Merge pull request hestiacp#1142 from hestiacp/staging/fixes

ScIT-Raphael · web-flow · commit 1a924f1d7f84 · 2020-09-05T10:21:25.000+02:00
Staging/fixes
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,8 +9,29 @@ All notable changes to this project will be documented in this file.
     - `UPGRADE_SEND_EMAIL` = Sends an email notification to admin email address
     - `UPGRADE_SEND_EMAIL_LOG` = Sends installation log output to admin email address
 - Upgrade process will now save logs to the `hst_backups` directory.
+- Support for removing backup remote location (#1083)
+- Add support Proftpd TLS Support
+- Add the possibility to assign user "Administrators" rights on login. Replaces "root" login. Notifications are only send towards the "admin" account email
+
+## Buggfixes
+- Removed root login (root / root password )
+- Update apache2.conf replace Include with IncludeOptional (#1072)
+- Add ca-certificates, software-properties-common to the dependencies (#1073 + [Forum](https://forum.hestiacp.com/t/hestiscp-fails-on-new-debian-9-vps/1623/8) ) @daniel-eder
+- Fixed issues with database port during backup when port was missing (#1068)
+- Postqresql: forbid the use of upper case (#1084) causing issues with backup / creating database or user
+- Fixed permissions email account during restore (#1114)
+- Create .npm on creating new user (#1113) @hahagu 
+- Fixed Access to a website without a ssl certificate on https shows the content of the first, valid ssl website (#1103)
+- Fixed an issue when installing --with-debs and version check (#1110)
+- Improved Translations Chinese @myrevery
+- File manager create directory with proper permissions 
+- Removed loop ad v-rebuild-all (#1096)
+- Add $restart flag to v-add-web-domain-backend call (#1094) (#797) @bright-soft
+- Fixed an issue with Restore Failed on Domains with Mail Setups using SSL (#1069)
+- Fixed an issue with PHPMyAdmin button (#1078)
+- Changed WordPress name in Webapp installer (#1074)
+- Add a free disk space validation during backup routine (#1115)
 
-## Bugfixes
 
 ## [1.2.3] - Service Release
 ### Features
diff --git a/bin/v-add-user b/bin/v-add-user
@@ -188,6 +188,7 @@ RKEY='$(generate_password)'
 TWOFA=''
 QRCODE=''
 PHPCLI=''
+ROLE='user'
 SUSPENDED='no'
 SUSPENDED_USERS='0'
 SUSPENDED_WEB='0'
diff --git a/bin/v-backup-user b/bin/v-backup-user
@@ -55,6 +55,15 @@ start_time=$(date '+%s')
 subj="$user → backup failed"
 email=$(grep CONTACT $HESTIA/data/users/admin/user.conf |cut -f 2 -d \')
 
+# Validate available disk space (take usage * 2, due to the backup handling)
+let u_disk=$(grep "U_DISK=" $HESTIA/data/users/$user/user.conf |cut -f 2 -d \')*2
+let v_disk=$(($(stat -f --format="%a*%S" $BACKUP)))/1024/1024
+
+if [ "$u_disk" -gt "$v_disk" ]; then
+    echo "not enough diskspace available to perform the backup." |$SENDMAIL -s "$subj" $email $notify
+    check_result $E_LIMIT "not enough diskspace available to perform the backup."
+fi
+
 if [ -z "$BACKUP_TEMP" ]; then
     BACKUP_TEMP=$BACKUP
 fi
diff --git a/bin/v-change-user-package b/bin/v-change-user-package
@@ -104,6 +104,7 @@ RKEY='$RKEY'
 TWOFA='$TWOFA'
 QRCODE='$QRCODE'
 PHPCLI='$PHPCLI'
+ROLE='$ROLE'
 SUSPENDED='$SUSPENDED'
 SUSPENDED_USERS='$SUSPENDED_USERS'
 SUSPENDED_WEB='$SUSPENDED_WEB'
diff --git a/bin/v-change-user-role b/bin/v-change-user-role
@@ -0,0 +1,42 @@
+#!/bin/bash
+# info: updates user role
+# options: USER ROLE
+
+#----------------------------------------------------------#
+#                    Variable&Function                     #
+#----------------------------------------------------------#
+
+# Argument definition
+user=$1
+role=$2
+
+
+# Includes
+source $HESTIA/func/main.sh
+source $HESTIA/conf/hestia.conf
+
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+# Reading user values
+source $USER_DATA/user.conf
+
+is_format_valid 'user' 'role'
+is_object_valid 'user' 'USER' "$user"
+
+is_object_unsuspended 'user' 'USER' "$user"
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+update_user_value "$user" '$ROLE' "$role"
+
+
+#----------------------------------------------------------#
+#                       Hestia                             #
+#----------------------------------------------------------#
+
+exit
diff --git a/bin/v-get-user-salt b/bin/v-get-user-salt
@@ -61,7 +61,7 @@ check_args '1' "$#" 'USER [IP] [SALT]'
 is_format_valid 'user'
 
