Merge branch '1.9.0-release'

Author: jaapmarcus

CHANGELOG.md

@@ -6,73 +6,92 @@ All notable changes to this project will be documented in this file.
 
 ### Notes
 
-- To improve security we have deciced to allow users to rename the default admin user. And use a new user "hestia-web" to become the default user to run Hestia on.
-- Dropped support Debian 10 due to EOL
+- To improve security, we now allow users to rename the default `admin` user.
+- Hestia now runs under a new `hestia-web` user.
+- In initial versions of HestiaCP, we used Jailkit to enabled Jailed SSH. It had major disadvantages, so we have decided it to replace it with [bubblewrap](https://github.com/containers/bubblewrap). Users running Jailed SSH in the past are advised to run the migration script! It can be found in `/usr/local/hestia/upgrade/manual/migrate_jailkit_to_bubblewrap.sh`. See [#4698](https://github.com/hestiacp/hestiacp/pull/4698)
+- We are aware that cgroups are currently not working as they should be. They work fine if you login with SSH as the user, but they don't work for PHP-FPM yet.
+- Dropped support for Debian 10 due to EOL.
+
+### Security
+
+- Fix issue where CIRD was not propperly validated CVE-XXXX-XXX-XXX
+- Restrict PHP-FPM permissions to a new user to prevent permission escalation to admin users. CVE-XXXX-XXX-XXX
+- Solve security issues where restart flag accepted unvalidated values. CVE-XXXX-XXX-XXX
 
 ### Features
 
-- Added support for PHP 8.4
+- Add support for PHP 8.4
 - Add support for Ubuntu 24.04 Noble release (#4411 #4451)
-- Add support for Jailed SSH (#4052 #4245) @rjd222
+- Add support for Jailed SSH (#4052 #4245, #4698 #4687)
 - Implement CLI for Quick Install Apps (#4443)
-- Add support for Directadmin / Cpanel imports ( #4177 #4415 #4426 #4252 #4241)
-- Add support for Increamental Backups via Restic
-- Add support for Triggers in v-add-mail-domain / v-add-delete-mail-domain #4416 (See Docs)
+- Add support for DirectAdmin & cPanel imports (#4177 #4415 #4426 #4252 #4241)
+- Add support for Incremental Backups via Restic
+- Add support for Triggers in `v-add-mail-domain` / `v-add-delete-mail-domain` #4416 (See Docs)
 - Add new Quick Install Apps (#4433, #4509, #4327)
 - Add support for Limit CPU and RAM for Each User Using cgroup (#4372 #4325)
 - Add Web terminal (#3859)
 - Improve email account sidebar layout (#4154)
-- Allow Chmod in Filegator #4548
+- Allow chmod in FileGator #4548
 
