diff --git a/install/dist/lib/fedora.lib.php b/install/dist/lib/fedora.lib.php
index 6a1c5048e870bcbea2c96a7f3d99f612ad5398bd..4a7c9cfbfe2f831795ffd9fa33f8569f43b5b306 100644
--- a/install/dist/lib/fedora.lib.php
+++ b/install/dist/lib/fedora.lib.php
@@ -30,7 +30,7 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
class installer_dist extends installer_base {
protected $mailman_group = 'mailman';
-
+
public function __construct() {
//** check apache modules */
$mods = getapachemodules();
@@ -42,7 +42,7 @@ class installer_dist extends installer_base {
swriteln($inst->lng(' AllowOverride None'));
swriteln($inst->lng(' Require all denied'));
swriteln($inst->lng(' </Directory>'."\n"));
-
+
swriteln($inst->lng(' If it uses the old syntax (deny from all) ISPConfig would fail to work.'));
}
}
@@ -80,7 +80,7 @@ class installer_dist extends installer_base {
//* mysql-virtual_sender_login_maps.cf
$this->process_postfix_config('mysql-virtual_sender_login_maps.cf');
-
+
//* mysql-virtual_client.cf
$this->process_postfix_config('mysql-virtual_client.cf');
@@ -89,7 +89,7 @@ class installer_dist extends installer_base {
//* mysql-virtual_relayrecipientmaps.cf
$this->process_postfix_config('mysql-virtual_relayrecipientmaps.cf');
-
+
//* mysql-virtual_outgoing_bcc.cf
$this->process_postfix_config('mysql-virtual_outgoing_bcc.cf');
@@ -142,19 +142,19 @@ class installer_dist extends installer_base {
}
}
unset($rbl_hosts);
-
+
//* If Postgrey is installed, configure it
$greylisting = '';
if($conf['postgrey']['installed'] == true) {
$greylisting = ', check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf';
}
-
+
$reject_sender_login_mismatch = '';
if(isset($server_ini_array['mail']['reject_sender_login_mismatch']) && ($server_ini_array['mail']['reject_sender_login_mismatch'] == 'y')) {
$reject_sender_login_mismatch = ', reject_authenticated_sender_login_mismatch';
}
unset($server_ini_array);
-
+
$postconf_placeholders = array('{config_dir}' => $config_dir,
'{vmail_mailbox_base}' => $cf['vmail_mailbox_base'],
'{vmail_userid}' => $cf['vmail_userid'],
@@ -163,7 +163,7 @@ class installer_dist extends installer_base {
'{greylisting}' => $greylisting,
'{reject_slm}' => $reject_sender_login_mismatch,
);
-
+
$postconf_tpl = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/fedora_postfix.conf.master', 'tpl/fedora_postfix.conf.master');
$postconf_tpl = strtr($postconf_tpl, $postconf_placeholders);
$postconf_commands = array_filter(explode("\n", $postconf_tpl)); // read and remove empty lines
@@ -368,13 +368,13 @@ class installer_dist extends installer_base {
$virtual_transport = 'dovecot';
$configure_lmtp = false;
-
+
// check if virtual_transport must be changed
if ($this->is_update) {
$tmp = $this->db->queryOneRecord("SELECT * FROM ?? WHERE server_id = ?", $conf["mysql"]["database"] . ".server", $conf['server_id']);
$ini_array = ini_to_array(stripslashes($tmp['config']));
// ini_array needs not to be checked, because already done in update.php -> updateDbAndIni()
-
+
if(isset($ini_array['mail']['mailbox_virtual_uidgid_maps']) && $ini_array['mail']['mailbox_virtual_uidgid_maps'] == 'y') {
$virtual_transport = 'lmtp:unix:private/dovecot-lmtp';
$configure_lmtp = true;
@@ -452,7 +452,7 @@ class installer_dist extends installer_base {
if(version_compare($dovecot_version,2.3) >= 0) {
// Remove deprecated setting(s)
removeLine($config_dir.'/'.$configfile, 'ssl_protocols =');
-
+
// Check if we have a dhparams file and if not, create it
if(!file_exists('/etc/dovecot/dh.pem')) {
swriteln('Creating new DHParams file, this takes several minutes. Do not interrupt the script.');
@@ -475,7 +475,7 @@ class installer_dist extends installer_base {
$content = str_replace('#2.3+','',$content);
file_put_contents($config_dir.'/'.$configfile,$content);
unset($content);
-
+
} else {
// remove settings which are not supported in Dovecot < 2.3
removeLine($config_dir.'/'.$configfile, 'ssl_min_protocol =');
@@ -502,7 +502,7 @@ class installer_dist extends installer_base {
copy("$config_dir/$configfile", "$config_dir/$configfile~");
exec("chmod 400 $config_dir/$configfile~");
}
-
+
if(!@file_exists('/etc/dovecot-sql.conf')) exec('ln -s /etc/dovecot/dovecot-sql.conf /etc/dovecot-sql.conf');
$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/fedora_dovecot-sql.conf.master', "tpl/fedora_dovecot-sql.conf.master");
@@ -520,7 +520,7 @@ class installer_dist extends installer_base {
exec("chmod 600 $config_dir/$configfile");
exec("chown root:root $config_dir/$configfile");
-
+
// Dovecot shall ignore mounts in website directory
if(is_installed('doveadm')) exec("doveadm mount add '/var/www/*' ignore > /dev/null 2> /dev/null");
@@ -543,12 +543,12 @@ class installer_dist extends installer_base {
$content = str_replace('{amavis_config_dir}', $conf['amavis']['config_dir'], $content);
wf($conf["amavis"]["config_dir"].'/amavisd.conf', $content);
chmod($conf['amavis']['config_dir'].'/amavisd.conf', 0640);
-
+
if(!is_file($conf['amavis']['config_dir'].'/60-dkim')) {
touch($conf['amavis']['config_dir'].'/60-dkim');
chmod($conf['amavis']['config_dir'].'/60-dkim', 0640);
}
-
+
// for CentOS 7.2 only
if($dist['confid'] == 'centos72') {
chmod($conf['amavis']['config_dir'].'/amavisd.conf', 0750);
@@ -752,16 +752,16 @@ class installer_dist extends installer_base {
$tpl = new tpl('apache_ispconfig.conf.master');
$tpl->setVar('apache_version',getapacheversion());
-
+
if($this->is_update == true) {
$tpl->setVar('logging',get_logging_state());
} else {
$tpl->setVar('logging','yes');
}
-
+
$records = $this->db->queryAllRecords("SELECT * FROM ?? WHERE server_id = ? AND virtualhost = 'y'", $conf['mysql']['master_database'] . '.server_ip', $conf['server_id']);
$ip_addresses = array();
-
+
if(is_array($records) && count($records) > 0) {
foreach($records as $rec) {
if($rec['ip_type'] == 'IPv6') {
@@ -780,7 +780,7 @@ class installer_dist extends installer_base {
}
}
}
-
+
if(count($ip_addresses) > 0) $tpl->setLoop('ip_adresses',$ip_addresses);
wf($vhost_conf_dir.'/ispconfig.conf', $tpl->grab());
@@ -843,7 +843,7 @@ class installer_dist extends installer_base {
//* add a sshusers group
$command = 'groupadd sshusers';
if(!is_group('sshusers')) caselog($command.' &> /dev/null 2> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-
+
// add anonymized log option to nginxx.conf file
$nginx_conf_file = $conf['nginx']['config_dir'].'/nginx.conf';
if(is_file($nginx_conf_file)) {
@@ -853,7 +853,7 @@ class installer_dist extends installer_base {
replaceLine($nginx_conf_file, 'http {', "http {\n\n".file_get_contents('tpl/nginx_anonlog.master'), 0, 0);
}
}
-
+
}
public function configure_bastille_firewall()
@@ -946,14 +946,14 @@ class installer_dist extends installer_base {
//* copy the ISPConfig server part
$command = "cp -rf ../server $install_dir";
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-
+
//* Make a backup of the security settings
if(is_file('/usr/local/ispconfig/security/security_settings.ini')) copy('/usr/local/ispconfig/security/security_settings.ini','/usr/local/ispconfig/security/security_settings.ini~');
-
+
//* copy the ISPConfig security part
$command = 'cp -rf ../security '.$install_dir;
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-
+
$configfile = 'security_settings.ini';
if(is_file($install_dir.'/security/'.$configfile)) {
copy($install_dir.'/security/'.$configfile, $install_dir.'/security/'.$configfile.'~');
@@ -1100,15 +1100,15 @@ class installer_dist extends installer_base {
//* chown the interface files to the ispconfig user and group
$command = 'chown -R ispconfig:ispconfig '.$install_dir.'/interface';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-
+
//* chown the server files to the root user and group
$command = 'chown -R root:root '.$install_dir.'/server';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-
+
//* chown the security files to the root user and group
$command = 'chown -R root:root '.$install_dir.'/security';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-
+
//* chown the security directory and security_settings.ini to root:ispconfig
$command = 'chown root:ispconfig '.$install_dir.'/security/security_settings.ini';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
@@ -1163,12 +1163,12 @@ class installer_dist extends installer_base {
exec("chmod 600 $install_dir/server/lib/mysql_clientdb.conf");
exec("chown root:root $install_dir/server/lib/mysql_clientdb.conf");
}
-
+
if(is_dir($install_dir.'/interface/invoices')) {
exec('chmod -R 770 '.escapeshellarg($install_dir.'/interface/invoices'));
exec('chown -R ispconfig:ispconfig '.escapeshellarg($install_dir.'/interface/invoices'));
}
-
+
exec('chown -R root:root /usr/local/ispconfig/interface/ssl');
// TODO: FIXME: add the www-data user to the ispconfig group. This is just for testing
@@ -1199,7 +1199,7 @@ class installer_dist extends installer_base {
$sql = "UPDATE sys_user SET passwort = md5(?) WHERE username = 'admin';";
$this->db->query($sql, $conf['interface_password']);
}
-
+
if($conf['apache']['installed'] == true && $this->install_ispconfig_interface == true){
//* Copy the ISPConfig vhost for the controlpanel
// TODO: These are missing! should they be "vhost_dist_*_dir" ?