 # Checking user
-if [ ! -d "$HESTIA/data/users/$user" ] && [ "$user" != 'root' ]; then
+if [ ! -d "$HESTIA/data/users/$user" ]; then
     echo "Error: password missmatch"
     echo "$date $time $user $ip failed to login" >> $HESTIA/log/auth.log
     exit 9
diff --git a/bin/v-list-user b/bin/v-list-user
@@ -45,6 +45,7 @@ json_list() {
         "RKEY": "'$RKEY'",
         "TWOFA": "'$TWOFA'",
         "QRCODE": "'$QRCODE'",
+        "ROLE": "'$ROLE'",
         "SUSPENDED": "'$SUSPENDED'",
         "SUSPENDED_USERS": "'$SUSPENDED_USERS'",
         "SUSPENDED_WEB": "'$SUSPENDED_WEB'",
diff --git a/func/main.sh b/func/main.sh
@@ -900,6 +900,13 @@ is_object_format_valid() {
     fi
 }
 
+# Role validator 
+is_role_valid (){
+    if ! [[ "$1" =~ ^admin|user$ ]]; then
+        check_result $E_INVALID "invalid $2 format :: $1"
+    fi
+}
+
 # Password validator
 is_password_format_valid() {
     if [ "${#1}" -lt '6' ]; then
@@ -989,6 +996,7 @@ is_format_valid() {
                 quota)          is_int_format_valid "$arg" 'quota' ;;
                 record)         is_common_format_valid "$arg" 'record';;
                 restart)        is_boolean_format_valid "$arg" 'restart' ;;
+                role)           is_role_valid "$arg" 'role' ;;
                 rtype)          is_dns_type_format_valid "$arg" ;;
                 rule)           is_int_format_valid "$arg" "rule id" ;;
                 service)        is_service_format_valid "$arg" "$arg_name" ;;
diff --git a/func/rebuild.sh b/func/rebuild.sh
@@ -31,6 +31,9 @@ rebuild_user_conf() {
     if [ -z "${PHPCLI+x}" ]; then 
         sed -i "/QRCODE/a PHPCLI=''" $USER_DATA/user.conf 
     fi
+    if [ -z "${ROLE+x}" ]; then 
+        sed -i "/PHPCLI/a ROLE='user'" $USER_DATA/user.conf 
+    fi
     # Run template trigger
     if [ -x "$HESTIA/data/packages/$PACKAGE.sh" ]; then
         $HESTIA/data/packages/$PACKAGE.sh "$user" "$CONTACT" "$NAME"
diff --git a/install/deb/apache2/apache2.conf b/install/deb/apache2/apache2.conf
@@ -80,7 +80,7 @@ LogFormat "%{Referer}i -> %U" referer
 LogFormat "%{User-agent}i" agent
 LogFormat "%b" bytes
 
-Include conf.d/*.conf
+IncludeOptional conf.d/*.conf
 IncludeOptional conf.d/domains/*.conf
 
 # Include the virtual host configurations:
diff --git a/install/deb/proftpd/proftpd.conf b/install/deb/proftpd/proftpd.conf
@@ -4,6 +4,8 @@ ServerAdmin                     root@localhost
 DefaultServer                   on
 DefaultRoot                  ~ !adm
 
