From 9edea9976bd605071e0694a90d704266c0b7e0f9 Mon Sep 17 00:00:00 2001 From: Till Brehm Date: Thu, 14 Aug 2014 17:30:03 +0200 Subject: [PATCH] - Added warning in the interface when a path for a shelluser is set that is outside of the website docroot. - Added security settings feature to allow the root user of a server to control most aspects of whet the admin user of the controlpanel is allowed to do in system settings. This is especially useful for managed severs where the ispconfig admin user and the root user of the server are different persons. --- interface/lib/classes/auth.inc.php | 18 +++++- interface/lib/classes/getconf.inc.php | 9 +++ .../lib/classes/validate_systemuser.inc.php | 56 +++++++++++++++++++ interface/lib/lang/ar.lng | 2 + interface/lib/lang/bg.lng | 2 + interface/lib/lang/br.lng | 2 + interface/lib/lang/cz.lng | 2 + interface/lib/lang/de.lng | 2 + interface/lib/lang/el.lng | 2 + interface/lib/lang/en.lng | 6 +- interface/lib/lang/es.lng | 2 + interface/lib/lang/fi.lng | 2 + interface/lib/lang/fr.lng | 2 + interface/lib/lang/hr.lng | 4 +- interface/lib/lang/hu.lng | 4 +- interface/lib/lang/id.lng | 4 +- interface/lib/lang/it.lng | 4 +- interface/lib/lang/ja.lng | 4 +- interface/lib/lang/nl.lng | 4 +- interface/lib/lang/pl.lng | 4 +- interface/lib/lang/pt.lng | 4 +- interface/lib/lang/ro.lng | 4 +- interface/lib/lang/ru.lng | 4 +- interface/lib/lang/se.lng | 4 +- interface/lib/lang/sk.lng | 4 +- interface/lib/lang/tr.lng | 4 +- interface/web/admin/firewall_del.php | 1 + interface/web/admin/firewall_edit.php | 1 + interface/web/admin/groups_del.php | 1 + interface/web/admin/groups_edit.php | 1 + interface/web/admin/iptables_del.php | 1 + interface/web/admin/iptables_edit.php | 1 + interface/web/admin/iptables_list.php | 2 + interface/web/admin/language_add.php | 1 + interface/web/admin/language_complete.php | 1 + interface/web/admin/language_edit.php | 1 + interface/web/admin/language_export.php | 1 + interface/web/admin/language_import.php | 1 + .../web/admin/remote_action_osupdate.php | 1 + interface/web/admin/remote_user_del.php | 1 + interface/web/admin/remote_user_edit.php | 3 + interface/web/admin/server_config_del.php | 1 + interface/web/admin/server_config_edit.php | 2 + interface/web/admin/server_del.php | 1 + interface/web/admin/server_edit.php | 1 + interface/web/admin/server_ip_del.php | 1 + interface/web/admin/server_ip_edit.php | 1 + interface/web/admin/server_php_del.php | 1 + interface/web/admin/server_php_edit.php | 1 + interface/web/admin/software_package_del.php | 1 + interface/web/admin/software_package_edit.php | 1 + .../web/admin/software_package_install.php | 1 + interface/web/admin/software_repo_del.php | 1 + interface/web/admin/software_repo_edit.php | 1 + interface/web/admin/software_update_list.php | 1 + interface/web/admin/system_config_edit.php | 1 + interface/web/admin/tpl_default.php | 1 + interface/web/admin/users_del.php | 1 + interface/web/admin/users_edit.php | 13 +++++ interface/web/remote/index.php | 6 +- interface/web/sites/form/shell_user.tform.php | 4 ++ .../web/sites/lib/lang/en_shell_user.lng | 1 + interface/web/tools/user_settings.php | 4 ++ security/security_settings.ini | 25 +++++++++ server/lib/classes/getconf.inc.php | 9 +++ .../shelluser_base_plugin.inc.php | 30 ++++++++-- .../shelluser_jailkit_plugin.inc.php | 31 ++++++++-- 67 files changed, 289 insertions(+), 29 deletions(-) create mode 100644 security/security_settings.ini diff --git a/interface/lib/classes/auth.inc.php b/interface/lib/classes/auth.inc.php index 5be11cb7b..70c1722ae 100644 --- a/interface/lib/classes/auth.inc.php +++ b/interface/lib/classes/auth.inc.php @@ -46,7 +46,7 @@ class auth { } public function is_superadmin() { - if($_SESSION['s']['user']['typ'] == 'admin' && $_SESSION['s']['user']['userid'] === 1) { + if($_SESSION['s']['user']['typ'] == 'admin' && $_SESSION['s']['user']['userid'] == 1) { return true; } else { return false; @@ -136,6 +136,22 @@ class auth { exit; } } + + public function check_security_permissions($permission) { + + global $app; + + $app->uses('getconf'); + $security_config = $app->getconf->get_security_config('permissions'); + + $security_check = false; + if($security_config[$permission] == 'yes') $security_check = true; + if($security_config[$permission] == 'superadmin' && $app->auth->is_superadmin()) $security_check = true; + if($security_check !== true) { + $app->error($app->lng('security_check1_txt').' '.$permission.' '.