Limit permissions dummy.conf and www.conf prevent permission escalation (hestiacp#4095)

jaapmarcus · web-flow · commit acb766e1db53 · 2023-10-24T10:32:56.000+02:00
* Apply changes to default config

If users want less stricter system they can undo it

* Make changes for new install

* Fix few sed commands

* And CLI as well

* Update script


* Replace dummy.conf with unix socket 

Use correct file

Add comment on changes
diff --git a/bin/v-add-web-php b/bin/v-add-web-php
@@ -50,7 +50,7 @@ fi
 # Check if php version is supported
 if [[ ! "$multiphp_v" =~ $version ]]; then
 	echo "ERROR: Specified PHP version is not supported or does not exist."
-	exit "$E_INVALID";
+	exit "$E_INVALID"
 fi
 
 # Perform verification if read-only mode is enabled
@@ -131,14 +131,25 @@ update-rc.d php$version-fpm defaults > /dev/null 2>&1
 v_tpl=${version//./}
 rm -f /etc/php/$version/fpm/pool.d/*
 cp -f $HESTIA_INSTALL_DIR/php-fpm/dummy.conf /etc/php/$version/fpm/pool.d/
-sed -i "s/9999/99$v_tpl/g" /etc/php/$version/fpm/pool.d/dummy.conf
+sed -i "s/%backend_version%/$version/g" /etc/php/$version/fpm/pool.d/dummy.conf
 cp -f $HESTIA_INSTALL_DIR/php-fpm/php-fpm.conf /etc/php/$version/fpm/
 sed -i "s/fpm_v/$version/g" /etc/php/$version/fpm/php-fpm.conf
 
 # Increase max upload and max post size
 sed -i "s/upload_max_filesize = 2M/upload_max_filesize = 100M/g" /etc/php/$version/fpm/php.ini
 sed -i "s/post_max_size = 8M/post_max_size = 100M/g" /etc/php/$version/fpm/php.ini
 sed -i "s/max_execution_time = 30/max_execution_time = 60/g" /etc/php/$version/fpm/php.ini
+sed -i "s/;max_input_vars = 1000/max_input_vars = 4000/g" /etc/php/$version/fpm/php.ini
+
+# Disable exec and other harmfull php functions
+sed -i "s/disable_functions =.*/disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,exec,system,passthru,shell_exec,proc_open,popen/g" /etc/php/$version/fpm/php.ini
+
+sed -i "s/disable_functions =.*/disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,exec,system,passthru,shell_exec,proc_open,popen/g" /etc/php/$version/cli/php.ini
+
+# Other use full changes
+sed -i "s/;opcache.enable=1/opcache.enable=1/g" /etc/php/$version/fpm/php.ini
+sed -i "s/;opcache.memory_consumption=128/opcache.memory_consumption=512/g" /etc/php/$version/fpm/php.ini
+sed -i "s/;opcache.max_accelerated_files=10000/opcache.max_accelerated_files=100000/g" /etc/php/$version/fpm/php.ini
 
 # Install backend template
 cp -f $HESTIA_INSTALL_DIR/php-fpm/multiphp.tpl \
diff --git a/install/deb/php-fpm/dummy.conf b/install/deb/php-fpm/dummy.conf
@@ -1,10 +1,13 @@
 ; origin-src: deb/php-fpm/dummy.conf
 
-[www]
-listen = 127.0.0.1:9999
-listen.allowed_clients = 127.0.0.1
+[wwww]
+listen = /run/php/php%backend_version%-fpm.dummy.sock
+listen.owner = hestiamail
+listen.group = www-data
+listen.mode = 0660
 
-user = www-data
+;"hestiamail" user created to prevent users from abusing this config
+user = hestiamail
 group = www-data
 
 pm = ondemand
diff --git a/install/deb/php-fpm/www.conf b/install/deb/php-fpm/www.conf
@@ -4,7 +4,8 @@
 listen = 127.0.0.1:9000
 listen.allowed_clients = 127.0.0.1
 
-user = www-data
+;"hestiamail" user created to prevent users from abusing this config
+user = hestiamail
 group = www-data
 
 pm = ondemand
diff --git a/install/hst-install-debian.sh b/install/hst-install-debian.sh
@@ -1127,6 +1127,9 @@ random_password=$(gen_pass '32')
 # do not allow login into hestiaweb user
 echo hestiaweb:$random_password | sudo chpasswd -e
 
+# Create user for php-fpm configs
+/usr/sbin/useradd "hestiamail" -c "$email" --no-create-home
+
 # Enable SFTP subsystem for SSH
 sftp_subsys_enabled=$(grep -iE "^#?.*subsystem.+(sftp )?sftp-server" /etc/ssh/sshd_config)
 if [ -n "$sftp_subsys_enabled" ]; then
diff --git a/install/hst-install-ubuntu.sh b/install/hst-install-ubuntu.sh
@@ -1095,6 +1095,9 @@ random_password=$(gen_pass '32')
 # do not allow login into hestiaweb user
 echo hestiaweb:$random_password | sudo chpasswd -e
 
+# Create user for php-fpm configs
+/usr/sbin/useradd "hestiamail" -c "$email" --no-create-home
+
 # Enable SFTP subsystem for SSH
 sftp_subsys_enabled=$(grep -iE "^#?.*subsystem.+(sftp )?sftp-server" /etc/ssh/sshd_config)
 if [ -n "$sftp_subsys_enabled" ]; then
diff --git a/install/upgrade/manual/secure_php.sh b/install/upgrade/manual/secure_php.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# info: Secure websites FPM / CLI against basic executions if you use such functions remove them form the list
+
+sed -i "s/disable_functions =.*/disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,exec,system,passthru,shell_exec,proc_open,popen/g" /etc/php/*/fpm/php.ini
+
+sed -i "s/disable_functions =.*/disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,exec,system,passthru,shell_exec,proc_open,popen/g" /etc/php/*/cli/php.ini
diff --git a/install/upgrade/versions/1.8.9.sh b/install/upgrade/versions/1.8.9.sh
@@ -33,3 +33,18 @@ if [ -f /etc/nginx/nginx.conf ]; then
 	echo "[ * ] Mitigate HTTP/2 Rapid Reset Attack via Nginx CVE CVE-2023-44487"
 	sed -i -E 's/(.*keepalive_requests\s{1,})10000;/\11000;/' /etc/nginx/nginx.conf /usr/local/hestia/nginx/conf/nginx.conf
 fi
+
+# Fix security issue wit FPM pools
+if [ -z "$(grep ^hestiamail: /etc/passwd)" ]; then
+	echo "[ * ] Limit permissions www.conf and dummy.conf"
+	/usr/sbin/useradd "hestiamail" -c "$email" --no-create-home
+
+	sed -i "s/user = www-data/user = hestiamail/g" /etc/php/*/fpm/pool.d/www.conf
+
+	php_versions=$($BIN/v-list-sys-php plain)
+	# Substitute php-fpm service name formats
+	for version in $php_versions; do
+		cp -f $HESTIA_INSTALL_DIR/php-fpm/dummy.conf /etc/php/$version/fpm/pool.d/
+		sed -i "s/%backend_version%/$version/g" /etc/php/$version/fpm/pool.d/dummy.conf
+	done
+fi