@@ -1228,7 +1228,7 @@ class installer_dist extends installer_base {
} else {
$tpl->setVar('ssl_bundle_comment','#');
}
-
+
$tpl->setVar('apache_version',getapacheversion());
wf($vhost_conf_dir.'/ispconfig.vhost', $tpl->grab());
@@ -1241,24 +1241,16 @@ class installer_dist extends installer_base {
exec("ln -s $vhost_conf_dir/ispconfig.vhost $vhost_conf_enabled_dir/000-ispconfig.vhost");
}
- /*
- exec('mkdir -p /var/www/php-fcgi-scripts/ispconfig');
- exec('cp tpl/apache_ispconfig_fcgi_starter.master /var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter');
- exec('chmod +x /var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter');
- exec('ln -s /usr/local/ispconfig/interface/web /var/www/ispconfig');
- exec('chown -R ispconfig:ispconfig /var/www/php-fcgi-scripts/ispconfig');
-
- replaceLine('/var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter','PHPRC=','PHPRC=/etc/',0,0);
- */
- //if(!is_file('/var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter')) {
$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/apache_ispconfig_fcgi_starter.master', 'tpl/apache_ispconfig_fcgi_starter.master');
$content = str_replace('{fastcgi_bin}', $conf['fastcgi']['fastcgi_bin'], $content);
$content = str_replace('{fastcgi_phpini_path}', $conf['fastcgi']['fastcgi_phpini_path'], $content);
if(!is_dir('/var/www/php-fcgi-scripts/ispconfig')) exec('mkdir -p /var/www/php-fcgi-scripts/ispconfig');
+ $this->set_immutable('/var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter', false);
wf('/var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter', $content);
exec('chmod +x /var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter');
if(!is_link('/var/www/ispconfig')) exec('ln -s /usr/local/ispconfig/interface/web /var/www/ispconfig');
exec('chown -R ispconfig:ispconfig /var/www/php-fcgi-scripts/ispconfig');
+ $this->set_immutable('/var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter', true);
//}
//}
}
@@ -1373,10 +1365,10 @@ class installer_dist extends installer_base {
//* Remove Domain module as its functions are available in the client module now
if(@is_dir('/usr/local/ispconfig/interface/web/domain')) exec('rm -rf /usr/local/ispconfig/interface/web/domain');
-
+
// Add symlink for patch tool
if(!is_link('/usr/local/bin/ispconfig_patch')) exec('ln -s /usr/local/ispconfig/server/scripts/ispconfig_patch /usr/local/bin/ispconfig_patch');
-
+
// Change mode of a few files from amavisd
if(is_file($conf['amavis']['config_dir'].'/conf.d/50-user')) chmod($conf['amavis']['config_dir'].'/conf.d/50-user', 0640);
if(is_file($conf['amavis']['config_dir'].'/50-user~')) chmod($conf['amavis']['config_dir'].'/50-user~', 0400);
diff --git a/install/dist/lib/gentoo.lib.php b/install/dist/lib/gentoo.lib.php
index 5bb0d9df1966347d54e9dd1b39d62dc462977560..a39c3463761b049708a9e0adcc8ac7908d65f4d7 100644
--- a/install/dist/lib/gentoo.lib.php
+++ b/install/dist/lib/gentoo.lib.php
@@ -100,13 +100,13 @@ class installer extends installer_base
if($conf['postgrey']['installed'] == true) {
$greylisting = ', check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf';
}
-
+
$reject_sender_login_mismatch = '';
if(isset($server_ini_array['mail']['reject_sender_login_mismatch']) && ($server_ini_array['mail']['reject_sender_login_mismatch'] == 'y')) {
$reject_sender_login_mismatch = ', reject_authenticated_sender_login_mismatch';
}
unset($server_ini_array);
-
+
$postconf_placeholders = array('{config_dir}' => $config_dir,
'{vmail_mailbox_base}' => $cf['vmail_mailbox_base'],
'{vmail_userid}' => $cf['vmail_userid'],
@@ -277,13 +277,13 @@ class installer extends installer_base
$virtual_transport = 'dovecot';
$configure_lmtp = false;
-
+
// check if virtual_transport must be changed
if ($this->is_update) {
$tmp = $this->db->queryOneRecord("SELECT * FROM ?? WHERE server_id = ?", $conf["mysql"]["database"].".server", $conf['server_id']);
$ini_array = ini_to_array(stripslashes($tmp['config']));
// ini_array needs not to be checked, because already done in update.php -> updateDbAndIni()
-
+
if(isset($ini_array['mail']['mailbox_virtual_uidgid_maps']) && $ini_array['mail']['mailbox_virtual_uidgid_maps'] == 'y') {
$virtual_transport = 'lmtp:unix:private/dovecot-lmtp';
$configure_lmtp = true;
@@ -602,16 +602,16 @@ class installer extends installer_base
//* Copy the ISPConfig configuration include
$tpl = new tpl('apache_ispconfig.conf.master');
$tpl->setVar('apache_version',getapacheversion());
-
+
if($this->is_update == true) {
$tpl->setVar('logging',get_logging_state());
} else {
$tpl->setVar('logging','yes');
}
-
+
$records = $this->db->queryAllRecords("SELECT * FROM ?? WHERE server_id = ? AND virtualhost = 'y'", $conf['mysql']['master_database'] . '.server_ip', $conf['server_id']);
$ip_addresses = array();
-
+
if(is_array($records) && count($records) > 0) {
foreach($records as $rec) {
if($rec['ip_type'] == 'IPv6') {
@@ -630,7 +630,7 @@ class installer extends installer_base
}
}
}
-
+
if(count($ip_addresses) > 0) $tpl->setLoop('ip_adresses',$ip_addresses);
wf($conf['apache']['vhost_conf_dir'].'/000-ispconfig.conf', $tpl->grab());
@@ -727,10 +727,11 @@ class installer extends installer_base
$content = str_replace('{fastcgi_phpini_path}', $conf['fastcgi']['fastcgi_phpini_path'], $content);
mkdir($conf['web']['website_basedir'].'/php-fcgi-scripts/apps', 0755, true);
//copy('tpl/apache_apps_fcgi_starter.master',$conf['web']['website_basedir'].'/php-fcgi-scripts/apps/.php-fcgi-starter');
+ $this->set_immutable($conf['web']['website_basedir'].'/php-fcgi-scripts/apps/.php-fcgi-starter', false);
wf($conf['web']['website_basedir'].'/php-fcgi-scripts/apps/.php-fcgi-starter', $content);
exec('chmod +x '.$conf['web']['website_basedir'].'/php-fcgi-scripts/apps/.php-fcgi-starter');
exec('chown -R ispapps:ispapps '.$conf['web']['website_basedir'].'/php-fcgi-scripts/apps');
-
+ $this->set_immutable($conf['web']['website_basedir'].'/php-fcgi-scripts/apps/.php-fcgi-starter', true);
//}
}
if($conf['nginx']['installed'] == true){
@@ -783,11 +784,11 @@ class installer extends installer_base
//$content = str_replace('{fpm_port}', ($conf['nginx']['php_fpm_start_port']+1), $content);
$content = str_replace('{fpm_socket}', $fpm_socket, $content);
$content = str_replace('{cgi_socket}', $cgi_socket, $content);
-
+
// SSL in apps vhost is off by default. Might change later.
