
Commit c2f06b0

author
Marius Burkard
committed
Merge branch '6209-chroot-jail-not-created-for-chroot-php-fpm-mode-website' into 'develop'
Resolve "chroot jail not created for chroot php-fpm mode website" Closes #6209 See merge request ispconfig/ispconfig3!1504
2 parents 571a97c + 8e60423 commit c2f06b0


2 files changed

+24
-39
lines changed


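--- a/server/plugins-available/apache2_plugin.inc.php
+++ b/server/plugins-available/apache2_plugin.inc.php
@@ -533,7 +533,7 @@ function update($event_name, $data) {
 $app->uses('getconf');
 $web_config = $app->getconf->get_server_config($conf['server_id'], 'web');
 
-//* Check if this is a chrooted setup
+//* Check if apache is using a chrooted setup
 if($web_config['website_basedir'] != '' && @is_file($web_config['website_basedir'].'/etc/passwd')) {
 $apache_chrooted = true;
 $app->log('Info: Apache is chrooted.', LOGLEVEL_DEBUG);
@@ -547,7 +547,7 @@ function update($event_name, $data) {
 }
 if($app->system->is_allowed_user($data['new']['system_user'], $app->system->is_user($data['new']['system_user']), true) == false
 || $app->system->is_allowed_group($data['new']['system_group'], $app->system->is_group($data['new']['system_group']), true) == false) {
-$app->log('Websites cannot be owned by the root user or group. User: '.$data['new']['system_user'].' Group: '.$data['new']['system_group'], LOGLEVEL_WARN);
+$app->log('Problem with website user or group. Websites cannot be owned by root or an existing user/group. User: '.$data['new']['system_user'].' Group: '.$data['new']['system_group'], LOGLEVEL_WARN);
 return 0;
 }
 if(trim($data['new']['domain']) == '') {
@@ -641,7 +641,7 @@ function update($event_name, $data) {
 $tmp_symlink = str_replace('[website_domain]', $data['old']['domain'], $tmp_symlink);
 // Remove trailing slash
 if(substr($tmp_symlink, -1, 1) == '/') $tmp_symlink = substr($tmp_symlink, 0, -1);
-// create the symlinks, if not exist
+// remove the old symlinks if they exist
 if(is_link($tmp_symlink)) {
 $app->system->exec_safe('rm -f ?', $tmp_symlink);
 $app->log('Removed symlink: rm -f '.$tmp_symlink, LOGLEVEL_DEBUG);
@@ -674,9 +674,7 @@ function update($event_name, $data) {
 
 //* Create new base directory, if it does not exist yet
 if(!is_dir($new_dir)) $app->system->mkdirpath($new_dir);
-$app->system->web_folder_protection($data['old']['document_root'], false);
 $app->system->exec_safe('mv ? ?', $data['old']['document_root'], $new_dir);
-//$app->system->rename($data['old']['document_root'],$new_dir);
 $app->log('Moving site to new document root: mv '.$data['old']['document_root'].' '.$new_dir, LOGLEVEL_DEBUG);
 
 // Handle the change in php_open_basedir
@@ -696,15 +694,6 @@ function update($event_name, $data) {
 if($apache_chrooted) $app->system->exec_safe('chroot ? ?', $web_config['website_basedir'], $command);
 
 //* Change the log mount
-/*
-$fstab_line = '/var/log/ispconfig/httpd/'.$data['old']['domain'].' '.$data['old']['document_root'].'/'.$old_log_folder.' none bind';
-$app->system->removeLine('/etc/fstab', $fstab_line);
-$fstab_line = '/var/log/ispconfig/httpd/'.$data['old']['domain'].' '.$data['old']['document_root'].'/'.$old_log_folder.' none bind,nobootwait';
-$app->system->removeLine('/etc/fstab', $fstab_line);
-$fstab_line = '/var/log/ispconfig/httpd/'.$data['old']['domain'].' '.$data['old']['document_root'].'/'.$old_log_folder.' none bind,nobootwait';
-$app->system->removeLine('/etc/fstab', $fstab_line);
-*/
-
 $fstab_line_old = '/var/log/ispconfig/httpd/'.$data['old']['domain'].' '.$data['old']['document_root'].'/'.$old_log_folder.' none bind';
 
 if($web_config['network_filesystem'] == 'y') {
@@ -719,8 +708,6 @@ function update($event_name, $data) {
 
 }
 
-//print_r($data);
-
 // Check if the directories are there and create them if necessary.
 $app->system->web_folder_protection($data['new']['document_root'], false);
 
@@ -772,8 +759,12 @@ function update($event_name, $data) {
 $update_hash = hash('md5', implode(' ', $last_updated));
 $check_for_jailkit_updates=false;
 
-// Create jailkit chroot when enabling php_fpm_chroot
-if($data['new']['php_fpm_chroot'] == 'y' && $data['old']['php_fpm_chroot'] != 'y' && $data['new']['php'] != 'no') {
+$create_jail_conditions= ($data['old']['php_fpm_chroot'] != 'y' ||
+! is_dir($data['new']['document_root'].'/etc/jailkit') ||
+($data['old']['php'] != $data['new']['php'] && $data['new']['php'] != 'no'));
+
+// Create jailkit chroot if needed and when enabling php_fpm_chroot
+if($data['new']['php_fpm_chroot'] == 'y' && $create_jail_conditions && $data['new']['php'] != 'no') {
 $website = $app->db->queryOneRecord('SELECT * FROM web_domain WHERE domain_id = ?', $data['new']['domain_id']);
 $this->website = array_merge($website, $data['new'], array('new_jailkit_hash' => $update_hash));
 $this->jailkit_config = $jailkit_config;
@@ -875,7 +866,7 @@ function update($event_name, $data) {
 $tmp_symlink = str_replace('[website_domain]', $data['old']['domain'], $tmp_symlink);
 // Remove trailing slash
 if(substr($tmp_symlink, -1, 1) == '/') $tmp_symlink = substr($tmp_symlink, 0, -1);
-// remove the symlinks, if not exist
+// remove the old symlinks if they exist
 if(is_link($tmp_symlink)) {
 $app->system->exec_safe('rm -f ?', $tmp_symlink);
 $app->log('Removed symlink: rm -f '.$tmp_symlink, LOGLEVEL_DEBUG);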
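Review bot: At new lines 762-767 the jail-rebuild decision tests `$data['new']['php'] != 'no'` twice and calls `is_dir()` on every update, including sites where `php_fpm_chroot` is not 'y'; the same lines are added to nginx_plugin.inc.php at new lines 606-611. Folding it into one short-circuiting condition keeps the behaviour and touches the filesystem only when a jail is actually wanted: `if($data['new']['php_fpm_chroot'] == 'y' && $data['new']['php'] != 'no' && ($data['old']['php_fpm_chroot'] != 'y' || $data['old']['php'] != $data['new']['php'] || !is_dir($data['new']['document_root'].'/etc/jailkit'))) {`. The presence of `etc/jailkit` is also the only evidence used that a jail exists, so a partially built jail would presumably be treated as complete; a comment naming the three triggers and that limitation would help the next reader. update() starts and ends outside this hunk, so how the jail is validated afterwards is not visible here.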

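--- a/server/plugins-available/nginx_plugin.inc.php
+++ b/server/plugins-available/nginx_plugin.inc.php
@@ -364,7 +364,7 @@ function update($event_name, $data) {
 $app->uses('getconf');
 $web_config = $app->getconf->get_server_config($conf['server_id'], 'web');
 
-//* Check if this is a chrooted setup
+//* Check if nginx is using a chrooted setup
 if($web_config['website_basedir'] != '' && @is_file($web_config['website_basedir'].'/etc/passwd')) {
 $nginx_chrooted = true;
 $app->log('Info: nginx is chrooted.', LOGLEVEL_DEBUG);
@@ -378,7 +378,7 @@ function update($event_name, $data) {
 }
 if($app->system->is_allowed_user($data['new']['system_user'], $app->system->is_user($data['new']['system_user']), true) == false
 || $app->system->is_allowed_group($data['new']['system_group'], $app->system->is_group($data['new']['system_group']), true) == false) {
-$app->log('Websites cannot be owned by the root user or group. User: '.$data['new']['system_user'].' Group: '.$data['new']['system_group'], LOGLEVEL_WARN);
+$app->log('Problem with website user or group. Websites cannot be owned by root or an existing user/group. User: '.$data['new']['system_user'].' Group: '.$data['new']['system_group'], LOGLEVEL_WARN);
 return 0;
 }
 if(trim($data['new']['domain']) == '') {
@@ -485,14 +485,17 @@ function update($event_name, $data) {
 $tmp_symlink = str_replace('[website_domain]', $data['old']['domain'], $tmp_symlink);
 // Remove trailing slash
 if(substr($tmp_symlink, -1, 1) == '/') $tmp_symlink = substr($tmp_symlink, 0, -1);
-// create the symlinks, if not exist
+// remove the old symlinks if they exist
 if(is_link($tmp_symlink)) {
 $app->system->exec_safe('rm -f ?', $tmp_symlink);
 $app->log('Removed symlink: rm -f '.$tmp_symlink, LOGLEVEL_DEBUG);
 }
 }
 }
 
+//* Remove protection of old folders
+$app->system->web_folder_protection($data['old']['document_root'], false);
+
 if($data["new"]["type"] != "vhostsubdomain" && $data["new"]["type"] != "vhostalias") {
 //* Move the site data
 $tmp_docroot = explode('/', $data['new']['document_root']);
@@ -515,9 +518,7 @@ function update($event_name, $data) {
 
 //* Create new base directory, if it does not exist yet
 if(!is_dir($new_dir)) $app->system->mkdirpath($new_dir);
-$app->system->web_folder_protection($data['old']['document_root'], false);
 $app->system->exec_safe('mv ? ?', $data['old']['document_root'], $new_dir);
-//$app->system->rename($data['old']['document_root'],$new_dir);
 $app->log('Moving site to new document root: mv '.$data['old']['document_root'].' '.$new_dir, LOGLEVEL_DEBUG);
 
 // Handle the change in php_open_basedir
@@ -537,15 +538,6 @@ function update($event_name, $data) {
 if($nginx_chrooted) $app->system->exec_safe('chroot ? ?', $web_config['website_basedir'], $command);
 
 //* Change the log mount
-/*
-$fstab_line = '/var/log/ispconfig/httpd/'.$data['old']['domain'].' '.$data['old']['document_root'].'/'.$old_log_folder.' none bind';
-$app->system->removeLine('/etc/fstab', $fstab_line);
-$fstab_line = '/var/log/ispconfig/httpd/'.$data['old']['domain'].' '.$data['old']['document_root'].'/'.$old_log_folder.' none bind,nobootwait';
-$app->system->removeLine('/etc/fstab', $fstab_line);
-$fstab_line = '/var/log/ispconfig/httpd/'.$data['old']['domain'].' '.$data['old']['document_root'].'/'.$old_log_folder.' none bind,nobootwait';
-$app->system->removeLine('/etc/fstab', $fstab_line);
-*/
-
 $fstab_line_old = '/var/log/ispconfig/httpd/'.$data['old']['domain'].' '.$data['old']['document_root'].'/'.$old_log_folder.' none bind';
 
 if($web_config['network_filesystem'] == 'y') {
@@ -560,8 +552,6 @@ function update($event_name, $data) {
 
 }
 
-//print_r($data);
-
 // Check if the directories are there and create them if necessary.
 $app->system->web_folder_protection($data['new']['document_root'], false);
 
@@ -613,8 +603,12 @@ function update($event_name, $data) {
 $update_hash = hash('md5', implode(' ', $last_updated));
 $check_for_jailkit_updates=false;
 
-// Create jailkit chroot when enabling php_fpm_chroot
-if($data['new']['php_fpm_chroot'] == 'y' && $data['old']['php_fpm_chroot'] != 'y' && $data['new']['php'] != 'no') {
+$create_jail_conditions= ($data['old']['php_fpm_chroot'] != 'y' ||
+! is_dir($data['new']['document_root'].'/etc/jailkit') ||
+($data['old']['php'] != $data['new']['php'] && $data['new']['php'] != 'no'));
+
+// Create jailkit chroot if needed and when enabling php_fpm_chroot
+if($data['new']['php_fpm_chroot'] == 'y' && $create_jail_conditions && $data['new']['php'] != 'no') {
 $website = $app->db->queryOneRecord('SELECT * FROM web_domain WHERE domain_id = ?', $data['new']['domain_id']);
 $this->website = array_merge($website, $data['new'], array('new_jailkit_hash' => $update_hash));
 $this->jailkit_config = $jailkit_config;
@@ -716,7 +710,7 @@ function update($event_name, $data) {
 $tmp_symlink = str_replace('[website_domain]', $data['old']['domain'], $tmp_symlink);
 // Remove trailing slash
 if(substr($tmp_symlink, -1, 1) == '/') $tmp_symlink = substr($tmp_symlink, 0, -1);
-// remove the symlinks, if not exist
+// remove the old symlinks if they exist
 if(is_link($tmp_symlink)) {
 $app->system->exec_safe('rm -f ?', $tmp_symlink);
 $app->log('Removed symlink: rm -f '.$tmp_symlink, LOGLEVEL_DEBUG);
@@ -2120,7 +2114,7 @@ function delete($event_name, $data) {
 
 if($data['old']['type'] == 'vhost' || $data['old']['type'] == 'vhostsubdomain' || $data['old']['type'] == 'vhostalias') $app->system->web_folder_protection($data['old']['document_root'], false);
 
-//* Check if this is a chrooted setup
+//* Check if nginx is using a chrooted setup
 if($web_config['website_basedir'] != '' && @is_file($web_config['website_basedir'].'/etc/passwd')) {
 $nginx_chrooted = true;
 } else {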
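Review bot: The `web_folder_protection($data['old']['document_root'], false)` call added at new lines 496-497 now sits ahead of the `vhostsubdomain`/`vhostalias` type check, so protection on the old document root is lifted even on the paths that skip the move. Nothing in the visible hunks switches protection back on for that old path, and update() runs well beyond these hunks, so whether it is restored later cannot be confirmed from here. If it is not, an update of a subdomain or alias vhost could leave that folder without its protection until the next full rewrite. Once the restore point is confirmed, I would extend the new comment to name it, for example `//* Remove protection of old folders (must be re-enabled before update() returns)`.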