 ### Bug fixes
 
-- Allow filegator to be translated (#4382 #4275)
+- Allow FileGator to be translated (#4382 #4275)
 - Fix bug caused by new release robthree/twofactorauth (#4410)
-- Create .wp-cli folder on create new user (#4403)
+- Create `.wp-cli` folder on create new user (#4403)
 - Fix SMTP Relay routing issue (#4389)
 - Fix Roundcube permissions (#4387)
-- Fix v-add-dns-record when adding TLSA records (#4376)
-- Fix handling of Snappymail (#4349)
-- Added creation of dovecot.log and permission setup to dovecot installation step (#4352)
-- Fix to the Localpart Mail validator so it can accept aliases starting and ending with (#4351)
-- Apache2: Enable mod_headers by default. (#4350)
+- Fix `v-add-dns-record` when adding TLSA records (#4376)
+- Fix handling of SnappyMail (#4349)
+- Added creation of `dovecot.log` and permission setup to the dovecot installation step (#4352)
+- Fix to the Localpart Mail validator so it can accept aliases starting and ending with `-` (#4351)
+- Apache2: Enable `mod_headers` by default. (#4350)
 - Update MediaWiki to 1.41.1 (#4344)
 - Add support for compressing via GZ or ZSTD (#4300 #4322)
 - Simplify spinner styles (#4319)
 - Animate deletion of notifications (#4316)
-- Update v-run-cli-cmd (#4310)
+- Update `v-run-cli-cmd` (#4310)
 - Show database server port in notification email (#4301)
-- Fixes permissions issue related with Issue #4248 (#4268)
-- remove PHP code, and fix installer warning (#4279)
+- Fix permissions issue related with Issue #4248 (#4268)
+- Remove PHP code, and fix installer warning (#4279)
 - Prevent \* from expanding in command (#4085)
 - Drop v-generate-debug-report (#4266)
 - Fix missing dot file backups
-- vsftpd use_localtime No #4261
-- Fix broken mysql v8 install on Debian (#4259)
+- Disable `use_localtime` for vsftpd (#4261)
+- Fix broken MySQL v8 install on Debian (#4259)
 - Use standard y/N format in installer to indicate default (#4251)
 - Fix broken HTML on login/reset pages (#4247)
-- Checks for usernames starting with a alphabetic character. (#4195 #4181)
+- Add checks for usernames starting with an alphabetic character. (#4195 #4181)
 - Correct formatting of user dir (#4098)
-- Add mjs as a file to serve statically (#4240)
+- Add `.mjs` as a file to serve statically (#4240)
 - Display system time on cron pages (#4236)
 - Patch Dokuwiki installer for issue #3889 (#4229)
-- Corrected path to ssl certs (#4202)
+- Corrected path to SSL certs (#4202)
 - Add value to input type text (#4193)
 - Correctly get the session cookie for web terminal (#3969)
 - Fix Bug with 403 errors Letsencrypt (#4622)
-- Update phpmyadmin.inc to improve loading static files
+- Update `phpmyadmin.inc` to improve loading static files
 - Fix issues with mapping ipv4 to ipv6 setups when server is behind proxies with login (#4606)
-- Fix issue with v-change-sys-ip-nat with VSFTPD and systems behind NAT (#4591)
+- Fix issue with `v-change-sys-ip-nat` with VSFTPD and systems behind NAT (#4591)
 - Fix issues with IDN domains and Apache2 and PHP (#4583)
-- Improve Owncloud templates (#4572)
-- Improve security Quick Install Apps (#457 #4569 #4568 #4567 #4566 #4565 #4564 #4563)
-- Add hestia-mail to hestia-users group and create hestia-users group on new install #4540 #4531
+- Improve OwnCloud templates (#4572)
+- Improve security for Quick Install Apps (#457 #4569 #4568 #4567 #4566 #4565 #4564 #4563)
+- Add `hestia-mail` to `hestia-users` group and create `hestia-users` group on new install #4540 #4531
+- Fix translations MariaDB / PHPMyadmin (#4725)
+- Remove some left overs from the old admin user (#4721)
+- Disallow `` ` `` character in cronjobs to avoid errors in cron list #4708
+- Drop Maxmind `high-risk-ip-sample-list` (#4692)
+- Hardening of installer security and improving usability (#4690)
+- White label for file manager (#4681) @MaxiZamorano
+- Fixed with cronjob `v-add-letsencrypt-domain` created new cronjob under "admin" user that didn't have sudo permissions
+- Customization of the file manager with interface improvements (#4678) @MaxiZamorano
+- Fix: Proftpd FTP Usage is showing incorrect information (#4672)
+- Add template for using webasyst with nginx+php-fpm (#4660)
 
-### Depencies
+### Dependencies
 
-- Update hestia-nginx to 1.27.0
-- Update hestia-php to 8.3.9
-- Update Roundcube, Filegator, Snappy mail to the latest version
+- Update hestia-nginx to 1.27.3
+- Update hestia-php to 8.3.16
+- Update Roundcube, FileGator and SnappyMail to the latest version
 - Update Quick Installer apps to latest version (#4594)
 
 ## [1.8.12] - Service release
@@ -114,7 +133,7 @@ All notable changes to this project will be documented in this file.
 
 ### Security
 
-- Restrict PHP-FPM permissions to a new user to prevent permission escalation to admin or other users [CVE-xxxx-xxxxx](https://huntr.com/bounties/21125f12-64a0-42a3-b218-26b9945a5bc0/)
+- Restrict PHP-FPM permissions to a new user to prevent permission escalation to admin or other users [CVE-2023-5839](https://huntr.com/bounties/21125f12-64a0-42a3-b218-26b9945a5bc0/)
 - Reduce Nginx keepalive_requests to 1000 ([Nginx default](https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/#http2_max_concurrent_streams)) to limit risks of [CVE-2023-44487](https://www.cve.org/CVERecord?id=CVE-2023-44487)
 
