From 1c40af89512efe74f2a5dbb56a523ee2a7c3f64b Mon Sep 17 00:00:00 2001
From: tbrehm <t.brehm@ispconfig.org>
Date: Mon, 24 Aug 2009 11:37:53 -0400
Subject: [PATCH] Added a fix to adjust website permissions in high security level.
---
server/plugins-available/apache2_plugin.inc.php | 52 +++++++++++++++++++++++++++++++++++++++-------------
1 files changed, 39 insertions(+), 13 deletions(-)
diff --git a/server/plugins-available/apache2_plugin.inc.php b/server/plugins-available/apache2_plugin.inc.php
index 1a962ec..087b5c4 100644
--- a/server/plugins-available/apache2_plugin.inc.php
+++ b/server/plugins-available/apache2_plugin.inc.php
@@ -461,40 +461,59 @@
if($this->action == 'insert') {
// Chown and chmod the directories below the document root
- exec("chown -R $username:$groupname ".escapeshellcmd($data["new"]["document_root"]));
-
- // The document root itself has to be owned by root
- exec("chown root:root ".escapeshellcmd($data["new"]["document_root"]));
+ $this->_exec("chown -R $username:$groupname ".escapeshellcmd($data["new"]["document_root"]));
+ // The document root itself has to be owned by root in normal level and by the web owner in security level 20
+ if($web_config['security_level'] == 20) {
+ $this->_exec("chown $username:$groupname ".escapeshellcmd($data["new"]["document_root"]));
+ } else {
+ $this->_exec("chown root:root ".escapeshellcmd($data["new"]["document_root"]));
+ }
}
- // If the security level is set to high
+ //* If the security level is set to high
if($web_config['security_level'] == 20) {
- exec("chmod 711 ".escapeshellcmd($data["new"]["document_root"]."/"));
- exec("chmod 711 ".escapeshellcmd($data["new"]["document_root"])."/*");
- exec("chmod 710 ".escapeshellcmd($data["new"]["document_root"]."/web"));
+ $this->_exec("chmod 751 ".escapeshellcmd($data["new"]["document_root"]."/"));
+ $this->_exec("chmod 751 ".escapeshellcmd($data["new"]["document_root"])."/*");
+ $this->_exec("chmod 710 ".escapeshellcmd($data["new"]["document_root"]."/web"));
// make temp direcory writable for the apache user and the website user
- exec("chmod 777 ".escapeshellcmd($data["new"]["document_root"]."/tmp"));
+ $this->_exec("chmod 777 ".escapeshellcmd($data["new"]["document_root"]."/tmp"));
$command = 'usermod';
$command .= ' --groups sshusers';
$command .= ' '.escapeshellcmd($data["new"]["system_user"]);
- exec($command);
+ $this->_exec($command);
//* add the apache user to the client group
$app->system->add_user_to_group($groupname, escapeshellcmd($web_config['user']));
+ $this->_exec("chown $username:$groupname ".escapeshellcmd($data["new"]["document_root"]));
+
+ /*
+ * Workaround for jailkit: If jailkit is enabled for the site, the
+ * website root has to be owned by the root user and we have to chmod it to 755 then
+ */
+
+ //* Check if there is a jailkit user for this site
+ $tmp = $app->db->queryOneRecord("SELECT count(shell_user_id) as number FROM shell_user WHERE parent_domain_id = ".$data["new"]["domain_id"]." AND chroot = 'jailkit'");
+ if($tmp['number'] > 0) {
+ $this->_exec("chmod 755 ".escapeshellcmd($data["new"]["document_root"]."/"));
+ $this->_exec("chown root:root ".escapeshellcmd($data["new"]["document_root"]."/"));
+ }
+ unset($tmp);
+
// If the security Level is set to medium
} else {
- exec("chmod 755 ".escapeshellcmd($data["new"]["document_root"]."/"));
- exec("chmod 755 ".escapeshellcmd($data["new"]["document_root"]."/*"));
+ $this->_exec("chmod 755 ".escapeshellcmd($data["new"]["document_root"]."/"));
+ $this->_exec("chmod 755 ".escapeshellcmd($data["new"]["document_root"]."/*"));
+ $this->_exec("chown root:root ".escapeshellcmd($data["new"]["document_root"]."/"));
// make temp direcory writable for the apache user and the website user
- exec("chmod 777 ".escapeshellcmd($data["new"]["document_root"]."/tmp"));
+ $this->_exec("chmod 777 ".escapeshellcmd($data["new"]["document_root"]."/tmp"));
}
@@ -898,6 +917,13 @@
}
+ //* Wrapper for exec function for easier debugging
+ private function _exec($command) {
+ global $app;
+ $app->log("exec: ".$command,LOGLEVEL_DEBUG);
+ exec($command);
+ }
+
} // end class
--
Gitblit v1.9.1