Merge branch 'staging/fixes' into staging/release/v1.3.0

Author: Kristan Kenney

bin/v-change-user-rkey

@@ -1,8 +1,8 @@
 #!/bin/bash
-# info: change user password
-# options: USER
+# info: change user random key
+# options: USER [HASH]
 #
-# The function changes user's password and updates RKEY value.
+# The function changes user's RKEY value thats has been used for security value to be used forgot password function only.
 
 
 #----------------------------------------------------------#
@@ -11,8 +11,9 @@
 
 # Argument definition
 user=$1
+hash=$2
 
-
+echo $rkeyhash;
 # Importing system enviroment  as we run this script
 # mostly by cron wich not read it by itself
 source /etc/profile
@@ -25,14 +26,21 @@ source $HESTIA/conf/hestia.conf
 #                    Verifications                         #
 #----------------------------------------------------------#
 
-check_args '1' "$#" 'USER'
+check_args '1' "$#" 'USER [HASH]'
 is_format_valid 'user'
 is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"
 
 # Perform verification if read-only mode is enabled
 check_hestia_demo_mode
 
+if [ ! -z "$hash" ]; then
+    password=$hash
+    is_password_valid
+    hash=$password;
+else
+    hash=$(generate_password)
+fi
 #----------------------------------------------------------#
 #                       Action                             #
 #----------------------------------------------------------#
@@ -44,7 +52,7 @@ d=$(date +%s)
 #----------------------------------------------------------#
 
 # Changing RKEY value
-update_user_value "$user" '$RKEY' "$(generate_password)"
+update_user_value "$user" '$RKEY' "$hash"
 
 #check if RKEYEXP exists
 if [ -z "$(grep RKEYEXP $USER_DATA/user.conf)" ]; then

install/hst-install-debian.sh

@@ -931,8 +931,13 @@ fi
 
 # Restrict access to /proc fs
 # - Prevent unpriv users from seeing each other running processes
-mount -o remount,defaults,hidepid=2 /proc
-echo "@reboot root sleep 5 && mount -o remount,defaults,hidepid=2 /proc" > /etc/cron.d/hestia-proc
+mount -o remount,defaults,hidepid=2 /proc > /dev/null 2>&1
+if [ $? -ne 0 ]; then
+    echo "Info: Cannot remount /proc (LXC containers require additional perm added to host apparmor profile)"
+else
+    echo "@reboot root sleep 5 && mount -o remount,defaults,hidepid=2 /proc" > /etc/cron.d/hestia-proc
+fi
+
 
 #----------------------------------------------------------#
 #                     Configure Hestia                     #

install/hst-install-ubuntu.sh

@@ -988,8 +988,12 @@ fi
 
 # Restrict access to /proc fs
 # - Prevent unpriv users from seeing each other running processes
-mount -o remount,defaults,hidepid=2 /proc
-echo "@reboot root sleep 5 && mount -o remount,defaults,hidepid=2 /proc" > /etc/cron.d/hestia-proc
+mount -o remount,defaults,hidepid=2 /proc > /dev/null 2>&1
+if [ $? -ne 0 ]; then
+    echo "Info: Cannot remount /proc (LXC containers require additional perm added to host apparmor profile)"
+else
+    echo "@reboot root sleep 5 && mount -o remount,defaults,hidepid=2 /proc" > /etc/cron.d/hestia-proc
+fi
 
 
 #----------------------------------------------------------#

install/upgrade/versions/1.3.0.sh

@@ -65,6 +65,10 @@ fi
 # Restrict access to /proc fs
 if [ ! -e "/etc/cron.d/hestia-proc" ]; then
     echo "[ * ] Restrict access to /proc fs"
-    echo "@reboot root sleep 5 && mount -o remount,defaults,hidepid=2 /proc" > /etc/cron.d/hestia-proc
-    mount -o remount,defaults,hidepid=2 /proc
+    mount -o remount,defaults,hidepid=2 /proc > /dev/null 2>&1
+    if [ $? -ne 0 ]; then
+        echo "Info: Cannot remount /proc (LXC containers require additional perm added to host apparmor profile)"
+    else
+        echo "@reboot root sleep 5 && mount -o remount,defaults,hidepid=2 /proc" > /etc/cron.d/hestia-proc
+    fi
 fi

web/reset/index.php

@@ -20,11 +20,16 @@
         $data = json_decode(implode('', $output), true);
         if($email == $data[$user]['CONTACT']){
             //genrate new rkey
-            exec ("/usr/bin/sudo /usr/local/hestia/bin/v-change-user-rkey ".$v_user."", $output, $return_var);
+            $rkey = substr( password_hash( 'hestiacp', PASSWORD_DEFAULT ), 5, 12 );
+            $hash = password_hash($rkey, PASSWORD_DEFAULT);
+            $v_rkey = tempnam("/tmp","vst");
+            $fp = fopen($v_rkey, "w");
+            fwrite($fp, $hash."\n");
+            fclose($fp);
+            exec ("/usr/bin/sudo /usr/local/hestia/bin/v-change-user-rkey ".$v_user." ".$v_rkey."", $output, $return_var);
             unset($output);
             exec ($cmd." ".$v_user." json", $output, $return_var);
             $data = json_decode(implode('', $output), true);
-            $rkey = $data[$user]['RKEY'];
             $name = $data[$user]['NAME'];
             $contact = $data[$user]['CONTACT'];
             $to = $data[$user]['CONTACT'];
@@ -58,7 +63,7 @@
         if ( $return_var == 0 ) {
             $data = json_decode(implode('', $output), true);
             $rkey = $data[$user]['RKEY'];
-            if (hash_equals($rkey, $_POST['code'])) {
+            if (password_verify($_POST['code'], $rkey)) {
                 unset($output);
                 exec("/usr/bin/sudo /usr/local/hestia/bin/v-get-user-value ".$v_user." RKEYEXP", $output,$return_var);
                 if($output[0] > time() - 900){