diff --git a/interface/lib/classes/auth.inc.php b/interface/lib/classes/auth.inc.php
index 5be11cb7b48159a725fd85553c3e9491358fdeda..70c1722aedc9ff7b48226fa61d3f38cc0a6a105d 100644
--- a/interface/lib/classes/auth.inc.php
+++ b/interface/lib/classes/auth.inc.php
@@ -46,7 +46,7 @@ class auth {
}
public function is_superadmin() {
- if($_SESSION['s']['user']['typ'] == 'admin' && $_SESSION['s']['user']['userid'] === 1) {
+ if($_SESSION['s']['user']['typ'] == 'admin' && $_SESSION['s']['user']['userid'] == 1) {
return true;
} else {
return false;
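Review bot: The loosened comparison `$_SESSION['s']['user']['userid'] == 1` in is_superadmin() accepts more than the one account it is meant to identify: `'1.0'` and `' 1'` compare equal to 1, and on PHP versions before 8 so does any string that merely starts with `1`. The strict test presumably failed because the id reaches the session as a string, so normalise the type and keep the comparison strict, e.g. `(string)$_SESSION['s']['user']['userid'] === '1'`. This matters more now that the result decides the `superadmin` branch of check_security_permissions(). The function's closing lines are outside the hunk.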
@@ -136,6 +136,22 @@ class auth {
exit;
}
}
+
+ public function check_security_permissions($permission) {
+
+ global $app;
+
+ $app->uses('getconf');
+ $security_config = $app->getconf->get_security_config('permissions');
+
+ $security_check = false;
+ if($security_config[$permission] == 'yes') $security_check = true;
+ if($security_config[$permission] == 'superadmin' && $app->auth->is_superadmin()) $security_check = true;
+ if($security_check !== true) {
+ $app->error($app->lng('security_check1_txt').' '.$permission.' '.$app->lng('security_check2_txt'));
+ }
+
+ }
public function get_random_password($length = 8) {
$base64_alphabet='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
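Review bot: check_security_permissions() reads `$security_config[$permission]` without checking that the key exists, and the denial relies entirely on `$app->error()` ending the request, which is not visible in this hunk. A missing or misspelt key leaves `$security_check` false, so the check fails closed, but only via an undefined-index notice; read the value once with `$level = isset($security_config[$permission]) ? $security_config[$permission] : 'no';` and compare `$level` instead. If `$app->error()` can return, an explicit `exit;` after it is needed, as in the method that ends just above. A docblock should state the accepted values (`yes`, `superadmin`, anything else denies) and that the method is expected not to return on failure. The following get_random_password() continues outside the hunk.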
diff --git a/interface/lib/classes/getconf.inc.php b/interface/lib/classes/getconf.inc.php
index 45fefa601b503a46b57898046183cafd5f96d556..7a29dbf4258ce9fda6900e3b77c14f7e010168d7 100644
--- a/interface/lib/classes/getconf.inc.php
+++ b/interface/lib/classes/getconf.inc.php
@@ -54,6 +54,15 @@ class getconf {
}
return ($section == '') ? $this->config['global'] : $this->config['global'][$section];
}
+
+ public function get_security_config($section = '') {
+ global $app;
+
+ $app->uses('ini_parser');
+ $security_config = $app->ini_parser->parse_ini_string(file_get_contents('/usr/local/ispconfig/security/security_settings.ini'));
+
+ return ($section == '') ? $security_config : $security_config[$section];
+ }
}
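Review bot: get_security_config() hands the result of `file_get_contents()` straight to the parser, so a missing or unreadable `/usr/local/ispconfig/security/security_settings.ini` becomes `false` and, most likely, an empty configuration. Every guarded admin page then denies access without saying why; check the read first, e.g. `if(!is_readable($file)) $app->error('security_settings.ini is missing or not readable');`, and guard `$security_config[$section]` with `isset()`. The file is also read and parsed again on every call, so caching the parsed array in a property would help. Since the interface treats this file as the authority for the permissions, a docblock should record who is expected to own it and that the web interface itself must not be able to write it (presumably the intent; confirm with the installer).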
diff --git a/interface/lib/classes/validate_systemuser.inc.php b/interface/lib/classes/validate_systemuser.inc.php
index f1bbd2bb39f940f968ff6b4a9d03f044968eea38..6df3a4589c6305a58e1357ac7c406c7a0241f581 100644
--- a/interface/lib/classes/validate_systemuser.inc.php
+++ b/interface/lib/classes/validate_systemuser.inc.php
@@ -58,7 +58,63 @@ class validate_systemuser {
}
}
+ /*
+ Validator function to check if a given dir is ok.
+ */
+ function shelluser_dir($field_name, $field_value, $validator) {
+ global $app;
+
+ if($app->tform->primary_id == 0) {
+ $errmsg = $validator['errmsg'];
+ if(isset($app->tform->wordbook[$errmsg])) {
+ return $app->tform->wordbook[$errmsg]."
\r\n";
+ } else {
+ return $errmsg."
\r\n";
+ }
+ }
+
+
+ $shell_data = $app->db->queryOneRecord("SELECT parent_domain_id FROM shell_user WHERE shell_user_id = '".$app->db->quote($app->tform->primary_id)."'");
+ if(!is_array($shell_data) || $shell_data["parent_domain_id"] < 1) {
+ $errmsg = $validator['errmsg'];
+ if(isset($app->tform->wordbook[$errmsg])) {
+ return $app->tform->wordbook[$errmsg]."
\r\n";
+ } else {
+ return $errmsg."
\r\n";
+ }
+ }
+ $domain_data = $app->db->queryOneRecord("SELECT domain_id, document_root FROM web_domain WHERE domain_id = '".$app->db->quote($shell_data["parent_domain_id"])."'");
+ if(!is_array($domain_data) || $domain_data["domain_id"] < 1) {
+ $errmsg = $validator['errmsg'];
+ if(isset($app->tform->wordbook[$errmsg])) {
+ return $app->tform->wordbook[$errmsg]."
\r\n";
+ } else {
+ return $errmsg."
\r\n";
+ }
+ }
+
+ $doc_root = $domain_data["document_root"];
+ $is_ok = false;
+ if($doc_root == $field_value) $is_ok = true;
+
+ $doc_root .= "/";
+ if(substr($field_value, 0, strlen($doc_root)) == $doc_root) $is_ok = true;
+
+ if(stristr($field_value, '..') or stristr($field_value, './') or stristr($field_value, '/.')) $is_ok = false;
+
+ //* Final check if docroot path of website is >= 5 chars
+ if(strlen($doc_root) < 5) $is_ok = false;
+
+ if($is_ok == false) {
+ $errmsg = $validator['errmsg'];
+ if(isset($app->tform->wordbook[$errmsg])) {
+ return $app->tform->wordbook[$errmsg]."
\r\n";
+ } else {
+ return $errmsg."
\r\n";
+ }
+ }
+ }
}
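Review bot: The length guard near the end of shelluser_dir() runs after `$doc_root .= "/";`, so `strlen($doc_root) < 5` accepts a four-character document root although the comment asks for five; test the stored value instead, `if(strlen($domain_data["document_root"]) < 5) $is_ok = false;`. The containment test is purely lexical (a prefix match plus the `..`, `./` and `/.` filter), so it says nothing about symlinks below the document root; a comment should state that whatever later uses this directory on the server has to resolve the real path itself. The same error-return block is repeated four times and would be easier to audit as one private helper, and both queries would be clearer with the ids cast to integers before they are placed in the SQL string.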
diff --git a/interface/lib/lang/ar.lng b/interface/lib/lang/ar.lng
index 2bef4b0d64c9b795daa7f4ef7d0b519476788ba5..ed4bb29c049283f02db0d6f479a550391fc54f5d 100644
--- a/interface/lib/lang/ar.lng
+++ b/interface/lib/lang/ar.lng
@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
?>
diff --git a/interface/lib/lang/bg.lng b/interface/lib/lang/bg.lng
index 09b399ad5eb6aa2c36f1105e0defd452b5f91d6f..04380173ae5e488b027ce9294b4aa73dccc547cd 100644
--- a/interface/lib/lang/bg.lng
+++ b/interface/lib/lang/bg.lng
@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
?>
diff --git a/interface/lib/lang/br.lng b/interface/lib/lang/br.lng
index 7007f7dec62ae4e644704b3ada6253fe71c210b8..275be4d1bddeb8accea22c7f3eda6107a1dcc2e1 100644
--- a/interface/lib/lang/br.lng
+++ b/interface/lib/lang/br.lng
@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
?>
diff --git a/interface/lib/lang/cz.lng b/interface/lib/lang/cz.lng
index a48a835bb45dfe8be1db529730ab7b09b2c402c8..27fa49431b029664d4b31e1d22af58655564811a 100644
--- a/interface/lib/lang/cz.lng
+++ b/interface/lib/lang/cz.lng
@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Silná';
$wb['strength_5'] = 'Velmi silná';
$wb['weak_password_txt'] = 'Zvolené heslo neodpovídá požadavkům zásad pro tvorbu hesel. Heslo musí být alespoň {chars} znaků dlouhé a mající sílu \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'Zvolené heslo neodpovídá požadavkům zásad pro tvorbu hesel. Heslo musí být alespoň {chars} znaků dlouhé.';
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
?>
diff --git a/interface/lib/lang/de.lng b/interface/lib/lang/de.lng
index dfd1c9b77d9287b094dcbe27b56d8cc88a2a8ac7..735b1da09cf850006c07e65ff7f4ab1a44d5c2ce 100644
--- a/interface/lib/lang/de.lng
+++ b/interface/lib/lang/de.lng
@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Stark';
$wb['strength_5'] = 'Sehr stark';
$wb['weak_password_txt'] = 'Das gewählte Passwort erfüllt die Sicherheitsanforderungen nicht. Es muss mindestens {chars} Zeichen lang sein und die Stärke \\"{strength}\\" besitzen.';
$wb['weak_password_length_txt'] = 'Das gewählte Passwort erfüllt die Sicherheitsanforderungen nicht. Es muss mindestens {chars} Zeichen lang sein.';
+$wb['security_check1_txt'] = 'Sicherheitsüberprüfung für:';
+$wb['security_check2_txt'] = 'fehlgeschlagen.';
?>
diff --git a/interface/lib/lang/el.lng b/interface/lib/lang/el.lng
index 20f26a448d9ad9050b7c059b6d5d8daa933292f6..d8a27159099dfe87f7830223826b9ed7716807e6 100644
--- a/interface/lib/lang/el.lng
+++ b/interface/lib/lang/el.lng
@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
?>
diff --git a/interface/lib/lang/en.lng b/interface/lib/lang/en.lng
index ec309d9f850adf2f1540598fda4ab7c366067569..c89c97a7ccaed04036a54541fcb431b2ef608ce2 100644
--- a/interface/lib/lang/en.lng
+++ b/interface/lib/lang/en.lng
@@ -131,7 +131,6 @@ $wb['datalog_status_d_web_folder'] = 'Delete folder protection';
$wb['datalog_status_i_web_folder_user'] = 'Create folder protection user';
$wb['datalog_status_u_web_folder_user'] = 'Update folder protection user';
$wb['datalog_status_d_web_folder_user'] = 'Delete folder protection user';
-
$wb['login_as_txt'] = 'Log in as';
$wb["no_domain_perm"] = 'You have no permission for this domain.';
$wb["no_destination_perm"] = 'You have no permission for this destination.';
@@ -149,5 +148,6 @@ $wb['strength_4'] = 'Strong';
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of "{strength}".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
-
-?>
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
+?>
\ No newline at end of file
diff --git a/interface/lib/lang/es.lng b/interface/lib/lang/es.lng
index 63b62451be4ad1c5559368c52731050df6bd76ea..ae21baf04ef1f962c0a931742c0df21f3bbf1363 100644
--- a/interface/lib/lang/es.lng
+++ b/interface/lib/lang/es.lng
@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
?>
diff --git a/interface/lib/lang/fi.lng b/interface/lib/lang/fi.lng
index 3cdfa12d8d98b6ccdbc57323db31aeef5b833e7e..059c9b2deb372789d517171aac1120f95405505c 100755
--- a/interface/lib/lang/fi.lng
+++ b/interface/lib/lang/fi.lng
@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
?>
diff --git a/interface/lib/lang/fr.lng b/interface/lib/lang/fr.lng
index 613f2a3428567c02f5a85bd51e123e118be314bb..c59aac41a1e9fd719b1bb743510dde6cd74e69d0 100644
--- a/interface/lib/lang/fr.lng
+++ b/interface/lib/lang/fr.lng
@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
?>
diff --git a/interface/lib/lang/hr.lng b/interface/lib/lang/hr.lng
index 26a98bfc14371f80f6c9f009028ed120cafb28ba..634a396488bc796a7442983337e470e127addcbc 100644
--- a/interface/lib/lang/hr.lng
+++ b/interface/lib/lang/hr.lng
@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
-?>
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
+?>
\ No newline at end of file
diff --git a/interface/lib/lang/hu.lng b/interface/lib/lang/hu.lng
index ce9a102599dae331c9d3cc4bab31f3a5bebb6807..9aa46b48827e08941697108be42a77e27c5b75f8 100644
--- a/interface/lib/lang/hu.lng
+++ b/interface/lib/lang/hu.lng
@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
-?>
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
+?>
\ No newline at end of file
diff --git a/interface/lib/lang/id.lng b/interface/lib/lang/id.lng
index a781fb597aa6cc4f92abaca2c444a0568d26a740..bc0a5f9504089ad6e278cda9a5f3ac52ef6c1605 100644
--- a/interface/lib/lang/id.lng
+++ b/interface/lib/lang/id.lng
@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
-?>
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
+?>
\ No newline at end of file
diff --git a/interface/lib/lang/it.lng b/interface/lib/lang/it.lng
index 8b2b810c3a84020d23ba244d5b8eec57bf59cdd0..1f46893fe53b3dd560637adf4f4e7aeea6955569 100644
--- a/interface/lib/lang/it.lng
+++ b/interface/lib/lang/it.lng
@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
-?>
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
+?>
\ No newline at end of file
diff --git a/interface/lib/lang/ja.lng b/interface/lib/lang/ja.lng
index 04fef3d96f2a79937423c54d112b4d954d25362c..41cd638f8911467c6737956cd5b1c29331899401 100644
--- a/interface/lib/lang/ja.lng
+++ b/interface/lib/lang/ja.lng
@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
-?>
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
+?>
\ No newline at end of file
diff --git a/interface/lib/lang/nl.lng b/interface/lib/lang/nl.lng
index 458b53fa3eae20f9a6b6ae4e4f4fd400900df19c..b359dee1c5f2fb4eed7f32ba4bf25140d84baada 100644
--- a/interface/lib/lang/nl.lng
+++ b/interface/lib/lang/nl.lng
@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
-?>
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
+?>
\ No newline at end of file
diff --git a/interface/lib/lang/pl.lng b/interface/lib/lang/pl.lng
index 87973f64b19985b539950bcbb0e33522c88bf055..058680c471b55fcf74bd260e6b4f1679fc4d6102 100644
--- a/interface/lib/lang/pl.lng
+++ b/interface/lib/lang/pl.lng
@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
-?>
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
+?>
\ No newline at end of file
diff --git a/interface/lib/lang/pt.lng b/interface/lib/lang/pt.lng
index 84cd748af3984d499c8e207e7ef7a1aab2f83a1b..48beea8dd3a7553b86106799fa1000a57df7f624 100644
--- a/interface/lib/lang/pt.lng
+++ b/interface/lib/lang/pt.lng
@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
-?>
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
+?>
\ No newline at end of file
diff --git a/interface/lib/lang/ro.lng b/interface/lib/lang/ro.lng
index 6431e11803885431c8c71186386dc5c75b38af7c..c5234fb838f428bcf3d7fd5f99290ae1b89ed3ca 100644
--- a/interface/lib/lang/ro.lng
+++ b/interface/lib/lang/ro.lng
@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
-?>
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
+?>
\ No newline at end of file
diff --git a/interface/lib/lang/ru.lng b/interface/lib/lang/ru.lng
index 566f8d83a16f9a118e7a5f65d5d5d6208cddc9a3..7fb0ac863f9aff5a2c34f16228b93997230ae1a1 100644
--- a/interface/lib/lang/ru.lng
+++ b/interface/lib/lang/ru.lng
@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
-?>
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
+?>
\ No newline at end of file
diff --git a/interface/lib/lang/se.lng b/interface/lib/lang/se.lng
index 41a972f5ca41089f38bfb1a758152760d9ceeabd..a7813bc0b077c5b20fcbb1c2176ac846b2abecbc 100644
--- a/interface/lib/lang/se.lng
+++ b/interface/lib/lang/se.lng
@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Starkt';
$wb['strength_5'] = 'Väldigt starkt';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \"{strength}\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
-?>
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
+?>
\ No newline at end of file
diff --git a/interface/lib/lang/sk.lng b/interface/lib/lang/sk.lng
index 4abcf0ca9e3a9f69ce63af3b14c55b62bb776f2b..63a16ce29e56da715d2a04e5729732521e54077e 100644
--- a/interface/lib/lang/sk.lng
+++ b/interface/lib/lang/sk.lng
@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
-?>
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
+?>
\ No newline at end of file
diff --git a/interface/lib/lang/tr.lng b/interface/lib/lang/tr.lng
index 0257a68b8bdd1403d5998dbb0eceadb559ec98e6..e7d9e037fd5a5c73691f6847841a683a162685eb 100644
--- a/interface/lib/lang/tr.lng
+++ b/interface/lib/lang/tr.lng
@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
-?>
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
+?>
\ No newline at end of file
diff --git a/interface/web/admin/firewall_del.php b/interface/web/admin/firewall_del.php
index c4ea5605c7d968c44980c1dd34a047d65de6ef0c..3fc23fe708a45481bb94aa9d21efc2292031cf33 100644
--- a/interface/web/admin/firewall_del.php
+++ b/interface/web/admin/firewall_del.php
@@ -44,6 +44,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_firewall_config');
$app->uses("tform_actions");
$app->tform_actions->onDelete();
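Review bot: The key passed here, `admin_allow_firewall_config`, like the other `admin_allow_*` literals added to the pages under interface/web/admin in this commit, only has an effect if the `permissions` section of security_settings.ini defines it, and that file is not part of the visible diff. With check_security_permissions() as added, an absent or misspelt key denies the page to every administrator including the superadmin, so the shipped settings template and the upgrade path need to contain all of these keys. A short comment above the call, e.g. `//* Check security permission from security_settings.ini`, would also make clear that this is a second gate, separate from the module check.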
diff --git a/interface/web/admin/firewall_edit.php b/interface/web/admin/firewall_edit.php
index d0c35db8e8e2a421ff7876e4c223712e26d2550d..6c29f766d100d03f548d815f26ffdd6c4956bd37 100644
--- a/interface/web/admin/firewall_edit.php
+++ b/interface/web/admin/firewall_edit.php
@@ -43,6 +43,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_firewall_config');
// Loading classes
$app->uses('tpl,tform,tform_actions');
diff --git a/interface/web/admin/groups_del.php b/interface/web/admin/groups_del.php
index 57b47d9f488bdbafb39a40763599462832f2e1d9..42eed9507b45f30229ab82cec700c47974a89653 100644
--- a/interface/web/admin/groups_del.php
+++ b/interface/web/admin/groups_del.php
@@ -44,6 +44,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_cpuser_group');
$app->uses("tform_actions");
$app->tform_actions->onDelete();
diff --git a/interface/web/admin/groups_edit.php b/interface/web/admin/groups_edit.php
index 5ecf75fdf51d4e6e853e48219a293d88027622fb..00000036160f996908ee9216d5cbef88d352e4a9 100644
--- a/interface/web/admin/groups_edit.php
+++ b/interface/web/admin/groups_edit.php
@@ -43,6 +43,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_cpuser_group');
// Loading classes
$app->uses('tpl,tform,tform_actions');
diff --git a/interface/web/admin/iptables_del.php b/interface/web/admin/iptables_del.php
index 2497768c19a91df3b89d075854aef2176b94f8a6..55371d6cb48f2023d5ed7faa7d78c01fdcca3e1f 100644
--- a/interface/web/admin/iptables_del.php
+++ b/interface/web/admin/iptables_del.php
@@ -1,4 +1,5 @@
auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_langedit');
//* This is only allowed for administrators
if(!$app->auth->is_admin()) die('only allowed for administrators.');
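Review bot: The added call uses `admin_allow_langedit` in a file named iptables_del.php, whereas the firewall pages earlier in this commit use `admin_allow_firewall_config`. The hunk header `@@ -1,4 +1,5 @@` does not match the context lines shown, so part of the page text appears to be missing and this line may in fact belong to a different file. Confirm against the repository that iptables_del.php is guarded with the key intended for firewall rules and not with the language-editor key.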
diff --git a/interface/web/admin/language_complete.php b/interface/web/admin/language_complete.php
index 67cfb86ed25c5962cd377da98b356ed34f59f784..d8f4bbda8616a57a8ce563564e6be70a0aaa90a0 100644
--- a/interface/web/admin/language_complete.php
+++ b/interface/web/admin/language_complete.php
@@ -32,6 +32,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_langedit');
if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.');
//* This is only allowed for administrators
diff --git a/interface/web/admin/language_edit.php b/interface/web/admin/language_edit.php
index 8199244921de1374d0c2b5f40f105d05d960df60..7d83b9bb7479dc1276f912d933dd68210b768aef 100644
--- a/interface/web/admin/language_edit.php
+++ b/interface/web/admin/language_edit.php
@@ -32,6 +32,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_langedit');
//* This is only allowed for administrators
if(!$app->auth->is_admin()) die('only allowed for administrators.');
diff --git a/interface/web/admin/language_export.php b/interface/web/admin/language_export.php
index a4c75f3df810b43a95c519e625153a6dad35237b..44bc787bd33eefdc29a28f5f3ee00bba9cddd921 100644
--- a/interface/web/admin/language_export.php
+++ b/interface/web/admin/language_export.php
@@ -32,6 +32,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_langedit');
//* This is only allowed for administrators
if(!$app->auth->is_admin()) die('only allowed for administrators.');
diff --git a/interface/web/admin/language_import.php b/interface/web/admin/language_import.php
index 1dfaa18468495f726defaf7e685b59b44c59b4c4..d53575ba26d456e073dd06fdc7d417f7a2537ac0 100644
--- a/interface/web/admin/language_import.php
+++ b/interface/web/admin/language_import.php
@@ -112,6 +112,7 @@ function validate_line($line) {
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_langedit');
//* This is only allowed for administrators
if(!$app->auth->is_admin()) die('only allowed for administrators.');
diff --git a/interface/web/admin/remote_action_osupdate.php b/interface/web/admin/remote_action_osupdate.php
index 4000d7f26276fc8cb04d51a5bd91668529e88975..61c6c23823689ad99558e2becba462b0905ba3e6 100644
--- a/interface/web/admin/remote_action_osupdate.php
+++ b/interface/web/admin/remote_action_osupdate.php
@@ -32,6 +32,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_osupdate');
//* This is only allowed for administrators
if(!$app->auth->is_admin()) die('only allowed for administrators.');
diff --git a/interface/web/admin/remote_user_del.php b/interface/web/admin/remote_user_del.php
index e3a3832724d684910b52ba80882c45ce27ed1d38..b23336cab30ca1ae5fc936f03e873a39862df012 100644
--- a/interface/web/admin/remote_user_del.php
+++ b/interface/web/admin/remote_user_del.php
@@ -44,6 +44,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_remote_users');
$app->uses('tpl,tform');
$app->load('tform_actions');
diff --git a/interface/web/admin/remote_user_edit.php b/interface/web/admin/remote_user_edit.php
index 962aa575224beb2a253b78c2c1514d0aa64ebf33..efc4f72a382eea98f7799c3552892c690c2479fa 100644
--- a/interface/web/admin/remote_user_edit.php
+++ b/interface/web/admin/remote_user_edit.php
@@ -13,6 +13,9 @@ if(!stristr($_SESSION['s']['user']['modules'], 'admin')) {
die;
}
+$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_remote_users');
+
// Disable this function in demo mode
if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.');
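Review bot: The new `check_module_permissions('admin')` call repeats the hand-written `stristr($_SESSION['s']['user']['modules'], 'admin')` test directly above it. That older test is a substring match, so it would also accept a module list containing any name that merely includes `admin`. Keeping both leaves two places to maintain; replacing the older block with the two `$app->auth` calls would bring this page in line with the other admin pages. The older block starts outside the hunk, so its full body is not visible here.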
diff --git a/interface/web/admin/server_config_del.php b/interface/web/admin/server_config_del.php
index c50ca140f3b70584b81758abeb0cc8f04bb22b2a..3a332edd1284def09f4902a8410d6589e13d1f11 100644
--- a/interface/web/admin/server_config_del.php
+++ b/interface/web/admin/server_config_del.php
@@ -44,6 +44,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_server_config');
if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.');
$app->uses("tform_actions");
diff --git a/interface/web/admin/server_config_edit.php b/interface/web/admin/server_config_edit.php
index a47118114b4d70198e380edf8ad1a8cae576f8dd..e561b00ac546fd900a48c0b292e1cbd7d2fcb37d 100644
--- a/interface/web/admin/server_config_edit.php
+++ b/interface/web/admin/server_config_edit.php
@@ -43,6 +43,8 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_server_config');
+
// Loading classes
$app->uses('tpl,tform,tform_actions');
diff --git a/interface/web/admin/server_del.php b/interface/web/admin/server_del.php
index c39b73238f6abebdf0d4bdae8258587a55994b76..f90bfa7f8674b3355fb11fb0b5e39a7a1b1694cb 100644
--- a/interface/web/admin/server_del.php
+++ b/interface/web/admin/server_del.php
@@ -44,6 +44,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_server_services');
if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.');
$app->uses("tform_actions");
diff --git a/interface/web/admin/server_edit.php b/interface/web/admin/server_edit.php
index caf79ef0b56ed3e9bd9586a739d185219a6faa74..0adf313181a23764852fd72c63baef27b96c6e38 100644
--- a/interface/web/admin/server_edit.php
+++ b/interface/web/admin/server_edit.php
@@ -43,6 +43,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_server_services');
// Loading classes
$app->uses('tpl,tform,tform_actions');
diff --git a/interface/web/admin/server_ip_del.php b/interface/web/admin/server_ip_del.php
index e1df9348379850e088521152d6c96af696ef82e4..61252c31c0cd56c3145407dbe8ab3db53ff29356 100644
--- a/interface/web/admin/server_ip_del.php
+++ b/interface/web/admin/server_ip_del.php
@@ -44,6 +44,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_server_ip');
$app->uses("tform_actions");
$app->tform_actions->onDelete();
diff --git a/interface/web/admin/server_ip_edit.php b/interface/web/admin/server_ip_edit.php
index c3bf380f8515737f56cecb7b1d27d679296bd2c4..c20f752b86c86c5535fe49a9a37b727ea5c0a469 100644
--- a/interface/web/admin/server_ip_edit.php
+++ b/interface/web/admin/server_ip_edit.php
@@ -43,6 +43,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_server_ip');
// Loading classes
$app->uses('tpl,tform,tform_actions');
diff --git a/interface/web/admin/server_php_del.php b/interface/web/admin/server_php_del.php
index d9c7baf2da916bbb521cb629e4c1bdd2a695342b..6848eea8d472a0c787e011558b7429375fc7965e 100644
--- a/interface/web/admin/server_php_del.php
+++ b/interface/web/admin/server_php_del.php
@@ -44,6 +44,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_server_php');
$app->uses("tform_actions");
$app->tform_actions->onDelete();
diff --git a/interface/web/admin/server_php_edit.php b/interface/web/admin/server_php_edit.php
index ff65c700702530eb513fd82793153fda4c98c8ff..f60ae997a051a92b5d389701debc40db26b184d9 100644
--- a/interface/web/admin/server_php_edit.php
+++ b/interface/web/admin/server_php_edit.php
@@ -43,6 +43,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_server_php');
// Loading classes
$app->uses('tpl,tform,tform_actions');
diff --git a/interface/web/admin/software_package_del.php b/interface/web/admin/software_package_del.php
index ff9ab6e5b7c84b790a49521a601db4f7d3a75981..31aeb1c09b07e38492823abb41a19bcf2f5c334d 100644
--- a/interface/web/admin/software_package_del.php
+++ b/interface/web/admin/software_package_del.php
@@ -33,6 +33,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_software_packages');
if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.');
$software_update_inst_id = $app->functions->intval($_GET['software_update_inst_id']);
diff --git a/interface/web/admin/software_package_edit.php b/interface/web/admin/software_package_edit.php
index 038f377e72cb2a0c7e06ec0851e4f8973251d982..65555d3a3570d12fce552171a1df350201902c75 100644
--- a/interface/web/admin/software_package_edit.php
+++ b/interface/web/admin/software_package_edit.php
@@ -43,6 +43,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_software_packages');
if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.');
// Loading classes
diff --git a/interface/web/admin/software_package_install.php b/interface/web/admin/software_package_install.php
index e45f47ac07e593e168a8113e1ae57dd2ec17854c..0fd58816a0e3056e2593c53ca8ff5d7af35bf95b 100644
--- a/interface/web/admin/software_package_install.php
+++ b/interface/web/admin/software_package_install.php
@@ -33,6 +33,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_software_packages');
//* This is only allowed for administrators
if(!$app->auth->is_admin()) die('only allowed for administrators.');
diff --git a/interface/web/admin/software_repo_del.php b/interface/web/admin/software_repo_del.php
index b8effc1d5716bf7bf4c8389f3885b7a3d6955289..630993717ce6dd20e3e77804bbf4497e6b6c0f2e 100644
--- a/interface/web/admin/software_repo_del.php
+++ b/interface/web/admin/software_repo_del.php
@@ -44,6 +44,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_software_repo');
if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.');
$app->uses("tform_actions");
diff --git a/interface/web/admin/software_repo_edit.php b/interface/web/admin/software_repo_edit.php
index 2a6a4f42280d9e58c24d44189ccbbb3555cf7aa8..6d52da2b56799f0274239b42bba857bd4388ec8b 100644
--- a/interface/web/admin/software_repo_edit.php
+++ b/interface/web/admin/software_repo_edit.php
@@ -43,6 +43,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_software_repo');
if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.');
// Loading classes
diff --git a/interface/web/admin/software_update_list.php b/interface/web/admin/software_update_list.php
index a709e0cff43cb4375674872f57ed6d05d4ac7dd0..8bc8b79a410613f21d3c1d018b29fc142ce4df95 100644
--- a/interface/web/admin/software_update_list.php
+++ b/interface/web/admin/software_update_list.php
@@ -33,6 +33,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_software_packages');
//* This is only allowed for administrators
if(!$app->auth->is_admin()) die('only allowed for administrators.');
diff --git a/interface/web/admin/system_config_edit.php b/interface/web/admin/system_config_edit.php
index 3c54fc209576d75079d067f4a49b620050c03be4..7d872fa45651e723b67ea7b113edaec40e8f2134 100644
--- a/interface/web/admin/system_config_edit.php
+++ b/interface/web/admin/system_config_edit.php
@@ -43,6 +43,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_system_config');
// Loading classes
$app->uses('tpl,tform,tform_actions');
diff --git a/interface/web/admin/tpl_default.php b/interface/web/admin/tpl_default.php
index b9477f1e39da58875d3ee46ac8c28396ec035eb7..57395cfb285436e69945474389d9be203545db90 100644
--- a/interface/web/admin/tpl_default.php
+++ b/interface/web/admin/tpl_default.php
@@ -1,4 +1,5 @@
auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_del_cpuser');
if($conf['demo_mode'] == true && $_REQUEST['id'] <= 3) $app->error('This function is disabled in demo mode.');
$app->uses("tform_actions");
diff --git a/interface/web/admin/users_edit.php b/interface/web/admin/users_edit.php
index 2b1be7f0fc7df0c6622db8e12b797d2a0476ca76..a405db4aed31429825a7f5e6dede2c360e0a0175 100644
--- a/interface/web/admin/users_edit.php
+++ b/interface/web/admin/users_edit.php
@@ -52,16 +52,29 @@ class page_action extends tform_actions {
function onBeforeInsert() {
global $app, $conf;
+
+ //* Security settings check
+ if(isset($this->dataRecord['typ']) && $this->dataRecord['typ'][0] == 'admin') {
+ $app->auth->check_security_permissions('admin_allow_new_admin');
+ }
if(!in_array($this->dataRecord['startmodule'], $this->dataRecord['modules'])) {
$app->tform->errorMessage .= $app->tform->wordbook['startmodule_err'];
}
+
+
+
}
function onBeforeUpdate() {
global $app, $conf;
if($conf['demo_mode'] == true && $_REQUEST['id'] <= 3) $app->error('This function is disabled in demo mode.');
+
+ //* Security settings check
+ if(isset($this->dataRecord['typ']) && $this->dataRecord['typ'][0] == 'admin') {
+ $app->auth->check_security_permissions('admin_allow_new_admin');
+ }
if(@is_array($this->dataRecord['modules']) && !in_array($this->dataRecord['startmodule'], $this->dataRecord['modules'])) {
$app->tform->errorMessage .= $app->tform->wordbook['startmodule_err'];
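Review bot: The admin gate in both onBeforeInsert() and onBeforeUpdate() inspects only `$this->dataRecord['typ'][0]`, so it depends on `admin` being the first element of the submitted value. The `[0]` index suggests `typ` arrives as an array; if several types can be submitted together (not confirmed from this hunk), a record carrying `admin` at any other index would skip `check_security_permissions('admin_allow_new_admin')`. Testing membership avoids relying on order: `if(isset($this->dataRecord['typ']) && in_array('admin', (array)$this->dataRecord['typ'], true)) {`. The body of onBeforeUpdate() continues past the end of the hunk.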
diff --git a/interface/web/remote/index.php b/interface/web/remote/index.php
index d60a1c95b58efcc1cb5645308cd808cca935ed08..c7ad8a90110ddf3c5e37c566b727b074161bb8b6 100644
--- a/interface/web/remote/index.php
+++ b/interface/web/remote/index.php
@@ -6,7 +6,11 @@ require_once '../../lib/app.inc.php';
if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.');
-$app->load('remoting');
+$app->load('remoting,getconf');
+
+$security_config = $app->getconf->get_security_config('permissions');
+if($security_config['remote_api_allowed'] != 'yes') die('Remote API is disabled in security settings.');
+
$server = new SoapServer(null, array('uri' => $_SERVER['REQUEST_URI']));
$server->setClass('remoting');
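Review bot: This is the only call site in the commit that reads `$app->getconf` after `$app->load(...)`; the shell-user plugins call `$app->uses('system,getconf')` before touching it. If load() only includes the class file and does not create the `$app->getconf` instance (an assumption, the loader is not shown on this page), the `get_security_config()` call here would fail on an unset property before the SOAP server starts. Keeping `$app->load('remoting');` and adding `$app->uses('getconf');` would match the other call sites. The `!= 'yes'` comparison itself fails closed when the key is missing, which is the right default for an API switch.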
diff --git a/interface/web/sites/form/shell_user.tform.php b/interface/web/sites/form/shell_user.tform.php
index db4efe34e9e116caf09523256cc3360a16dd2b08..4268fc08ecd8a6a8f6ef1f9c5634c517e1bc174d 100644
--- a/interface/web/sites/form/shell_user.tform.php
+++ b/interface/web/sites/form/shell_user.tform.php
@@ -237,6 +237,10 @@ if($_SESSION["s"]["user"]["typ"] == 'admin') {
1 => array ( 'type' => 'REGEX',
'regex' => '/^\/[a-zA-Z0-9\ \.\-\_\/]{10,128}$/',
'errmsg'=> 'directory_error_regex'),
+ 2 => array ( 'type' => 'CUSTOM',
+ 'class' => 'validate_systemuser',
+ 'function' => 'shelluser_dir',
+ 'errmsg' => 'directory_error_notinweb'),
),
'default' => '',
'value' => '',
diff --git a/interface/web/sites/lib/lang/en_shell_user.lng b/interface/web/sites/lib/lang/en_shell_user.lng
index c3f21d52d73152c68cb288d2d4b568bc7fe48540..66d33678fbd6e218bc14102c8a6ec6cd94db2a91 100644
--- a/interface/web/sites/lib/lang/en_shell_user.lng
+++ b/interface/web/sites/lib/lang/en_shell_user.lng
@@ -32,4 +32,5 @@ $wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group';
$wb['directory_error_regex'] = 'Invalid directory';
$wb['shell_error_regex'] = 'Invalid shell';
$wb['invalid_username_txt'] = 'Invalid Username';
+$wb['directory_error_notinweb'] = 'The directory has to be inside the web root.';
?>
diff --git a/interface/web/tools/user_settings.php b/interface/web/tools/user_settings.php
index 95018ac07cba968a0dd67bf4b60cbb33023c10f1..7065888dd71af44a76d935dfc452796b971c19d1 100644
--- a/interface/web/tools/user_settings.php
+++ b/interface/web/tools/user_settings.php
@@ -44,6 +44,10 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('tools');
+if($_SESSION['s']['user']['typ'] == 'admin') {
+ $app->auth->check_security_permissions('admin_allow_new_admin');
+}
+
// Loading classes
$app->uses('tpl,tform,tform_actions');
$app->load('tform_actions');
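Review bot: The added block reuses the key `admin_allow_new_admin` to gate the user settings page for every session whose `typ` is `admin`, and nothing in the hunk explains why a permission named for creating admins applies here. With the shipped default of `superadmin` this appears to lock other admins out of the page entirely, which may be intended but will surprise whoever edits the ini file later. A short comment above the block would record the intent, for example `//* Admins may change their own account here, so this page is gated like admin creation`. If the intent is narrower than that, a dedicated key would be clearer.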
diff --git a/security/security_settings.ini b/security/security_settings.ini
new file mode 100644
index 0000000000000000000000000000000000000000..0ea46f2d96c706727b46513c6d55b7c08d04eff6
--- /dev/null
+++ b/security/security_settings.ini
@@ -0,0 +1,25 @@
+[permissions]
+allow_shell_user=yes
+admin_allow_server_config=superadmin
+admin_allow_server_services=superadmin
+admin_allow_server_ip=superadmin
+admin_allow_remote_users=superadmin
+admin_allow_system_config=superadmin
+admin_allow_server_php=superadmin
+admin_allow_langedit=superadmin
+admin_allow_new_admin=superadmin
+admin_allow_del_cpuser=superadmin
+admin_allow_cpuser_group=superadmin
+admin_allow_firewall_config=superadmin
+admin_allow_osupdate=superadmin
+admin_allow_software_packages=superadmin
+admin_allow_software_repo=superadmin
+remote_api_allowed=yes
+
+[systemcheck]
+security_admin_email=root@localhost
+warn_new_admin=yes
+warn_passwd_change=no
+warn_shadow_change=no
+check_groups_in_passwd=yes
+check_ispconfig_md5=yes
\ No newline at end of file
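Review bot: Nothing in this new file says which values the keys accept, and the lookups visible in this commit compare against the literal string `yes` (the admin checks apparently also accept `superadmin`). A value such as `Yes`, `true` or `1` would therefore be treated as denied with no hint to the operator. If the project's ini parser tolerates comment lines (not shown on this page), a header like `; permissions: yes = allowed, superadmin = only the superadmin, any other value = denied` would document that. Because these settings gate admin actions, the installation notes should also state that the installed copy must not be writable by the account the web interface runs as.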
diff --git a/server/lib/classes/getconf.inc.php b/server/lib/classes/getconf.inc.php
index c5ca6c696a9b3ba993f168f5dd51b0a89cc2af0b..768ea2cabded44ab9ee56039d28ccc8fdaff7a89 100644
--- a/server/lib/classes/getconf.inc.php
+++ b/server/lib/classes/getconf.inc.php
@@ -59,6 +59,15 @@ class getconf {
}
return ($section == '') ? $this->config['global'] : $this->config['global'][$section];
}
+
+ public function get_security_config($section = '') {
+ global $app;
+
+ $app->uses('ini_parser');
+ $security_config = $app->ini_parser->parse_ini_string(file_get_contents('/usr/local/ispconfig/security/security_settings.ini'));
+
+ return ($section == '') ? $security_config : $security_config[$section];
+ }
}
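Review bot: get_security_config() passes the result of `file_get_contents()` straight to the parser, so a missing or unreadable settings file is not detected. In that case the `[$section]` lookup runs on whatever the parser returns for `false`. The callers in this commit do fail closed, but the shell-user plugins then log "disabled by security settings", which points the operator at the wrong cause. Checking the read, logging the real reason and returning an empty array keeps the fail-closed behaviour and makes the fault diagnosable. The file is also re-read and re-parsed on every call, so caching it in a property would be a cheap follow-up.

```php
	public function get_security_config($section = '') {
		global $app;

		$app->uses('ini_parser');
		$security_config_path = '/usr/local/ispconfig/security/security_settings.ini';
		$ini = is_readable($security_config_path) ? file_get_contents($security_config_path) : false;
		if($ini === false) {
			// Fail closed: with no settings, every permission lookup is unset and callers deny.
			$app->log('Security settings file not readable: '.$security_config_path, LOGLEVEL_WARN);
			return array();
		}
		$security_config = $app->ini_parser->parse_ini_string($ini);

		if($section == '') return $security_config;
		return isset($security_config[$section]) ? $security_config[$section] : array();
	}
```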
diff --git a/server/plugins-available/shelluser_base_plugin.inc.php b/server/plugins-available/shelluser_base_plugin.inc.php
index 67cbee02c5aa82884c86275ef9c9d6ccfada7b64..3cb9d36ca55726ca13ce0be8b542dba0e79e7f61 100755
--- a/server/plugins-available/shelluser_base_plugin.inc.php
+++ b/server/plugins-available/shelluser_base_plugin.inc.php
@@ -58,19 +58,25 @@ class shelluser_base_plugin {
/*
Register for the events
*/
-
+
$app->plugins->registerEvent('shell_user_insert', $this->plugin_name, 'insert');
$app->plugins->registerEvent('shell_user_update', $this->plugin_name, 'update');
$app->plugins->registerEvent('shell_user_delete', $this->plugin_name, 'delete');
-
+
}
function insert($event_name, $data) {
global $app, $conf;
-
- $app->uses('system');
+
+ $app->uses('system,getconf');
+
+ $security_config = $app->getconf->get_security_config('permissions');
+ if($security_config['allow_shell_user'] != 'yes') {
+ $app->log('Shell user plugin disabled by security settings.',LOGLEVEL_WARN);
+ return false;
+ }
//* Check if the resulting path is inside the docroot
$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".intval($data['new']['parent_domain_id']));
@@ -144,7 +150,13 @@ class shelluser_base_plugin {
function update($event_name, $data) {
global $app, $conf;
- $app->uses('system');
+ $app->uses('system,getconf');
+
+ $security_config = $app->getconf->get_security_config('permissions');
+ if($security_config['allow_shell_user'] != 'yes') {
+ $app->log('Shell user plugin disabled by security settings.',LOGLEVEL_WARN);
+ return false;
+ }
//* Check if the resulting path is inside the docroot
$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".intval($data['new']['parent_domain_id']));
@@ -223,7 +235,13 @@ class shelluser_base_plugin {
function delete($event_name, $data) {
global $app, $conf;
- $app->uses('system');
+ $app->uses('system,getconf');
+
+ $security_config = $app->getconf->get_security_config('permissions');
+ if($security_config['allow_shell_user'] != 'yes') {
+ $app->log('Shell user plugin disabled by security settings.',LOGLEVEL_WARN);
+ return false;
+ }
if($app->system->is_user($data['old']['username'])) {
// Get the UID of the user
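Review bot: The `allow_shell_user` gate added to delete() returns before the removal code, so once the setting is anything but `yes`, existing shell accounts are never removed from the system. An operator who turns shell users off to reduce exposure would keep every previously created account, and deletions requested in the panel would be dropped with only a warning in the log. Consider leaving delete() ungated, or at least making the message explicit, e.g. `$app->log('Shell user '.$data['old']['username'].' NOT removed: shell users disabled by security settings.', LOGLEVEL_WARN);`. The delete() method in shelluser_jailkit_plugin.inc.php gets the same gate in this commit. The function body continues past the end of this hunk.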
diff --git a/server/plugins-available/shelluser_jailkit_plugin.inc.php b/server/plugins-available/shelluser_jailkit_plugin.inc.php
index f0fb2799eadff42981331ff95b51233e69706c12..cb222fdc476e7091c9342c8e6af41a09d2b49577 100755
--- a/server/plugins-available/shelluser_jailkit_plugin.inc.php
+++ b/server/plugins-available/shelluser_jailkit_plugin.inc.php
@@ -59,11 +59,11 @@ class shelluser_jailkit_plugin {
/*
Register for the events
*/
-
+
$app->plugins->registerEvent('shell_user_insert', $this->plugin_name, 'insert');
$app->plugins->registerEvent('shell_user_update', $this->plugin_name, 'update');
$app->plugins->registerEvent('shell_user_delete', $this->plugin_name, 'delete');
-
+
}
@@ -71,7 +71,15 @@ class shelluser_jailkit_plugin {
function insert($event_name, $data) {
global $app, $conf;
- $app->uses('system');
+ $app->uses('system,getconf');
+
+ $security_config = $app->getconf->get_security_config('permissions');
+ if($security_config['allow_shell_user'] != 'yes') {
+ $app->log('Shell user plugin disabled by security settings.',LOGLEVEL_WARN);
+ return false;
+ }
+
+
$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$data['new']['parent_domain_id']);
if(!$app->system->is_allowed_user($data['new']['username'], false, false)
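Review bot: The query directly below the new security gate still concatenates `$data['new']['parent_domain_id']` into the SQL string unchanged, whereas the same lookup in shelluser_base_plugin.inc.php wraps it in `intval()`. Since this commit is hardening these handlers, the jailkit plugin should match: `"SELECT * FROM web_domain WHERE domain_id = ".intval($data['new']['parent_domain_id'])`. The same applies to the query in the update() hunk and to the `$data['old']['parent_domain_id']` query in the delete() hunk of this file. How far the `$data` record is trusted by the time it reaches the plugin is not visible from here, so this is defence in depth rather than a confirmed injection path. The function body continues past the end of the hunk.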
@@ -143,7 +151,14 @@ class shelluser_jailkit_plugin {
function update($event_name, $data) {
global $app, $conf;
- $app->uses('system');
+ $app->uses('system,getconf');
+
+ $security_config = $app->getconf->get_security_config('permissions');
+ if($security_config['allow_shell_user'] != 'yes') {
+ $app->log('Shell user plugin disabled by security settings.',LOGLEVEL_WARN);
+ return false;
+ }
+
$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$data['new']['parent_domain_id']);
if(!$app->system->is_allowed_user($data['new']['username'], false, false)
@@ -209,7 +224,13 @@ class shelluser_jailkit_plugin {
function delete($event_name, $data) {
global $app, $conf;
- $app->uses('system');
+ $app->uses('system,getconf');
+
+ $security_config = $app->getconf->get_security_config('permissions');
+ if($security_config['allow_shell_user'] != 'yes') {
+ $app->log('Shell user plugin disabled by security settings.',LOGLEVEL_WARN);
+ return false;
+ }
$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$data['old']['parent_domain_id']);