From 359a6b03d0a266d59c31a20f84798c49654df271 Mon Sep 17 00:00:00 2001
From: tbrehm <t.brehm@ispconfig.org>
Date: Tue, 18 Jun 2013 09:00:58 -0400
Subject: [PATCH] Fixed: FS#3008 - Insecure permissions on SSL Key Files when key is created outside of ispconfig

---
 server/plugins-available/nginx_plugin.inc.php |   15 +++++++++------
 1 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/server/plugins-available/nginx_plugin.inc.php b/server/plugins-available/nginx_plugin.inc.php
index 3286117..44159ae 100644
--- a/server/plugins-available/nginx_plugin.inc.php
+++ b/server/plugins-available/nginx_plugin.inc.php
@@ -243,6 +243,7 @@
 			if(trim($data["new"]["ssl_cert"]) != '') $app->system->file_put_contents($crt_file,$data["new"]["ssl_cert"]);
 			//if(trim($data["new"]["ssl_bundle"]) != '') $app->system->file_put_contents($bundle_file,$data["new"]["ssl_bundle"]);
 			if(trim($data["new"]["ssl_key"]) != '') $app->system->file_put_contents($key_file2,$data["new"]["ssl_key"]);
+			$app->system->chmod($key_file2,0400);
 			
 			// for nginx, bundle files have to be appended to the certificate file
 			if(trim($data["new"]["ssl_bundle"]) != ''){				
@@ -678,6 +679,9 @@
 			}
 		}
 
+		//* add the nginx user to the client group if this is a vhost and security level is set to high, no matter if this is an insert or update and regardless of set_folder_permissions_on_update
+		if($data['new']['type'] == 'vhost' && $web_config['security_level'] == 20) $app->system->add_user_to_group($groupname, escapeshellcmd($web_config['nginx_user']));
+		
 		//* If the security level is set to high
 		if(($this->action == 'insert' && $data['new']['type'] == 'vhost') or ($web_config['set_folder_permissions_on_update'] == 'y' && $data['new']['type'] == 'vhost')) {
 		
@@ -716,13 +720,10 @@
 					//* add the nginx user to the client group in the chroot environment
 					$tmp_groupfile = $app->system->server_conf['group_datei'];
 					$app->system->server_conf['group_datei'] = $web_config['website_basedir'].'/etc/group';
-					$app->system->add_user_to_group($groupname, escapeshellcmd($web_config['user']));
+					$app->system->add_user_to_group($groupname, escapeshellcmd($web_config['nginx_user']));
 					$app->system->server_conf['group_datei'] = $tmp_groupfile;
 					unset($tmp_groupfile);
 				}
-
-				//* add the nginx user to the client group
-				$app->system->add_user_to_group($groupname, escapeshellcmd($web_config['nginx_user']));
 				
 				//* Chown all default directories
 				$app->system->chown($data['new']['document_root'],'root');
@@ -2526,8 +2527,10 @@
 				$app->log('Removed client directory: '.$client_dir,LOGLEVEL_DEBUG);
 			}
 			
-			$this->_exec('groupdel client'.$client_id);
-			$app->log('Removed group client'.$client_id,LOGLEVEL_DEBUG);
+			if($app->system->is_group('client'.$client_id)){
+				$this->_exec('groupdel client'.$client_id);
+				$app->log('Removed group client'.$client_id,LOGLEVEL_DEBUG);
+			}
 		}
 		
 	}

--
Gitblit v1.9.1