Added security levels for apache.

Author: tbrehm

install/dist/lib/fedora.lib.php

@@ -444,6 +444,10 @@ public function configure_apache()
 			exec("ln -s ".$vhost_conf_dir."/ispconfig.conf ".$vhost_conf_enabled_dir."/000-ispconfig.conf");
 		}
 
+		//* add a sshusers group
+		$command = 'groupadd sshusers';
+		if(!is_group('sshusers')) caselog($command.' &> /dev/null 2> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+		
 	}
 
 	public function configure_firewall()

install/dist/lib/opensuse.lib.php

@@ -464,6 +464,10 @@ public function configure_apache()
 			exec("ln -s ".$vhost_conf_dir."/ispconfig.conf ".$vhost_conf_enabled_dir."/000-ispconfig.conf");
 		}
 
+		//* add a sshusers group
+		$command = 'groupadd sshusers';
+		if(!is_group('sshusers')) caselog($command.' &> /dev/null 2> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+		
 	}
 
 	public function configure_firewall()

install/lib/installer_base.lib.php

@@ -211,6 +211,9 @@ public function add_database_server_record() {
 		$tpl_ini_array['web']['website_path'] = $conf['web']['website_path'];
 		$tpl_ini_array['web']['website_symlinks'] = $conf['web']['website_symlinks'];
         $tpl_ini_array['cron']['crontab_dir'] = $conf['cron']['crontab_dir'];
+		$tpl_ini_array['web']['security_level'] = 20;
+		$tpl_ini_array['web']['user'] = $conf['web']['user'];
+		$tpl_ini_array['web']['group'] = $conf['web']['group'];
 
 		$server_ini_content = array_to_ini($tpl_ini_array);
 		$server_ini_content = mysql_real_escape_string($server_ini_content);
@@ -815,6 +818,11 @@ public function configure_apache()
 			exec('ln -s /etc/webalizer.conf /etc/webalizer/webalizer.conf');
 		}
 
+		//* add a sshusers group
+		$command = 'groupadd sshusers';
+		if(!is_group('sshusers')) caselog($command.' &> /dev/null 2> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+
+		
 
 	}
 

install/tpl/server.ini.master

@@ -34,6 +34,9 @@ website_path=/var/www/clients/client[client_id]/web[website_id]
 website_symlinks=/var/www/[website_domain]/:/var/www/clients/client[client_id]/[website_domain]/
 vhost_conf_dir=/etc/apache2/sites-available
 vhost_conf_enabled_dir=/etc/apache2/sites-enabled
+securiry_level=10
+apache_user=www-data
+apache_group=www-data
 
 [fastcgi]
 fastcgi_starter_path=/var/www/php-fcgi-scripts/[system_user]/

interface/web/admin/form/server_config.tform.php

@@ -339,6 +339,34 @@
 			'width'		=> '40',
 			'maxlength'	=> '255'
 		),
+		'security_level' => array (
+			'datatype'	=> 'VARCHAR',
+			'formtype'	=> 'SELECT',
+			'default'	=> '20',
+			'value'		=> array('10' => 'Medium', '20' => 'High')
+		),
+		'user' => array (
+			'datatype'	=> 'VARCHAR',
+			'formtype'	=> 'TEXT',
+			'default'	=> '',
+			'validators'	=> array ( 	0 => array (	'type'	=> 'NOTEMPTY',
+														'errmsg'=> 'apache_user_error_empty'),
+									),
+			'value'		=> '',
+			'width'		=> '40',
+			'maxlength'	=> '255'
+		),
+		'group' => array (
+			'datatype'	=> 'VARCHAR',
+			'formtype'	=> 'TEXT',
+			'default'	=> '',
+			'validators'	=> array ( 	0 => array (	'type'	=> 'NOTEMPTY',
+														'errmsg'=> 'apache_group_error_empty'),
+									),
+			'value'		=> '',
+			'width'		=> '40',
+			'maxlength'	=> '255'
+		),
 	##################################
 	# ENDE Datatable fields
 	##################################

