From 7536c8e4a052bc889e434da3f6df8ae47faedd3d Mon Sep 17 00:00:00 2001
From: Till Brehm <tbrehm@ispconfig.org>
Date: Mon, 25 Aug 2014 11:10:10 -0400
Subject: [PATCH] Updated security README.txt
---
install/dist/lib/opensuse.lib.php | 63 +++++++++++++++++++++++++++++--
1 files changed, 58 insertions(+), 5 deletions(-)
diff --git a/install/dist/lib/opensuse.lib.php b/install/dist/lib/opensuse.lib.php
index caef540..ea13cd2 100644
--- a/install/dist/lib/opensuse.lib.php
+++ b/install/dist/lib/opensuse.lib.php
@@ -130,7 +130,7 @@
function configure_postfix($options = '')
{
- global $conf;
+ global $conf,$autoinstall;
$cf = $conf['postfix'];
$config_dir = $cf['config_dir'];
@@ -264,6 +264,7 @@
$command = 'cd '.$config_dir.'; '
.'openssl req -new -outform PEM -out smtpd.cert -newkey rsa:4096 -nodes -keyout smtpd.key -keyform PEM -days 3650 -x509';
}
+ exec($command);
$command = 'chmod o= '.$config_dir.'/smtpd.key';
caselog($command.' &> /dev/null', __FILE__, __LINE__, 'EXECUTED: '.$command, 'Failed to execute the command '.$command);
@@ -499,6 +500,7 @@
$content = str_replace('{mysql_server_ispconfig_password}', $conf['mysql']['ispconfig_password'], $content);
$content = str_replace('{mysql_server_database}', $conf['mysql']['database'], $content);
$content = str_replace('{mysql_server_host}', $conf['mysql']['host'], $content);
+ $content = str_replace('{server_id}', $conf['server_id'], $content);
wf("$config_dir/$configfile", $content);
exec("chmod 600 $config_dir/$configfile");
@@ -902,6 +904,31 @@
//* copy the ISPConfig server part
$command = "cp -rf ../server $install_dir";
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+
+ //* Make a backup of the security settings
+ if(is_file('/usr/local/ispconfig/security/security_settings.ini')) copy('/usr/local/ispconfig/security/security_settings.ini','/usr/local/ispconfig/security/security_settings.ini~');
+
+ //* copy the ISPConfig security part
+ $command = 'cp -rf ../security '.$install_dir;
+ caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+
+ //* Apply changed security_settings.ini values to new security_settings.ini file
+ if(is_file('/usr/local/ispconfig/security/security_settings.ini~')) {
+ $security_settings_old = ini_to_array(file_get_contents('/usr/local/ispconfig/security/security_settings.ini~'));
+ $security_settings_new = ini_to_array(file_get_contents('/usr/local/ispconfig/security/security_settings.ini'));
+ if(is_array($security_settings_new) && is_array($security_settings_old)) {
+ foreach($security_settings_new as $section => $sval) {
+ if(is_array($sval)) {
+ foreach($sval as $key => $val) {
+ if(isset($security_settings_old[$section]) && isset($security_settings_old[$section][$key])) {
+ $security_settings_new[$section][$key] = $security_settings_old[$section][$key];
+ }
+ }
+ }
+ }
+ file_put_contents('/usr/local/ispconfig/security/security_settings.ini',array_to_ini($security_settings_new));
+ }
+ }
//* Create a symlink, so ISPConfig is accessible via web
// Replaced by a separate vhost definition for port 8080
@@ -1027,12 +1054,38 @@
$this->db->query($sql);
}
- //* Chmod the files
- $command = "chmod -R 750 $install_dir";
+ // chown install dir to root and chmod 755
+ $command = 'chown root:root '.$install_dir;
+ caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+ $command = 'chmod 755 '.$install_dir;
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
- //* chown the files to the ispconfig user and group
- $command = "chown -R ispconfig:ispconfig $install_dir";
+ //* Chmod the files and directories in the install dir
+ $command = 'chmod -R 750 '.$install_dir.'/*';
+ caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+
+ //* chown the interface files to the ispconfig user and group
+ $command = 'chown -R ispconfig:ispconfig '.$install_dir.'/interface';
+ caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+
+ //* chown the server files to the root user and group
+ $command = 'chown -R root:root '.$install_dir.'/server';
+ caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+
+ //* chown the security files to the root user and group
+ $command = 'chown -R root:root '.$install_dir.'/security';
+ caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+
+ //* chown the security directory and security_settings.ini to root:ispconfig
+ $command = 'chown root:ispconfig '.$install_dir.'/security/security_settings.ini';
+ caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+ $command = 'chown root:ispconfig '.$install_dir.'/security';
+ caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+ $command = 'chown root:ispconfig '.$install_dir.'/security/ids.whitelist';
+ caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+ $command = 'chown root:ispconfig '.$install_dir.'/security/ids.htmlfield';
+ caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+ $command = 'chown root:ispconfig '.$install_dir.'/security/apache_directives.blacklist';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
//* Make the global language file directory group writable
--
Gitblit v1.9.1