$content = str_replace('{ssl_on}', 'ssl', $content);
$content = str_replace('{ssl_comment}', '#', $content);
-
+
wf($vhost_conf_dir.'/apps.vhost', $content);
// PHP-FPM
@@ -843,14 +844,14 @@ class installer extends installer_base
//* copy the ISPConfig server part
$command = "cp -rf ../server $install_dir";
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-
+
//* Make a backup of the security settings
if(is_file('/usr/local/ispconfig/security/security_settings.ini')) copy('/usr/local/ispconfig/security/security_settings.ini','/usr/local/ispconfig/security/security_settings.ini~');
-
+
//* copy the ISPConfig security part
$command = 'cp -rf ../security '.$install_dir;
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-
+
//* Apply changed security_settings.ini values to new security_settings.ini file
if(is_file('/usr/local/ispconfig/security/security_settings.ini~')) {
$security_settings_old = ini_to_array(file_get_contents('/usr/local/ispconfig/security/security_settings.ini~'));
@@ -983,15 +984,15 @@ class installer extends installer_base
//* chown the interface files to the ispconfig user and group
$command = 'chown -R ispconfig:ispconfig '.$install_dir.'/interface';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-
+
//* chown the server files to the root user and group
$command = 'chown -R root:root '.$install_dir.'/server';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-
+
//* chown the security files to the root user and group
$command = 'chown -R root:root '.$install_dir.'/security';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-
+
//* chown the security directory and security_settings.ini to root:ispconfig
$command = 'chown root:ispconfig '.$install_dir.'/security/security_settings.ini';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
@@ -1005,7 +1006,7 @@ class installer extends installer_base
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
$command = 'chown root:ispconfig '.$install_dir.'/security/nginx_directives.blacklist';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-
+
//* Make the global language file directory group writable
exec("chmod -R 770 $install_dir/interface/lib/lang");
@@ -1058,7 +1059,7 @@ class installer extends installer_base
exec('chmod -R 770 '.escapeshellarg($install_dir.'/interface/invoices'));
exec('chown -R ispconfig:ispconfig '.escapeshellarg($install_dir.'/interface/invoices'));
}
-
+
exec('chown -R root:root /usr/local/ispconfig/interface/ssl');
// TODO: FIXME: add the www-data user to the ispconfig group. This is just for testing
@@ -1089,7 +1090,7 @@ class installer extends installer_base
$sql = "UPDATE sys_user SET passwort = md5(?) WHERE username = 'admin';";
$this->db->query($sql, $conf['interface_password']);
}
-
+
if($conf['apache']['installed'] == true && $this->install_ispconfig_interface == true){
//* Copy the ISPConfig vhost for the controlpanel
$content = $this->get_template_file("apache_ispconfig.vhost", true);
@@ -1121,11 +1122,13 @@ class installer extends installer_base
$content = str_replace('{fastcgi_bin}', $conf['fastcgi']['fastcgi_bin'], $content);
$content = str_replace('{fastcgi_phpini_path}', $conf['fastcgi']['fastcgi_phpini_path'], $content);
@mkdir('/var/www/php-fcgi-scripts/ispconfig', 0755, true);
+ $this->set_immutable('/var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter', false);
wf('/var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter', $content);
exec('chmod +x /var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter');
chmod('/var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter', 0755);
@symlink($install_dir.'/interface/web', '/var/www/ispconfig');
exec('chown -R ispconfig:ispconfig /var/www/php-fcgi-scripts/ispconfig');
+ $this->set_immutable('/var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter', true);
}
}
@@ -1238,16 +1241,16 @@ class installer extends installer_base
//* Remove Domain module as its functions are available in the client module now
if(@is_dir('/usr/local/ispconfig/interface/web/domain')) exec('rm -rf /usr/local/ispconfig/interface/web/domain');
-
+
// Add symlink for patch tool
if(!is_link('/usr/local/bin/ispconfig_patch')) exec('ln -s /usr/local/ispconfig/server/scripts/ispconfig_patch /usr/local/bin/ispconfig_patch');
-
+
// Change mode of a few files from amavisd
if(is_file($conf['amavis']['config_dir'].'/conf.d/50-user')) chmod($conf['amavis']['config_dir'].'/conf.d/50-user', 0640);
if(is_file($conf['amavis']['config_dir'].'/50-user~')) chmod($conf['amavis']['config_dir'].'/50-user~', 0400);
if(is_file($conf['amavis']['config_dir'].'/amavisd.conf')) chmod($conf['amavis']['config_dir'].'/amavisd.conf', 0640);
if(is_file($conf['amavis']['config_dir'].'/amavisd.conf~')) chmod($conf['amavis']['config_dir'].'/amavisd.conf~', 0400);
-
+
}
}
diff --git a/install/dist/lib/opensuse.lib.php b/install/dist/lib/opensuse.lib.php
index 21cfd9f2bad9d929e280f9abd5d091444131bff7..60fb0511fd8998118a2140d2c2aca8e49128c284 100644
--- a/install/dist/lib/opensuse.lib.php
+++ b/install/dist/lib/opensuse.lib.php
@@ -30,7 +30,7 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
class installer_dist extends installer_base {
protected $mailman_group = 'mailman';
-
+
public function __construct() {
//** check apache modules */
$mods = getapachemodules();
@@ -42,7 +42,7 @@ class installer_dist extends installer_base {
swriteln($inst->lng(' AllowOverride None'));
swriteln($inst->lng(' Require all denied'));
swriteln($inst->lng(' </Directory>'."\n"));
-
+
swriteln($inst->lng(' If it uses the old syntax (deny from all) ISPConfig would fail to work.'));
}
}
@@ -80,7 +80,7 @@ class installer_dist extends installer_base {
//* mysql-virtual_sender_login_maps.cf
$this->process_postfix_config('mysql-virtual_sender_login_maps.cf');
-
+
//* mysql-virtual_client.cf
$this->process_postfix_config('mysql-virtual_client.cf');
@@ -159,13 +159,13 @@ class installer_dist extends installer_base {
if($conf['postgrey']['installed'] == true) {
$greylisting = ', check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf';
}
-
+
$reject_sender_login_mismatch = '';
if(isset($server_ini_array['mail']['reject_sender_login_mismatch']) && ($server_ini_array['mail']['reject_sender_login_mismatch'] == 'y')) {
$reject_sender_login_mismatch = ', reject_authenticated_sender_login_mismatch';
}
unset($server_ini_array);
-
+
$postconf_placeholders = array('{config_dir}' => $config_dir,
'{vmail_mailbox_base}' => $cf['vmail_mailbox_base'],
'{vmail_userid}' => $cf['vmail_userid'],
@@ -174,7 +174,7 @@ class installer_dist extends installer_base {
'{greylisting}' => $greylisting,
'{reject_slm}' => $reject_sender_login_mismatch,
);
-
+
$postconf_tpl = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/opensuse_postfix.conf.master', 'tpl/opensuse_postfix.conf.master');
$postconf_tpl = strtr($postconf_tpl, $postconf_placeholders);
$postconf_commands = array_filter(explode("\n", $postconf_tpl)); // read and remove empty lines
@@ -378,13 +378,13 @@ class installer_dist extends installer_base {
$virtual_transport = 'dovecot';
$configure_lmtp = false;
-
+
// check if virtual_transport must be changed
if ($this->is_update) {
$tmp = $this->db->queryOneRecord("SELECT * FROM ?? WHERE server_id = ?", $conf["mysql"]["database"] . ".server", $conf['server_id']);
$ini_array = ini_to_array(stripslashes($tmp['config']));
// ini_array needs not to be checked, because already done in update.php -> updateDbAndIni()
-
+
if(isset($ini_array['mail']['mailbox_virtual_uidgid_maps']) && $ini_array['mail']['mailbox_virtual_uidgid_maps'] == 'y') {
$virtual_transport = 'lmtp:unix:private/dovecot-lmtp';
$configure_lmtp = true;
@@ -487,7 +487,7 @@ class installer_dist extends installer_base {
exec("chmod 600 $config_dir/$configfile");
exec("chown root:root $config_dir/$configfile");
-
+
// Dovecot shall ignore mounts in website directory
if(is_installed('doveadm')) exec("doveadm mount add '/srv/www/*' ignore > /dev/null 2> /dev/null");
@@ -659,7 +659,7 @@ class installer_dist extends installer_base {
if($conf['apache']['installed'] == false) return;
//* Create the logging directory for the vhost logfiles
exec('mkdir -p /var/log/ispconfig/httpd');
-
+
//* enable apache logio module
exec('a2enmod logio');
@@ -690,16 +690,16 @@ class installer_dist extends installer_base {
$tpl = new tpl('apache_ispconfig.conf.master');
$tpl->setVar('apache_version',getapacheversion());
-
+
if($this->is_update == true) {
$tpl->setVar('logging',get_logging_state());
} else {
$tpl->setVar('logging','yes');
}
-
+
$records = $this->db->queryAllRecords("SELECT * FROM ?? WHERE server_id = ? AND virtualhost = 'y'", $conf['mysql']['master_database'] . '.server_ip', $conf['server_id']);
$ip_addresses = array();
-
+
if(is_array($records) && count($records) > 0) {
foreach($records as $rec) {
if($rec['ip_type'] == 'IPv6') {
@@ -718,7 +718,7 @@ class installer_dist extends installer_base {
}
}
}
-
+
if(count($ip_addresses) > 0) $tpl->setLoop('ip_adresses',$ip_addresses);
wf($vhost_conf_dir.'/ispconfig.conf', $tpl->grab());
@@ -823,7 +823,7 @@ class installer_dist extends installer_base {
//* add a sshusers group
$command = 'groupadd sshusers';
if(!is_group('sshusers')) caselog($command.' &> /dev/null 2> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-
+
// add anonymized log option to nginxx.conf file
$nginx_conf_file = $conf['nginx']['config_dir'].'/nginx.conf';
if(is_file($nginx_conf_file)) {
@@ -925,14 +925,14 @@ class installer_dist extends installer_base {
//* copy the ISPConfig server part
$command = "cp -rf ../server $install_dir";
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-
+
//* Make a backup of the security settings
if(is_file('/usr/local/ispconfig/security/security_settings.ini')) copy('/usr/local/ispconfig/security/security_settings.ini','/usr/local/ispconfig/security/security_settings.ini~');
-
+
//* copy the ISPConfig security part
$command = 'cp -rf ../security '.$install_dir;
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-
+
//* Apply changed security_settings.ini values to new security_settings.ini file
if(is_file('/usr/local/ispconfig/security/security_settings.ini~')) {
$security_settings_old = ini_to_array(file_get_contents('/usr/local/ispconfig/security/security_settings.ini~'));
@@ -1090,15 +1090,15 @@ class installer_dist extends installer_base {
//* chown the interface files to the ispconfig user and group
$command = 'chown -R ispconfig:ispconfig '.$install_dir.'/interface';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-
+
//* chown the server files to the root user and group
$command = 'chown -R root:root '.$install_dir.'/server';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-
+
//* chown the security files to the root user and group
$command = 'chown -R root:root '.$install_dir.'/security';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-
+
//* chown the security directory and security_settings.ini to root:ispconfig
$command = 'chown root:ispconfig '.$install_dir.'/security/security_settings.ini';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
@@ -1112,7 +1112,7 @@ class installer_dist extends installer_base {
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
$command = 'chown root:ispconfig '.$install_dir.'/security/nginx_directives.blacklist';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-
+
//* Make the global language file directory group writable
exec("chmod -R 770 $install_dir/interface/lib/lang");
@@ -1153,12 +1153,12 @@ class installer_dist extends installer_base {
exec("chmod 600 $install_dir/server/lib/mysql_clientdb.conf");
exec("chown root:root $install_dir/server/lib/mysql_clientdb.conf");
}
-
+
if(is_dir($install_dir.'/interface/invoices')) {
exec('chmod -R 770 '.escapeshellarg($install_dir.'/interface/invoices'));
exec('chown -R ispconfig:ispconfig '.escapeshellarg($install_dir.'/interface/invoices'));
}
-
+
exec('chown -R root:root /usr/local/ispconfig/interface/ssl');
// TODO: FIXME: add the www-data user to the ispconfig group. This is just for testing
@@ -1192,7 +1192,7 @@ class installer_dist extends installer_base {
$sql = "UPDATE sys_user SET passwort = md5(?) WHERE username = 'admin';";
$this->db->query($sql, $conf['interface_password']);
}
-
+
if($conf['apache']['installed'] == true && $this->install_ispconfig_interface == true){
//* Copy the ISPConfig vhost for the controlpanel
// TODO: These are missing! should they be "vhost_dist_*_dir" ?
