Implemented: FS#2112 - Set u / i attributes on system web folders

tbrehm · tbrehm · commit 4b9329a0f204 · 2012-06-08T12:06:41.000Z
This option can be enabled under System &gt; Server config and is named "Web folder protection".
diff --git a/install/tpl/server.ini.master b/install/tpl/server.ini.master
@@ -76,6 +76,7 @@ set_folder_permissions_on_update=y
 add_web_users_to_sshusers_group=y
 connect_userid_to_webid=n
 connect_userid_to_webid_start=10000
+web_folder_protection=n
 
 [dns]
 bind_user=root
diff --git a/interface/web/admin/form/server_config.tform.php b/interface/web/admin/form/server_config.tform.php
@@ -462,6 +462,12 @@
 			'default' => 'y',
 			'value' => array(0 => 'n', 1 => 'y')
 		),
+		'web_folder_protection' => array(
+			'datatype' => 'VARCHAR',
+			'formtype' => 'CHECKBOX',
+			'default' => 'y',
+			'value' => array(0 => 'n', 1 => 'y')
+		),
 		'add_web_users_to_sshusers_group' => array(
 			'datatype' => 'VARCHAR',
 			'formtype' => 'CHECKBOX',
diff --git a/interface/web/admin/lib/lang/en_server_config.lng b/interface/web/admin/lib/lang/en_server_config.lng
@@ -165,4 +165,5 @@ $wb["awstats_settings_txt"] = 'AWStats Settings';
 $wb["firewall_txt"] = 'Firewall';
 $wb["mailbox_quota_stats_txt"] = 'Mailbox quota statistics';
 $wb["enable_ip_wildcard_txt"] = 'Enable IP wildcard (*)';
+$wb["web_folder_protection_txt"] = 'Web folder protection';
 ?>
diff --git a/interface/web/admin/templates/server_config_web_edit.htm b/interface/web/admin/templates/server_config_web_edit.htm
@@ -116,6 +116,12 @@ <h2><tmpl_var name="list_head_txt"></h2>
 						{tmpl_var name='set_folder_permissions_on_update'}
 					</div>
 			</div>
+	  <div class="ctrlHolder">
+				<p class="label">{tmpl_var name='web_folder_protection_txt'}</p>
+					<div class="multiField">
+						{tmpl_var name='web_folder_protection'}
+					</div>
+			</div>
 	  <div class="ctrlHolder">
 				<p class="label">{tmpl_var name='add_web_users_to_sshusers_group_txt'}</p>
 					<div class="multiField">
diff --git a/server/lib/classes/system.inc.php b/server/lib/classes/system.inc.php
@@ -1281,6 +1281,22 @@ function is_installed($appname) {
 			return false;
 		}
 	}
+	
+	function web_folder_protection($document_root,$protect) {
+		global $app,$conf;
+		
+		//* load the server configuration options
+		$app->uses('getconf');
+		$web_config = $app->getconf->get_server_config($conf['server_id'], 'web');
+		
+		if($protect == true && $web_config['web_folder_protection'] == 'y') {
+			//* Add protection
+			if($document_root != '' && $document_root != '/' && strlen($document_root) > 6 && !stristr($document_root,'..')) exec('chattr +i '.escapeshellcmd($document_root));
+		} else {
+			//* Remove protection
+			if($document_root != '' && $document_root != '/' && strlen($document_root) > 6 && !stristr($document_root,'..')) exec('chattr -i '.escapeshellcmd($document_root));
+		}
+	}
 
 }
 ?>
diff --git a/server/plugins-available/apache2_plugin.inc.php b/server/plugins-available/apache2_plugin.inc.php
@@ -366,6 +366,9 @@ function update($event_name,$data) {
 					}
 				}
 			}
+			
+			//* Remove protection of old folders
+			$app->system->web_folder_protection($data['old']['document_root'],false);
 