 ### Bug fixes

bin/v-add-dns-domain

@@ -55,6 +55,7 @@ is_format_valid 'user' 'domain' 'ip'
 is_system_enabled "$DNS_SYSTEM" 'DNS_SYSTEM'
 is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"
+is_format_valid 'restart'
 
 if [ "$($BIN/v-list-dns-domain $user $domain_utf plain | cut -f 1) " != "$domain" ]; then
 	is_domain_new 'dns' "$domain_utf"

bin/v-add-dns-on-web-alias

@@ -35,6 +35,7 @@ is_format_valid 'user' 'alias' 'ip' 'restart'
 is_system_enabled "$DNS_SYSTEM" 'DNS_SYSTEM'
 is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"
+
 if [ -e "$USER_DATA/dns/$alias.conf" ]; then
 	exit
 fi

bin/v-add-dns-record

@@ -105,9 +105,7 @@ is_object_new "dns/$domain" 'ID' "$id"
 is_dns_fqnd "$rtype" "$dvalue"
 is_dns_nameserver_valid "$domain" "$rtype" "$dvalue"
 is_format_valid 'ttl'
-if [ -n "$restart" ]; then
-	is_format_valid 'restart'
-fi
+is_format_valid 'restart'
 
 # Perform verification if read-only mode is enabled
 check_hestia_demo_mode

bin/v-add-firewall-ban

@@ -1,6 +1,6 @@
 #!/bin/bash
 # info: add firewall blocking rule
-# options: IP CHAIN
+# options: IPV4_CIDR CHAIN
 #
 # example: v-add-firewall-ban 37.120.129.20 MAIL
 #
@@ -11,7 +11,7 @@
 #----------------------------------------------------------#
 
 # Argument definition
-ip=$1
+ipv4_cidr=$1
 chain=$(echo $2 | tr '[:lower:]' '[:upper:]')
 
 # Defining absolute path for iptables and modprobe
@@ -31,8 +31,8 @@ source_conf "$HESTIA/conf/hestia.conf"
 #                    Verifications                         #
 #----------------------------------------------------------#
 
-check_args '2' "$#" 'IP CHAIN'
-is_format_valid 'ip' 'chain'
+check_args '2' "$#" 'IPV4_CIDR CHAIN'
+is_format_valid 'ipv4_cidr' 'chain'
 is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
 
 # Perform verification if read-only mode is enabled
@@ -46,20 +46,20 @@ check_hestia_demo_mode
 heal_iptables_links
 
 # Checking server ip
-if [ -e "$HESTIA/data/ips/$ip" ] || [ "$ip" = '127.0.0.1' ]; then
+if [ -e "$HESTIA/data/ips/$ipv4_cidr" ] || [ "$ipv4_cidr" = '127.0.0.1' ]; then
 	exit
 fi
 
 # Checking ip exclusions
 excludes="$HESTIA/data/firewall/excludes.conf"
-check_excludes=$(grep "^$ip$" $excludes 2> /dev/null)
+check_excludes=$(grep "^$ipv4_cidr$" $excludes 2> /dev/null)
 if [ -n "$check_excludes" ]; then
 	exit
 fi
 
 # Checking ip in banlist
 conf="$HESTIA/data/firewall/banlist.conf"
-check_ip=$(grep "IP='$ip' CHAIN='$chain'" $conf 2> /dev/null)
+check_ip=$(grep "IP='$ipv4_cidr' CHAIN='$chain'" $conf 2> /dev/null)
 if [ -n "$check_ip" ]; then
 	exit
 fi
@@ -73,8 +73,8 @@ time=$(echo "$time_n_date" | cut -f 1 -d \ )
 date=$(echo "$time_n_date" | cut -f 2 -d \ )
 
 # Adding ip to banlist
-echo "IP='$ip' CHAIN='$chain' TIME='$time' DATE='$date'" >> $conf
-$iptables -I fail2ban-$chain 1 -s $ip \
+echo "IP='$ipv4_cidr' CHAIN='$chain' TIME='$time' DATE='$date'" >> $conf
+$iptables -I fail2ban-$chain 1 -s $ipv4_cidr \
 	-j REJECT --reject-with icmp-port-unreachable 2> /dev/null
 
 # Changing permissions
@@ -85,7 +85,7 @@ chmod 660 $conf
 #----------------------------------------------------------#
 
 # Logging
-$BIN/v-log-action "system" "Warning" "Firewall" "Banned IP address $ip."
+$BIN/v-log-action "system" "Warning" "Firewall" "Banned IP address $ipv4_cidr."
 log_event "$OK" "$ARGUMENTS"
 
 exit

bin/v-add-firewall-rule

@@ -1,6 +1,6 @@
 #!/bin/bash
 # info: add firewall rule
-# options: ACTION IP PORT [PROTOCOL] [COMMENT] [RULE]
+# options: ACTION IPV4_CIDR PORT [PROTOCOL] [COMMENT] [RULE]
 #
 # example: v-add-firewall-rule DROP 185.137.111.77 25
 #
@@ -12,7 +12,7 @@
 