@@ -1221,7 +1221,7 @@ class installer_dist extends installer_base {
} else {
$tpl->setVar('ssl_bundle_comment','#');
}
-
+
$tpl->setVar('apache_version',getapacheversion());
$content = $tpl->grab();
@@ -1233,10 +1233,12 @@ class installer_dist extends installer_base {
$content = str_replace('{fastcgi_bin}', $conf['fastcgi']['fastcgi_bin'], $content);
$content = str_replace('{fastcgi_phpini_path}', $conf['fastcgi']['fastcgi_phpini_path'], $content);
exec('mkdir -p /srv/www/php-fcgi-scripts/ispconfig');
+ $this->set_immutable('/srv/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter', false);
wf('/srv/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter', $content);
exec('chmod +x /srv/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter');
exec('ln -s /usr/local/ispconfig/interface/web /srv/www/ispconfig');
exec('chown -R ispconfig:ispconfig /srv/www/php-fcgi-scripts/ispconfig');
+ $this->set_immutable('/srv/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter', true);
//}
@@ -1362,10 +1364,10 @@ class installer_dist extends installer_base {
//* Remove Domain module as its functions are available in the client module now
if(@is_dir('/usr/local/ispconfig/interface/web/domain')) exec('rm -rf /usr/local/ispconfig/interface/web/domain');
-
+
// Add symlink for patch tool
if(!is_link('/usr/local/bin/ispconfig_patch')) exec('ln -s /usr/local/ispconfig/server/scripts/ispconfig_patch /usr/local/bin/ispconfig_patch');
-
+
// Change mode of a few files from amavisd
if(is_file($conf['amavis']['config_dir'].'/conf.d/50-user')) chmod($conf['amavis']['config_dir'].'/conf.d/50-user', 0640);
if(is_file($conf['amavis']['config_dir'].'/50-user~')) chmod($conf['amavis']['config_dir'].'/50-user~', 0400);
diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php
index bc9ed26e1847eab11b04543228d71d9fb43a5e32..81b1257db006458c4ce968415890dfb147c96b53 100644
--- a/install/lib/installer_base.lib.php
+++ b/install/lib/installer_base.lib.php
@@ -143,6 +143,16 @@ class installer_base {
}
*/
+ public function set_immutable($path, $enable = true) {
+ if($path != '' && $path != '/' && strlen($path) > 6 && strpos($path, '..') === false && (is_file($path) || is_dir($path))) {
+ if($enable) {
+ exec('chattr +i ' . escapeshellarg($path));
+ } else {
+ exec('chattr -i ' . escapeshellarg($path));
+ }
+ }
+ }
+
//** Detect PHP-Version
public function get_php_version() {
if(version_compare(PHP_VERSION, $this->min_php, '<')) return false;
@@ -235,7 +245,7 @@ class installer_base {
die();
}*/
- $unwanted_sql_plugins = array('validate_password');
+ $unwanted_sql_plugins = array('validate_password');
$sql_plugins = $this->db->queryAllRecords("SELECT plugin_name FROM information_schema.plugins WHERE plugin_status='ACTIVE' AND plugin_name IN ?", $unwanted_sql_plugins);
if(is_array($sql_plugins) && !empty($sql_plugins)) {
foreach ($sql_plugins as $plugin) echo "Login in to MySQL and disable $plugin[plugin_name] with:\n\n UNINSTALL PLUGIN $plugin[plugin_name];";
@@ -357,7 +367,7 @@ class installer_base {
}
$server_ini_content = array_to_ini($tpl_ini_array);
-
+
$mail_server_enabled = ($conf['services']['mail'])?1:0;
$web_server_enabled = ($conf['services']['web'])?1:0;
$dns_server_enabled = ($conf['services']['dns'])?1:0;
@@ -427,7 +437,7 @@ class installer_base {
public function detect_ips(){
global $conf;
-
+
$output = $this->get_host_ips();
if(is_array($output) && !empty($output)){
@@ -675,7 +685,7 @@ class installer_base {
if(!$this->dbmaster->query($query, $value['db'] . '.aps_instances', $value['user'], $host)) {
$this->warning('Unable to set rights of user in master database: '.$value['db']."\n Query: ".$query."\n Error: ".$this->dbmaster->errorMessage);
}
-
+
$query = "GRANT SELECT, DELETE ON ?? TO ?@?";
if ($verbose){
echo $query ."\n";
@@ -699,7 +709,7 @@ class installer_base {
if(!$this->dbmaster->query($query, $value['db'] . '.mail_backup', $value['user'], $host)) {
$this->warning('Unable to set rights of user in master database: '.$value['db']."\n Query: ".$query."\n Error: ".$this->dbmaster->errorMessage);
}
-
+
$query = "GRANT SELECT, UPDATE(`dnssec_initialized`, `dnssec_info`, `dnssec_last_signed`) ON ?? TO ?@?";
if ($verbose){
echo $query ."\n";
@@ -707,7 +717,7 @@ class installer_base {
if(!$this->dbmaster->query($query, $value['db'] . '.dns_soa', $value['user'], $host)) {
$this->warning('Unable to set rights of user in master database: '.$value['db']."\n Query: ".$query."\n Error: ".$this->dbmaster->errorMessage);
}
-
+
$query = "GRANT SELECT, INSERT, UPDATE ON ?? TO ?@?";
if ($verbose){
echo $query ."\n";
@@ -866,7 +876,7 @@ class installer_base {
$postfix_service = @($out[0]=='')?false:true;
} else { //* fallback - Postfix < 2.9
$content = rf($conf['postfix']['config_dir'].'/master.cf');
- $regex = "/^((?!#)".$service.".*".$type.".*)$/m";
+ $regex = "/^((?!#)".$service.".*".$type.".*)$/m";
$postfix_service = @(preg_match($regex, $content))?true:false;
}
@@ -976,7 +986,7 @@ class installer_base {
//* mysql-virtual_relayrecipientmaps.cf
$this->process_postfix_config('mysql-virtual_relayrecipientmaps.cf');
-
+
//* mysql-virtual_outgoing_bcc.cf
$this->process_postfix_config('mysql-virtual_outgoing_bcc.cf');
@@ -1044,13 +1054,13 @@ class installer_base {
if($conf['postgrey']['installed'] == true) {
$greylisting = ', check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf';
}
-
+
$reject_sender_login_mismatch = '';
if(isset($server_ini_array['mail']['reject_sender_login_mismatch']) && ($server_ini_array['mail']['reject_sender_login_mismatch'] == 'y')) {
$reject_sender_login_mismatch = ', reject_authenticated_sender_login_mismatch';
}
unset($server_ini_array);
-
+
$tmp = str_replace('.','\.',$conf['hostname']);
$postconf_placeholders = array('{config_dir}' => $config_dir,
@@ -1188,7 +1198,7 @@ class installer_base {
caselog($command." &> /dev/null", __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
}
-
+
public function configure_saslauthd() {
global $conf;
@@ -1304,7 +1314,7 @@ class installer_base {
public function configure_dovecot() {
global $conf;
-
+
$virtual_transport = 'dovecot';
$configure_lmtp = false;
@@ -1319,7 +1329,7 @@ class installer_base {
$tmp = $this->db->queryOneRecord("SELECT * FROM ?? WHERE server_id = ?", $conf["mysql"]["database"] . ".server", $conf['server_id']);
$ini_array = ini_to_array(stripslashes($tmp['config']));
// ini_array needs not to be checked, because already done in update.php -> updateDbAndIni()
-
+
if(isset($ini_array['mail']['mailbox_virtual_uidgid_maps']) && $ini_array['mail']['mailbox_virtual_uidgid_maps'] == 'y') {
$virtual_transport = 'lmtp:unix:private/dovecot-lmtp';
$configure_lmtp = true;
@@ -1403,7 +1413,7 @@ class installer_base {
if(version_compare($dovecot_version,2.3) >= 0) {
// Remove deprecated setting(s)
removeLine($config_dir.'/'.$configfile, 'ssl_protocols =');
-
+
// Check if we have a dhparams file and if not, create it
if(!file_exists('/etc/dovecot/dh.pem')) {
swriteln('Creating new DHParams file, this takes several minutes. Do not interrupt the script.');
@@ -1426,7 +1436,7 @@ class installer_base {
$content = str_replace('#2.3+ ','',$content);
file_put_contents($config_dir.'/'.$configfile,$content);
unset($content);
-
+
} else {
// remove settings which are not supported in Dovecot < 2.3
removeLine($config_dir.'/'.$configfile, 'ssl_min_protocol =');
@@ -1470,7 +1480,7 @@ class installer_base {
chmod($config_dir.'/'.$configfile, 0600);
chown($config_dir.'/'.$configfile, 'root');
chgrp($config_dir.'/'.$configfile, 'root');
-
+
// Dovecot shall ignore mounts in website directory
if(is_installed('doveadm')) exec("doveadm mount add '/var/www/*' ignore > /dev/null 2> /dev/null");
@@ -1576,12 +1586,12 @@ class installer_base {
