diff --git a/install/dist/lib/fedora.lib.php b/install/dist/lib/fedora.lib.php
index bc6f25eb62efb660079fe997e842f2a922efa645..6dcf988e6a3c0cc82c5d336c1fe16e7926605d27 100644
--- a/install/dist/lib/fedora.lib.php
+++ b/install/dist/lib/fedora.lib.php
@@ -444,6 +444,10 @@ class installer_dist extends installer_base {
exec("ln -s ".$vhost_conf_dir."/ispconfig.conf ".$vhost_conf_enabled_dir."/000-ispconfig.conf");
}
+ //* add a sshusers group
+ $command = 'groupadd sshusers';
+ if(!is_group('sshusers')) caselog($command.' &> /dev/null 2> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+
}
public function configure_firewall()
diff --git a/install/dist/lib/opensuse.lib.php b/install/dist/lib/opensuse.lib.php
index b175e0774ea34980ef2b8a4aa7c0125cc297d137..bb3cfab246e14134a34beb53270c3dcfa6c12e44 100644
--- a/install/dist/lib/opensuse.lib.php
+++ b/install/dist/lib/opensuse.lib.php
@@ -464,6 +464,10 @@ class installer_dist extends installer_base {
exec("ln -s ".$vhost_conf_dir."/ispconfig.conf ".$vhost_conf_enabled_dir."/000-ispconfig.conf");
}
+ //* add a sshusers group
+ $command = 'groupadd sshusers';
+ if(!is_group('sshusers')) caselog($command.' &> /dev/null 2> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+
}
public function configure_firewall()
diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php
index 82b5b170ede01c75928e2131317ca89d37cbcf49..28bf4ae93fcc36fe6098b34dd1da76d50e16ffd0 100644
--- a/install/lib/installer_base.lib.php
+++ b/install/lib/installer_base.lib.php
@@ -211,6 +211,9 @@ class installer_base {
$tpl_ini_array['web']['website_path'] = $conf['web']['website_path'];
$tpl_ini_array['web']['website_symlinks'] = $conf['web']['website_symlinks'];
$tpl_ini_array['cron']['crontab_dir'] = $conf['cron']['crontab_dir'];
+ $tpl_ini_array['web']['security_level'] = 20;
+ $tpl_ini_array['web']['user'] = $conf['web']['user'];
+ $tpl_ini_array['web']['group'] = $conf['web']['group'];
$server_ini_content = array_to_ini($tpl_ini_array);
$server_ini_content = mysql_real_escape_string($server_ini_content);
@@ -815,6 +818,11 @@ class installer_base {
exec('ln -s /etc/webalizer.conf /etc/webalizer/webalizer.conf');
}
+ //* add a sshusers group
+ $command = 'groupadd sshusers';
+ if(!is_group('sshusers')) caselog($command.' &> /dev/null 2> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+
+
}
diff --git a/install/tpl/server.ini.master b/install/tpl/server.ini.master
index d33afc7d3b18a4d85bda9cf418232077b7cec0ba..6ded54ebba3988a664be37d3fcb1a8ef2f85eb50 100644
--- a/install/tpl/server.ini.master
+++ b/install/tpl/server.ini.master
@@ -34,6 +34,9 @@ website_path=/var/www/clients/client[client_id]/web[website_id]
website_symlinks=/var/www/[website_domain]/:/var/www/clients/client[client_id]/[website_domain]/
vhost_conf_dir=/etc/apache2/sites-available
vhost_conf_enabled_dir=/etc/apache2/sites-enabled
+securiry_level=10
+apache_user=www-data
+apache_group=www-data
[fastcgi]
fastcgi_starter_path=/var/www/php-fcgi-scripts/[system_user]/
diff --git a/interface/web/admin/form/server_config.tform.php b/interface/web/admin/form/server_config.tform.php
index 3e081b40d74b1b4431b63452dc454430955eb185..999a1f914aed368e0c32fb160ba9991edeb35c1e 100644
--- a/interface/web/admin/form/server_config.tform.php
+++ b/interface/web/admin/form/server_config.tform.php
@@ -339,6 +339,34 @@ $form["tabs"]['web'] = array (
'width' => '40',
'maxlength' => '255'
),
+ 'security_level' => array (
+ 'datatype' => 'VARCHAR',
+ 'formtype' => 'SELECT',
+ 'default' => '20',
+ 'value' => array('10' => 'Medium', '20' => 'High')
+ ),
+ 'user' => array (
+ 'datatype' => 'VARCHAR',
+ 'formtype' => 'TEXT',
+ 'default' => '',
+ 'validators' => array ( 0 => array ( 'type' => 'NOTEMPTY',
+ 'errmsg'=> 'apache_user_error_empty'),
+ ),
+ 'value' => '',
+ 'width' => '40',
+ 'maxlength' => '255'
+ ),
+ 'group' => array (
+ 'datatype' => 'VARCHAR',
+ 'formtype' => 'TEXT',
+ 'default' => '',
+ 'validators' => array ( 0 => array ( 'type' => 'NOTEMPTY',
+ 'errmsg'=> 'apache_group_error_empty'),