$app->lng('security_check2_txt')); + } + + } public function get_random_password($length = 8) { $base64_alphabet='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'; diff --git a/interface/lib/classes/getconf.inc.php b/interface/lib/classes/getconf.inc.php index 45fefa601..7a29dbf42 100644 --- a/interface/lib/classes/getconf.inc.php +++ b/interface/lib/classes/getconf.inc.php @@ -54,6 +54,15 @@ class getconf { } return ($section == '') ? $this->config['global'] : $this->config['global'][$section]; } + + public function get_security_config($section = '') { + global $app; + + $app->uses('ini_parser'); + $security_config = $app->ini_parser->parse_ini_string(file_get_contents('/usr/local/ispconfig/security/security_settings.ini')); + + return ($section == '') ? $security_config : $security_config[$section]; + } } diff --git a/interface/lib/classes/validate_systemuser.inc.php b/interface/lib/classes/validate_systemuser.inc.php index f1bbd2bb3..6df3a4589 100644 --- a/interface/lib/classes/validate_systemuser.inc.php +++ b/interface/lib/classes/validate_systemuser.inc.php @@ -58,7 +58,63 @@ class validate_systemuser { } } + /* + Validator function to check if a given dir is ok. + */ + function shelluser_dir($field_name, $field_value, $validator) { + global $app; + + if($app->tform->primary_id == 0) { + $errmsg = $validator['errmsg']; + if(isset($app->tform->wordbook[$errmsg])) { + return $app->tform->wordbook[$errmsg]."
\r\n"; + } else { + return $errmsg."
\r\n"; + } + } + + + $shell_data = $app->db->queryOneRecord("SELECT parent_domain_id FROM shell_user WHERE shell_user_id = '".$app->db->quote($app->tform->primary_id)."'"); + if(!is_array($shell_data) || $shell_data["parent_domain_id"] < 1) { + $errmsg = $validator['errmsg']; + if(isset($app->tform->wordbook[$errmsg])) { + return $app->tform->wordbook[$errmsg]."
\r\n"; + } else { + return $errmsg."
\r\n"; + } + } + $domain_data = $app->db->queryOneRecord("SELECT domain_id, document_root FROM web_domain WHERE domain_id = '".$app->db->quote($shell_data["parent_domain_id"])."'"); + if(!is_array($domain_data) || $domain_data["domain_id"] < 1) { + $errmsg = $validator['errmsg']; + if(isset($app->tform->wordbook[$errmsg])) { + return $app->tform->wordbook[$errmsg]."
\r\n"; + } else { + return $errmsg."
\r\n"; + } + } + + $doc_root = $domain_data["document_root"]; + $is_ok = false; + if($doc_root == $field_value) $is_ok = true; + + $doc_root .= "/"; + if(substr($field_value, 0, strlen($doc_root)) == $doc_root) $is_ok = true; + + if(stristr($field_value, '..') or stristr($field_value, './') or stristr($field_value, '/.')) $is_ok = false; + + //* Final check if docroot path of website is >= 5 chars + if(strlen($doc_root) < 5) $is_ok = false; + + if($is_ok == false) { + $errmsg = $validator['errmsg']; + if(isset($app->tform->wordbook[$errmsg])) { + return $app->tform->wordbook[$errmsg]."
\r\n"; + } else { + return $errmsg."
\r\n"; + } + } + } } diff --git a/interface/lib/lang/ar.lng b/interface/lib/lang/ar.lng index 2bef4b0d6..ed4bb29c0 100644 --- a/interface/lib/lang/ar.lng +++ b/interface/lib/lang/ar.lng @@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong'; $wb['strength_5'] = 'Very Strong'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; ?> diff --git a/interface/lib/lang/bg.lng b/interface/lib/lang/bg.lng index 09b399ad5..04380173a 100644 --- a/interface/lib/lang/bg.lng +++ b/interface/lib/lang/bg.lng @@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong'; $wb['strength_5'] = 'Very Strong'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; ?> diff --git a/interface/lib/lang/br.lng b/interface/lib/lang/br.lng index 7007f7dec..275be4d1b 100644 --- a/interface/lib/lang/br.lng +++ b/interface/lib/lang/br.lng @@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong'; $wb['strength_5'] = 'Very Strong'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; ?> diff --git a/interface/lib/lang/cz.lng b/interface/lib/lang/cz.lng index a48a835bb..27fa49431 100644 --- a/interface/lib/lang/cz.lng +++ b/interface/lib/lang/cz.lng @@ -147,4 +147,6 @@ $wb['strength_4'] = 'Silná'; $wb['strength_5'] = 'Velmi silná'; $wb['weak_password_txt'] = 'Zvolené heslo neodpovídá požadavkům zásad pro tvorbu hesel. Heslo musí být alespoň {chars} znaků dlouhé a mající sílu \\"{strength}\\".'; $wb['weak_password_length_txt'] = 'Zvolené heslo neodpovídá požadavkům zásad pro tvorbu hesel. Heslo musí být alespoň {chars} znaků dlouhé.'; +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; ?> diff --git a/interface/lib/lang/de.lng b/interface/lib/lang/de.lng index dfd1c9b77..735b1da09 100644 --- a/interface/lib/lang/de.lng +++ b/interface/lib/lang/de.lng @@ -147,4 +147,6 @@ $wb['strength_4'] = 'Stark'; $wb['strength_5'] = 'Sehr stark'; $wb['weak_password_txt'] = 'Das gewählte Passwort erfüllt die Sicherheitsanforderungen nicht. Es muss mindestens {chars} Zeichen lang sein und die Stärke \\"{strength}\\" besitzen.'; $wb['weak_password_length_txt'] = 'Das gewählte Passwort erfüllt die Sicherheitsanforderungen nicht. Es muss mindestens {chars} Zeichen lang sein.'; +$wb['security_check1_txt'] = 'Sicherheitsüberprüfung für:'; +$wb['security_check2_txt'] = 'fehlgeschlagen.'; ?