
Commit 1c40af8

committed
Added a fix to adjust website permissions in high security level.
1 parent 8db8f3a commit 1c40af8


1 file changed

+23
-15
lines changed


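--- a/server/plugins-available/apache2_plugin.inc.php
+++ b/server/plugins-available/apache2_plugin.inc.php
@@ -461,13 +461,12 @@ function update($event_name,$data) {
 
 if($this->action == 'insert') {
 // Chown and chmod the directories below the document root
-exec("chown -R $username:$groupname ".escapeshellcmd($data["new"]["document_root"]));
-
+$this->_exec("chown -R $username:$groupname ".escapeshellcmd($data["new"]["document_root"]));
 // The document root itself has to be owned by root in normal level and by the web owner in security level 20
 if($web_config['security_level'] == 20) {
-exec("chown $username:$groupname ".escapeshellcmd($data["new"]["document_root"]));
+$this->_exec("chown $username:$groupname ".escapeshellcmd($data["new"]["document_root"]));
 } else {
-exec("chown root:root ".escapeshellcmd($data["new"]["document_root"]));
+$this->_exec("chown root:root ".escapeshellcmd($data["new"]["document_root"]));
 }
 }
 
@@ -476,21 +475,23 @@ function update($event_name,$data) {
 //* If the security level is set to high
 if($web_config['security_level'] == 20) {
 
-exec("chmod 751 ".escapeshellcmd($data["new"]["document_root"]."/"));
-exec("chmod 751 ".escapeshellcmd($data["new"]["document_root"])."/*");
-exec("chmod 710 ".escapeshellcmd($data["new"]["document_root"]."/web"));
+$this->_exec("chmod 751 ".escapeshellcmd($data["new"]["document_root"]."/"));
+$this->_exec("chmod 751 ".escapeshellcmd($data["new"]["document_root"])."/*");
+$this->_exec("chmod 710 ".escapeshellcmd($data["new"]["document_root"]."/web"));
 
 // make temp direcory writable for the apache user and the website user
-exec("chmod 777 ".escapeshellcmd($data["new"]["document_root"]."/tmp"));
+$this->_exec("chmod 777 ".escapeshellcmd($data["new"]["document_root"]."/tmp"));
 
 $command = 'usermod';
 $command .= ' --groups sshusers';
 $command .= ' '.escapeshellcmd($data["new"]["system_user"]);
-exec($command);
+$this->_exec($command);
 
 //* add the apache user to the client group
 $app->system->add_user_to_group($groupname, escapeshellcmd($web_config['user']));
 
+$this->_exec("chown $username:$groupname ".escapeshellcmd($data["new"]["document_root"]));
+
 /*
 * Workaround for jailkit: If jailkit is enabled for the site, the
 * website root has to be owned by the root user and we have to chmod it to 755 then
@@ -499,20 +500,20 @@ function update($event_name,$data) {
 //* Check if there is a jailkit user for this site
 $tmp = $app->db->queryOneRecord("SELECT count(shell_user_id) as number FROM shell_user WHERE parent_domain_id = ".$data["new"]["domain_id"]." AND chroot = 'jailkit'");
 if($tmp['number'] > 0) {
-exec("chmod 755 ".escapeshellcmd($data["new"]["document_root"]."/"));
-exec("chown root:root ".escapeshellcmd($data["new"]["document_root"]."/"));
+$this->_exec("chmod 755 ".escapeshellcmd($data["new"]["document_root"]."/"));
+$this->_exec("chown root:root ".escapeshellcmd($data["new"]["document_root"]."/"));
 }
 unset($tmp);
 
 // If the security Level is set to medium
 } else {
 
-exec("chmod 755 ".escapeshellcmd($data["new"]["document_root"]."/"));
-exec("chmod 755 ".escapeshellcmd($data["new"]["document_root"]."/*"));
-exec("chown root:root ".escapeshellcmd($data["new"]["document_root"]."/"));
+$this->_exec("chmod 755 ".escapeshellcmd($data["new"]["document_root"]."/"));
+$this->_exec("chmod 755 ".escapeshellcmd($data["new"]["document_root"]."/*"));
+$this->_exec("chown root:root ".escapeshellcmd($data["new"]["document_root"]."/"));
 
 // make temp direcory writable for the apache user and the website user
-exec("chmod 777 ".escapeshellcmd($data["new"]["document_root"]."/tmp"));
+$this->_exec("chmod 777 ".escapeshellcmd($data["new"]["document_root"]."/tmp"));
 }
 
 
@@ -916,6 +917,13 @@ function server_ip($event_name,$data) {
 
 }
 
+//* Wrapper for exec function for easier debugging
+private function _exec($command) {
+global $app;
+$app->log("exec: ".$command,LOGLEVEL_DEBUG);
+exec($command);
+}
+
 
 } // end class
 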
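Review bot: The new `_exec()` wrapper (new lines 920-925) is now the single path for every chown/chmod/usermod call here, yet it calls `exec($command)` without the output and status arguments, so a failed permission change leaves only a debug-level line saying the command was run. Capturing the status in the wrapper would surface that: `exec($command, $output, $status);` followed by `if($status !== 0) $app->log("exec failed (".$status."): ".$command, LOGLEVEL_WARN);`. One case visible in this diff is the medium-level `chmod 755 ".escapeshellcmd($data["new"]["document_root"]."/*")` at new line 512, where the glob sits inside escapeshellcmd() and `*` gets backslash-escaped, so the shell sees a literal `*` rather than the directory's children (the high-level branch at new line 479 keeps `/*` outside the call). Separately, escapeshellcmd() does not quote whitespace or a leading `-`, and `$username`/`$groupname` are interpolated unescaped in the lines shown (where they are validated is outside these hunks), so `escapeshellarg()` per argument would be the safer form for the paths and names. update() begins and ends outside the hunks, so this is based only on the lines shown.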