 			//* Move the site data
 			$tmp_docroot = explode('/',$data['new']['document_root']);
@@ -414,7 +417,7 @@ function update($event_name,$data) {
 		if(!is_dir($data['new']['document_root'].'/ssl')) exec('mkdir -p '.$data['new']['document_root'].'/ssl');
 		if(!is_dir($data['new']['document_root'].'/cgi-bin')) exec('mkdir -p '.$data['new']['document_root'].'/cgi-bin');
 		if(!is_dir($data['new']['document_root'].'/tmp')) exec('mkdir -p '.$data['new']['document_root'].'/tmp');
-
+		
 		// Remove the symlink for the site, if site is renamed
 		if($this->action == 'update' && $data['old']['domain'] != '' && $data['new']['domain'] != $data['old']['domain']) {
 			if(is_dir('/var/log/ispconfig/httpd/'.$data['old']['domain'])) exec('rm -rf /var/log/ispconfig/httpd/'.$data['old']['domain']);
@@ -593,10 +596,11 @@ function update($event_name,$data) {
 			}
 		}
 
-
-
 		//* If the security level is set to high
 		if(($this->action == 'insert' && $data['new']['type'] == 'vhost') or ($web_config['set_folder_permissions_on_update'] == 'y' && $data['new']['type'] == 'vhost')) {
+			
+			$app->system->web_folder_protection($data['new']['document_root'],false);
+			
 			if($web_config['security_level'] == 20) {
 
 				$this->_exec('chmod 751 '.escapeshellcmd($data['new']['document_root']));
@@ -673,6 +677,9 @@ function update($event_name,$data) {
 				$this->_exec('chown '.$username.':'.$groupname.' '.escapeshellcmd($data['new']['document_root'].'/web'));
 			}
 		}
+		
+		//* Protect web folders
+		$app->system->web_folder_protection($data['new']['document_root'],true);
 
 		// Change the ownership of the error log to the owner of the website
 		if(!@is_file($data['new']['document_root'].'/log/error.log')) exec('touch '.escapeshellcmd($data['new']['document_root']).'/log/error.log');
@@ -1217,7 +1224,9 @@ function update($event_name,$data) {
 		if(!is_file($data['new']['document_root'].'/.htpasswd_stats') || $data['new']['stats_password'] != $data['old']['stats_password']) {
 			if(trim($data['new']['stats_password']) != '') {
 				$htp_file = 'admin:'.trim($data['new']['stats_password']);
+				$app->system->web_folder_protection($data['new']['document_root'],false);
 				file_put_contents($data['new']['document_root'].'/.htpasswd_stats',$htp_file);
+				$app->system->web_folder_protection($data['new']['document_root'],true);
 				chmod($data['new']['document_root'].'/.htpasswd_stats',0755);
 				unset($htp_file);
 			}
@@ -1280,6 +1289,8 @@ function delete($event_name,$data) {
 		// load the server configuration options
 		$app->uses('getconf');
 		$web_config = $app->getconf->get_server_config($conf['server_id'], 'web');
+		
+		$app->system->web_folder_protection($data['new']['document_root'],false);
 
 		//* Check if this is a chrooted setup
 		if($web_config['website_basedir'] != '' && @is_file($web_config['website_basedir'].'/etc/passwd')) {
diff --git a/server/plugins-available/cron_jailkit_plugin.inc.php b/server/plugins-available/cron_jailkit_plugin.inc.php
@@ -116,6 +116,8 @@ function insert($event_name,$data) {
 				$this->app = $app;
 				$this->jailkit_config = $app->getconf->get_server_config($conf["server_id"], 'jailkit');
 				
+				$app->system->web_folder_protection($parent_domain['document_root'],false);
+				
 				$this->_update_website_security_level();
 			
 				$this->_setup_jailkit_chroot();
@@ -126,6 +128,8 @@ function insert($event_name,$data) {
 				exec($command);
 				
 				$this->_update_website_security_level();
+				
+				$app->system->web_folder_protection($parent_domain['document_root'],true);
 			}
 		
 			$app->log("Jailkit Plugin (Cron) -> insert username:".$parent_domain['system_user'],LOGLEVEL_DEBUG);
@@ -182,12 +186,14 @@ function update($event_name,$data) {
 				$this->app = $app;
 				$this->jailkit_config = $app->getconf->get_server_config($conf["server_id"], 'jailkit');
 				
+				$app->system->web_folder_protection($parent_domain['document_root'],false);
 				$this->_update_website_security_level();
 			
 				$this->_setup_jailkit_chroot();
 				$this->_add_jailkit_user();
 				
 				$this->_update_website_security_level();
+				$app->system->web_folder_protection($parent_domain['document_root'],true);
 			}
 		