 # Argument definition
 action=$(echo $1 | tr '[:lower:]' '[:upper:]')
-ip=$2
+ipv4_cidr=$2
 port_ext=$3
 protocol=${4-TCP}
 protocol=$(echo $protocol | tr '[:lower:]' '[:upper:]')
@@ -47,7 +47,7 @@ sort_fw_rules() {
 #                    Verifications                         #
 #----------------------------------------------------------#
 
-check_args '3' "$#" 'ACTION IP PORT [PROTOCOL] [COMMENT] [RULE]'
+check_args '3' "$#" 'ACTION IPV4_CIDR PORT [PROTOCOL] [COMMENT] [RULE]'
 is_format_valid 'action' 'protocol' 'port_ext'
 is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
 get_next_fw_rule
@@ -56,12 +56,12 @@ is_object_new '../../../data/firewall/rules' 'RULE' "$rule"
 if [ -n "$comment" ]; then
 	is_format_valid 'comment'
 fi
-if [[ "$ip" =~ ^ipset: ]]; then
-	ipset_name="${ip#ipset:}"
+if [[ "$ipv4_cidr" =~ ^ipset: ]]; then
+	ipset_name="${ipv4_cidr#ipset:}"
 	$BIN/v-list-firewall-ipset plain | grep "^$ipset_name\s" > /dev/null
 	check_result $? 'ipset object not found' "$E_NOTEXIST"
 else
-	is_format_valid 'ip'
+	is_format_valid 'ipv4_cidr'
 fi
 
 # Perform verification if read-only mode is enabled
@@ -78,7 +78,7 @@ date=$(echo "$time_n_date" | cut -f 2 -d \ )
 
 # Concatenating rule
 str="RULE='$rule' ACTION='$action' PROTOCOL='$protocol' PORT='$port_ext'"
-str="$str IP='$ip' COMMENT='$comment' SUSPENDED='no'"
+str="$str IP='$ipv4_cidr' COMMENT='$comment' SUSPENDED='no'"
 str="$str TIME='$time' DATE='$date'"
 
 # Adding to config

bin/v-add-mail-domain-ssl

@@ -51,13 +51,18 @@ format_domain_idn
 #----------------------------------------------------------#
 
 check_args '3' "$#" 'USER DOMAIN SSL_DIR [RESTART]'
-is_format_valid 'user' 'domain' 'ssl_dir'
+is_format_valid 'user' 'domain' 'ssl_dir' 'restart'
+format_no_quotes "$ssl_dir"
 is_system_enabled "$MAIL_SYSTEM" 'MAIL_SYSTEM'
 is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"
 is_object_valid 'mail' 'DOMAIN' "$domain"
 is_object_unsuspended 'mail' 'DOMAIN' "$domain"
 is_object_value_empty 'mail' 'DOMAIN' "$domain" '$SSL'
+if [ -n "$restart" ]; then
+	is_restart_valid 'restart' "$restart"
+fi
+
 is_web_domain_cert_valid
 
 # Perform verification if read-only mode is enabled

bin/v-add-sys-ssh-jail

@@ -1,8 +1,8 @@
 #!/bin/bash
 # info: add system ssh jail
-# options: [RESTART]
+# options: NONE
 #
-# example: v-add-sys-ssh-jail yes
+# example: v-add-sys-ssh-jail
 #
 # This function enables ssh jailed environment.
 

bin/v-add-web-domain

@@ -50,7 +50,7 @@ domain_utf=$(idn2 --quiet -d "$domain_idn")
 
 is_system_enabled "$WEB_SYSTEM" 'WEB_SYSTEM'
 check_args '2' "$#" 'USER DOMAIN [IP] [RESTART] [ALIASES] [PROXY_EXTENSIONS]'
-is_format_valid 'user' 'domain' 'aliases' 'ip' 'proxy_ext'
+is_format_valid 'user' 'domain' 'aliases' 'ip' 'proxy_ext' 'restart'
 is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"
 is_package_full 'WEB_DOMAINS'

bin/v-add-web-domain-alias

@@ -45,7 +45,7 @@ if [ -z "$aliases" ]; then
 fi
 
 check_args '3' "$#" 'USER DOMAIN ALIASES [RESTART]'
-is_format_valid 'user' 'domain' 'aliases'
+is_format_valid 'user' 'domain' 'aliases' 'restart'
 is_system_enabled "$WEB_SYSTEM" 'WEB_SYSTEM'
 is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"