> diff --git a/interface/lib/lang/el.lng b/interface/lib/lang/el.lng index 20f26a448..d8a271590 100644 --- a/interface/lib/lang/el.lng +++ b/interface/lib/lang/el.lng @@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong'; $wb['strength_5'] = 'Very Strong'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; ?> diff --git a/interface/lib/lang/en.lng b/interface/lib/lang/en.lng index ec309d9f8..c89c97a7c 100644 --- a/interface/lib/lang/en.lng +++ b/interface/lib/lang/en.lng @@ -131,7 +131,6 @@ $wb['datalog_status_d_web_folder'] = 'Delete folder protection'; $wb['datalog_status_i_web_folder_user'] = 'Create folder protection user'; $wb['datalog_status_u_web_folder_user'] = 'Update folder protection user'; $wb['datalog_status_d_web_folder_user'] = 'Delete folder protection user'; - $wb['login_as_txt'] = 'Log in as'; $wb["no_domain_perm"] = 'You have no permission for this domain.'; $wb["no_destination_perm"] = 'You have no permission for this destination.'; @@ -149,5 +148,6 @@ $wb['strength_4'] = 'Strong'; $wb['strength_5'] = 'Very Strong'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of "{strength}".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; - -?> +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; +?> \ No newline at end of file diff --git a/interface/lib/lang/es.lng b/interface/lib/lang/es.lng index 63b62451b..ae21baf04 100644 --- a/interface/lib/lang/es.lng +++ b/interface/lib/lang/es.lng @@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong'; $wb['strength_5'] = 'Very Strong'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; ?> diff --git a/interface/lib/lang/fi.lng b/interface/lib/lang/fi.lng index 3cdfa12d8..059c9b2de 100755 --- a/interface/lib/lang/fi.lng +++ b/interface/lib/lang/fi.lng @@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong'; $wb['strength_5'] = 'Very Strong'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; ?> diff --git a/interface/lib/lang/fr.lng b/interface/lib/lang/fr.lng index 613f2a342..c59aac41a 100644 --- a/interface/lib/lang/fr.lng +++ b/interface/lib/lang/fr.lng @@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong'; $wb['strength_5'] = 'Very Strong'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; ?> diff --git a/interface/lib/lang/hr.lng b/interface/lib/lang/hr.lng index 26a98bfc1..634a39648 100644 --- a/interface/lib/lang/hr.lng +++ b/interface/lib/lang/hr.lng @@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong'; $wb['strength_5'] = 'Very Strong'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; -?> +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; +?> \ No newline at end of file diff --git a/interface/lib/lang/hu.lng b/interface/lib/lang/hu.lng index ce9a10259..9aa46b488 100644 --- a/interface/lib/lang/hu.lng +++ b/interface/lib/lang/hu.lng @@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong'; $wb['strength_5'] = 'Very Strong'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; -?> +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; +?> \ No newline at end of file diff --git a/interface/lib/lang/id.lng b/interface/lib/lang/id.lng index a781fb597..bc0a5f950 100644 --- a/interface/lib/lang/id.lng +++ b/interface/lib/lang/id.lng @@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong'; $wb['strength_5'] = 'Very Strong'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; -?> +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; +?> \ No newline at end of file diff --git a/interface/lib/lang/it.lng b/interface/lib/lang/it.lng index 8b2b810c3..1f46893fe 100644 --- a/interface/lib/lang/it.lng +++ b/interface/lib/lang/it.lng @@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong'; $wb['strength_5'] = 'Very Strong'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; -?> +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; +?> \ No newline at end of file diff --git a/interface/lib/lang/ja.lng b/interface/lib/lang/ja.lng index 04fef3d96..41cd638f8 100644 --- a/interface/lib/lang/ja.lng +++ b/interface/lib/lang/ja.lng @@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong'; $wb['strength_5'] = 'Very Strong'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; -?> +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; +?> \ No newline at end of file diff --git a/interface/lib/lang/nl.lng b/interface/lib/lang/nl.lng index 458b53fa3..b359dee1c 100644 --- a/interface/lib/lang/nl.lng +++ b/interface/lib/lang/nl.lng @@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong'; $wb['strength_5'] = 'Very Strong'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; -?> +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; +?> \ No newline at end of file diff --git a/interface/lib/lang/pl.lng b/interface/lib/lang/pl.lng index 87973f64b..058680c47 100644 --- a/interface/lib/lang/pl.lng +++ b/interface/lib/lang/pl.lng @@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong'; $wb['strength_5'] = 'Very Strong'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; -?> +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; +?