 			$app->log("Jailkit Plugin (Cron) -> update username:".$parent_domain['system_user'],LOGLEVEL_DEBUG);
diff --git a/server/plugins-available/shelluser_base_plugin.inc.php b/server/plugins-available/shelluser_base_plugin.inc.php
@@ -80,6 +80,10 @@ function insert($event_name,$data) {
 		}
 		
 		if($app->system->is_user($data['new']['puser'])) {
+			
+			//* Remove webfolder protection
+			$app->system->web_folder_protection($web['document_root'],false);
+			
 			// Get the UID of the parent user
 			$uid = intval($app->system->getuid($data['new']['puser']));
 			if($uid > $this->min_uid) {
@@ -114,6 +118,9 @@ function insert($event_name,$data) {
 					exec($command);
 					$app->log("Disabling shelluser temporarily: ".$command,LOGLEVEL_DEBUG);
 				}
+				
+				//* Add webfolder protection again
+				$app->system->web_folder_protection($web['document_root'],true);
 			
 			} else {
 				$app->log("UID = $uid for shelluser:".$data['new']['username']." not allowed.",LOGLEVEL_ERROR);
diff --git a/server/plugins-available/shelluser_jailkit_plugin.inc.php b/server/plugins-available/shelluser_jailkit_plugin.inc.php
@@ -71,6 +71,7 @@ function insert($event_name,$data) {
 		global $app, $conf;
 		
 		$app->uses('system');
+		$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$this->data['new']['parent_domain_id']);
 		
 		if($app->system->is_user($data['new']['username'])) {
 		
@@ -79,6 +80,8 @@ function insert($event_name,$data) {
 		 	*/
 			if ($data['new']['chroot'] == "jailkit")
 			{
+				$app->system->web_folder_protection($web['document_root'],false);
+				
 				// load the server configuration options
 				$app->uses("getconf");
 				$this->data = $data;
@@ -98,6 +101,7 @@ function insert($event_name,$data) {
 				exec($command);
 				
 				$this->_update_website_security_level();
+				$app->system->web_folder_protection($web['document_root'],true);
 			}
 		
 			$app->log("Jailkit Plugin -> insert username:".$data['new']['username'],LOGLEVEL_DEBUG);
@@ -113,6 +117,7 @@ function update($event_name,$data) {
 		global $app, $conf;
 		
 		$app->uses('system');
+		$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$this->data['new']['parent_domain_id']);
 		
 		if($app->system->is_user($data['new']['username'])) {
 		
@@ -121,6 +126,8 @@ function update($event_name,$data) {
 		 	*/
 			if ($data['new']['chroot'] == "jailkit")
 			{
+				$app->system->web_folder_protection($web['document_root'],false);
+				
 				// load the server configuration options
 				$app->uses("getconf");
 				$this->data = $data;
@@ -136,6 +143,8 @@ function update($event_name,$data) {
 				$this->_setup_ssh_rsa();
 				
 				$this->_update_website_security_level();
+				
+				$app->system->web_folder_protection($web['document_root'],true);
 			}
 		
 			$app->log("Jailkit Plugin -> update username:".$data['new']['username'],LOGLEVEL_DEBUG);
@@ -155,6 +164,8 @@ function delete($event_name,$data) {
 		
 		$app->uses('system');
 		
+		$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$this->data['old']['parent_domain_id']);
+		
 		if ($data['old']['chroot'] == "jailkit")
 		{
 			$app->uses("getconf");
@@ -165,13 +176,17 @@ function delete($event_name,$data) {
 			//commented out proved to be dangerous on config errors
 			//exec('rm -rf '.$data['old']['dir'].$jailkit_chroot_userhome);
 			
+			$app->system->web_folder_protection($web['document_root'],false);
+			
 			if(@is_dir($data['old']['dir'].$jailkit_chroot_userhome)) {
 				$command = 'userdel -f';
 				$command .= ' '.escapeshellcmd($data['old']['username']);
 				exec($command);
 				$app->log("Jailkit Plugin -> delete chroot home:".$data['old']['dir'].$jailkit_chroot_userhome,LOGLEVEL_DEBUG);
 			}
 			
+			$app->system->web_folder_protection($web['document_root'],true);
+			
 		}
 		
 		$app->log("Jailkit Plugin -> delete username:".$data['old']['username'],LOGLEVEL_DEBUG);