+Include /etc/proftpd/tls.conf
+
 <IfModule mod_vroot.c>
     VRootEngine                 on
     VRootAlias                  /etc/security/pam_env.conf etc/security/pam_env.conf
diff --git a/install/deb/proftpd/tls.conf b/install/deb/proftpd/tls.conf
@@ -0,0 +1,63 @@
+#
+# Proftpd sample configuration for FTPS connections.
+#
+# Note that FTPS impose some limitations in NAT traversing.
+# See http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html
+# for more information.
+#
+<IfModule mod_dso.c>
+    # If mod_tls was built as a shared/DSO module, load it
+    LoadModule mod_tls.c
+</IfModule>
+<IfModule mod_tls.c>
+TLSEngine                               on
+TLSLog                                  /var/log/proftpd/tls.log
+# this is an example of protocols, proftp works witl all, but use only the most secure ones like TLSv1.1 and TLSv1.2
+TLSProtocol                             TLSv1.1 TLSv1.2
+#
+# Server SSL certificate. You can generate a self-signed certificate using
+# a command like:
+#
+# openssl req -x509 -newkey rsa:1024 \
+#          -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt \
+#          -nodes -days 365
+#
+# The proftpd.key file must be readable by root only. The other file can be
+# readable by anyone.
+#
+# chmod 0600 /etc/ssl/private/proftpd.key
+# chmod 0640 /etc/ssl/private/proftpd.key
+#
+TLSRSACertificateFile                   /usr/local/hestia/ssl/certificate.crt
+TLSRSACertificateKeyFile                /usr/local/hestia/ssl/certificate.key
+#
+# CA the server trusts...
+#TLSCACertificateFile                    /etc/ssl/certs/CA.pem
+# ...or avoid CA cert and be verbose
+#TLSOptions                      NoCertRequest EnableDiags
+# ... or the same with relaxed session use for some clients (e.g. FireFtp)
+#TLSOptions                      NoCertRequest EnableDiags NoSessionReuseRequired
+#
+#
+# Per default drop connection if client tries to start a renegotiate
+# This is a fix for CVE-2009-3555 but could break some clients.
+#
+#TLSOptions                                                     AllowClientRenegotiations
+#
+TLSOptions                       NoSessionReuseRequired AllowClientRenegotiations
+# Authenticate clients that want to use FTP over TLS?
+#
+#TLSVerifyClient                         off
+#
+# Are clients required to use FTP over TLS when talking to this server?
+#
+TLSRequired                             off
+#
+# Allow SSL/TLS renegotiations when the client requests them, but
+# do not force the renegotations.  Some clients do not support
+# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
+# clients will close the data connection, or there will be a timeout
+# on an idle data connection.
+#
+TLSRenegotiate                          required off
+</IfModule>
diff --git a/install/hst-install-debian.sh b/install/hst-install-debian.sh
@@ -681,7 +681,7 @@ cp /etc/vsftpd.conf $hst_backups/vsftpd > /dev/null 2>&1
 
 # Backup ProFTPD configuration
 systemctl stop proftpd > /dev/null 2>&1
-cp /etc/proftpd.conf $hst_backups/proftpd > /dev/null 2>&1
+cp /etc/proftpd/* $hst_backups/proftpd > /dev/null 2>&1
 
 # Backup Exim configuration
 systemctl stop exim4 > /dev/null 2>&1
@@ -1298,6 +1298,8 @@ if [ "$proftpd" = 'yes' ]; then
     echo "[ * ] Configuring ProFTPD server..."
     echo "127.0.0.1 $servername" >> /etc/hosts
     cp -f $HESTIA_INSTALL_DIR/proftpd/proftpd.conf /etc/proftpd/
+    cp -f $HESTIA_INSTALL_DIR/proftpd/tls.conf /etc/proftpd/
+    
     update-rc.d proftpd defaults > /dev/null 2>&1
     systemctl start proftpd >> $LOG
     check_result $? "proftpd start failed"
diff --git a/install/hst-install-ubuntu.sh b/install/hst-install-ubuntu.sh
@@ -654,7 +654,7 @@ cp /etc/vsftpd.conf $hst_backups/vsftpd > /dev/null 2>&1
 
 # Backup ProFTPD configuration
 systemctl stop proftpd > /dev/null 2>&1
-cp /etc/proftpd.conf $hst_backups/proftpd > /dev/null 2>&1
+cp /etc/proftpd/* $hst_backups/proftpd > /dev/null 2>&1
 
 # Backup Exim configuration
 systemctl stop exim4 > /dev/null 2>&1
@@ -1339,6 +1339,7 @@ if [ "$proftpd" = 'yes' ]; then
     echo "[ * ] Configuring ProFTPD server..."
     echo "127.0.0.1 $servername" >> /etc/hosts
     cp -f $HESTIA_INSTALL_DIR/proftpd/proftpd.conf /etc/proftpd/
+    cp -f $HESTIA_INSTALL_DIR/proftpd/tls.conf /etc/proftpd/
     update-rc.d proftpd defaults > /dev/null 2>&1
     systemctl start proftpd >> $LOG
     check_result $? "proftpd start failed"
diff --git a/install/upgrade/versions/1.3.0.sh b/install/upgrade/versions/1.3.0.sh
@@ -29,3 +29,16 @@ if [ "$PROXY_SYSTEM" = "nginx" ]; then
         > /etc/$PROXY_SYSTEM/conf.d/$IP.conf
     done < <(ls $HESTIA/data/ips/)
 fi
+
+if [ "$FTP_SYSTEM" == "proftpd" ]; then
+    if [ -e  /etc/proftpd/proftpd.conf ]; then
+        rm /etc/proftpd/proftpd.conf
+    fi
+    if [ -e  /etc/proftpd/tls.conf ]; then
+        rm /etc/proftpd/tls.conf
+    fi
+    
+    cp -f $HESTIA_INSTALL_DIR/proftpd/proftpd.conf /etc/proftpd/
+    cp -f $HESTIA_INSTALL_DIR/proftpd/tls.conf /etc/proftpd/
+    
+fi
diff --git a/web/add/user/index.php b/web/add/user/index.php
@@ -77,6 +77,14 @@
         unset($output);
     }
 