+ ),
+ 'value' => '',
+ 'width' => '40',
+ 'maxlength' => '255'
+ ),
##################################
# ENDE Datatable fields
##################################
diff --git a/interface/web/admin/lib/lang/en_server_config.lng b/interface/web/admin/lib/lang/en_server_config.lng
index ef736cc42b1f864fe2dfe99ca2c11ffd79777da4..6e817f4de94d39af5c214c536741d14b88fdf89f 100644
--- a/interface/web/admin/lib/lang/en_server_config.lng
+++ b/interface/web/admin/lib/lang/en_server_config.lng
@@ -43,4 +43,5 @@ $wb["config_dir_txt"] = 'Config directory';
$wb["init_script_txt"] = 'Cron init script name';
$wb["crontab_dir_txt"] = 'Path for individual crontabs';
$wb["wget_txt"] = 'Path to wget program';
+$wb["security_level_txt"] = 'Security level';
?>
\ No newline at end of file
diff --git a/interface/web/admin/templates/server_config_web_edit.htm b/interface/web/admin/templates/server_config_web_edit.htm
index 92d52623f137a0514a82831014c59a6fe78f1689..e5a317f331ef1109440869aff8fbc4ef522fd51d 100644
--- a/interface/web/admin/templates/server_config_web_edit.htm
+++ b/interface/web/admin/templates/server_config_web_edit.htm
@@ -25,6 +25,22 @@
<label for="vhost_conf_enabled_dir">{tmpl_var name='vhost_conf_enabled_dir_txt'}</label>
<input name="vhost_conf_enabled_dir" id="vhost_conf_enabled_dir" value="{tmpl_var name='vhost_conf_enabled_dir'}" size="40" maxlength="255" type="text" class="textInput" />
</div>
+ <div class="ctrlHolder">
+ <p class="label">{tmpl_var name='security_level_txt'}</p>
+ <div class="multiField">
+ <select name="security_level" id="security_level" class="selectInput">
+ {tmpl_var name='security_level'}
+ </select>
+ </div>
+ </div>
+ <div class="ctrlHolder">
+ <label for="user">{tmpl_var name='user_txt'}</label>
+ <input name="user" id="user" value="{tmpl_var name='user'}" size="40" maxlength="255" type="text" class="textInput" />
+ </div>
+ <div class="ctrlHolder">
+ <label for="group">{tmpl_var name='group_txt'}</label>
+ <input name="group" id="group" value="{tmpl_var name='group'}" size="40" maxlength="255" type="text" class="textInput" />
+ </div>
</fieldset>
<input type="hidden" name="id" value="{tmpl_var name='id'}">
diff --git a/interface/web/dns/lib/module.conf.php b/interface/web/dns/lib/module.conf.php
index ccb560d7ecf59052b8c36a4160420daf1c2ac3a9..0d33ad84f369d3e14bba82d5188d4afa4beecd05 100644
--- a/interface/web/dns/lib/module.conf.php
+++ b/interface/web/dns/lib/module.conf.php
@@ -6,6 +6,26 @@ $module["template"] = "module.tpl.htm";
$module["startpage"] = "dns/dns_soa_list.php";
$module["tab_width"] = '';
+
+$items[] = array( 'title' => "Add DNS Zone",
+ 'target' => 'content',
+ 'link' => 'dns/dns_wizard.php');
+
+if($_SESSION["s"]["user"]["typ"] == 'admin') {
+
+ $items[] = array( 'title' => "Templates",
+ 'target' => 'content',
+ 'link' => 'dns/dns_template_list.php');
+}
+
+
+$module["nav"][] = array( 'title' => 'DNS Wizard',
+ 'open' => 1,
+ 'items' => $items);
+
+
+unset($items);
+
/*
Email accounts menu
*/
@@ -28,26 +48,6 @@ $module["nav"][] = array( 'title' => 'DNS',
unset($items);
-$items[] = array( 'title' => "Add DNS Zone",
- 'target' => 'content',
- 'link' => 'dns/dns_wizard.php');
-
-if($_SESSION["s"]["user"]["typ"] == 'admin') {
-
- $items[] = array( 'title' => "Templates",
- 'target' => 'content',
- 'link' => 'dns/dns_template_list.php');
-}
-
-
-$module["nav"][] = array( 'title' => 'DNS Wizard',
- 'open' => 1,
- 'items' => $items);
-
-
-
-
-
diff --git a/server/conf/vhost.conf.master b/server/conf/vhost.conf.master
index d828fdffa38138855ebd2becd3d85d357d74362c..e839ccc3b0e0d7f3920e5cf205b99eaa9f3f3c24 100644
--- a/server/conf/vhost.conf.master
+++ b/server/conf/vhost.conf.master
@@ -95,7 +95,9 @@
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -fwebmaster@<tmpl_var name='domain'>"
php_admin_value upload_tmp_dir <tmpl_var name='document_root'>/tmp
php_admin_value session.save_path <tmpl_var name='document_root'>/tmp
- #php_admin_value open_basedir <tmpl_var name='document_root'>:/usr/share/php5
