Fix for jailkit permissions in high security website mode.

Author: tbrehm

server/plugins-available/apache2_plugin.inc.php

@@ -463,13 +463,17 @@ function update($event_name,$data) {
 			// Chown and chmod the directories below the document root
 			exec("chown -R $username:$groupname ".escapeshellcmd($data["new"]["document_root"]));
 
-			// The document root itself has to be owned by root
-			exec("chown root:root ".escapeshellcmd($data["new"]["document_root"]));
+			// The document root itself has to be owned by root in normal level and by the web owner in security level 20
+			if($web_config['security_level'] == 20) {
+				exec("chown $username:$groupname ".escapeshellcmd($data["new"]["document_root"]));
+			} else {
+				exec("chown root:root ".escapeshellcmd($data["new"]["document_root"]));
+			}
 		}
 
 
 
-		// If the security level is set to high
+		//* If the security level is set to high
 		if($web_config['security_level'] == 20) {
 
 			exec("chmod 751 ".escapeshellcmd($data["new"]["document_root"]."/"));
@@ -487,11 +491,25 @@ function update($event_name,$data) {
 			//* add the apache user to the client group
 			$app->system->add_user_to_group($groupname, escapeshellcmd($web_config['user']));
 
+			/*
+			* Workaround for jailkit: If jailkit is enabled for the site, the 
+			* website root has to be owned by the root user and we have to chmod it to 755 then
+			*/
+			
+			//* Check if there is a jailkit user for this site
+			$tmp = $app->db->queryOneRecord("SELECT count(shell_user_id) as number FROM shell_user WHERE parent_domain_id = ".$data["new"]["domain_id"]." AND chroot = 'jailkit'");
+			if($tmp['number'] > 0) {
+				exec("chmod 755 ".escapeshellcmd($data["new"]["document_root"]."/"));
+				exec("chown root:root ".escapeshellcmd($data["new"]["document_root"]."/"));
+			}
+			unset($tmp);
+			
 		// If the security Level is set to medium
 		} else {
 
 			exec("chmod 755 ".escapeshellcmd($data["new"]["document_root"]."/"));
 			exec("chmod 755 ".escapeshellcmd($data["new"]["document_root"]."/*"));
+			exec("chown root:root ".escapeshellcmd($data["new"]["document_root"]."/"));
 
 			// make temp direcory writable for the apache user and the website user
 			exec("chmod 777 ".escapeshellcmd($data["new"]["document_root"]."/tmp"));

server/plugins-available/shelluser_jailkit_plugin.inc.php

@@ -84,6 +84,8 @@ function insert($event_name,$data) {
 				$this->data = $data;
 				$this->app = $app;
 				$this->jailkit_config = $app->getconf->get_server_config($conf["server_id"], 'jailkit');
+				
+				$this->_update_website_security_level();
 
 				$this->_setup_jailkit_chroot();
 
@@ -119,6 +121,8 @@ function update($event_name,$data) {
 				$this->data = $data;
 				$this->app = $app;
 				$this->jailkit_config = $app->getconf->get_server_config($conf["server_id"], 'jailkit');
+				
+				$this->_update_website_security_level();
 
 				$this->_setup_jailkit_chroot();
 				$this->_add_jailkit_user();
@@ -263,6 +267,25 @@ function _add_jailkit_user()
 			$this->app->log("Added created jailkit parent user home in : ".$this->data['new']['dir'].$jailkit_chroot_puserhome,LOGLEVEL_DEBUG);
 	}
 
+	//* Update the website root directory permissions depending on the security level
+	function _update_website_security_level() {
+		global $app,$conf;
+		
+		// load the server configuration options
+		$app->uses("getconf");
+		$web_config = $app->getconf->get_server_config($conf["server_id"], 'web');
+		
+		// Get the parent website of this shell user
+		$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$this->data['new']['parent_domain_id']);
+		
+		//* If the security level is set to high
+		if($web_config['security_level'] == 20) {
+			exec("chmod 755 ".escapeshellcmd($web["document_root"]."/"));
+			exec("chown root:root ".escapeshellcmd($web["document_root"]."/"));
+		}
+		
+	}
+	
 
 
 } // end class