+    // Set Role
+    if (empty($_SESSION['error_msg'])) {
+        $v_role = escapeshellarg($_POST['v_role']);
+        exec (HESTIA_CMD."v-change-user-role ".$v_username." ".$v_role, $output, $return_var);
+        check_return_code($return_var,$output);
+        unset($output);
+    }
+
     // Send email to the new user
     if ((empty($_SESSION['error_msg'])) && (!empty($v_notify))) {
         $to = $_POST['v_notify'];
diff --git a/web/edit/server/index.php b/web/edit/server/index.php
@@ -257,18 +257,16 @@
    // Set File Manager support
     if (empty($_SESSION['error_msg'])) {
         if ((!empty($_POST['v_filemanager'])) && ($_SESSION['FILE_MANAGER'] != $_POST['v_filemanager'])) {
-            if ($_POST['v_filemanager'] == 'yes') {
-                $_POST['v_filemanager'] == 'true';
+            if ($_POST['v_filemanager'] == 'true') {
                 exec (HESTIA_CMD."v-add-sys-filemanager", $output, $return_var);
                 check_return_code($return_var,$output);
                 unset($output);
-                if (empty($_SESSION['error_msg'])) $_SESSION['FILE_MANAGER'] = 'yes';
+                if (empty($_SESSION['error_msg'])) $_SESSION['FILE_MANAGER'] = 'true';
             } else {
-                $_POST['v_filemanager'] == 'false';
                 exec (HESTIA_CMD."v-delete-sys-filemanager", $output, $return_var);
                 check_return_code($return_var,$output);
                 unset($output);
-                if (empty($_SESSION['error_msg'])) $_SESSION['FILE_MANAGER'] = 'no';
+                if (empty($_SESSION['error_msg'])) $_SESSION['FILE_MANAGER'] = 'false';
             }
         }
     }
diff --git a/web/edit/user/index.php b/web/edit/user/index.php
@@ -38,6 +38,7 @@
 $v_twofa = $data[$v_username]['TWOFA'];
 $v_qrcode = $data[$v_username]['QRCODE'];
 $v_phpcli = $data[$v_username]['PHPCLI'];
+$v_role = $data[$v_username]['ROLE'];
 $v_ns = $data[$v_username]['NS'];
 $nameservers = explode(",", $v_ns);
 $v_ns1 = $nameservers[0];
@@ -157,7 +158,14 @@
         check_return_code($return_var,$output);
         unset($output);
     }
-
+    // Change Role (admin only)
+    if (($v_role != $_POST['$v_role']) && ($_SESSION['user'] == 'admin') && (empty($_SESSION['error_msg']))) {
+        $v_role = escapeshellarg($_POST['v_role']);
+        exec (HESTIA_CMD."v-change-user-role ".escapeshellarg($v_username)." ".$v_role, $output, $return_var);
+        check_return_code($return_var,$output);
+        unset($output);
+        $v_role = $_POST['v_role'];
+    }
     // Change language
     if (($v_language != $_POST['v_language']) && (empty($_SESSION['error_msg']))) {
         $v_language = escapeshellarg($_POST['v_language']);
diff --git a/web/inc/i18n/en.php b/web/inc/i18n/en.php
@@ -228,7 +228,7 @@
     'STARTTLS'  => 'STARTTLS',
     'Normal password'  => 'Normal Password',
     'database'  => 'Database',
-    'User'  => 'Username',
+    'User'  => 'User',
     'Host'  => 'Hostname',
     'Charset'  => 'Charset',
     'Min'  => 'Minute',
diff --git a/web/login/index.php b/web/login/index.php
diff --git a/web/templates/admin/add_user.html b/web/templates/admin/add_user.html
diff --git a/web/templates/admin/edit_server.html b/web/templates/admin/edit_server.html
diff --git a/web/templates/admin/edit_user.html b/web/templates/admin/edit_user.html
