enable validate_root in php.ini

Author: jnorell

server/plugins-available/apache2_plugin.inc.php

@@ -1178,7 +1178,7 @@ function update($event_name, $data) {
 			$app->system->chgrp('/var/log/ispconfig/httpd/'.$data['new']['domain'].'/error.log', 'root');
 		}
 
-		//* Write the custom php.ini file, if custom_php_ini fieled is not empty
+		//* Write the custom php.ini file, if custom_php_ini field is not empty
 		$custom_php_ini_dir = $web_config['website_basedir'].'/conf/'.$data['new']['system_user'];
 		if($data['new']['type'] == 'vhostsubdomain' || $data['new']['type'] == 'vhostalias') $custom_php_ini_dir .= '_' . $web_folder;
 		if(!is_dir($web_config['website_basedir'].'/conf')) $app->system->mkdir($web_config['website_basedir'].'/conf');

server/plugins-available/webserver_plugin.inc.php

@@ -37,8 +37,6 @@ class webserver_plugin {
 	 * This function is called during ispconfig installation to determine
 	 * if a symlink shall be created for this plugin.
 	 */
-
-
 	public function onInstall() {
 		global $conf;
 
@@ -92,10 +90,6 @@ public function check_phpini_changes() {
 			'mode' => 'mod',
 			'php_version' => 0); // default;
 
-		$check_files[] = array('file' => $web_config['php_ini_path_cgi'],
-			'mode' => '', // all but 'mod' and 'fast-cgi'
-			'php_version' => 0); // default;
-
 		if($fastcgi_config["fastcgi_phpini_path"] && $fastcgi_config["fastcgi_phpini_path"] != $web_config['php_ini_path_cgi']) {
 			$check_files[] = array('file' => $fastcgi_config["fastcgi_phpini_path"],
 				'mode' => 'fast-cgi',
@@ -106,6 +100,16 @@ public function check_phpini_changes() {
 				'php_version' => 0); // default;
 		}
 
+		$check_files[] = array('file' => $web_config['php_fpm_ini_path'],
+			'mode' => 'php-fpm',
+			'php_version' => 0); // default;
+
+		if(!array_search($web_config['php_ini_path_cgi'], array_column($check_files, 'file'))) {
+			$check_files[] = array('file' => $web_config['php_ini_path_cgi'],
+				'mode' => '', // all but 'mod' and 'fast-cgi'
+				'php_version' => 0); // default;
+		}
+
 
 		//** read additional php versions of this server
 		$php_versions = $app->db->queryAllRecords('SELECT server_php_id, php_fastcgi_ini_dir, php_fpm_ini_dir FROM server_php WHERE server_id = ?', $conf['server_id']);
@@ -114,7 +118,8 @@ public function check_phpini_changes() {
 				$check_files[] = array('file' => $php['php_fastcgi_ini_dir'] . '/php.ini',
 					'mode' => 'fast-cgi',
 					'php_version' => $php['server_php_id']);
-			} elseif($php['php_fpm_ini_dir'] && $php['php_fpm_ini_dir'] . '/php.ini' != $web_config['php_ini_path_cgi']) {
+			}
+			if($php['php_fpm_ini_dir'] && $php['php_fpm_ini_dir'] . '/php.ini' != $web_config['php_fpm_ini_path']) {
 				$check_files[] = array('file' => $php['php_fpm_ini_dir'] . '/php.ini',
 					'mode' => 'php-fpm',
 					'php_version' => $php['server_php_id']);
@@ -134,6 +139,13 @@ public function check_phpini_changes() {
 		}
 		if(!is_array($php_ini_md5)) $php_ini_md5 = array();
 
+		// verify needed php file settings if that hasn't been done since 15 minutes
+		$now = time();
+		$verify_php_ini=false;
+		if(!isset($php_ini_md5['last_verify_php_ini']) || ($now - intval($php_ini_md5['last_verify_php_ini']) > 15*60)) {
+			$verify_php_ini=true;
+		}
+
 		$processed = array();
 		foreach($check_files as $file) {
 			$file_path = $file['file'];
@@ -145,6 +157,11 @@ public function check_phpini_changes() {
 			if(in_array($ident, $processed) == true) continue;
 			$processed[] = $ident;
 
+			//** check that needed php.ini settings/changes are made
+			if($verify_php_ini) {
+				$this->verify_php_ini($file);
+			}
+
 			//** check if md5sum of file changed
 			$file_md5 = md5_file($file_path);
 			if(array_key_exists($file_path, $php_ini_md5) == false || $php_ini_md5[$file_path] != $file_md5) {
@@ -158,13 +175,32 @@ public function check_phpini_changes() {
 			$new_php_ini_md5[$file_path] = $file_md5;
 		}
 
+		$new_php_ini_md5['last_verify_php_ini'] = time();
+
 		//** write new md5 sums if something changed
-		if($php_ini_changed == true) $app->system->file_put_contents(SCRIPT_PATH . '/temp/php.ini.md5sum', base64_encode(serialize($new_php_ini_md5)));
+		if($php_ini_changed == true || $verify_php_ini == true) $app->system->file_put_contents(SCRIPT_PATH . '/temp/php.ini.md5sum', base64_encode(serialize($new_php_ini_md5)));
 		unset($new_php_ini_md5);
 		unset($php_ini_md5);
 		unset($processed);
 	}
 
+	/**
+	 * The method checks/sets needed php.ini settings
+	 */
+	public function verify_php_ini($file) {
+		global $app;
+
+		if(isset($file['file']) && is_file($file['file'])) {
+			$php_ini = $file['file'];
+			// ensure opcache.validate_root = 1
+			$app->system->exec_safe('grep ^opcache.validate_root ?', $php_ini);
+			if($app->system->last_exec_retcode() != 0) {
+				$app->log('verify_php_ini(): php.ini '.$php_ini.' is missing validate_root', LOGLEVEL_DEBUG);
+				$sed_script='s/; *opcache\.validate_root *= *.+$/opcache.validate_root = 1/g';
+				$app->system->exec_safe('sed -E -i ? ?', $sed_script, $php_ini);
+			}
+		}
+	}
 
 	/*
 	 * Checks for changes to jailkit settings in server config and schedules affected jails to be updated.