.'); -$app->load('remoting'); +$app->load('remoting,getconf'); + +$security_config = $app->getconf->get_security_config('permissions'); +if($security_config['remote_api_allowed'] != 'yes') die('Remote API is disabled in security settings.'); + $server = new SoapServer(null, array('uri' => $_SERVER['REQUEST_URI'])); $server->setClass('remoting'); diff --git a/interface/web/sites/form/shell_user.tform.php b/interface/web/sites/form/shell_user.tform.php index db4efe3..4268fc0 100644 --- a/interface/web/sites/form/shell_user.tform.php +++ b/interface/web/sites/form/shell_user.tform.php @@ -237,6 +237,10 @@ 1 => array ( 'type' => 'REGEX', 'regex' => '/^\/[a-zA-Z0-9\ \.\-\_\/]{10,128}$/', 'errmsg'=> 'directory_error_regex'), + 2 => array ( 'type' => 'CUSTOM', + 'class' => 'validate_systemuser', + 'function' => 'shelluser_dir', + 'errmsg' => 'directory_error_notinweb'), ), 'default' => '', 'value' => '', diff --git a/interface/web/sites/lib/lang/en_shell_user.lng b/interface/web/sites/lib/lang/en_shell_user.lng index c3f21d5..66d3367 100644 --- a/interface/web/sites/lib/lang/en_shell_user.lng +++ b/interface/web/sites/lib/lang/en_shell_user.lng @@ -32,4 +32,5 @@ $wb['directory_error_regex'] = 'Invalid directory'; $wb['shell_error_regex'] = 'Invalid shell'; $wb['invalid_username_txt'] = 'Invalid Username'; +$wb['directory_error_notinweb'] = 'The directory has to be inside the web root.'; ?> diff --git a/interface/web/tools/user_settings.php b/interface/web/tools/user_settings.php index 95018ac..7065888 100644 --- a/interface/web/tools/user_settings.php +++ b/interface/web/tools/user_settings.php @@ -44,6 +44,10 @@ //* Check permissions for module $app->auth->check_module_permissions('tools'); +if($_SESSION['s']['user']['typ'] == 'admin') { + $app->auth->check_security_permissions('admin_allow_new_admin'); +} + // Loading classes $app->uses('tpl,tform,tform_actions'); $app->load('tform_actions'); diff --git a/security/security_settings.ini b/security/security_settings.ini new file mode 100644 index 0000000..0ea46f2 --- /dev/null +++ b/security/security_settings.ini @@ -0,0 +1,25 @@ +[permissions] +allow_shell_user=yes +admin_allow_server_config=superadmin +admin_allow_server_services=superadmin +admin_allow_server_ip=superadmin +admin_allow_remote_users=superadmin +admin_allow_system_config=superadmin +admin_allow_server_php=superadmin +admin_allow_langedit=superadmin +admin_allow_new_admin=superadmin +admin_allow_del_cpuser=superadmin +admin_allow_cpuser_group=superadmin +admin_allow_firewall_config=superadmin +admin_allow_osupdate=superadmin +admin_allow_software_packages=superadmin +admin_allow_software_repo=superadmin +remote_api_allowed=yes + +[systemcheck] +security_admin_email=root@localhost +warn_new_admin=yes +warn_passwd_change=no +warn_shadow_change=no +check_groups_in_passwd=yes +check_ispconfig_md5=yes \ No newline at end of file diff --git a/server/lib/classes/getconf.inc.php b/server/lib/classes/getconf.inc.php index c5ca6c6..768ea2c 100644 --- a/server/lib/classes/getconf.inc.php +++ b/server/lib/classes/getconf.inc.php @@ -59,6 +59,15 @@ } return ($section == '') ? $this->config['global'] : $this->config['global'][$section]; } + + public function get_security_config($section = '') { + global $app; + + $app->uses('ini_parser'); + $security_config = $app->ini_parser->parse_ini_string(file_get_contents('/usr/local/ispconfig/security/security_settings.ini')); + + return ($section == '') ? $security_config : $security_config[$section]; + } } diff --git a/server/plugins-available/shelluser_base_plugin.inc.php b/server/plugins-available/shelluser_base_plugin.inc.php index 67cbee0..3cb9d36 100755 --- a/server/plugins-available/shelluser_base_plugin.inc.php +++ b/server/plugins-available/shelluser_base_plugin.inc.php @@ -58,19 +58,25 @@ /* Register for the