From b51c22aecea55a2edb0e5fa712b297465a444b28 Mon Sep 17 00:00:00 2001
From: Till Brehm <tbrehm@ispconfig.org>
Date: Thu, 14 Aug 2014 14:06:39 -0400
Subject: [PATCH] Fixed: FS#3624 - SSL cert for postfix not created on OpenSuSE Linux during install
---
server/plugins-available/shelluser_base_plugin.inc.php | 46 +++++++++++++++++++++++++++++++++++++++-------
1 files changed, 39 insertions(+), 7 deletions(-)
diff --git a/server/plugins-available/shelluser_base_plugin.inc.php b/server/plugins-available/shelluser_base_plugin.inc.php
index 0ceced9..3cb9d36 100755
--- a/server/plugins-available/shelluser_base_plugin.inc.php
+++ b/server/plugins-available/shelluser_base_plugin.inc.php
@@ -58,19 +58,25 @@
/*
Register for the events
*/
-
+
$app->plugins->registerEvent('shell_user_insert', $this->plugin_name, 'insert');
$app->plugins->registerEvent('shell_user_update', $this->plugin_name, 'update');
$app->plugins->registerEvent('shell_user_delete', $this->plugin_name, 'delete');
-
+
}
function insert($event_name, $data) {
global $app, $conf;
-
- $app->uses('system');
+
+ $app->uses('system,getconf');
+
+ $security_config = $app->getconf->get_security_config('permissions');
+ if($security_config['allow_shell_user'] != 'yes') {
+ $app->log('Shell user plugin disabled by security settings.',LOGLEVEL_WARN);
+ return false;
+ }
//* Check if the resulting path is inside the docroot
$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".intval($data['new']['parent_domain_id']));
@@ -80,6 +86,13 @@
}
if(strpos($data['new']['dir'], '/../') !== false || substr($data['new']['dir'],-3) == '/..') {
$app->log('Directory of the shell user is not valid.',LOGLEVEL_WARN);
+ return false;
+ }
+
+ if(!$app->system->is_allowed_user($data['new']['username'], false, false)
+ || !$app->system->is_allowed_user($data['new']['puser'], true, true)
+ || !$app->system->is_allowed_group($data['new']['pgroup'], true, true)) {
+ $app->log('Shell user must not be root or in group root.',LOGLEVEL_WARN);
return false;
}
@@ -137,7 +150,13 @@
function update($event_name, $data) {
global $app, $conf;
- $app->uses('system');
+ $app->uses('system,getconf');
+
+ $security_config = $app->getconf->get_security_config('permissions');
+ if($security_config['allow_shell_user'] != 'yes') {
+ $app->log('Shell user plugin disabled by security settings.',LOGLEVEL_WARN);
+ return false;
+ }
//* Check if the resulting path is inside the docroot
$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".intval($data['new']['parent_domain_id']));
@@ -151,6 +170,13 @@
return false;
}
+ if(!$app->system->is_allowed_user($data['new']['username'], false, false)
+ || !$app->system->is_allowed_user($data['new']['puser'], true, true)
+ || !$app->system->is_allowed_group($data['new']['pgroup'], true, true)) {
+ $app->log('Shell user must not be root or in group root.',LOGLEVEL_WARN);
+ return false;
+ }
+
if($app->system->is_user($data['new']['puser'])) {
// Get the UID of the parent user
$uid = intval($app->system->getuid($data['new']['puser']));
@@ -209,7 +235,13 @@
function delete($event_name, $data) {
global $app, $conf;
- $app->uses('system');
+ $app->uses('system,getconf');
+
+ $security_config = $app->getconf->get_security_config('permissions');
+ if($security_config['allow_shell_user'] != 'yes') {
+ $app->log('Shell user plugin disabled by security settings.',LOGLEVEL_WARN);
+ return false;
+ }
if($app->system->is_user($data['old']['username'])) {
// Get the UID of the user
@@ -217,7 +249,7 @@
if($userid > $this->min_uid) {
// We delete only non jailkit users, jailkit users will be deleted by the jailkit plugin.
if ($data['old']['chroot'] != "jailkit") {
- $command = 'userdel -f';
+ $command = 'killall -u '.escapeshellcmd($data['old']['username']).' ; userdel -f';
$command .= ' '.escapeshellcmd($data['old']['username']).' &> /dev/null';
exec($command);
$app->log("Deleted shelluser: ".$data['old']['username'], LOGLEVEL_DEBUG);
--
Gitblit v1.9.1