public function configure_rspamd() {
global $conf;
-
+
//* These postconf commands will be executed on installation and update
$server_ini_rec = $this->db->queryOneRecord("SELECT config FROM ?? WHERE server_id = ?", $conf["mysql"]["database"] . '.server', $conf['server_id']);
$server_ini_array = ini_to_array(stripslashes($server_ini_rec['config']));
unset($server_ini_rec);
-
+
$mail_config = $server_ini_array['mail'];
if($mail_config['content_filter'] === 'rspamd') {
exec("postconf -X 'receive_override_options'");
@@ -1603,7 +1613,7 @@ class installer_base {
}
}
exec("postconf -e 'smtpd_recipient_restrictions = ".implode(", ", $new_options)."'");
-
+
}
if(is_user('_rspamd') && is_group('amavis')) {
@@ -1611,7 +1621,7 @@ class installer_base {
} elseif(is_user('rspamd') && is_group('amavis')) {
exec("usermod -G amavis rspamd");
}
-
+
if(!is_dir('/etc/rspamd/local.d/')){
mkdir('/etc/rspamd/local.d/', 0755, true);
}
@@ -1619,7 +1629,7 @@ class installer_base {
if(!is_dir('/etc/rspamd/override.d/')){
mkdir('/etc/rspamd/override.d/', 0755, true);
}
-
+
if ( substr($mail_config['dkim_path'], strlen($mail_config['dkim_path'])-1) == '/' ) {
$mail_config['dkim_path'] = substr($mail_config['dkim_path'], 0, strlen($mail_config['dkim_path'])-1);
}
@@ -1731,17 +1741,17 @@ class installer_base {
wf('/etc/rspamd/local.d/dkim_signing.conf', $tpl->grab());
exec('chmod a+r /etc/rspamd/local.d/* /etc/rspamd/override.d/*');
-
+
$command = 'usermod -a -G amavis _rspamd';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-
+
if(strpos(rf('/etc/rspamd/rspamd.conf'), '.include "$LOCAL_CONFDIR/local.d/users.conf"') === false){
af('/etc/rspamd/rspamd.conf', '.include "$LOCAL_CONFDIR/local.d/users.conf"');
}
-
+
if(!isset($mail_config['rspamd_password']) || !$mail_config['rspamd_password']) {
$mail_config['rspamd_password'] = str_shuffle(bin2hex(openssl_random_pseudo_bytes(12)));
-
+
$server_ini_array['mail']['rspamd_password'] = $mail_config['rspamd_password'];
}
@@ -1753,7 +1763,7 @@ class installer_base {
$this->db->query('UPDATE `server` SET `config` = ? WHERE `server_id` = ?', $server_ini_string, $conf['server_id']);
unset($server_ini_array);
unset($server_ini_string);
-
+
$tpl = new tpl();
$tpl->newTemplate('rspamd_worker-controller.inc.master');
$tpl->setVar('rspamd_password', $mail_config['rspamd_password']);
@@ -1896,14 +1906,14 @@ class installer_base {
}
-
+
//** writes bind configuration files
public function process_bind_file($configfile, $target='/', $absolute=false) {
global $conf;
if ($absolute) $full_file_name = $target.$configfile;
else $full_file_name = $conf['ispconfig_install_dir'].$target.$configfile;
-
+
//* Backup exiting file
if(is_file($full_file_name)) {
copy($full_file_name, $config_dir.$configfile.'~');
@@ -1935,7 +1945,7 @@ class installer_base {
chown($content, $conf['bind']['bind_user']);
chgrp($content, $conf['bind']['bind_group']);
chmod($content, 02770);
-
+
//* Install scripts for dnssec implementation
$this->process_bind_file('named.conf.options', '/etc/bind/', true); //TODO replace hardcoded path
}
@@ -2055,12 +2065,12 @@ class installer_base {
if(is_file('/etc/apache2/ports.conf')) {
// add a line "Listen 443" to ports conf if line does not exist
replaceLine('/etc/apache2/ports.conf', 'Listen 443', 'Listen 443', 1);
-
+
// Comment out the namevirtualhost lines, as they were added by ispconfig in ispconfig.conf file again
replaceLine('/etc/apache2/ports.conf', 'NameVirtualHost *:80', '# NameVirtualHost *:80', 1);
replaceLine('/etc/apache2/ports.conf', 'NameVirtualHost *:443', '# NameVirtualHost *:443', 1);
}
-
+
if(is_file('/etc/apache2/mods-available/fcgid.conf')) {
// add or modify the parameters for fcgid.conf
replaceLine('/etc/apache2/mods-available/fcgid.conf','MaxRequestLen','MaxRequestLen 15728640',1);
@@ -2075,7 +2085,7 @@ class installer_base {
}
}
}
-
+
if(is_file('/etc/apache2/apache2.conf')) {
if(hasLine('/etc/apache2/apache2.conf', 'Include sites-enabled/', 1) == false && hasLine('/etc/apache2/apache2.conf', 'IncludeOptional sites-enabled/', 1) == false) {
if(hasLine('/etc/apache2/apache2.conf', 'Include sites-enabled/*.conf', 1) == true) {
@@ -2092,16 +2102,16 @@ class installer_base {
$tpl = new tpl('apache_ispconfig.conf.master');
$tpl->setVar('apache_version',getapacheversion());
-
+
if($this->is_update == true) {
$tpl->setVar('logging',get_logging_state());
} else {
$tpl->setVar('logging','yes');
}
-
+
$records = $this->db->queryAllRecords("SELECT * FROM ?? WHERE server_id = ? AND virtualhost = 'y'", $conf['mysql']['master_database'] . '.server_ip', $conf['server_id']);
$ip_addresses = array();
-
+
if(is_array($records) && count($records) > 0) {
foreach($records as $rec) {
if($rec['ip_type'] == 'IPv6') {
@@ -2120,9 +2130,9 @@ class installer_base {
}
}
}
-
+
if(count($ip_addresses) > 0) $tpl->setLoop('ip_adresses',$ip_addresses);
-
+
wf($vhost_conf_dir.'/ispconfig.conf', $tpl->grab());
unset($tpl);
@@ -2182,7 +2192,7 @@ class installer_base {
//* add a sshusers group
$command = 'groupadd sshusers';
if(!is_group('sshusers')) caselog($command.' &> /dev/null 2> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-
+
// add anonymized log option to nginxx.conf file
$nginx_conf_file = $conf['nginx']['config_dir'].'/nginx.conf';
if(is_file($nginx_conf_file)) {
@@ -2192,7 +2202,7 @@ class installer_base {
replaceLine($nginx_conf_file, 'http {', "http {\n\n".file_get_contents('tpl/nginx_anonlog.master'), 0, 0);
}
}
-
+
}
public function configure_fail2ban() {
@@ -2352,7 +2362,7 @@ class installer_base {
$vhost_conf_dir = $conf['apache']['vhost_conf_dir'];
$vhost_conf_enabled_dir = $conf['apache']['vhost_conf_enabled_dir'];
$apps_vhost_servername = ($conf['web']['apps_vhost_servername'] == '')?'':'ServerName '.$conf['web']['apps_vhost_servername'];
-
+
//* Get the apps vhost port
if($this->is_update == true) {
$conf['web']['apps_vhost_port'] = get_apps_vhost_port_number();
@@ -2375,7 +2385,7 @@ class installer_base {
if($conf['rspamd']['installed'] == true) {
$tpl->setVar('use_rspamd', 'yes');
}
-
+
// comment out the listen directive if port is 80 or 443
if($conf['web']['apps_vhost_ip'] == 80 or $conf['web']['apps_vhost_ip'] == 443) {
$tpl->setVar('vhost_port_listen','#');
@@ -2398,11 +2408,12 @@ class installer_base {
$content = str_replace('{fastcgi_bin}', $conf['fastcgi']['fastcgi_bin'], $content);
$content = str_replace('{fastcgi_phpini_path}', $conf['fastcgi']['fastcgi_phpini_path'], $content);
mkdir($conf['web']['website_basedir'].'/php-fcgi-scripts/apps', 0755, true);
+ $this->set_immutable($conf['web']['website_basedir'].'/php-fcgi-scripts/apps/.php-fcgi-starter', false);
//copy('tpl/apache_apps_fcgi_starter.master',$conf['web']['website_basedir'].'/php-fcgi-scripts/apps/.php-fcgi-starter');
wf($conf['web']['website_basedir'].'/php-fcgi-scripts/apps/.php-fcgi-starter', $content);
exec('chmod +x '.$conf['web']['website_basedir'].'/php-fcgi-scripts/apps/.php-fcgi-starter');
exec('chown -R ispapps:ispapps '.$conf['web']['website_basedir'].'/php-fcgi-scripts/apps');
-
+ $this->set_immutable($conf['web']['website_basedir'].'/php-fcgi-scripts/apps/.php-fcgi-starter', true);
}
}
if($conf['nginx']['installed'] == true){
@@ -2448,7 +2459,7 @@ class installer_base {
} else {
$content = str_replace('{use_rspamd}', '# ', $content);
}
-
+
$socket_dir = escapeshellcmd($conf['nginx']['php_fpm_socket_dir']);
if(substr($socket_dir, -1) != '/') $socket_dir .= '/';
if(!is_dir($socket_dir)) exec('mkdir -p '.$socket_dir);
@@ -2478,11 +2489,11 @@ class installer_base {
}
$content = str_replace('{use_tcp}', $use_tcp, $content);
$content = str_replace('{use_socket}', $use_socket, $content);
-
+
// SSL in apps vhost is off by default. Might change later.