events */ - + $app->plugins->registerEvent('shell_user_insert', $this->plugin_name, 'insert'); $app->plugins->registerEvent('shell_user_update', $this->plugin_name, 'update'); $app->plugins->registerEvent('shell_user_delete', $this->plugin_name, 'delete'); - + } function insert($event_name, $data) { global $app, $conf; - - $app->uses('system'); + + $app->uses('system,getconf'); + + $security_config = $app->getconf->get_security_config('permissions'); + if($security_config['allow_shell_user'] != 'yes') { + $app->log('Shell user plugin disabled by security settings.',LOGLEVEL_WARN); + return false; + } //* Check if the resulting path is inside the docroot $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".intval($data['new']['parent_domain_id'])); @@ -144,7 +150,13 @@ function update($event_name, $data) { global $app, $conf; - $app->uses('system'); + $app->uses('system,getconf'); + + $security_config = $app->getconf->get_security_config('permissions'); + if($security_config['allow_shell_user'] != 'yes') { + $app->log('Shell user plugin disabled by security settings.',LOGLEVEL_WARN); + return false; + } //* Check if the resulting path is inside the docroot $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".intval($data['new']['parent_domain_id'])); @@ -223,7 +235,13 @@ function delete($event_name, $data) { global $app, $conf; - $app->uses('system'); + $app->uses('system,getconf'); + + $security_config = $app->getconf->get_security_config('permissions'); + if($security_config['allow_shell_user'] != 'yes') { + $app->log('Shell user plugin disabled by security settings.',LOGLEVEL_WARN); + return false; + } if($app->system->is_user($data['old']['username'])) { // Get the UID of the user diff --git a/server/plugins-available/shelluser_jailkit_plugin.inc.php b/server/plugins-available/shelluser_jailkit_plugin.inc.php index f0fb279..cb222fd 100755 --- a/server/plugins-available/shelluser_jailkit_plugin.inc.php +++ b/server/plugins-available/shelluser_jailkit_plugin.inc.php @@ -59,11 +59,11 @@ /* Register for the events */ - + $app->plugins->registerEvent('shell_user_insert', $this->plugin_name, 'insert'); $app->plugins->registerEvent('shell_user_update', $this->plugin_name, 'update'); $app->plugins->registerEvent('shell_user_delete', $this->plugin_name, 'delete'); - + } @@ -71,7 +71,15 @@ function insert($event_name, $data) { global $app, $conf; - $app->uses('system'); + $app->uses('system,getconf'); + + $security_config = $app->getconf->get_security_config('permissions'); + if($security_config['allow_shell_user'] != 'yes') { + $app->log('Shell user plugin disabled by security settings.',LOGLEVEL_WARN); + return false; + } + + $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$data['new']['parent_domain_id']); if(!$app->system->is_allowed_user($data['new']['username'], false, false) @@ -143,7 +151,14 @@ function update($event_name, $data) { global $app, $conf; - $app->uses('system'); + $app->uses('system,getconf'); + + $security_config = $app->getconf->get_security_config('permissions'); + if($security_config['allow_shell_user'] != 'yes') { + $app->log('Shell user plugin disabled by security settings.',LOGLEVEL_WARN); + return false; + } + $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$data['new']['parent_domain_id']); if(!$app->system->is_allowed_user($data['new']['username'], false, false) @@ -209,7 +224,13 @@ function delete($event_name, $data) { global $app, $conf; - $app->uses('system'); + $app->uses('system,getconf'); + + $security_config = $app->getconf->get_security_config('permissions'); + if($security_config['allow_shell_user'] != 'yes') { + $app->log('Shell user plugin disabled by security settings.',LOGLEVEL_WARN); + return false; + } $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$data['old']['parent_domain_id']); -- Gitblit v1.9.1