fix user home permissions

PhyreApps · Apr 22, 2024 · 9fb2f91 · 9fb2f91
1 parent 6fa04fd
commit 9fb2f91
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 12 deletions.
diff --git a/web/app/Actions/CreateLinuxWebUser.php b/web/app/Actions/CreateLinuxWebUser.php
@@ -30,16 +30,16 @@ public function handle()
         $password = $this->password;
 
         $command = 'adduser --disabled-password --gecos "" "'.$username.'"';
-        $output .= ShellApi::exec($command);
-
-//        $command = 'groupadd '.$username;
-//        $output .= ShellApi::exec($command);
+        $output .= shell_exec($command);
 
         $command = 'usermod -a -G www-data '.$username;
-        $output .= ShellApi::exec($command);
+        $output .= shell_exec($command);
 
         $command = 'echo '.$username.':'.$password.' | chpasswd -e';
-        $output .= ShellApi::exec($command);
+        $output .= shell_exec($command);
+
+        $command = 'chmod 711 /home/'.$username;
+        $output .= shell_exec($command);
 
         return $output;
     }

diff --git a/web/app/Models/Domain.php b/web/app/Models/Domain.php
@@ -108,13 +108,13 @@ public function configureVirtualHost()
         }
 
         if (!is_dir($this->domain_root)) {
-            mkdir($this->domain_root, 0755, true);
+            mkdir($this->domain_root, 0711, true);
         }
         if (!is_dir($this->domain_public)) {
             mkdir($this->domain_public, 0755, true);
         }
         if (!is_dir($this->home_root)) {
-            mkdir($this->home_root, 0755, true);
+            mkdir($this->home_root, 0711, true);
         }
 
         if ($this->is_installed_default_app_template == null) {
@@ -174,8 +174,8 @@ public function configureVirtualHost()
         shell_exec('chown -R '.$findHostingSubscription->system_username.':'.$webUserGroup.' '.$this->domain_root);
         shell_exec('chown -R '.$findHostingSubscription->system_username.':'.$webUserGroup.' '.$this->domain_public);
 
-        shell_exec('chmod -R 775 '.$this->home_root);
-        shell_exec('chmod -R 775 '.$this->domain_root);
+        shell_exec('chmod -R 0711 '.$this->home_root);
+        shell_exec('chmod -R 0711 '.$this->domain_root);
         shell_exec('chmod -R 775 '.$this->domain_public);
 
         $appType = 'php';

diff --git a/web/tests/Unit/SecurityTest.php b/web/tests/Unit/SecurityTest.php
@@ -80,7 +80,8 @@ public function testSecurity()
         $userHomeDir = '/home/' . $hostingSubscription['system_username'];
         $this->assertDirectoryExists($userHomeDir);
         $getUserHomeDirPermission = substr(sprintf('%o', fileperms($userHomeDir)), -4);
-        $this->assertSame('0775', $getUserHomeDirPermission);
+        $this->assertSame('0711', $getUserHomeDirPermission);
+        // 0711 - is the correct permission for /home/$user directory, because it is a home directory and it should be accessible only by the user and root.
 
         // Check domain dir permissions
         $domainDir = '/home/' . $hostingSubscription['system_username'] . '/public_html';
@@ -117,7 +118,10 @@ public function testSecurity()
         $this->assertTrue(str_contains($output, 'public_html'));
         $this->assertTrue(str_contains($output, $hostingSubscription['system_username']));
 
-
+        // Try to open /home/$user directory with another linux user
+        $output = shell_exec("sudo -H -u ".$secondHostingSubscription['system_username']." bash -c 'ls -la /home/".$hostingSubscription['system_username']."'");
+        $this->assertSame($output, null);
+
 
     }
 }