$content = str_replace('{ssl_on}', '', $content);
$content = str_replace('{ssl_comment}', '#', $content);
-
+
// Fix socket path on PHP 7 systems
if(file_exists('/var/run/php/php7.0-fpm.sock')) $content = str_replace('/var/run/php5-fpm.sock', '/var/run/php/php7.0-fpm.sock', $content);
if(file_exists('/var/run/php/php7.1-fpm.sock')) $content = str_replace('/var/run/php5-fpm.sock', '/var/run/php/php7.1-fpm.sock', $content);
@@ -2534,7 +2545,7 @@ class installer_base {
exec("openssl rsa -passin pass:$ssl_pw -in $ssl_key_file -out $ssl_key_file.insecure");
rename($ssl_key_file, $ssl_key_file.'.secure');
rename($ssl_key_file.'.insecure', $ssl_key_file);
-
+
exec('chown -R root:root /usr/local/ispconfig/interface/ssl');
}
@@ -2564,20 +2575,20 @@ class installer_base {
//* copy the ISPConfig server part
$command = 'cp -rf ../server '.$install_dir;
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-
+
//* Make a backup of the security settings
if(is_file('/usr/local/ispconfig/security/security_settings.ini')) copy('/usr/local/ispconfig/security/security_settings.ini','/usr/local/ispconfig/security/security_settings.ini~');
-
+
//* copy the ISPConfig security part
$command = 'cp -rf ../security '.$install_dir;
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-
+
$configfile = 'security_settings.ini';
if(is_file($install_dir.'/security/'.$configfile)) {
copy($install_dir.'/security/'.$configfile, $install_dir.'/security/'.$configfile.'~');
}
$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/'.$configfile.'.master', 'tpl/'.$configfile.'.master');
- wf($install_dir.'/security/'.$configfile, $content);
+ wf($install_dir.'/security/'.$configfile, $content);
//* Create a symlink, so ISPConfig is accessible via web
// Replaced by a separate vhost definition for port 8080
@@ -2739,15 +2750,15 @@ class installer_base {
//* Chmod the files and directories in the acme dir
$command = 'chmod -R 755 '.$install_dir.'/interface/acme';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-
+
//* chown the server files to the root user and group
$command = 'chown -R root:root '.$install_dir.'/server';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-
+
//* chown the security files to the root user and group
$command = 'chown -R root:root '.$install_dir.'/security';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-
+
//* chown the security directory and security_settings.ini to root:ispconfig
$command = 'chown root:ispconfig '.$install_dir.'/security/security_settings.ini';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
@@ -2761,7 +2772,7 @@ class installer_base {
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
$command = 'chown root:ispconfig '.$install_dir.'/security/nginx_directives.blacklist';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-
+
//* Make the global language file directory group writable
exec("chmod -R 770 $install_dir/interface/lib/lang");
@@ -2812,7 +2823,7 @@ class installer_base {
exec('chmod -R 770 '.escapeshellarg($install_dir.'/interface/invoices'));
exec('chown -R ispconfig:ispconfig '.escapeshellarg($install_dir.'/interface/invoices'));
}
-
+
exec('chown -R root:root /usr/local/ispconfig/interface/ssl');
// TODO: FIXME: add the www-data user to the ispconfig group. This is just for testing
@@ -2870,7 +2881,7 @@ class installer_base {
} else {
$tpl->setVar('ssl_bundle_comment','#');
}
-
+
$tpl->setVar('apache_version',getapacheversion());
wf($vhost_conf_dir.'/ispconfig.vhost', $tpl->grab());
@@ -2887,10 +2898,12 @@ class installer_base {
$content = str_replace('{fastcgi_bin}', $conf['fastcgi']['fastcgi_bin'], $content);
$content = str_replace('{fastcgi_phpini_path}', $conf['fastcgi']['fastcgi_phpini_path'], $content);
@mkdir('/var/www/php-fcgi-scripts/ispconfig', 0755, true);
+ $this->set_immutable('/var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter', false);
wf('/var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter', $content);
exec('chmod +x /var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter');
@symlink($install_dir.'/interface/web', '/var/www/ispconfig');
exec('chown -R ispconfig:ispconfig /var/www/php-fcgi-scripts/ispconfig');
+ $this->set_immutable('/var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter', true);
//}
}
@@ -3009,16 +3022,16 @@ class installer_base {
//* Remove Domain module as its functions are available in the client module now
if(@is_dir('/usr/local/ispconfig/interface/web/domain')) exec('rm -rf /usr/local/ispconfig/interface/web/domain');
-
+
//* Disable rkhunter run and update in debian cronjob as ispconfig is running and updating rkhunter
if(is_file('/etc/default/rkhunter')) {
replaceLine('/etc/default/rkhunter', 'CRON_DAILY_RUN="yes"', 'CRON_DAILY_RUN="no"', 1, 0);
replaceLine('/etc/default/rkhunter', 'CRON_DB_UPDATE="yes"', 'CRON_DB_UPDATE="no"', 1, 0);
}
-
+
// Add symlink for patch tool
if(!is_link('/usr/local/bin/ispconfig_patch')) exec('ln -s /usr/local/ispconfig/server/scripts/ispconfig_patch /usr/local/bin/ispconfig_patch');
-
+
// Change mode of a few files from amavisd
if(is_file($conf['amavis']['config_dir'].'/conf.d/50-user')) chmod($conf['amavis']['config_dir'].'/conf.d/50-user', 0640);
if(is_file($conf['amavis']['config_dir'].'/50-user~')) chmod($conf['amavis']['config_dir'].'/50-user~', 0400);
@@ -3112,12 +3125,12 @@ class installer_base {
chmod($conf['ispconfig_log_dir'].'/cron.log', 0660);
}
-
+
public function create_mount_script(){
global $app, $conf;
$mount_script = '/usr/local/ispconfig/server/scripts/backup_dir_mount.sh';
$mount_command = '';
-
+
if(is_file($mount_script)) return;
if(is_file('/etc/rc.local')){
$rc_local = file('/etc/rc.local');
@@ -3138,25 +3151,25 @@ class installer_base {
}
}
}
-
+
// This function is called at the end of the update process and contains code to clean up parts of old ISPCONfig releases
public function cleanup_ispconfig() {
global $app,$conf;
-
+
// Remove directories recursively
if(is_dir('/usr/local/ispconfig/interface/web/designer')) exec('rm -rf /usr/local/ispconfig/interface/web/designer');
if(is_dir('/usr/local/ispconfig/interface/web/themes/default-304')) exec('rm -rf /usr/local/ispconfig/interface/web/themes/default-304');
-
+
// Remove files
if(is_file('/usr/local/ispconfig/interface/lib/classes/db_firebird.inc.php')) unlink('/usr/local/ispconfig/interface/lib/classes/db_firebird.inc.php');
if(is_file('/usr/local/ispconfig/interface/lib/classes/form.inc.php')) unlink('/usr/local/ispconfig/interface/lib/classes/form.inc.php');
-
+
// Change mode of a few files from amavisd
if(is_file($conf['amavis']['config_dir'].'/conf.d/50-user')) chmod($conf['amavis']['config_dir'].'/conf.d/50-user', 0640);
if(is_file($conf['amavis']['config_dir'].'/50-user~')) chmod($conf['amavis']['config_dir'].'/50-user~', 0400);
if(is_file($conf['amavis']['config_dir'].'/amavisd.conf')) chmod($conf['amavis']['config_dir'].'/amavisd.conf', 0640);
if(is_file($conf['amavis']['config_dir'].'/amavisd.conf~')) chmod($conf['amavis']['config_dir'].'/amavisd.conf~', 0400);
-
+
}
public function getinitcommand($servicename, $action, $init_script_directory = ''){
@@ -3246,7 +3259,7 @@ class installer_base {
wf($tConf, $tContents); // write file
if (func_num_args() >= 4) // override rights and/or ownership
{
-
+
$output = array_slice($args, 2);
switch (sizeof($output)) {
diff --git a/install/uninstall.php b/install/uninstall.php
index c565d4653d71c2667dfc6c8e6cef70fcfb502450..fdac79d61ec3800f994e8e2e4014ca5e86960399 100644
--- a/install/uninstall.php
+++ b/install/uninstall.php
@@ -70,31 +70,32 @@ if($do_uninstall == 'yes') {
if (!$result) echo "Unable to remove the ispconfig-database-user ".$conf['db_user']." ".mysqli_error($link)."\n";
}
mysqli_close($link);
-
+
// Deleting the symlink in /var/www
// Apache
@unlink("/etc/apache2/sites-enabled/000-ispconfig.vhost");