+ <tmpl_if name='security_level' op='==' value='20'>
+ php_admin_value open_basedir <tmpl_var name='document_root'>/web:<tmpl_var name='document_root'>/tmp:/usr/share/php5
+ </tmpl_if>
</tmpl_if>
<tmpl_if name='php' op='==' value='suphp'>
# suphp enabled
@@ -249,7 +251,9 @@
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -fwebmaster@<tmpl_var name='domain'>"
php_admin_value upload_tmp_dir <tmpl_var name='document_root'>/tmp
php_admin_value session.save_path <tmpl_var name='document_root'>/tmp
- #php_admin_value open_basedir <tmpl_var name='document_root'>:/usr/share/php5
+ <tmpl_if name='security_level' op='==' value='20'>
+ php_admin_value open_basedir <tmpl_var name='document_root'>/web:<tmpl_var name='document_root'>/tmp:/usr/share/php5
+ </tmpl_if>
</tmpl_if>
<tmpl_if name='php' op='==' value='suphp'>
suPHP_Engine on
diff --git a/server/plugins-available/apache2_plugin.inc.php b/server/plugins-available/apache2_plugin.inc.php
index 665a8ddcc910e1a7e002b6d9df89e12849f14e3f..bfdc6bfacee0b518facc5cf4809883acc7039864 100644
--- a/server/plugins-available/apache2_plugin.inc.php
+++ b/server/plugins-available/apache2_plugin.inc.php
@@ -443,7 +443,7 @@ class apache2_plugin {
$username = escapeshellcmd($data["new"]["system_user"]);
if($data["new"]["system_user"] != '' && !$app->system->is_user($data["new"]["system_user"])) {
- exec("useradd -d ".escapeshellcmd($data["new"]["document_root"])." -g $groupname $username -s /bin/false");
+ exec("useradd -d ".escapeshellcmd($data["new"]["document_root"])." -g $groupname -G sshusers $username -s /bin/false");
$app->log("Adding the user: $username",LOGLEVEL_DEBUG);
}
@@ -459,7 +459,6 @@ class apache2_plugin {
exec("setquota -T -u $username 604800 604800 -a &> /dev/null");
}
-
if($this->action == 'insert') {
// Chown and chmod the directories below the document root
exec("chown -R $username:$groupname ".escapeshellcmd($data["new"]["document_root"]));
@@ -468,8 +467,40 @@ class apache2_plugin {
exec("chown root:root ".escapeshellcmd($data["new"]["document_root"]));
}
- // make temp direcory writable for the apache user and the website user
- exec("chmod 777 ".escapeshellcmd($data["new"]["document_root"]."/tmp"));
+
+
+ // If the security level is set to high
+ if($web_config['security_level'] == 20) {
+
+ exec("chmod 711 ".escapeshellcmd($data["new"]["document_root"]."/"));
+ exec("chmod 711 ".escapeshellcmd($data["new"]["document_root"]."/*"));
+ exec("chmod 710 ".escapeshellcmd($data["new"]["document_root"]."/web"));
+
+ //* Change the home directory and group of the website user
+ $command = 'usermod';
+ $command .= ' --groups sshusers,'.escapeshellcmd($web_config['group']);
+ $command .= ' '.escapeshellcmd($data["new"]["system_user"]);
+ exec($command);
+ $app->log("Modifying user: $command",LOGLEVEL_DEBUG);
+
+ // make temp direcory writable for the apache user and the website user
+ // exec("chmod 777 ".escapeshellcmd($data["new"]["document_root"]."/tmp"));
+ // If the security Level is set to medium
+ } else {
+
+ exec("chmod 755 ".escapeshellcmd($data["new"]["document_root"]."/"));
+ exec("chmod 755 ".escapeshellcmd($data["new"]["document_root"]."/*"));
+
+ //* Change the home directory and group of the website user
+ $command = 'usermod';
+ $command .= ' --groups sshusers ';
+ $command .= ' '.escapeshellcmd($data["new"]["system_user"]);
+ exec($command);
+ $app->log("Modifying user: $command",LOGLEVEL_DEBUG);
+
+ // make temp direcory writable for the apache user and the website user
+ exec("chmod 777 ".escapeshellcmd($data["new"]["document_root"]."/tmp"));
+ }
// Create the vhost config file
@@ -482,6 +513,7 @@ class apache2_plugin {
$vhost_data["web_document_root"] = $data["new"]["document_root"]."/web";
$vhost_data["web_document_root_www"] = $web_config["website_basedir"]."/".$data["new"]["domain"]."/web";
$vhost_data["web_basedir"] = $web_config["website_basedir"];
+ $vhost_data["security_level"] = $web_config["security_level"];
// Check if a SSL cert exists
$ssl_dir = $data["new"]["document_root"]."/ssl";