- Added warning in the interface when a path for a shelluser is set that is outside of the website docroot.

- Added security settings feature to allow the root user of a server to control most aspects of whet the admin user of the controlpanel is allowed to do in system settings. This is especially useful for managed severs where the ispconfig admin user and the root user of the server are different persons.

Author: Till Brehm

interface/lib/classes/auth.inc.php

@@ -46,7 +46,7 @@ public function is_admin() {
 	}
 
 	public function is_superadmin() {
-		if($_SESSION['s']['user']['typ'] == 'admin' && $_SESSION['s']['user']['userid'] === 1) {
+		if($_SESSION['s']['user']['typ'] == 'admin' && $_SESSION['s']['user']['userid'] == 1) {
 			return true;
 		} else {
 			return false;
@@ -136,6 +136,22 @@ public function check_module_permissions($module) {
 			exit;
 		}
 	}
+	
+	public function check_security_permissions($permission) {
+		
+		global $app;
+		
+		$app->uses('getconf');
+		$security_config = $app->getconf->get_security_config('permissions');
+
+		$security_check = false;
+		if($security_config[$permission] == 'yes') $security_check = true;
+		if($security_config[$permission] == 'superadmin' && $app->auth->is_superadmin()) $security_check = true;
+		if($security_check !== true) {
+			$app->error($app->lng('security_check1_txt').' '.$permission.' '.$app->lng('security_check2_txt'));
+		}
+		
+	}
 
 	public function get_random_password($length = 8) {
 		$base64_alphabet='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';

interface/lib/classes/getconf.inc.php

@@ -54,6 +54,15 @@ public function get_global_config($section = '') {
 		}
 		return ($section == '') ? $this->config['global'] : $this->config['global'][$section];
 	}
+	
+	public function get_security_config($section = '') {
+		global $app;
+
+		$app->uses('ini_parser');
+		$security_config = $app->ini_parser->parse_ini_string(file_get_contents('/usr/local/ispconfig/security/security_settings.ini'));
+
+		return ($section == '') ? $security_config : $security_config[$section];
+	}
 
 }
 

interface/lib/classes/validate_systemuser.inc.php

@@ -58,7 +58,63 @@ function check_sysgroup($field_name, $field_value, $validator) {
 		}
 	}
 
+	/*
+		Validator function to check if a given dir is ok.
+	*/
+	function shelluser_dir($field_name, $field_value, $validator) {
+		global $app;
+
+		if($app->tform->primary_id == 0) {
+			$errmsg = $validator['errmsg'];
+			if(isset($app->tform->wordbook[$errmsg])) {
+				return $app->tform->wordbook[$errmsg]."<br>\r\n";
+			} else {
+				return $errmsg."<br>\r\n";
+			}
+		}
+
+
+		$shell_data = $app->db->queryOneRecord("SELECT parent_domain_id FROM shell_user WHERE shell_user_id = '".$app->db->quote($app->tform->primary_id)."'");
+		if(!is_array($shell_data) || $shell_data["parent_domain_id"] < 1) {
+			$errmsg = $validator['errmsg'];
+			if(isset($app->tform->wordbook[$errmsg])) {
+				return $app->tform->wordbook[$errmsg]."<br>\r\n";
+			} else {
+				return $errmsg."<br>\r\n";
+			}
+		}
 
+		$domain_data = $app->db->queryOneRecord("SELECT domain_id, document_root FROM web_domain WHERE domain_id = '".$app->db->quote($shell_data["parent_domain_id"])."'");
+		if(!is_array($domain_data) || $domain_data["domain_id"] < 1) {
+			$errmsg = $validator['errmsg'];
+			if(isset($app->tform->wordbook[$errmsg])) {
+				return $app->tform->wordbook[$errmsg]."<br>\r\n";
+			} else {
+				return $errmsg."<br>\r\n";
+			}
+		}
+
+		$doc_root = $domain_data["document_root"];
+		$is_ok = false;
+		if($doc_root == $field_value) $is_ok = true;
+
+		$doc_root .= "/";
+		if(substr($field_value, 0, strlen($doc_root)) == $doc_root) $is_ok = true;
+
+		if(stristr($field_value, '..') or stristr($field_value, './') or stristr($field_value, '/.')) $is_ok = false;
+
+		//* Final check if docroot path of website is >= 5 chars
+		if(strlen($doc_root) < 5) $is_ok = false;
+
+		if($is_ok == false) {
+			$errmsg = $validator['errmsg'];
+			if(isset($app->tform->wordbook[$errmsg])) {
+				return $app->tform->wordbook[$errmsg]."<br>\r\n";
+			} else {
+				return $errmsg."<br>\r\n";
+			}
+		}
+	}
 
 
 }

interface/lib/lang/ar.lng

@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
 $wb['strength_5'] = 'Very Strong';
 $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
 $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
 ?>

interface/lib/lang/bg.lng

@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
 $wb['strength_5'] = 'Very Strong';
 $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
 $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
 ?>

interface/lib/lang/br.lng

@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
 $wb['strength_5'] = 'Very Strong';
 $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
 $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
 ?>

interface/lib/lang/cz.lng

@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Silná';
 $wb['strength_5'] = 'Velmi silná';
 $wb['weak_password_txt'] = 'Zvolené heslo neodpovídá požadavkům zásad pro tvorbu hesel. Heslo musí být alespoň {chars} znaků dlouhé a mající sílu \\"{strength}\\".';
 $wb['weak_password_length_txt'] = 'Zvolené heslo neodpovídá požadavkům zásad pro tvorbu hesel. Heslo musí být alespoň {chars} znaků dlouhé.';
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
 ?>

interface/lib/lang/de.lng

@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Stark';
 $wb['strength_5'] = 'Sehr stark';
 $wb['weak_password_txt'] = 'Das gewählte Passwort erfüllt die Sicherheitsanforderungen nicht. Es muss mindestens {chars} Zeichen lang sein und die Stärke \\"{strength}\\" besitzen.';
 $wb['weak_password_length_txt'] = 'Das gewählte Passwort erfüllt die Sicherheitsanforderungen nicht. Es muss mindestens {chars} Zeichen lang sein.';
+$wb['security_check1_txt'] = 'Sicherheitsüberprüfung für:';
+$wb['security_check2_txt'] = 'fehlgeschlagen.';
 ?>

interface/lib/lang/el.lng

@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
 $wb['strength_5'] = 'Very Strong';
 $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
 $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
 ?>

interface/lib/lang/en.lng

@@ -131,7 +131,6 @@ $wb['datalog_status_d_web_folder'] = 'Delete folder protection';
 $wb['datalog_status_i_web_folder_user'] = 'Create folder protection user';
 $wb['datalog_status_u_web_folder_user'] = 'Update folder protection user';
 $wb['datalog_status_d_web_folder_user'] = 'Delete folder protection user';
-
 $wb['login_as_txt'] = 'Log in as';
 $wb["no_domain_perm"] = 'You have no permission for this domain.';
 $wb["no_destination_perm"] = 'You have no permission for this destination.';
@@ -149,5 +148,6 @@ $wb['strength_4'] = 'Strong';
 $wb['strength_5'] = 'Very Strong';
 $wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of "{strength}".';
 $wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
-
-?>
+$wb['security_check1_txt'] = 'Check for security permission:';
+$wb['security_check2_txt'] = 'failed.';
+?>