@unlink("/etc/apache2/sites-available/ispconfig.vhost");
@unlink("/etc/apache2/sites-enabled/000-apps.vhost");
@unlink("/etc/apache2/sites-available/apps.vhost");
-
+
// nginx
@unlink("/etc/nginx/sites-enabled/000-ispconfig.vhost");
@unlink("/etc/nginx/sites-available/ispconfig.vhost");
@unlink("/etc/nginx/sites-enabled/000-apps.vhost");
@unlink("/etc/nginx/sites-available/apps.vhost");
-
+
// Delete the ispconfig files
exec('rm -rf /usr/local/ispconfig');
-
+
// Delete various other files
@unlink("/usr/local/bin/ispconfig_update.sh");
@unlink("/usr/local/bin/ispconfig_update_from_svn.sh");
@unlink("/var/spool/mail/ispconfig");
@unlink("/var/www/ispconfig");
- @unlink("/var/www/php-fcgi-scripts/ispconfig");
+ @exec('chattr -i /var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter');
@unlink("/var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter");
-
+ @unlink("/var/www/php-fcgi-scripts/ispconfig");
+
echo "Backups in /var/backup/ and log files in /var/log/ispconfig are not deleted.";
echo "Finished uninstalling.\n";
diff --git a/server/lib/classes/system.inc.php b/server/lib/classes/system.inc.php
index 078c225c107b99f463f58a79dce0ab243b35ef47..0556578a963ad217dff169d260d176f469a2e4d3 100644
--- a/server/lib/classes/system.inc.php
+++ b/server/lib/classes/system.inc.php
@@ -36,10 +36,10 @@ class system{
var $data;
var $min_uid = 500;
var $min_gid = 500;
-
+
private $_last_exec_out = null;
private $_last_exec_retcode = null;
-
+
/**
* Construct for this class
*
@@ -872,7 +872,7 @@ class system{
$app->log("Action aborted, file is a symlink: $filename", LOGLEVEL_WARN);
return false;
}
-
+
if($run_as_user !== null && $run_as_user !== 'root') {
if(!$this->check_run_as_user($run_as_user)) {
$app->log("Action aborted, invalid run-as-user: $run_as_user", LOGLEVEL_WARN);
@@ -1657,7 +1657,7 @@ class system{
function maildirmake($maildir_path, $user = '', $subfolder = '', $group = '') {
global $app, $conf;
-
+
// load the server configuration options
$app->uses("getconf");
$mail_config = $app->getconf->get_server_config($conf["server_id"], 'mail');
@@ -1678,7 +1678,7 @@ class system{
if($group != '' && $group != 'root' && $this->is_group($group)) {
if(is_dir($dir)) $this->chgrp($dir, $group);
-
+
$chgrp_mdsub = true;
}
@@ -1694,7 +1694,7 @@ class system{
//* Add the subfolder to the subscriptions and courierimapsubscribed files
if($subfolder != '') {
-
+
// Courier
if($mail_config['pop3_imap_daemon'] == 'courier') {
if(!is_file($maildir_path.'/courierimapsubscribed')) {
@@ -1741,7 +1741,7 @@ class system{
}
}
-
+
function _exec($command, $allow_return_codes = null) {
global $app;
$out = array();
@@ -1765,6 +1765,28 @@ class system{
}
}
+ function set_immutable($path, $enable = true, $recursive = false) {
+ global $app;
+
+ if($this->checkpath($path) == false) {
+ $app->log("Action aborted, target is a symlink: $path", LOGLEVEL_DEBUG);
+ return false;
+ }
+
+ if($path != '' && $path != '/' && strlen($path) > 6 && strpos($path, '..') === false && (is_file($path) || is_dir($path))) {
+ if($enable) {
+ $this->exec_safe('chattr +i ?', $path);
+ } else {
+ $this->exec_safe('chattr -i ?', $path);
+ }
+
+ if($enable === false && $recursive === true && is_dir($path)) {
+ // only allow when removing immutable
+ $this->exec_safe('chattr -R -i ?', $path);
+ }
+ }
+ }
+
function web_folder_protection($document_root, $protect) {
global $app, $conf;
@@ -1902,9 +1924,9 @@ class system{
function mount_backup_dir($backup_dir, $mount_cmd = '/usr/local/ispconfig/server/scripts/backup_dir_mount.sh'){
global $app, $conf;
-
+
if($this->is_mounted($backup_dir)) return true;
-
+
$mounted = true;
if ( is_file($mount_cmd) &&
is_executable($mount_cmd) &&
@@ -2000,7 +2022,7 @@ class system{
function getapacheversion($get_minor = false) {
global $app;
-
+
$cmd = '';
if($this->is_installed('apache2ctl')) $cmd = 'apache2ctl -v';
elseif($this->is_installed('apachectl')) $cmd = 'apachectl -v';
@@ -2008,13 +2030,13 @@ class system{
$app->log("Could not check apache version, apachectl not found.", LOGLEVEL_DEBUG);
return '2.2';
}
-
+
exec($cmd, $output, $return_var);
if($return_var != 0 || !$output[0]) {
$app->log("Could not check apache version, apachectl did not return any data.", LOGLEVEL_WARN);
return '2.2';
}
-
+
if(preg_match('/version:\s*Apache\/(\d+)(\.(\d+)(\.(\d+))*)?(\D|$)/i', $output[0], $matches)) {
return $matches[1] . (isset($matches[3]) ? '.' . $matches[3] : '') . (isset($matches[5]) && $get_minor == true ? '.' . $matches[5] : '');
} else {
@@ -2025,7 +2047,7 @@ class system{
function getapachemodules() {
global $app;
-
+
$cmd = '';
if($this->is_installed('apache2ctl')) $cmd = 'apache2ctl -t -D DUMP_MODULES';
elseif($this->is_installed('apachectl')) $cmd = 'apachectl -t -D DUMP_MODULES';
@@ -2033,23 +2055,23 @@ class system{
$app->log("Could not check apache modules, apachectl not found.", LOGLEVEL_WARN);
return array();
}
-
+
exec($cmd . ' 2>/dev/null', $output, $return_var);
if($return_var != 0 || !$output[0]) {
$app->log("Could not check apache modules, apachectl did not return any data.", LOGLEVEL_WARN);
return array();
}
-
+
$modules = array();
for($i = 0; $i < count($output); $i++) {
if(preg_match('/^\s*(\w+)\s+\((shared|static)\)\s*$/', $output[$i], $matches)) {
$modules[] = $matches[1];
}
}
-
+
return $modules;
}
-
+
//* ISPConfig mail function
public function mail($to, $subject, $text, $from, $filepath = '', $filetype = 'application/pdf', $filename = '', $cc = '', $bcc = '', $from_name = '') {
global $app, $conf;
@@ -2076,51 +2098,51 @@ class system{
$app->ispcmail->send($to);
$app->ispcmail->finish();
-
+
return true;
}
-
+
public function is_allowed_user($username, $check_id = true, $restrict_names = false) {
global $app;
-
+
$name_blacklist = array('root','ispconfig','vmail','getmail');
if(in_array($username,$name_blacklist)) return false;
-
+
if(preg_match('/^[a-zA-Z0-9\.\-_]{1,32}$/', $username) == false) return false;
-
+
if($check_id && intval($this->getuid($username)) < $this->min_uid) return false;
-
+
if($restrict_names == true && preg_match('/^web\d+$/', $username) == false) return false;
-
+
return true;
}
-
+
public function is_allowed_group($groupname, $check_id = true, $restrict_names = false) {
global $app;
-
+
$name_blacklist = array('root','ispconfig','vmail','getmail');
if(in_array($groupname,$name_blacklist)) return false;
-
+
if(preg_match('/^[a-zA-Z0-9\.\-_]{1,32}$/', $groupname) == false) return false;
-
+
if($check_id && intval($this->getgid($groupname)) < $this->min_gid) return false;
-
+
if($restrict_names == true && preg_match('/^client\d+$/', $groupname) == false) return false;
-
+
return true;
}
-
+
public function last_exec_out() {
return $this->_last_exec_out;
}
-
+
public function last_exec_retcode() {
return $this->_last_exec_retcode;
}
-
+
public function exec_safe($cmd) {
global $app;
-
+
$args = func_get_args();
$arg_count = func_num_args();
if($arg_count != substr_count($cmd, '?') + 1) {
@@ -2134,7 +2156,7 @@ class system{
$a = 0;
foreach($args as $value) {
$a++;
-
+
$pos = strpos($cmd, '?', $pos);
if($pos === false) {
break;
@@ -2144,21 +2166,21 @@ class system{
$pos += strlen($value);
}
}
-
+
$this->_last_exec_out = null;
$this->_last_exec_retcode = null;
$ret = exec($cmd, $this->_last_exec_out, $this->_last_exec_retcode);
-
+
$app->log("safe_exec cmd: " . $cmd . " - return code: " . $this->_last_exec_retcode, LOGLEVEL_DEBUG);
-
+
return $ret;
}
-
+
public function system_safe($cmd) {
call_user_func_array(array($this, 'exec_safe'), func_get_args());
return implode("\n", $this->_last_exec_out);
}
-
+
public function create_jailkit_user($username, $home_dir, $user_home_dir, $shell = '/bin/bash', $p_user = null, $p_user_home_dir = null) {
// Check if USERHOMEDIR already exists
if(!is_dir($home_dir . '/.' . $user_home_dir)) {