> \ No newline at end of file diff --git a/interface/lib/lang/pt.lng b/interface/lib/lang/pt.lng index 84cd748af..48beea8dd 100644 --- a/interface/lib/lang/pt.lng +++ b/interface/lib/lang/pt.lng @@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong'; $wb['strength_5'] = 'Very Strong'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; -?> +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; +?> \ No newline at end of file diff --git a/interface/lib/lang/ro.lng b/interface/lib/lang/ro.lng index 6431e1180..c5234fb83 100644 --- a/interface/lib/lang/ro.lng +++ b/interface/lib/lang/ro.lng @@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong'; $wb['strength_5'] = 'Very Strong'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; -?> +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; +?> \ No newline at end of file diff --git a/interface/lib/lang/ru.lng b/interface/lib/lang/ru.lng index 566f8d83a..7fb0ac863 100644 --- a/interface/lib/lang/ru.lng +++ b/interface/lib/lang/ru.lng @@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong'; $wb['strength_5'] = 'Very Strong'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; -?> +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; +?> \ No newline at end of file diff --git a/interface/lib/lang/se.lng b/interface/lib/lang/se.lng index 41a972f5c..a7813bc0b 100644 --- a/interface/lib/lang/se.lng +++ b/interface/lib/lang/se.lng @@ -147,4 +147,6 @@ $wb['strength_4'] = 'Starkt'; $wb['strength_5'] = 'Väldigt starkt'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \"{strength}\".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; -?> +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; +?> \ No newline at end of file diff --git a/interface/lib/lang/sk.lng b/interface/lib/lang/sk.lng index 4abcf0ca9..63a16ce29 100644 --- a/interface/lib/lang/sk.lng +++ b/interface/lib/lang/sk.lng @@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong'; $wb['strength_5'] = 'Very Strong'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; -?> +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; +?> \ No newline at end of file diff --git a/interface/lib/lang/tr.lng b/interface/lib/lang/tr.lng index 0257a68b8..e7d9e037f 100644 --- a/interface/lib/lang/tr.lng +++ b/interface/lib/lang/tr.lng @@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong'; $wb['strength_5'] = 'Very Strong'; $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".'; $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.'; -?> +$wb['security_check1_txt'] = 'Check for security permission:'; +$wb['security_check2_txt'] = 'failed.'; +?> \ No newline at end of file diff --git a/interface/web/admin/firewall_del.php b/interface/web/admin/firewall_del.php index c4ea5605c..3fc23fe70 100644 --- a/interface/web/admin/firewall_del.php +++ b/interface/web/admin/firewall_del.php @@ -44,6 +44,7 @@ require_once '../../lib/app.inc.php'; //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_firewall_config'); $app->uses("tform_actions"); $app->tform_actions->onDelete(); diff --git a/interface/web/admin/firewall_edit.php b/interface/web/admin/firewall_edit.php index d0c35db8e..6c29f766d 100644 --- a/interface/web/admin/firewall_edit.php +++ b/interface/web/admin/firewall_edit.php @@ -43,6 +43,7 @@ require_once '../../lib/app.inc.php'; //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_firewall_config'); // Loading classes $app->uses('tpl,tform,tform_actions'); diff --git a/interface/web/admin/groups_del.php b/interface/web/admin/groups_del.php index 57b47d9f4..42eed9507 100644 --- a/interface/web/admin/groups_del.php +++ b/interface/web/admin/groups_del.php @@ -44,6 +44,7 @@ require_once '../../lib/app.inc.php'; //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_cpuser_group'); $app->uses("tform_actions"); $app->tform_actions->onDelete(); diff --git a/interface/web/admin/groups_edit.php b/interface/web/admin/groups_edit.php index 5ecf75fdf..000000361 100644 --- a/interface/web/admin/groups_edit.php +++ b/interface/web/admin/groups_edit.php @@ -43,6 +43,7 @@ require_once '../../lib/app.inc.php'; //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_cpuser_group'); // Loading classes $app->uses('tpl,tform,tform_actions'); diff --git a/interface/web/admin/iptables_del.php b/interface/web/admin/iptables_del.php index 2497768c1..55371d6cb 100644 --- a/interface/web/admin/iptables_del.php +++ b/interface/web/admin/iptables_del.php @@ -1,4 +1,5 @@ auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_langedit'); //* This is only allowed for administrators if(!