interface/web/admin/lib/lang/en_server_config.lng

@@ -43,4 +43,5 @@ $wb["config_dir_txt"] = 'Config directory';
 $wb["init_script_txt"] = 'Cron init script name';
 $wb["crontab_dir_txt"] = 'Path for individual crontabs';
 $wb["wget_txt"] = 'Path to wget program';
+$wb["security_level_txt"] = 'Security level';
 ?>

interface/web/admin/templates/server_config_web_edit.htm

@@ -25,6 +25,22 @@ <h2><tmpl_var name="list_head_txt"></h2>
       	<label for="vhost_conf_enabled_dir">{tmpl_var name='vhost_conf_enabled_dir_txt'}</label>
         <input name="vhost_conf_enabled_dir" id="vhost_conf_enabled_dir" value="{tmpl_var name='vhost_conf_enabled_dir'}" size="40" maxlength="255" type="text" class="textInput" />
 			</div>
+	  <div class="ctrlHolder">
+				<p class="label">{tmpl_var name='security_level_txt'}</p>
+					<div class="multiField">
+						<select name="security_level" id="security_level" class="selectInput">
+					{tmpl_var name='security_level'}
+				</select>
+					</div>
+			</div>
+	  <div class="ctrlHolder">
+      	<label for="user">{tmpl_var name='user_txt'}</label>
+        <input name="user" id="user" value="{tmpl_var name='user'}" size="40" maxlength="255" type="text" class="textInput" />
+			</div>
+	  <div class="ctrlHolder">
+      	<label for="group">{tmpl_var name='group_txt'}</label>
+        <input name="group" id="group" value="{tmpl_var name='group'}" size="40" maxlength="255" type="text" class="textInput" />
+			</div>
     </fieldset>
 
     <input type="hidden" name="id" value="{tmpl_var name='id'}">

interface/web/dns/lib/module.conf.php

@@ -6,6 +6,26 @@
 $module["startpage"] 	= "dns/dns_soa_list.php";
 $module["tab_width"]    = '';
 
+
+$items[] = array( 'title' 	=> "Add DNS Zone",
+				  'target' 	=> 'content',
+				  'link'	=> 'dns/dns_wizard.php');
+
+if($_SESSION["s"]["user"]["typ"] == 'admin') {
+				  
+	$items[] = array( 	'title' 	=> "Templates",
+				  		'target' 	=> 'content',
+				  		'link'		=> 'dns/dns_template_list.php');
+}
+
+
+$module["nav"][] = array(	'title'	=> 'DNS Wizard',
+							'open' 	=> 1,
+							'items'	=> $items);
+
+							
+unset($items);
+
 /*
 	Email accounts menu
 */
@@ -28,26 +48,6 @@
 unset($items);
 
 
-$items[] = array( 'title' 	=> "Add DNS Zone",
-				  'target' 	=> 'content',
-				  'link'	=> 'dns/dns_wizard.php');
-
-if($_SESSION["s"]["user"]["typ"] == 'admin') {
-				  
-	$items[] = array( 	'title' 	=> "Templates",
-				  		'target' 	=> 'content',
-				  		'link'		=> 'dns/dns_template_list.php');
-}
-
-
-$module["nav"][] = array(	'title'	=> 'DNS Wizard',
-							'open' 	=> 1,
-							'items'	=> $items);
-
-
-
-
-
 
 
 

server/conf/vhost.conf.master

@@ -95,7 +95,9 @@
 	php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -fwebmaster@<tmpl_var name='domain'>"	
     php_admin_value upload_tmp_dir <tmpl_var name='document_root'>/tmp
     php_admin_value session.save_path <tmpl_var name='document_root'>/tmp
-    #php_admin_value open_basedir <tmpl_var name='document_root'>:/usr/share/php5
+	<tmpl_if name='security_level' op='==' value='20'>
+    php_admin_value open_basedir <tmpl_var name='document_root'>/web:<tmpl_var name='document_root'>/tmp:/usr/share/php5
+	</tmpl_if>
 </tmpl_if>
 <tmpl_if name='php' op='==' value='suphp'>
     # suphp enabled
@@ -249,7 +251,9 @@
 	php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -fwebmaster@<tmpl_var name='domain'>"	
     php_admin_value upload_tmp_dir <tmpl_var name='document_root'>/tmp
     php_admin_value session.save_path <tmpl_var name='document_root'>/tmp
-    #php_admin_value open_basedir <tmpl_var name='document_root'>:/usr/share/php5
+    <tmpl_if name='security_level' op='==' value='20'>
+    php_admin_value open_basedir <tmpl_var name='document_root'>/web:<tmpl_var name='document_root'>/tmp:/usr/share/php5
+	</tmpl_if>
 </tmpl_if>
 <tmpl_if name='php' op='==' value='suphp'>
     suPHP_Engine on