@@ -2178,10 +2200,10 @@ class system{
$cmd = 'usermod --home=? ? 2>/dev/null';
$this->exec_safe($cmd, $home_dir . '/.' . $p_user_home_dir, $p_user);
}
-
+
return true;
}
-
+
public function create_jailkit_programs($home_dir, $programs = array()) {
if(empty($programs)) {
return true;
@@ -2192,20 +2214,20 @@ class system{
foreach($programs as $prog) {
$program_args .= ' ' . escapeshellarg($prog);
}
-
+
$cmd = 'jk_cp -k ?' . $program_args;
$this->exec_safe($cmd, $home_dir);
-
+
return true;
}
-
+
public function create_jailkit_chroot($home_dir, $app_sections = array()) {
if(empty($app_sections)) {
return true;
} elseif(is_string($app_sections)) {
$app_sections = preg_split('/[\s,]+/', $app_sections);
}
-
+
// Change ownership of the chroot directory to root
$this->chown($home_dir, 'root');
$this->chgrp($home_dir, 'root');
@@ -2214,7 +2236,7 @@ class system{
foreach($app_sections as $app_section) {
$app_args .= ' ' . escapeshellarg($app_section);
}
-
+
// Initialize the chroot into the specified directory with the specified applications
$cmd = 'jk_init -f -k -c /etc/jailkit/jk_init.ini -j ?' . $app_args;
$this->exec_safe($cmd, $home_dir);
@@ -2231,47 +2253,47 @@ class system{
// mysql needs the socket in the chrooted environment
$this->mkdirpath($home_dir . '/var/run/mysqld');
-
+
// ln /var/run/mysqld/mysqld.sock $CHROOT_HOMEDIR/var/run/mysqld/mysqld.sock
if(!file_exists("/var/run/mysqld/mysqld.sock")) {
$this->exec_safe('ln ? ?', '/var/run/mysqld/mysqld.sock', $home_dir . '/var/run/mysqld/mysqld.sock');
}
-
+
return true;
}
-
-
+
+
public function pipe_exec($cmd, $stdin, &$retval = null, &$stderr = null) {
$descriptors = array(
0 => array('pipe', 'r'),
1 => array('pipe', 'w'),
2 => array('pipe', 'w')
);
-
+
$result = '';
$pipes = null;
$proc = proc_open($cmd, $descriptors, $pipes);
if(is_resource($proc)) {
fwrite($pipes[0], $stdin);
fclose($pipes[0]);
-
+
$result = stream_get_contents($pipes[1]);
$stderr = stream_get_contents($pipes[2]);
fclose($pipes[1]);
fclose($pipes[2]);
-
+
$retval = proc_close($proc);
-
+
return $result;
} else {
return false;
}
}
-
+
private function get_sudo_command($cmd, $run_as_user) {
return 'sudo -u ' . escapeshellarg($run_as_user) . ' sh -c ' . escapeshellarg($cmd);
}
-
+
private function check_run_as_user($username) {
if(preg_match('/^[a-zA-Z0-9_\-]+$/', $username)) {
return true;
diff --git a/server/plugins-available/apache2_plugin.inc.php b/server/plugins-available/apache2_plugin.inc.php
index b969882f2b2edf294a0c6adf5902a97826793c39..61116d00411fcc97e4ea76936991b61e8abdc71e 100644
--- a/server/plugins-available/apache2_plugin.inc.php
+++ b/server/plugins-available/apache2_plugin.inc.php
@@ -1497,6 +1497,7 @@ class apache2_plugin {
$fcgi_tpl->setVar('open_basedir', $php_open_basedir);
$fcgi_starter_script = $fastcgi_starter_path.$fastcgi_config['fastcgi_starter_script'].(($data['new']['type'] == 'vhostsubdomain' || $data['new']['type'] == 'vhostalias') ? '_web' . $data['new']['domain_id'] : '');
+ $app->system->set_immutable($fcgi_starter_script, false);
$app->system->file_put_contents($fcgi_starter_script, $fcgi_tpl->grab());
unset($fcgi_tpl);
@@ -1509,6 +1510,7 @@ class apache2_plugin {
}
$app->system->chown($fcgi_starter_script, $data['new']['system_user']);
$app->system->chgrp($fcgi_starter_script, $data['new']['system_group']);
+ $app->system->set_immutable($fcgi_starter_script, true);
$tpl->setVar('fastcgi_alias', $fastcgi_config['fastcgi_alias']);
$tpl->setVar('fastcgi_starter_path', $fastcgi_starter_path);
@@ -1522,6 +1524,7 @@ class apache2_plugin {
if ($data['old']['php'] == 'fast-cgi') {
$fastcgi_starter_path = str_replace('[system_user]', $data['old']['system_user'], $fastcgi_config['fastcgi_starter_path']);
$fastcgi_starter_path = str_replace('[client_id]', $client_id, $fastcgi_starter_path);
+ $app->system->set_immutable($fastcgi_starter_path, false, true);
if($data['old']['type'] == 'vhost') {
if(is_file($fastcgi_starter_script)) @unlink($fastcgi_starter_script);
if (is_dir($fastcgi_starter_path)) @rmdir($fastcgi_starter_path);
@@ -1633,6 +1636,7 @@ class apache2_plugin {
}
$cgi_starter_script = $cgi_starter_path.$cgi_config['cgi_starter_script'].(($data['new']['type'] == 'vhostsubdomain' || $data['new']['type'] == 'vhostalias') ? '_web' . $data['new']['domain_id'] : '');
+ $app->system->set_immutable($cgi_starter_script, false);
$app->system->file_put_contents($cgi_starter_script, $cgi_tpl->grab());
unset($cgi_tpl);
@@ -1646,6 +1650,7 @@ class apache2_plugin {
}
$app->system->chown($cgi_starter_script, $data['new']['system_user']);
$app->system->chgrp($cgi_starter_script, $data['new']['system_group']);
+ $app->system->set_immutable($cgi_starter_script, true);
$tpl->setVar('cgi_starter_path', $cgi_starter_path);
$tpl->setVar('cgi_starter_script', $cgi_config['cgi_starter_script'].(($data['new']['type'] == 'vhostsubdomain' || $data['new']['type'] == 'vhostalias') ? '_web' . $data['new']['domain_id'] : ''));
@@ -2175,11 +2180,13 @@ class apache2_plugin {
$fastcgi_starter_path = str_replace('[system_user]', $data['old']['system_user'], $fastcgi_config['fastcgi_starter_path']);
if($data['old']['type'] == 'vhost') {
if (is_dir($fastcgi_starter_path)) {
+ $app->system->set_immutable($fastcgi_starter_path, false, true);
$app->system->exec_safe('rm -rf ?', $fastcgi_starter_path);
}
} else {
$fcgi_starter_script = $fastcgi_starter_path.$fastcgi_config['fastcgi_starter_script'].'_web'.$data['old']['domain_id'];
if (file_exists($fcgi_starter_script)) {
+ $app->system->set_immutable($fcgi_starter_script, false);
$app->system->exec_safe('rm -f ?', $fcgi_starter_script);
}
}
@@ -2200,11 +2207,13 @@ class apache2_plugin {
$cgi_starter_path = str_replace('[system_user]', $data['old']['system_user'], $web_config['cgi_starter_path']);
if($data['old']['type'] == 'vhost') {
if (is_dir($cgi_starter_path)) {
+ $app->system->set_immutable($cgi_starter_path, false, true);
$app->system->exec_safe('rm -rf ?', $cgi_starter_path);
}
} else {
$cgi_starter_script = $cgi_starter_path.'php-cgi-starter_web'.$data['old']['domain_id'];
if (file_exists($cgi_starter_script)) {
+ $app->system->set_immutable($cgi_starter_script, false);
$app->system->exec_safe('rm -f ?', $cgi_starter_script);
}
}
diff --git a/server/plugins-available/nginx_plugin.inc.php b/server/plugins-available/nginx_plugin.inc.php
index b57d38516e993febb8f7b66ef556d5f4591ae3f5..51f566a00c6f6574be20f90f1f2d634cee43e036 100644
--- a/server/plugins-available/nginx_plugin.inc.php
+++ b/server/plugins-available/nginx_plugin.inc.php
@@ -2196,11 +2196,13 @@ class nginx_plugin {
$fastcgi_starter_path = str_replace('[system_user]', $data['old']['system_user'], $web_config['fastcgi_starter_path']);
if($data['old']['type'] == 'vhost') {
if (is_dir($fastcgi_starter_path)) {
+ $app->system->set_immutable($fastcgi_starter_path, false, true);
$app->system->exec_safe('rm -rf ?', $fastcgi_starter_path);
}
} else {
$fcgi_starter_script = $fastcgi_starter_path.$web_config['fastcgi_starter_script'].'_web'.$data['old']['domain_id'];
if (file_exists($fcgi_starter_script)) {
+ $app->system->set_immutable($fcgi_starter_script, false);
$app->system->exec_safe('rm -f ?', $fcgi_starter_script);
}
}
@@ -2222,11 +2224,13 @@ class nginx_plugin {
$cgi_starter_path = str_replace('[system_user]', $data['old']['system_user'], $web_config['cgi_starter_path']);
if($data['old']['type'] == 'vhost') {
if (is_dir($cgi_starter_path)) {
+ $app->system->set_immutable($cgi_starter_path, false, true);
$app->system->exec_safe('rm -rf ?', $cgi_starter_path);
}
} else {
$cgi_starter_script = $cgi_starter_path.'php-cgi-starter_web'.$data['old']['domain_id'];
if (file_exists($cgi_starter_script)) {
+ $app->system->set_immutable($cgi_starter_script, false);
$app->system->exec_safe('rm -f ?', $cgi_starter_script);
}
}