$app->auth->is_admin()) die('only allowed for administrators.'); diff --git a/interface/web/admin/language_complete.php b/interface/web/admin/language_complete.php index 67cfb86ed..d8f4bbda8 100644 --- a/interface/web/admin/language_complete.php +++ b/interface/web/admin/language_complete.php @@ -32,6 +32,7 @@ require_once '../../lib/app.inc.php'; //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_langedit'); if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.'); //* This is only allowed for administrators diff --git a/interface/web/admin/language_edit.php b/interface/web/admin/language_edit.php index 819924492..7d83b9bb7 100644 --- a/interface/web/admin/language_edit.php +++ b/interface/web/admin/language_edit.php @@ -32,6 +32,7 @@ require_once '../../lib/app.inc.php'; //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_langedit'); //* This is only allowed for administrators if(!$app->auth->is_admin()) die('only allowed for administrators.'); diff --git a/interface/web/admin/language_export.php b/interface/web/admin/language_export.php index a4c75f3df..44bc787bd 100644 --- a/interface/web/admin/language_export.php +++ b/interface/web/admin/language_export.php @@ -32,6 +32,7 @@ require_once '../../lib/app.inc.php'; //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_langedit'); //* This is only allowed for administrators if(!$app->auth->is_admin()) die('only allowed for administrators.'); diff --git a/interface/web/admin/language_import.php b/interface/web/admin/language_import.php index 1dfaa1846..d53575ba2 100644 --- a/interface/web/admin/language_import.php +++ b/interface/web/admin/language_import.php @@ -112,6 +112,7 @@ function validate_line($line) { //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_langedit'); //* This is only allowed for administrators if(!$app->auth->is_admin()) die('only allowed for administrators.'); diff --git a/interface/web/admin/remote_action_osupdate.php b/interface/web/admin/remote_action_osupdate.php index 4000d7f26..61c6c2382 100644 --- a/interface/web/admin/remote_action_osupdate.php +++ b/interface/web/admin/remote_action_osupdate.php @@ -32,6 +32,7 @@ require_once '../../lib/app.inc.php'; //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_osupdate'); //* This is only allowed for administrators if(!$app->auth->is_admin()) die('only allowed for administrators.'); diff --git a/interface/web/admin/remote_user_del.php b/interface/web/admin/remote_user_del.php index e3a383272..b23336cab 100644 --- a/interface/web/admin/remote_user_del.php +++ b/interface/web/admin/remote_user_del.php @@ -44,6 +44,7 @@ require_once '../../lib/app.inc.php'; //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_remote_users'); $app->uses('tpl,tform'); $app->load('tform_actions'); diff --git a/interface/web/admin/remote_user_edit.php b/interface/web/admin/remote_user_edit.php index 962aa5752..efc4f72a3 100644 --- a/interface/web/admin/remote_user_edit.php +++ b/interface/web/admin/remote_user_edit.php @@ -13,6 +13,9 @@ if(!stristr($_SESSION['s']['user']['modules'], 'admin')) { die; } +$app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_remote_users'); + // Disable this function in demo mode if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.'); diff --git a/interface/web/admin/server_config_del.php b/interface/web/admin/server_config_del.php index c50ca140f..3a332edd1 100644 --- a/interface/web/admin/server_config_del.php +++ b/interface/web/admin/server_config_del.php @@ -44,6 +44,7 @@ require_once '../../lib/app.inc.php'; //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_server_config'); if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.'); $app->uses("tform_actions"); diff --git a/interface/web/admin/server_config_edit.php b/interface/web/admin/server_config_edit.php index a47118114..e561b00ac 100644 --- a/interface/web/admin/server_config_edit.php +++ b/interface/web/admin/server_config_edit.php @@ -43,6 +43,8 @@ require_once '../../lib/app.inc.php'; //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_server_config'); + // Loading classes $app->uses('tpl,tform,tform_actions'); diff --git a/interface/web/admin/server_del.php b/interface/web/admin/server_del.php index c39b73238..f90bfa7f8 100644 --- a/interface/web/admin/server_del.php +++ b/interface/web/admin/server_del.php @@ -44,6 +44,7 @@ require_once '../../lib/app.inc.php'; //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_server_services'); if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.'); $app->uses("tform_actions"); diff --git a/interface/web/admin/server_edit.php b/interface/web/admin/server_edit.php index caf79ef0b..0adf31318 100644 --- a/interface/web/admin/server_edit.php +++ b/interface/web/admin/server_edit.php @@ -43,6 +43,7 @@ require_once '../../lib/app.inc.php'; //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_server_services'); // Loading classes $app->uses('tpl,tform,tform_actions'); diff --git a/interface/web/admin/server_ip_del.php b/interface/web/admin/server_ip_del.php index e1df93483..61252c31c 100644 --- a/interface/web/admin/server_ip_del.php +++ b/interface/web/admin/server_ip_del.php @@ -44,6 +44,7 @@ require_once '../../lib/app.inc.php'; //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_server_ip'); $app->uses("tform_actions"); $app->tform_actions->onDelete(); diff --git a/interface/web/admin/server_ip_edit.php b/interface/web/admin/server_ip_edit.php index c3bf380f8..c20f752b8 100644 --- a/interface/web/admin/server_ip_edit.php +++ b/interface/web/admin/server_ip_edit.php @@ -43,6 +43,7 @@ require_once '../../lib/app.inc.php'; //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_server_ip'); // Loading classes $app->uses('tpl,tform,tform_actions'); diff --git a/interface/web/admin/server_php_del.php b/interface/web/admin/server_php_del.php index d9c7baf2d..6848eea8d 100644 --- a/interface/web/admin/server_php_del.php +++ b/interface/web/admin/server_php_del.php @@ -44,6 +44,7 @@ require_once '../../lib/app.inc.php'; //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_server_php'); $app->uses("tform_actions"); $app->tform_actions->onDelete(); diff --git a/interface/web/admin/server_php_edit.php b/interface/web/admin/server_php_edit.php index ff65c7007..f60ae997a 100644 --- a/interface/web/admin/server_php_edit.php +++ b/interface/web/admin/server_php_edit.php @@ -43,6 +43,7 @@ require_once '../../lib/app.inc.php'; //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_server_php'); // Loading classes $app->uses('tpl,tform,tform_actions'); diff --git a/interface/web/admin/software_package_del.php b/interface/web/admin/software_package_del.php index ff9ab6e5b..31aeb1c09 100644 --- a/interface/web/admin/software_package_del.php +++ b/interface/web/admin/software_package_del.php @@ -33,6 +33,7 @@ require_once '../../lib/app.inc.php'; //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_software_packages'); if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.'); $software_update_inst_id = $app->functions->intval($_GET['software_update_inst_id']); diff --git a/interface/web/admin/software_package_edit.php b/interface/web/admin/software_package_edit.php index 038f377e7..65555d3a3 100644 --- a/interface/web/admin/software_package_edit.php +++ b/interface/web/admin/software_package_edit.php @@ -43,6 +43,7 @@ require_once '../../lib/app.inc.php'; //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_software_packages'); if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.'); // Loading classes diff --git a/interface/web/admin/software_package_install.php b/interface/web/admin/software_package_install.php index e45f47ac0..0fd58816a 100644 --- a/interface/web/admin/software_package_install.php +++ b/interface/web/admin/software_package_install.php @@ -33,6 +33,7 @@ require_once '../../lib/app.inc.php'; //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_software_packages'); //* This is only allowed for administrators if(!$app->auth->is_admin()) die('only allowed for administrators.'); diff --git a/interface/web/admin/software_repo_del.php b/interface/web/admin/software_repo_del.php index b8effc1d5..630993717 100644 --- a/interface/web/admin/software_repo_del.php +++ b/interface/web/admin/software_repo_del.php @@ -44,6 +44,7 @@ require_once '../../lib/app.inc.php'; //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_software_repo'); if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.'); $app->uses("tform_actions"); diff --git a/interface/web/admin/software_repo_edit.php b/interface/web/admin/software_repo_edit.php index 2a6a4f422..6d52da2b5 100644 --- a/interface/web/admin/software_repo_edit.php +++ b/interface/web/admin/software_repo_edit.php @@ -43,6 +43,7 @@ require_once '../../lib/app.inc.php'; //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_software_repo'); if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.'); // Loading classes diff --git a/interface/web/admin/software_update_list.php b/interface/web/admin/software_update_list.php index a709e0cff..8bc8b79a4 100644 --- a/interface/web/admin/software_update_list.php +++ b/interface/web/admin/software_update_list.php @@ -33,6 +33,7 @@ require_once '../../lib/app.inc.php'; //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_software_packages'); //* This is only allowed for administrators if(!$app->auth->is_admin()) die('only allowed for administrators.'); diff --git a/interface/web/admin/system_config_edit.php b/interface/web/admin/system_config_edit.php index 3c54fc209..7d872fa45 100644 --- a/interface/web/admin/system_config_edit.php +++ b/interface/web/admin/system_config_edit.php @@ -43,6 +43,7 @@ require_once '../../lib/app.inc.php'; //* Check permissions for module $app->auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_system_config'); // Loading classes $app->uses('tpl,tform,tform_actions'); diff --git a/interface/web/admin/tpl_default.php b/interface/web/admin/tpl_default.php index b9477f1e3..57395cfb2 100644 --- a/interface/web/admin/tpl_default.php +++ b/interface/web/admin/tpl_default.php @@ -1,4 +1,5 @@ auth->check_module_permissions('admin'); +$app->auth->check_security_permissions('admin_allow_del_cpuser'); if($conf['demo_mode'] == true && $_REQUEST['id'] <= 3) $app->error('This function is disabled in demo mode.'); $app->uses("tform_actions"); diff --git a/interface/web/admin/users_edit.php b/interface/web/admin/users_edit.php index 2b1be7f0f..a405db4ae 100644 --- a/interface/web/admin/users_edit.php +++ b/interface/web/admin/users_edit.php @@ -52,16 +52,29 @@ class page_action extends tform_actions { function onBeforeInsert() { global $app, $conf; + + //* Security settings check + if(isset($this->dataRecord['typ']) && $this->dataRecord['typ'][0] == 'admin') { + $app->auth->check_security_permissions('admin_allow_new_admin'); + } if(!in_array($this->dataRecord['startmodule'], $this->dataRecord['modules'])) { $app->tform->errorMessage .= $app->tform->wordbook['startmodule_err']; } + + + } function onBeforeUpdate() { global $app, $conf; if($conf['demo_mode'] == true && $_REQUEST['id'] <= 3) $app->error('This function is disabled in demo mode.'); + + //* Security settings check + if(isset($this->dataRecord['typ']) && $this->dataRecord['typ'][0] == 'admin') { + $app->auth->check_security_permissions('admin_allow_new_admin'); + } if(@is_array($this->dataRecord['modules']) && !in_array($this->dataRecord['startmodule'], $this->dataRecord['modules'])) { $app->tform->errorMessage .= $app->tform->wordbook['startmodule_err']; diff --git a/interface/web/remote/index.php b/interface/web/remote/index.php index d60a1c95b..c7ad8a901 100644 --- a/interface/web/remote/index.php +++ b/interface/web/remote/index.php @@ -6,7 +6,11 @@ require_once '../../lib/app.inc.php'; if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.'); -$app->load('remoting'); +$app->load('remoting,getconf'); + +$security_config = $app->getconf->get_security_config('permissions'); +if($security_config['remote_api_allowed'] != 'yes') die('Remote API is disabled in security settings.'); + $server = new SoapServer(null, array('uri' => $_SERVER['REQUEST_URI'])); $server->setClass('remoting'); diff --git a/interface/web/sites/form/shell_user.tform.php b/interface/web/sites/form/shell_user.tform.php index db4efe34e..4268fc08e 100644 --- a/interface/web/sites/form/shell_user.tform.php +++ b/interface/web/sites/form/shell_user.tform.php @@ -237,6 +237,10 @@ if($_SESSION["s"]["user"]["typ"] == 'admin') { 1 => array ( 'type' => 'REGEX', 'regex' => '/^\/[a-zA-Z0-9\ \.\-\_\/]{10,128}$/', 'errmsg'=> 'directory_error_regex'), + 2 => array ( 'type' => 'CUSTOM', + 'class' => 'validate_systemuser', + 'function' => 'shelluser_dir', + 'errmsg' => 'directory_error_notinweb'), ), 'default' => '', 'value' => '', diff --git a/interface/web/sites/lib/lang/en_shell_user.lng b/interface/web/sites/lib/lang/en_shell_user.lng index c3f21d52d..66d33678f 100644 --- a/interface/web/sites/lib/lang/en_shell_user.lng +++ b/interface/web/sites/lib/lang/en_shell_user.lng @@ -32,4 +32,5 @@ $wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group'; $wb['directory_error_regex'] = 'Invalid directory'; $wb['shell_error_regex'] = 'Invalid shell'; $wb['invalid_username_txt'] = 'Invalid Username'; +$wb['directory_error_notinweb'] = 'The directory has to be inside the web root.'; ?> diff --git a/interface/web/tools/user_settings.php b/interface/web/tools/user_settings.php index 95018ac07..7065888dd 100644 --- a/interface/web/tools/user_settings.php +++ b/interface/web/tools/user_settings.php @@ -44,6 +44,10 @@ require_once '../../lib/app.inc.php'; //* Check permissions for module $app->auth->check_module_permissions('tools'); +if($_SESSION['s']['user']['typ'] == 'admin') { + $app->auth->check_security_permissions('admin_allow_new_admin'); +} + // Loading classes $app->uses('tpl,tform,tform_actions'); $app->load('tform_actions'); diff --git a/security/security_settings.ini b/security/security_settings.ini new file mode 100644 index 000000000..0ea46f2d9 --- /dev/null +++ b/security/security_settings.ini @@ -0,0 +1,25 @@ +[permissions] +allow_shell_user=yes +admin_allow_server_config=superadmin +admin_allow_server_services=superadmin +admin_allow_server_ip=superadmin +admin_allow_remote_users=superadmin +admin_allow_system_config=superadmin +admin_allow_server_php=superadmin +admin_allow_langedit=superadmin +admin_allow_new_admin=superadmin +admin_allow_del_cpuser=superadmin +admin_allow_cpuser_group=superadmin +admin_allow_firewall_config=superadmin +admin_allow_osupdate=superadmin +admin_allow_software_packages=superadmin +admin_allow_software_repo=superadmin +remote_api_allowed=yes + +[systemcheck] +security_admin_email=root@localhost +warn_new_admin=yes +warn_passwd_change=no +warn_shadow_change=no +check_groups_in_passwd=yes +check_ispconfig_md5=yes \ No newline at end of file diff --git a/server/lib/classes/getconf.inc.php b/server/lib/classes/getconf.inc.php index c5ca6c696..768ea2cab 100644 --- a/server/lib/classes/getconf.inc.php +++ b/server/lib/classes/getconf.inc.php @@ -59,6 +59,15 @@ class getconf { } return ($section == '') ? $this->config['global'] : $this->config['global'][$section]; } + + public function get_security_config($section = '') { + global $app; + + $app->uses('ini_parser'); + $security_config = $app->ini_parser->parse_ini_string(file_get_contents('/usr/local/ispconfig/security/security_settings.ini')); + + return ($section == '') ? $security_config : $security_config[$section]; + } } diff --git a/server/plugins-available/shelluser_base_plugin.inc.php b/server/plugins-available/shelluser_base_plugin.inc.php index 67cbee02c..3cb9d36ca 100755 --- a/server/plugins-available/shelluser_base_plugin.inc.php +++ b/server/plugins-available/shelluser_base_plugin.inc.php @@ -58,19 +58,25 @@ class shelluser_base_plugin { /* Register for the events */ - + $app->plugins->registerEvent('shell_user_insert', $this->plugin_name, 'insert'); $app->plugins->registerEvent('shell_user_update', $this->plugin_name, 'update'); $app->plugins->registerEvent('shell_user_delete', $this->plugin_name, 'delete'); - + } function insert($event_name, $data) { global $app, $conf; - - $app->uses('system'); + + $app->uses('system,getconf'); + + $security_config = $app->getconf->get_security_config('permissions'); + if($security_config['allow_shell_user'] != 'yes') { + $app->log('Shell user plugin disabled by security settings.',LOGLEVEL_WARN); + return false; + } //* Check if the resulting path is inside the docroot $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".intval($data['new']['parent_domain_id'])); @@ -144,7 +150,13 @@ class shelluser_base_plugin { function update($event_name, $data) { global $app, $conf; - $app->uses('system'); + $app->uses('system,getconf'); + + $security_config = $app->getconf->get_security_config('permissions'); + if($security_config['allow_shell_user'] != 'yes') { + $app->log('Shell user plugin disabled by security settings.',LOGLEVEL_WARN); + return false; + } //* Check if the resulting path is inside the docroot $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".intval($data['new']['parent_domain_id'])); @@ -223,7 +235,13 @@ class shelluser_base_plugin { function delete($event_name, $data) { global $app, $conf; - $app->uses('system'); + $app->uses('system,getconf'); + + $security_config = $app->getconf->get_security_config('permissions'); + if($security_config['allow_shell_user'] != 'yes') { + $app->log('Shell user plugin disabled by security settings.',LOGLEVEL_WARN); + return false; + } if($app->system->is_user($data['old']['username'])) { // Get the UID of the user diff --git a/server/plugins-available/shelluser_jailkit_plugin.inc.php b/server/plugins-available/shelluser_jailkit_plugin.inc.php index f0fb2799e..cb222fdc4 100755 --- a/server/plugins-available/shelluser_jailkit_plugin.inc.php +++ b/server/plugins-available/shelluser_jailkit_plugin.inc.php @@ -59,11 +59,11 @@ class shelluser_jailkit_plugin { /* Register for the events */ - + $app->plugins->registerEvent('shell_user_insert', $this->plugin_name, 'insert'); $app->plugins->registerEvent('shell_user_update', $this->plugin_name, 'update'); $app->plugins->registerEvent('shell_user_delete', $this->plugin_name, 'delete'); - + } @@ -71,7 +71,15 @@ class shelluser_jailkit_plugin { function insert($event_name, $data) { global $app, $conf; - $app->uses('system'); + $app->uses('system,getconf'); + + $security_config = $app->getconf->get_security_config('permissions'); + if($security_config['allow_shell_user'] != 'yes') { + $app->log('Shell user plugin disabled by security settings.',LOGLEVEL_WARN); + return false; + } + + $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$data['new']['parent_domain_id']); if(!$app->system->is_allowed_user($data['new']['username'], false, false) @@ -143,7 +151,14 @@ class shelluser_jailkit_plugin { function update($event_name, $data) { global $app, $conf; - $app->uses('system'); + $app->uses('system,getconf'); + + $security_config = $app->getconf->get_security_config('permissions'); + if($security_config['allow_shell_user'] != 'yes') { + $app->log('Shell user plugin disabled by security settings.',LOGLEVEL_WARN); + return false; + } + $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$data['new']['parent_domain_id']); if(!$app->system->is_allowed_user($data['new']['username'], false, false) @@ -209,7 +224,13 @@ class shelluser_jailkit_plugin { function delete($event_name, $data) { global $app, $conf; - $app->uses('system'); + $app->uses('system,getconf'); + + $security_config = $app->getconf->get_security_config('permissions'); + if($security_config['allow_shell_user'] != 'yes') { + $app->log('Shell user plugin disabled by security settings.',LOGLEVEL_WARN); + return false; + } $web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$data['old']['parent_domain_id']); -- GitLab