From abd9b232ad25496f8eeee6b133f27e44e068a7c5 Mon Sep 17 00:00:00 2001
From: tbrehm <t.brehm@ispconfig.org>
Date: Sun, 05 Jul 2009 09:09:38 -0400
Subject: [PATCH] Added openbasedir restriction to fcgi starter script.
---
server/plugins-available/apache2_plugin.inc.php | 32 ++++++++++++++++++++++++++++----
1 files changed, 28 insertions(+), 4 deletions(-)
diff --git a/server/plugins-available/apache2_plugin.inc.php b/server/plugins-available/apache2_plugin.inc.php
index 18e0a75..70df9f0 100644
--- a/server/plugins-available/apache2_plugin.inc.php
+++ b/server/plugins-available/apache2_plugin.inc.php
@@ -443,7 +443,7 @@
$username = escapeshellcmd($data["new"]["system_user"]);
if($data["new"]["system_user"] != '' && !$app->system->is_user($data["new"]["system_user"])) {
- exec("useradd -d ".escapeshellcmd($data["new"]["document_root"])." -g $groupname $username -s /bin/false");
+ exec("useradd -d ".escapeshellcmd($data["new"]["document_root"])." -g $groupname -G sshusers $username -s /bin/false");
$app->log("Adding the user: $username",LOGLEVEL_DEBUG);
}
@@ -459,7 +459,6 @@
exec("setquota -T -u $username 604800 604800 -a &> /dev/null");
}
-
if($this->action == 'insert') {
// Chown and chmod the directories below the document root
exec("chown -R $username:$groupname ".escapeshellcmd($data["new"]["document_root"]));
@@ -468,8 +467,27 @@
exec("chown root:root ".escapeshellcmd($data["new"]["document_root"]));
}
- // make temp direcory writable for the apache user and the website user
- exec("chmod 777 ".escapeshellcmd($data["new"]["document_root"]."/tmp"));
+
+
+ // If the security level is set to high
+ if($web_config['security_level'] == 20) {
+
+ exec("chmod 711 ".escapeshellcmd($data["new"]["document_root"]."/"));
+ exec("chmod 711 ".escapeshellcmd($data["new"]["document_root"])."/*");
+ exec("chmod 710 ".escapeshellcmd($data["new"]["document_root"]."/web"));
+
+ //* add the apache user to the client group
+ $app->system->add_user_to_group($groupname, escapeshellcmd($web_config['user']));
+
+ // If the security Level is set to medium
+ } else {
+
+ exec("chmod 755 ".escapeshellcmd($data["new"]["document_root"]."/"));
+ exec("chmod 755 ".escapeshellcmd($data["new"]["document_root"]."/*"));
+
+ // make temp direcory writable for the apache user and the website user
+ exec("chmod 777 ".escapeshellcmd($data["new"]["document_root"]."/tmp"));
+ }
// Create the vhost config file
@@ -482,6 +500,7 @@
$vhost_data["web_document_root"] = $data["new"]["document_root"]."/web";
$vhost_data["web_document_root_www"] = $web_config["website_basedir"]."/".$data["new"]["domain"]."/web";
$vhost_data["web_basedir"] = $web_config["website_basedir"];
+ $vhost_data["security_level"] = $web_config["security_level"];
// Check if a SSL cert exists
$ssl_dir = $data["new"]["document_root"]."/ssl";
@@ -506,6 +525,7 @@
// Rewrite rules
$rewrite_rules = array();
if($data["new"]["redirect_type"] != '') {
+ if(substr($data["new"]["redirect_path"],-1) != '/') $data["new"]["redirect_path"] .= '/';
$rewrite_rules[] = array( 'rewrite_domain' => $data["new"]["domain"],
'rewrite_type' => ($data["new"]["redirect_type"] == 'no')?'':'['.$data["new"]["redirect_type"].']',
'rewrite_target' => $data["new"]["redirect_path"]);
@@ -552,6 +572,7 @@
$app->log("Add server alias: $alias[domain]",LOGLEVEL_DEBUG);
// Rewriting
if($alias["redirect_type"] != '') {
+ if(substr($data["new"]["redirect_path"],-1) != '/') $data["new"]["redirect_path"] .= '/';
$rewrite_rules[] = array( 'rewrite_domain' => $alias["domain"],
'rewrite_type' => ($alias["redirect_type"] == 'no')?'':'['.$alias["redirect_type"].']',
'rewrite_target' => $alias["redirect_path"]);
@@ -747,6 +768,9 @@
// request a httpd reload when all records have been processed
$app->services->restartServiceDelayed('httpd','reload');
+ //* Unset action to clean it for next processed vhost.
+ $this->action = '';
+
}
function delete($event_name,$data) {
--
Gitblit v1.9.1