server/plugins-available/apache2_plugin.inc.php

@@ -443,7 +443,7 @@ function update($event_name,$data) {
 
 		$username = escapeshellcmd($data["new"]["system_user"]);
 		if($data["new"]["system_user"] != '' && !$app->system->is_user($data["new"]["system_user"])) {
-			exec("useradd -d ".escapeshellcmd($data["new"]["document_root"])." -g $groupname $username -s /bin/false");
+			exec("useradd -d ".escapeshellcmd($data["new"]["document_root"])." -g $groupname -G sshusers $username -s /bin/false");
 			$app->log("Adding the user: $username",LOGLEVEL_DEBUG);
 		}
 
@@ -459,7 +459,6 @@ function update($event_name,$data) {
 			exec("setquota -T -u $username 604800 604800 -a &> /dev/null");
 		}
 
-		
 		if($this->action == 'insert') {
 			// Chown and chmod the directories below the document root
 			exec("chown -R $username:$groupname ".escapeshellcmd($data["new"]["document_root"]));
@@ -468,8 +467,40 @@ function update($event_name,$data) {
 			exec("chown root:root ".escapeshellcmd($data["new"]["document_root"]));
 		}
 
-		// make temp direcory writable for the apache user and the website user
-		exec("chmod 777 ".escapeshellcmd($data["new"]["document_root"]."/tmp"));
+		
+		
+		// If the security level is set to high
+		if($web_config['security_level'] == 20) {
+			
+			exec("chmod 711 ".escapeshellcmd($data["new"]["document_root"]."/"));
+			exec("chmod 711 ".escapeshellcmd($data["new"]["document_root"]."/*"));
+			exec("chmod 710 ".escapeshellcmd($data["new"]["document_root"]."/web"));
+			
+			//* Change the home directory and group of the website user
+			$command = 'usermod';
+			$command .= ' --groups sshusers,'.escapeshellcmd($web_config['group']);
+			$command .= ' '.escapeshellcmd($data["new"]["system_user"]);
+			exec($command);
+			$app->log("Modifying user: $command",LOGLEVEL_DEBUG);
+		
+			// make temp direcory writable for the apache user and the website user
+			// exec("chmod 777 ".escapeshellcmd($data["new"]["document_root"]."/tmp"));
+		// If the security Level is set to medium
+		} else {
+		
+			exec("chmod 755 ".escapeshellcmd($data["new"]["document_root"]."/"));
+			exec("chmod 755 ".escapeshellcmd($data["new"]["document_root"]."/*"));
+			
+			//* Change the home directory and group of the website user
+			$command = 'usermod';
+			$command .= ' --groups sshusers ';
+			$command .= ' '.escapeshellcmd($data["new"]["system_user"]);
+			exec($command);
+			$app->log("Modifying user: $command",LOGLEVEL_DEBUG);
+		
+			// make temp direcory writable for the apache user and the website user
+			exec("chmod 777 ".escapeshellcmd($data["new"]["document_root"]."/tmp"));
+		}
 
 
 		// Create the vhost config file
@@ -482,6 +513,7 @@ function update($event_name,$data) {
 		$vhost_data["web_document_root"] = $data["new"]["document_root"]."/web";
 		$vhost_data["web_document_root_www"] = $web_config["website_basedir"]."/".$data["new"]["domain"]."/web";
 		$vhost_data["web_basedir"] = $web_config["website_basedir"];
+		$vhost_data["security_level"] = $web_config["security_level"];
 
 		// Check if a SSL cert exists
 		$ssl_dir = $data["new"]["document_root"]."/ssl";