From e98a15838d8aed330ac7b1bb373b54524ea2a269 Mon Sep 17 00:00:00 2001 From: Till Brehm Date: Fri, 1 Aug 2014 11:47:00 +0200 Subject: [PATCH] Improved input validation for settings that are accessible by the admin user. --- .../lib/classes/validate_systemuser.inc.php | 64 ++++ .../web/admin/form/server_config.tform.php | 353 +++++++++++++----- .../web/admin/lib/lang/en_server_config.lng | 50 +++ interface/web/sites/form/ftp_user.tform.php | 14 + interface/web/sites/form/shell_user.tform.php | 14 + interface/web/sites/ftp_user_edit.php | 8 - interface/web/sites/shell_user_edit.php | 7 - .../web/sites/web_vhost_subdomain_edit.php | 2 + 8 files changed, 407 insertions(+), 105 deletions(-) create mode 100644 interface/lib/classes/validate_systemuser.inc.php diff --git a/interface/lib/classes/validate_systemuser.inc.php b/interface/lib/classes/validate_systemuser.inc.php new file mode 100644 index 0000000000..f1bbd2bb39 --- /dev/null +++ b/interface/lib/classes/validate_systemuser.inc.php @@ -0,0 +1,64 @@ +functions->is_allowed_user(trim(strtolower($field_value)),$check_names) == false) { + return $app->tform->wordbook[$errmsg]."
\r\n"; + } + } + + /* + Validator function to check if a given group is ok. + */ + function check_sysgroup($field_name, $field_value, $validator) { + global $app; + + $errmsg = $validator['errmsg']; + $check_names = (isset($validator['check_names']) && $validator['check_names'] == true)?true:false; + + if($app->functions->is_allowed_group(trim(strtolower($field_value)),$check_names) == false) { + return $app->tform->wordbook[$errmsg]."
\r\n"; + } + } + + + + +} diff --git a/interface/web/admin/form/server_config.tform.php b/interface/web/admin/form/server_config.tform.php index 4fa71790cb..01ac5681d9 100644 --- a/interface/web/admin/form/server_config.tform.php +++ b/interface/web/admin/form/server_config.tform.php @@ -167,8 +167,11 @@ $form["tabs"]['server'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '/var/backup', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'backup_dir_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'backup_dir_error_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^\/[a-zA-Z0-9\.\-\_\/]{5,128}$/', + 'errmsg'=> 'backup_dir_error_regex'), ), 'value' => '', 'width' => '40', @@ -274,8 +277,11 @@ $form["tabs"]['mail'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '/home/vmail/[domain]/[localpart]/', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'maildir_path_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'maildir_path_error_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^\/[a-zA-Z0-9\.\-\_\/\[\]]{5,128}$/', + 'errmsg'=> 'maildir_path_error_regex'), ), 'value' => '', 'width' => '40', @@ -285,8 +291,11 @@ $form["tabs"]['mail'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '/home/vmail/', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'homedir_path_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'homedir_path_error_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^\/[a-zA-Z0-9\.\-\_\/]{5,128}$/', + 'errmsg'=> 'homedir_path_error_regex'), ), 'value' => '', 'width' => '40', 
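Review bot: In check_sysgroup (and the visible tail of check_sysuser, whose head is cut off in this hunk) the name is tested only after `trim(strtolower($field_value))`, but the validator returns nothing on success and cannot rewrite the field, so the record keeps the untrimmed, original-case string and the value that passed the check is not necessarily the value that gets stored. Either validate the raw `$field_value` or normalize the field in the form action as well, so the two agree. `== false` also accepts any falsy return from `is_allowed_group`; if that helper returns a bool, `=== false` states the intent. The `check_names` option is read from the validator array with no explanation of what it switches on; a comment such as `// check_names: forwarded as the second argument of functions->is_allowed_group(); see that helper for what it enables` next to the `$check_names` line would save the next form author a lookup.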
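Review bot: The path pattern `'/^\/[a-zA-Z0-9\.\-\_\/]{5,128}$/'` added to backup_dir allows `.` and `/` in any order, so `..` segments and doubled slashes pass, which defeats part of the point of whitelisting a directory that the server side presumably uses in file operations. If the intent is a canonical absolute path, reject such segments, e.g. `'regex' => '/^\/(?!(.*\/)?\.\.(\/|$))[a-zA-Z0-9\.\-\_\/]{5,128}$/'`. The same character class is pasted into every path field in this file (maildir_path, homedir_path, getmail_config_dir, website_basedir, website_path, website_symlinks, the vhost/nginx conf dirs, CA_path, the php_ini and php_fpm paths, php_open_basedir, awstats, the bind/named paths, fastcgi, jailkit, vlogger, crontab_dir, cron_wget), so the fix belongs in one shared pattern constant rather than in thirty literals. CA_path additionally drops the leading `\/` and so accepts a relative path, unlike every sibling. The `$form` array starts and ends outside this hunk.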
@@ -308,8 +317,11 @@ $form["tabs"]['mail'] = array( 'datatype' => 'INTEGER', 'formtype' => 'TEXT', 'default' => '5000', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'mailuser_uid_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'mailuser_uid_error_empty'), + 1 => array('type' => 'RANGE', + 'range' => '1999:', + 'errmsg' => 'mailuser_uid_error_range'), ), 'value' => '', 'width' => '10', @@ -319,8 +331,11 @@ $form["tabs"]['mail'] = array( 'datatype' => 'INTEGER', 'formtype' => 'TEXT', 'default' => '5000', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'mailuser_gid_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'mailuser_gid_error_empty'), + 1 => array('type' => 'RANGE', + 'range' => '1999:', + 'errmsg' => 'mailuser_gid_error_range'), ), 'value' => '', 'width' => '10', @@ -330,8 +345,11 @@ $form["tabs"]['mail'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => 'vmail', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'mailuser_name_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'mailuser_name_error_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^(?!ispconfig|root)([a-zA-Z0-9]{1,20})$/', + 'errmsg'=> 'mailuser_name_error_regex'), ), 'value' => '', 'width' => '10', @@ -341,8 +359,11 @@ $form["tabs"]['mail'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => 'vmail', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'mailuser_group_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'mailuser_group_error_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^(?!ispconfig|root)([a-zA-Z0-9]{1,20})$/', + 'errmsg'=> 'mailuser_group_name_error_regex'), ), 'value' => '', 'width' => '10', 
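Review bot: The lookahead in `'/^(?!ispconfig|root)([a-zA-Z0-9]{1,20})$/'` on mailuser_name (and mailuser_group in the same line) is not anchored to the end of the string, so it rejects every name that merely begins with `root` or `ispconfig` rather than those two names, while still letting any other privileged account through — a weaker rule than the validate_systemuser CUSTOM validator this commit applies to apache_user and nginx_user. If only the exact names are meant to be excluded, `'/^(?!(ispconfig|root)$)[a-zA-Z0-9]{1,20}$/'` does that; if the policy should match the web server account fields, reuse the CUSTOM validator instead of a second regex. Separately, the RANGE validators for mailuser_uid/gid use `'range' => '1999:'` while the language entries added below say the value must be `>= 2000`; whether 1999 itself is accepted depends on the RANGE implementation, which is not in this diff, so align the literal with the message.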
@@ -450,8 +471,11 @@ $form["tabs"]['getmail'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'getmail_config_dir_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'getmail_config_dir_error_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^\/[a-zA-Z0-9\.\-\_\/]{5,128}$/', + 'errmsg'=> 'getmail_config_dir_error_regex'), ), 'value' => '', 'width' => '40', @@ -481,8 +505,11 @@ $form["tabs"]['web'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'website_basedir_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'website_basedir_error_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^\/[a-zA-Z0-9\.\-\_\/]{5,128}$/', + 'errmsg'=> 'website_basedir_error_regex'), ), 'value' => '', 'width' => '40', @@ -492,8 +519,11 @@ $form["tabs"]['web'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'website_path_error_empty'), + 'validators' => array( 0 => array( 'type' => 'NOTEMPTY', + 'errmsg' => 'website_path_error_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^\/[a-zA-Z0-9\.\-\_\/\[\]]{5,128}$/', + 'errmsg'=> 'website_path_error_regex'), ), 'value' => '', 'width' => '40', @@ -503,8 +533,11 @@ $form["tabs"]['web'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'website_symlinks_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'website_symlinks_error_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^\/[a-zA-Z0-9\.\-\_\/\[\]\:]{5,128}$/', + 'errmsg'=> 'website_symlinks_error_regex'), ), 'value' => '', 'width' => '40', 
@@ -536,8 +569,11 @@ $form["tabs"]['web'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'vhost_conf_dir_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'vhost_conf_dir_error_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^\/[a-zA-Z0-9\.\-\_\/]{5,128}$/', + 'errmsg'=> 'vhost_conf_dir_error_regex'), ), 'value' => '', 'width' => '40', @@ -547,8 +583,11 @@ $form["tabs"]['web'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'vhost_conf_enabled_dir_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'vhost_conf_enabled_dir_error_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^\/[a-zA-Z0-9\.\-\_\/]{5,128}$/', + 'errmsg'=> 'vhost_conf_enabled_dir_error_regex'), ), 'value' => '', 'width' => '40', @@ -558,8 +597,11 @@ $form["tabs"]['web'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'nginx_vhost_conf_dir_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'nginx_vhost_conf_dir_error_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^\/[a-zA-Z0-9\.\-\_\/]{5,128}$/', + 'errmsg'=> 'nginx_vhost_conf_dir_error_regex'), ), 'value' => '', 'width' => '40', 
@@ -569,8 +611,11 @@ $form["tabs"]['web'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'nginx_vhost_conf_enabled_dir_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'nginx_vhost_conf_enabled_dir_error_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^\/[a-zA-Z0-9\.\-\_\/]{5,128}$/', + 'errmsg'=> 'nginx_vhost_conf_enabled_dir_error_regex'), ), 'value' => '', 'width' => '40', @@ -579,6 +624,10 @@ $form["tabs"]['web'] = array( 'CA_path' => array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'validators' => array( 0 => array ( 'type' => 'REGEX', + 'regex' => '/^[a-zA-Z0-9\.\-\_\/]{0,128}$/', + 'errmsg'=> 'ca_path_error_regex'), + ), 'default' => '', 'value' => '', 'width' => '40', @@ -678,6 +727,13 @@ $form["tabs"]['web'] = array( 'default' => '', 'validators' => array(0 => array('type' => 'NOTEMPTY', 'errmsg' => 'apache_user_error_empty'), + 1 => array( + 'type' => 'CUSTOM', + 'class' => 'validate_systemuser', + 'function' => 'check_sysuser', + 'check_names' => false, + 'errmsg' => 'invalid_apache_user_txt' + ), ), 'value' => '', 'width' => '40', @@ -689,6 +745,13 @@ $form["tabs"]['web'] = array( 'default' => '', 'validators' => array(0 => array('type' => 'NOTEMPTY', 'errmsg' => 'apache_group_error_empty'), + 1 => array( + 'type' => 'CUSTOM', + 'class' => 'validate_systemuser', + 'function' => 'check_sysgroup', + 'check_names' => false, + 'errmsg' => 'invalid_apache_group_txt' + ), ), 'value' => '', 'width' => '40', 
@@ -715,8 +778,15 @@ $form["tabs"]['web'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'nginx_user_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'nginx_user_error_empty'), + 1 => array( + 'type' => 'CUSTOM', + 'class' => 'validate_systemuser', + 'function' => 'check_sysuser', + 'check_names' => false, + 'errmsg' => 'invalid_nginx_user_txt' + ), ), 'value' => '', 'width' => '40', @@ -726,8 +796,15 @@ $form["tabs"]['web'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'nginx_group_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'nginx_group_error_empty'), + 1 => array( + 'type' => 'CUSTOM', + 'class' => 'validate_systemuser', + 'function' => 'check_sysgroup', + 'check_names' => false, + 'errmsg' => 'invalid_nginx_group_txt' + ), ), 'value' => '', 'width' => '40', @@ -737,8 +814,11 @@ $form["tabs"]['web'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'php_ini_path_apache_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'php_ini_path_apache_error_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^\/[a-zA-Z0-9\.\-\_\/]{5,128}$/', + 'errmsg'=> 'php_ini_path_apache_error_regex'), ), 'value' => '', 'width' => '40', 
@@ -748,8 +828,11 @@ $form["tabs"]['web'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'php_ini_path_cgi_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'php_ini_path_cgi_error_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^\/[a-zA-Z0-9\.\-\_\/]{5,128}$/', + 'errmsg'=> 'php_ini_path_cgi_error_regex'), ), 'value' => '', 'width' => '40', @@ -759,8 +842,11 @@ $form["tabs"]['web'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'php_fpm_init_script_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'php_fpm_init_script_error_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^[a-zA-Z0-9\.\-\_]{1,128}$/', + 'errmsg'=> 'php_fpm_init_script_error_regex'), ), 'value' => '', 'width' => '40', @@ -770,8 +856,11 @@ $form["tabs"]['web'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'php_fpm_ini_path_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'php_fpm_ini_path_error_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^\/[a-zA-Z0-9\.\-\_\/]{5,128}$/', + 'errmsg'=> 'php_fpm_ini_path_error_regex'), ), 'value' => '', 'width' => '40', @@ -781,8 +870,11 @@ $form["tabs"]['web'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'php_fpm_pool_dir_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'php_fpm_pool_dir_error_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^\/[a-zA-Z0-9\.\-\_\/]{5,128}$/', + 'errmsg'=> 'php_fpm_pool_dir_error_regex'), ), 'value' => '', 'width' => '40', 
@@ -792,7 +884,7 @@ $form["tabs"]['web'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '', - 'validators' => array(0 => array('type' => 'NOTEMPTY', + 'validators' => array(0 => array('type' => 'ISPOSITIVE', 'errmsg' => 'php_fpm_start_port_error_empty'), ), 'value' => '', @@ -803,8 +895,11 @@ $form["tabs"]['web'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'php_fpm_socket_dir_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'php_fpm_socket_dir_error_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^\/[a-zA-Z0-9\.\-\_\/]{5,128}$/', + 'errmsg'=> 'php_fpm_socket_dir_error_regex'), ), 'value' => '', 'width' => '40', @@ -814,8 +909,11 @@ $form["tabs"]['web'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'php_open_basedir_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'php_open_basedir_error_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^[a-zA-Z0-9\.\-\_\/\]\[\:]{1,}$/', + 'errmsg'=> 'php_open_basedir_error_regex'), ), 'value' => '', 'width' => '40', @@ -825,8 +923,11 @@ $form["tabs"]['web'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'nginx_cgi_socket_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'nginx_cgi_socket_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^\/[a-zA-Z0-9\.\-\_\/]{1,128}$/', + 'errmsg'=> 'nginx_cgi_socket_error_regex'), ), 'value' => '', 'width' => '40', 
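Review bot: Switching php_fpm_start_port from NOTEMPTY to ISPOSITIVE accepts any positive number rather than a usable TCP port, and the error key `php_fpm_start_port_error_empty` now names a check that is no longer performed. This file already uses `'type' => 'RANGE'` with a `'range' => '1999:'` lower bound, so a bounded check such as `0 => array('type' => 'RANGE', 'range' => '1:65535', 'errmsg' => 'php_fpm_start_port_error_range')` — assuming RANGE accepts an upper bound, which is not visible here — plus a matching language entry would be stricter and self-describing. The same applies to fastcgi_children in the `@@ -1036,7 +1182,7 @@` hunk further down. Both fields also keep `'datatype' => 'VARCHAR'` for an integer value, where the uid/gid fields in this file use INTEGER.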
@@ -836,8 +937,8 @@ $form["tabs"]['web'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'htaccess_allow_override_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'htaccess_allow_override_error_empty'), ), 'value' => '', 'width' => '40', @@ -884,6 +985,12 @@ $form["tabs"]['web'] = array( 'awstats_data_dir' => array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'awstats_data_dir_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^\/[a-zA-Z0-9\.\-\_\/]{1,128}$/', + 'errmsg'=> 'awstats_data_dir_error_regex'), + ), 'default' => '', 'value' => '', 'width' => '40', @@ -892,6 +999,12 @@ $form["tabs"]['web'] = array( 'awstats_pl' => array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'awstats_pl_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^\/[a-zA-Z0-9\.\-\_\/]{1,128}$/', + 'errmsg'=> 'awstats_pl_error_regex'), + ), 'default' => '', 'value' => '', 'width' => '40', @@ -900,6 +1013,12 @@ $form["tabs"]['web'] = array( 'awstats_buildstaticpages_pl' => array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'awstats_buildstaticpages_pl_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^\/[a-zA-Z0-9\.\-\_\/]{1,128}$/', + 'errmsg'=> 'awstats_buildstaticpages_pl_error_regex'), + ), 'default' => '', 'value' => '', 'width' => '40', 
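Review bot: awstats_data_dir, awstats_pl and awstats_buildstaticpages_pl gain a NOTEMPTY validator while their `'default' => ''` stays empty, so an existing server_config record with these fields blank — apparently legal until now, since they had no validator at all — will refuse to save the whole form until all three are filled in, including on servers that do not run awstats. Either drop NOTEMPTY and let the regex accept the empty string (`{0,128}`, as CA_path does), or call out the behaviour change in the commit message. These three also use `{1,128}` where the directory fields earlier in the file use `{5,128}`; pick one minimum for directory paths.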
@@ -923,8 +1042,11 @@ $form["tabs"]['dns'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'bind_user_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'bind_user_error_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^(?!ispconfig)([a-zA-Z0-9]{1,20})$/', + 'errmsg'=> 'invalid_bind_user_txt'), ), 'value' => '', 'width' => '40', @@ -934,8 +1056,11 @@ $form["tabs"]['dns'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'bind_group_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'bind_group_error_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^(?!ispconfig)([a-zA-Z0-9]{1,20})$/', + 'errmsg'=> 'invalid_bind_group_txt'), ), 'value' => '', 'width' => '40', @@ -945,8 +1070,11 @@ $form["tabs"]['dns'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'bind_zonefiles_dir_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'bind_zonefiles_dir_error_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^\/[a-zA-Z0-9\.\-\_\/]{1,128}$/', + 'errmsg'=> 'bind_zonefiles_dir_error_regex'), ), 'value' => '', 'width' => '40', @@ -956,8 +1084,11 @@ $form["tabs"]['dns'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'named_conf_path_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'named_conf_path_error_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^\/[a-zA-Z0-9\.\-\_\/]{1,128}$/', + 'errmsg'=> 'named_conf_path_error_regex'), ), 'value' => '', 'width' => '40', 
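Review bot: bind_user and bind_group get `'/^(?!ispconfig)([a-zA-Z0-9]{1,20})$/'`, which — unlike the mailuser pattern and the validate_systemuser CUSTOM validator applied to apache_user/nginx_user in this same file — does not reject `root` or any other privileged account, so the BIND process account can still be set to one from this form. Use the same CUSTOM validator here, e.g. `1 => array('type' => 'CUSTOM', 'class' => 'validate_systemuser', 'function' => 'check_sysuser', 'check_names' => false, 'errmsg' => 'invalid_bind_user_txt')` and `check_sysgroup` for bind_group, so one policy governs every daemon account field. The lookahead is also unanchored and rejects any name beginning with `ispconfig`, not just that name.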
@@ -967,8 +1098,11 @@ $form["tabs"]['dns'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'named_conf_local_path_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'named_conf_local_path_error_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^\/[a-zA-Z0-9\.\-\_\/]{1,128}$/', + 'errmsg'=> 'named_conf_local_path_error_regex'), ), 'value' => '', 'width' => '40', @@ -992,8 +1126,11 @@ $form["tabs"]['fastcgi'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'fastcgi_starter_path_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'fastcgi_starter_path_error_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^\/[a-zA-Z0-9\.\-\_\/\[\]]{1,128}$/', + 'errmsg'=> 'fastcgi_starter_path_error_regex'), ), 'value' => '', 'width' => '40', @@ -1003,8 +1140,11 @@ $form["tabs"]['fastcgi'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'fastcgi_starter_script_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'fastcgi_starter_script_error_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^[a-zA-Z0-9\.\-\_\/]{1,128}$/', + 'errmsg'=> 'fastcgi_starter_script_error_regex'), ), 'value' => '', 'width' => '40', 
@@ -1014,8 +1154,11 @@ $form["tabs"]['fastcgi'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'fastcgi_alias_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'fastcgi_alias_error_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^[a-zA-Z0-9\.\-\_\/]{1,128}$/', + 'errmsg'=> 'fastcgi_alias_error_regex'), ), 'value' => '', 'width' => '40', @@ -1025,8 +1168,11 @@ $form["tabs"]['fastcgi'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'fastcgi_phpini_path_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'fastcgi_phpini_path_error_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^\/[a-zA-Z0-9\.\-\_\/\[\]]{1,128}$/', + 'errmsg'=> 'fastcgi_phpini_path_error_regex'), ), 'value' => '', 'width' => '40', @@ -1036,7 +1182,7 @@ $form["tabs"]['fastcgi'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '', - 'validators' => array(0 => array('type' => 'NOTEMPTY', + 'validators' => array(0 => array('type' => 'ISPOSITIVE', 'errmsg' => 'fastcgi_children_error_empty'), ), 'value' => '', @@ -1061,8 +1207,11 @@ $form["tabs"]['fastcgi'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'fastcgi_bin_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'fastcgi_bin_error_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^\/[a-zA-Z0-9\.\-\_\/\[\]]{1,128}$/', + 'errmsg'=> 'fastcgi_bin_error_regex'), ), 'value' => '', 'width' => '40', 
@@ -1095,8 +1244,11 @@ $form["tabs"]['jailkit'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'jailkit_chroot_home_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'jailkit_chroot_home_error_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^\/[a-zA-Z0-9\.\-\_\/\[\]]{1,128}$/', + 'errmsg'=> 'jailkit_chroot_home_error_regex'), ), 'value' => '', 'width' => '40', @@ -1106,8 +1258,11 @@ $form["tabs"]['jailkit'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'jailkit_chroot_app_sections_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'jailkit_chroot_app_sections_error_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^[a-zA-Z0-9\-\_\ ]{1,128}$/', + 'errmsg'=> 'jailkit_chroot_app_sections_error_regex'), ), 'value' => '', 'width' => '40', @@ -1117,8 +1272,11 @@ $form["tabs"]['jailkit'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'jailkit_chroot_app_programs_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'jailkit_chroot_app_programs_error_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^[a-zA-Z0-9\.\-\_\/\ ]{1,}$/', + 'errmsg'=> 'jailkit_chroot_app_programs_error_regex'), ), 'value' => '', 'width' => '40', 
@@ -1128,8 +1286,11 @@ $form["tabs"]['jailkit'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'jailkit_chroot_cron_programs_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'jailkit_chroot_cron_programs_error_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^[a-zA-Z0-9\.\-\_\/\ ]{1,}$/', + 'errmsg'=> 'jailkit_chroot_cron_programs_error_regex'), ), 'value' => '', 'width' => '40', @@ -1217,8 +1378,11 @@ $form["tabs"]['vlogger'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'vlogger_config_dir_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'vlogger_config_dir_error_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^\/[a-zA-Z0-9\.\-\_\/]{1,128}$/', + 'errmsg'=> 'vlogger_config_dir_error_regex'), ), 'value' => '', 'width' => '40', @@ -1244,8 +1408,11 @@ $form["tabs"]['cron'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'cron_init_script_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'cron_init_script_error_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^[a-zA-Z0-9\-\_]{1,30}$/', + 'errmsg'=> 'cron_init_script_error_regex'), ), 'value' => '', 'width' => '40', @@ -1255,8 +1422,11 @@ $form["tabs"]['cron'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'crontab_dir_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'crontab_dir_error_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^\/[a-zA-Z0-9\.\-\_\/]{1,128}$/', + 'errmsg'=> 'crontab_dir_error_regex'), ), 'value' => '', 'width' => '40', 
@@ -1266,8 +1436,11 @@ $form["tabs"]['cron'] = array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '', - 'validators' => array(0 => array('type' => 'NOTEMPTY', - 'errmsg' => 'cron_wget_error_empty'), + 'validators' => array( 0 => array('type' => 'NOTEMPTY', + 'errmsg' => 'cron_wget_error_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^\/[a-zA-Z0-9\.\-\_\/]{1,128}$/', + 'errmsg'=> 'cron_wget_error_regex'), ), 'value' => '', 'width' => '40', diff --git a/interface/web/admin/lib/lang/en_server_config.lng b/interface/web/admin/lib/lang/en_server_config.lng index 5ce704d9e8..cc34e05ac3 100644 --- a/interface/web/admin/lib/lang/en_server_config.lng +++ b/interface/web/admin/lib/lang/en_server_config.lng 
@@ -191,4 +191,54 @@ $wb['munin_url_error_regex'] = 'Invalid Munin URL'; $wb['munin_url_note_txt'] = 'Placeholder:'; $wb['backup_dir_is_mount_txt'] = 'Backup directory is a mount?'; $wb['monitor_system_updates_txt'] = 'Check for Linux updates'; +$wb['invalid_apache_user_txt'] = 'Invalid apache user.'; +$wb['invalid_apache_group_txt'] = 'Invalid apache group.'; +$wb['backup_dir_error_regex'] = 'Invalid backup directory.'; +$wb['maildir_path_error_regex'] = 'Invalid maildir path.'; +$wb['homedir_path_error_regex'] = 'Invalid homedir path.'; +$wb['mailuser_name_error_regex'] = 'Invalid mailuser name.'; +$wb['mailuser_group_name_error_regex'] = 'Invalid mailuser group name.'; +$wb['mailuser_uid_error_range'] = 'Mailuser uid must be >= 2000'; +$wb['mailuser_gid_error_range'] = 'Mailuser gid must be >= 2000'; +$wb['getmail_config_dir_error_regex'] = 'Invalid getmail config directory.'; +$wb['website_basedir_error_regex'] = 'Invalid website basedir.'; +$wb['website_symlinks_error_regex'] = 'Invalid website symlinks.'; +$wb['vhost_conf_dir_error_regex'] = 'Invalid vhost config directory.'; +$wb['vhost_conf_enabled_dir_error_regex'] = 'Invalid vhost conf enabled directory.'; +$wb['nginx_vhost_conf_dir_error_regex'] = 'Invalid nginx config directory.'; +$wb['nginx_vhost_conf_enabled_dir_error_regex'] = 'Invalid nginx conf enabled directory.'; +$wb['ca_path_error_regex'] = 'Invalid CA path.'; +$wb['invalid_nginx_user_txt'] = 'Invalid nginx user.'; +$wb['invalid_nginx_group_txt'] = 'Invalid nginx group.'; +$wb['php_ini_path_apache_error_regex'] = 'Invalid apache php.ini path.'; +$wb['php_ini_path_cgi_error_regex'] = 'Invalid cgi php.ini path.'; +$wb['php_fpm_init_script_error_regex'] = 'Invalid php-fpm init script.'; +$wb['php_fpm_ini_path_error_regex'] = 'Invalid php-fpm ini path.'; +$wb['php_fpm_pool_dir_error_regex'] = 'Invalid php-fpm pool directory.'; +$wb['php_fpm_socket_dir_error_regex'] = 'Invalid php-fpm socket directory.'; +$wb['php_open_basedir_error_regex'] = 
'Invalid php open_basedir.'; +$wb['awstats_data_dir_empty'] = 'awstats data directory is empty'; +$wb['awstats_data_dir_error_regex'] = 'Invalid awstats data directory.'; +$wb['awstats_pl_empty'] = 'awstats.pl setting is empty.'; +$wb['awstats_pl_error_regex'] = 'Invalid awstats.pl path.'; +$wb['awstats_buildstaticpages_pl_empty'] = 'awstats_buildstaticpages.pl is empty'; +$wb['awstats_buildstaticpages_pl_error_regex'] = 'Invalid awstats_buildstaticpages.pl path.'; +$wb['invalid_bind_user_txt'] = 'Invalid BIND user.'; +$wb['invalid_bind_group_txt'] = 'Invalid BIND group.'; +$wb['bind_zonefiles_dir_error_regex'] = 'Invalid BIND zonefiles directory.'; +$wb['named_conf_path_error_regex'] = 'Invalid named.conf path.'; +$wb['named_conf_local_path_error_regex'] = 'Invalid named.conf.local path.'; +$wb['fastcgi_starter_path_error_regex'] = 'Invalid fastcgi starter path.'; +$wb['fastcgi_starter_script_error_regex'] = 'Invalid fastcgi starter script.'; +$wb['fastcgi_alias_error_regex'] = 'Invalid fastcgi alias.'; +$wb['fastcgi_phpini_path_error_regex'] = 'Invalid fastcgi path.'; +$wb['fastcgi_bin_error_regex'] = 'Invalid fastcgi bin.'; +$wb['jailkit_chroot_home_error_regex'] = 'Invalid jaikit chroot home.'; +$wb['jailkit_chroot_app_sections_error_regex'] = 'Invalid jaikit chroot sections.'; +$wb['jailkit_chroot_app_programs_error_regex'] = 'Invalid jaikit chroot app programs.'; +$wb['jailkit_chroot_cron_programs_error_regex'] = 'Invalid jaikit chroot cron programs.'; +$wb['vlogger_config_dir_error_regex'] = 'Invalid vlogger config dir.'; +$wb['cron_init_script_error_regex'] = 'Invalid cron init script.'; +$wb['crontab_dir_error_regex'] = 'Invalid crontab directory.'; +$wb['cron_wget_error_regex'] = 'Invalid cron wget path.'; ?> diff --git a/interface/web/sites/form/ftp_user.tform.php b/interface/web/sites/form/ftp_user.tform.php index f328f7fdb6..ef11b6058a 100644 --- a/interface/web/sites/form/ftp_user.tform.php +++ b/interface/web/sites/form/ftp_user.tform.php 
@@ -166,6 +166,13 @@ if($app->auth->is_admin()) { 'formtype' => 'TEXT', 'validators' => array ( 0 => array ( 'type' => 'NOTEMPTY', 'errmsg'=> 'uid_error_empty'), + 1 => array( + 'type' => 'CUSTOM', + 'class' => 'validate_systemuser', + 'function' => 'check_sysuser', + 'check_names' => true, + 'errmsg' => 'invalid_system_user_or_group_txt' + ), ), 'default' => '0', 'value' => '', @@ -177,6 +184,13 @@ if($app->auth->is_admin()) { 'formtype' => 'TEXT', 'validators' => array ( 0 => array ( 'type' => 'NOTEMPTY', 'errmsg'=> 'gid_error_empty'), + 1 => array( + 'type' => 'CUSTOM', + 'class' => 'validate_systemuser', + 'function' => 'check_sysgroup', + 'check_names' => true, + 'errmsg' => 'invalid_system_user_or_group_txt' + ), ), 'default' => '0', 'value' => '', diff --git a/interface/web/sites/form/shell_user.tform.php b/interface/web/sites/form/shell_user.tform.php index d8df458aa0..062ed6e0b0 100644 --- a/interface/web/sites/form/shell_user.tform.php +++ b/interface/web/sites/form/shell_user.tform.php @@ -177,6 +177,13 @@ if($_SESSION["s"]["user"]["typ"] == 'admin') { 'formtype' => 'TEXT', 'validators' => array ( 0 => array ( 'type' => 'NOTEMPTY', 'errmsg'=> 'uid_error_empty'), + 1 => array( + 'type' => 'CUSTOM', + 'class' => 'validate_systemuser', + 'function' => 'check_sysuser', + 'check_names' => true, + 'errmsg' => 'invalid_system_user_or_group_txt' + ), ), 'default' => '0', 'value' => '', @@ -188,6 +195,13 @@ if($_SESSION["s"]["user"]["typ"] == 'admin') { 'formtype' => 'TEXT', 'validators' => array ( 0 => array ( 'type' => 'NOTEMPTY', 'errmsg'=> 'uid_error_empty'), + 1 => array( + 'type' => 'CUSTOM', + 'class' => 'validate_systemuser', + 'function' => 'check_sysgroup', + 'check_names' => true, + 'errmsg' => 'invalid_system_user_or_group_txt' + ), ), 'default' => '0', 'value' => '', diff --git a/interface/web/sites/ftp_user_edit.php b/interface/web/sites/ftp_user_edit.php index edf47a38d8..ba695e0ff8 100644 --- a/interface/web/sites/ftp_user_edit.php 
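Review bot: The new CUSTOM validators on uid/gid in ftp_user.tform.php sit inside the `if($app->auth->is_admin())` branch, whereas the onBeforeUpdate check they replace (removed in ftp_user_edit.php below) ran whenever `$this->dataRecord['uid']` was set, whoever posted it. The two are equivalent only if fields absent from the form definition are never written for non-admin requests; that filtering is not visible in this diff, so please confirm it before relying on the form-level validator alone. The same move is made in shell_user.tform.php, whose second hunk (the group field, judging by `check_sysgroup`) still carries `'errmsg'=> 'uid_error_empty'` on its NOTEMPTY validator — pre-existing, but worth correcting while the block is being edited. In all four hunks the enclosing `if` and the `$form` array start and end outside the hunk.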
+++ b/interface/web/sites/ftp_user_edit.php @@ -154,14 +154,6 @@ class page_action extends tform_actions { function onBeforeUpdate() { global $app, $conf, $interfaceConf; - - // Check system user and group - if(isset($this->dataRecord['uid'])) { - if($app->functions->is_allowed_user(strtolower($this->dataRecord['uid']),true) == false || $app->functions->is_allowed_group(strtolower($this->dataRecord['gid']),true) == false) { - $app->tform->errorMessage .= $app->tform->lng('invalid_system_user_or_group_txt'); - } - } - /* * If the names should be restricted -> do it! */ diff --git a/interface/web/sites/shell_user_edit.php b/interface/web/sites/shell_user_edit.php index 9731889b74..f301139d40 100644 --- a/interface/web/sites/shell_user_edit.php +++ b/interface/web/sites/shell_user_edit.php @@ -190,13 +190,6 @@ class page_action extends tform_actions { } } unset($blacklist); - - // Check system user and group - if(isset($this->dataRecord['puser'])) { - if($app->functions->is_allowed_user(strtolower($this->dataRecord['puser']),true) == false || $app->functions->is_allowed_group(strtolower($this->dataRecord['pgroup']),true) == false) { - $app->tform->errorMessage .= $app->tform->lng('invalid_system_user_or_group_txt'); - } - } /* * If the names should be restricted -> do it! diff --git a/interface/web/sites/web_vhost_subdomain_edit.php b/interface/web/sites/web_vhost_subdomain_edit.php index 37359a25d5..ef1fc4ca02 100644 --- a/interface/web/sites/web_vhost_subdomain_edit.php +++ b/interface/web/sites/web_vhost_subdomain_edit.php @@ -341,6 +341,8 @@ class page_action extends tform_actions { $this->dataRecord["ipv6_address"] = $parent_domain["ipv6_address"]; $this->dataRecord["client_group_id"] = $parent_domain["client_group_id"]; $this->dataRecord["vhost_type"] = 'name'; + $this->dataRecord["system_user"] = $parent_domain["system_user"]; + $this->dataRecord["system_group"] = $parent_domain["system_group"]; $this->parent_domain_record = $parent_domain; -- GitLab