Commit 6b029af6 authored by tbrehm's avatar tbrehm

Added security levels for apache.

parent c8d40dcd
......@@ -444,6 +444,10 @@ class installer_dist extends installer_base {
exec("ln -s ".$vhost_conf_dir."/ispconfig.conf ".$vhost_conf_enabled_dir."/000-ispconfig.conf");
}
//* add a sshusers group
$command = 'groupadd sshusers';
if(!is_group('sshusers')) caselog($command.' &> /dev/null 2> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
}
public function configure_firewall()
......
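Review bot: The redirection appended to `$command` on the `caselog(...)` line, `' &> /dev/null 2> /dev/null'`, is redundant and `&>` is a bash extension; if caselog hands the string to `/bin/sh` (dash on Debian), `&>` is parsed as `&` followed by `>`, which backgrounds `groupadd` and loses its exit status, so the failure message would never fire. `' > /dev/null 2>&1'` is portable and says the same thing once. The identical line is added in the hunks at `@@ -464,6 +464,10 @@` and `@@ -815,6 +818,11 @@ class installer_base`. The enclosing method starts before this hunk; `configure_firewall()` begins right after it.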
......@@ -464,6 +464,10 @@ class installer_dist extends installer_base {
exec("ln -s ".$vhost_conf_dir."/ispconfig.conf ".$vhost_conf_enabled_dir."/000-ispconfig.conf");
}
//* add a sshusers group
$command = 'groupadd sshusers';
if(!is_group('sshusers')) caselog($command.' &> /dev/null 2> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
}
public function configure_firewall()
......
......@@ -211,6 +211,9 @@ class installer_base {
$tpl_ini_array['web']['website_path'] = $conf['web']['website_path'];
$tpl_ini_array['web']['website_symlinks'] = $conf['web']['website_symlinks'];
$tpl_ini_array['cron']['crontab_dir'] = $conf['cron']['crontab_dir'];
$tpl_ini_array['web']['security_level'] = 20;
$tpl_ini_array['web']['user'] = $conf['web']['user'];
$tpl_ini_array['web']['group'] = $conf['web']['group'];
$server_ini_content = array_to_ini($tpl_ini_array);
$server_ini_content = mysql_real_escape_string($server_ini_content);
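Review bot: `$tpl_ini_array['web']['security_level'] = 20;` hard-codes the level while every neighbouring key is copied from `$conf['web'][...]`, and the server.ini template added in this same commit sets the level to 10, so a fresh install ends up with two different defaults depending on which path produced server.ini. Either read it from `$conf['web']['security_level']` like `website_path` above, or make the template agree with the literal. A one-line comment such as `// 20 = high (open_basedir + 711/710 perms), 10 = medium` would also help, since the meaning of the number is otherwise only visible in the form definition. The enclosing method starts and ends outside this hunk.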
......@@ -815,6 +818,11 @@ class installer_base {
exec('ln -s /etc/webalizer.conf /etc/webalizer/webalizer.conf');
}
//* add a sshusers group
$command = 'groupadd sshusers';
if(!is_group('sshusers')) caselog($command.' &> /dev/null 2> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
}
......
......@@ -34,6 +34,9 @@ website_path=/var/www/clients/client[client_id]/web[website_id]
website_symlinks=/var/www/[website_domain]/:/var/www/clients/client[client_id]/[website_domain]/
vhost_conf_dir=/etc/apache2/sites-available
vhost_conf_enabled_dir=/etc/apache2/sites-enabled
securiry_level=10
apache_user=www-data
apache_group=www-data
[fastcgi]
fastcgi_starter_path=/var/www/php-fcgi-scripts/[system_user]/
......
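Review bot: The new ini key `securiry_level=10` is misspelled; the server form, the installer and apache2_plugin all read `security_level`, so this line is never consulted and the level comes from the form default ('20') or from an undefined index. Change it to `security_level=10` (or `security_level=20` to match what the installer writes). Since this is a config template there is no validation that would catch the typo later.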
......@@ -339,6 +339,34 @@ $form["tabs"]['web'] = array (
'width' => '40',
'maxlength' => '255'
),
'security_level' => array (
'datatype' => 'VARCHAR',
'formtype' => 'SELECT',
'default' => '20',
'value' => array('10' => 'Medium', '20' => 'High')
),
'user' => array (
'datatype' => 'VARCHAR',
'formtype' => 'TEXT',
'default' => '',
'validators' => array ( 0 => array ( 'type' => 'NOTEMPTY',
'errmsg'=> 'apache_user_error_empty'),
),
'value' => '',
'width' => '40',
'maxlength' => '255'
),
'group' => array (
'datatype' => 'VARCHAR',
'formtype' => 'TEXT',
'default' => '',
'validators' => array ( 0 => array ( 'type' => 'NOTEMPTY',
'errmsg'=> 'apache_group_error_empty'),
),
'value' => '',
'width' => '40',
'maxlength' => '255'
),
##################################
# ENDE Datatable fields
##################################
......
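Review bot: The new `user` and `group` fields only carry a `NOTEMPTY` validator, yet their values end up as unquoted arguments to `useradd`/`usermod`/`chown` in apache2_plugin, where `escapeshellcmd()` escapes metacharacters but does not quote whitespace. Restricting them to a system-account character set at the form level (a `REGEX` validator anchored to something like `/^[a-z_][a-z0-9_-]*$/`, if the form layer supports it) keeps bad input out of server.ini before it reaches the plugin. `security_level` itself is a SELECT with two fixed options, so it needs no extra check.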
......@@ -43,4 +43,5 @@ $wb["config_dir_txt"] = 'Config directory';
$wb["init_script_txt"] = 'Cron init script name';
$wb["crontab_dir_txt"] = 'Path for individual crontabs';
$wb["wget_txt"] = 'Path to wget program';
$wb["security_level_txt"] = 'Security level';
?>
\ No newline at end of file
......@@ -25,6 +25,22 @@
<label for="vhost_conf_enabled_dir">{tmpl_var name='vhost_conf_enabled_dir_txt'}</label>
<input name="vhost_conf_enabled_dir" id="vhost_conf_enabled_dir" value="{tmpl_var name='vhost_conf_enabled_dir'}" size="40" maxlength="255" type="text" class="textInput" />
</div>
<div class="ctrlHolder">
<p class="label">{tmpl_var name='security_level_txt'}</p>
<div class="multiField">
<select name="security_level" id="security_level" class="selectInput">
{tmpl_var name='security_level'}
</select>
</div>
</div>
<div class="ctrlHolder">
<label for="user">{tmpl_var name='user_txt'}</label>
<input name="user" id="user" value="{tmpl_var name='user'}" size="40" maxlength="255" type="text" class="textInput" />
</div>
<div class="ctrlHolder">
<label for="group">{tmpl_var name='group_txt'}</label>
<input name="group" id="group" value="{tmpl_var name='group'}" size="40" maxlength="255" type="text" class="textInput" />
</div>
</fieldset>
<input type="hidden" name="id" value="{tmpl_var name='id'}">
......
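Review bot: The new security_level control uses `<p class="label">` while every other field in this fieldset, including the `user` and `group` rows added just below, uses `<label for="...">`, so clicking the caption does not focus the select and assistive tools get no association. `<label for="security_level">{tmpl_var name='security_level_txt'}</label>` keeps the markup consistent.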
......@@ -6,6 +6,26 @@ $module["template"] = "module.tpl.htm";
$module["startpage"] = "dns/dns_soa_list.php";
$module["tab_width"] = '';
$items[] = array( 'title' => "Add DNS Zone",
'target' => 'content',
'link' => 'dns/dns_wizard.php');
if($_SESSION["s"]["user"]["typ"] == 'admin') {
$items[] = array( 'title' => "Templates",
'target' => 'content',
'link' => 'dns/dns_template_list.php');
}
$module["nav"][] = array( 'title' => 'DNS Wizard',
'open' => 1,
'items' => $items);
unset($items);
/*
Email accounts menu
*/
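Review bot: This hunk together with the deletion at `@@ -28,26 +48,6 @@` moves the 'DNS Wizard' navigation block ahead of the DNS menu, which is unrelated to the commit message "Added security levels for apache." Unrelated reordering is easier to review and to bisect in its own commit. If the move is intentional, a one-line comment above `$items[] = array( 'title' => "Add DNS Zone",` saying why the wizard now precedes the zone list would spare the next reader the guess.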
......@@ -28,26 +48,6 @@ $module["nav"][] = array( 'title' => 'DNS',
unset($items);
$items[] = array( 'title' => "Add DNS Zone",
'target' => 'content',
'link' => 'dns/dns_wizard.php');
if($_SESSION["s"]["user"]["typ"] == 'admin') {
$items[] = array( 'title' => "Templates",
'target' => 'content',
'link' => 'dns/dns_template_list.php');
}
$module["nav"][] = array( 'title' => 'DNS Wizard',
'open' => 1,
'items' => $items);
......
......@@ -95,7 +95,9 @@
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -fwebmaster@<tmpl_var name='domain'>"
php_admin_value upload_tmp_dir <tmpl_var name='document_root'>/tmp
php_admin_value session.save_path <tmpl_var name='document_root'>/tmp
#php_admin_value open_basedir <tmpl_var name='document_root'>:/usr/share/php5
<tmpl_if name='security_level' op='==' value='20'>
php_admin_value open_basedir <tmpl_var name='document_root'>/web:<tmpl_var name='document_root'>/tmp:/usr/share/php5
</tmpl_if>
</tmpl_if>
<tmpl_if name='php' op='==' value='suphp'>
# suphp enabled
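Review bot: At security level 10 the new `<tmpl_if name='security_level' op='==' value='20'>` block leaves PHP with no `open_basedir` at all, because the old `#php_admin_value open_basedir ...` line above it stays commented out; 'medium' therefore means unrestricted filesystem access from PHP rather than a looser restriction. Consider a `<tmpl_else>` (if the template engine provides one) or a second `<tmpl_if name='security_level' op='==' value='10'>` that restores the previous broader value, `php_admin_value open_basedir <tmpl_var name='document_root'>:/usr/share/php5`. The same pattern is added in the hunk at `@@ -249,7 +251,9 @@` below. The enclosing `<tmpl_if>` for the PHP mode opens before this hunk.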
......@@ -249,7 +251,9 @@
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -fwebmaster@<tmpl_var name='domain'>"
php_admin_value upload_tmp_dir <tmpl_var name='document_root'>/tmp
php_admin_value session.save_path <tmpl_var name='document_root'>/tmp
#php_admin_value open_basedir <tmpl_var name='document_root'>:/usr/share/php5
<tmpl_if name='security_level' op='==' value='20'>
php_admin_value open_basedir <tmpl_var name='document_root'>/web:<tmpl_var name='document_root'>/tmp:/usr/share/php5
</tmpl_if>
</tmpl_if>
<tmpl_if name='php' op='==' value='suphp'>
suPHP_Engine on
......
......@@ -443,7 +443,7 @@ class apache2_plugin {
$username = escapeshellcmd($data["new"]["system_user"]);
if($data["new"]["system_user"] != '' && !$app->system->is_user($data["new"]["system_user"])) {
exec("useradd -d ".escapeshellcmd($data["new"]["document_root"])." -g $groupname $username -s /bin/false");
exec("useradd -d ".escapeshellcmd($data["new"]["document_root"])." -g $groupname -G sshusers $username -s /bin/false");
$app->log("Adding the user: $username",LOGLEVEL_DEBUG);
}
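Review bot: The new `useradd ... -g $groupname -G sshusers $username -s /bin/false` line interpolates `$username` and `$groupname` unquoted; `escapeshellcmd()` on the line above escapes metacharacters but not spaces, so a value containing whitespace becomes additional arguments. Wrapping each value with `escapeshellarg()`, e.g. `escapeshellarg($data["new"]["system_user"])`, makes it a single argument regardless of content. This is presumably mitigated by how `system_user` is generated upstream, which is not visible here. The enclosing method starts before this hunk.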
......@@ -459,7 +459,6 @@ class apache2_plugin {
exec("setquota -T -u $username 604800 604800 -a &> /dev/null");
}
if($this->action == 'insert') {
// Chown and chmod the directories below the document root
exec("chown -R $username:$groupname ".escapeshellcmd($data["new"]["document_root"]));
......@@ -468,8 +467,40 @@ class apache2_plugin {
exec("chown root:root ".escapeshellcmd($data["new"]["document_root"]));
}
// make temp direcory writable for the apache user and the website user
exec("chmod 777 ".escapeshellcmd($data["new"]["document_root"]."/tmp"));
// If the security level is set to high
if($web_config['security_level'] == 20) {
exec("chmod 711 ".escapeshellcmd($data["new"]["document_root"]."/"));
exec("chmod 711 ".escapeshellcmd($data["new"]["document_root"]."/*"));
exec("chmod 710 ".escapeshellcmd($data["new"]["document_root"]."/web"));
//* Change the home directory and group of the website user
$command = 'usermod';
$command .= ' --groups sshusers,'.escapeshellcmd($web_config['group']);
$command .= ' '.escapeshellcmd($data["new"]["system_user"]);
exec($command);
$app->log("Modifying user: $command",LOGLEVEL_DEBUG);
// make temp direcory writable for the apache user and the website user
// exec("chmod 777 ".escapeshellcmd($data["new"]["document_root"]."/tmp"));
// If the security Level is set to medium
} else {
exec("chmod 755 ".escapeshellcmd($data["new"]["document_root"]."/"));
exec("chmod 755 ".escapeshellcmd($data["new"]["document_root"]."/*"));
//* Change the home directory and group of the website user
$command = 'usermod';
$command .= ' --groups sshusers ';
$command .= ' '.escapeshellcmd($data["new"]["system_user"]);
exec($command);
$app->log("Modifying user: $command",LOGLEVEL_DEBUG);
// make temp direcory writable for the apache user and the website user
exec("chmod 777 ".escapeshellcmd($data["new"]["document_root"]."/tmp"));
}
// Create the vhost config file
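Review bot: `exec("chmod 711 ".escapeshellcmd($data["new"]["document_root"]."/*"))` (and the 755 variant in the else branch) never reaches the subdirectories: `escapeshellcmd()` escapes `*`, so the shell receives a literal `\*` and chmod fails on a non-existent entry, leaving the entries below the document root at whatever mode the earlier `chown -R` found. Expanding the glob in PHP and calling `chmod()` directly avoids the shell entirely, as sketched below. In the high branch the `chmod 777 .../tmp` is commented out while the vhost template still points `upload_tmp_dir`/`session.save_path` at `document_root/tmp`; whether PHP can still write there depends on the ownership set by the `chown` earlier in this method and is worth confirming. The comment `// If the security Level is set to medium` sits above `} else {` rather than inside the else branch, and the enclosing method starts and ends outside the hunk.
```php
// … unchanged: chown of document_root …
$docroot = $data["new"]["document_root"];
$high = ($web_config['security_level'] == 20);
$mode = $high ? 0711 : 0755;
// escapeshellcmd() would escape the '*', so expand the glob in PHP instead of via the shell
chmod($docroot, $mode);
$entries = glob($docroot.'/*');
if(is_array($entries)) {
    foreach($entries as $entry) chmod($entry, $mode);
}
if($high) {
    chmod($docroot.'/web', 0710);
    // … unchanged: usermod --groups sshusers,<group> and log …
} else {
    // … unchanged: usermod --groups sshusers, log, chmod 777 of tmp …
}
```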
......@@ -482,6 +513,7 @@ class apache2_plugin {
$vhost_data["web_document_root"] = $data["new"]["document_root"]."/web";
$vhost_data["web_document_root_www"] = $web_config["website_basedir"]."/".$data["new"]["domain"]."/web";
$vhost_data["web_basedir"] = $web_config["website_basedir"];
$vhost_data["security_level"] = $web_config["security_level"];
// Check if a SSL cert exists
$ssl_dir = $data["new"]["document_root"]."/ssl";
......
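Review bot: `$vhost_data["security_level"] = $web_config["security_level"];` reads a key that the installer only starts writing in this commit; on a server whose server.ini was written before this change (or generated from the template, where the key is misspelled `securiry_level`), this is an undefined index and the template's `op='==' value='20'` test silently fails, so open_basedir is dropped for every rewritten vhost. Falling back to the stricter setting when the key is absent, `$vhost_data["security_level"] = isset($web_config["security_level"]) ? $web_config["security_level"] : 20;`, keeps existing sites restricted and matches the form default. The enclosing method starts and ends outside the hunk.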