From 9fb2f915d3c7610635c481247235a5d5fb95cf65 Mon Sep 17 00:00:00 2001
From: Bozhidar
Date: Mon, 22 Apr 2024 16:56:29 +0300
Subject: [PATCH] fix user home permissions
---
 web/app/Actions/CreateLinuxWebUser.php | 12 ++++++------
 web/app/Models/Domain.php | 8 ++++----
 web/tests/Unit/SecurityTest.php | 8 ++++++--
 3 files changed, 16 insertions(+), 12 deletions(-)
diff --git a/web/app/Actions/CreateLinuxWebUser.php b/web/app/Actions/CreateLinuxWebUser.php
index 113893f8..1f5667cd 100644
--- a/web/app/Actions/CreateLinuxWebUser.php
+++ b/web/app/Actions/CreateLinuxWebUser.php
@@ -30,16 +30,16 @@ public function handle()
 $password = $this->password;
 $command = 'adduser --disabled-password --gecos "" "'.$username.'"';
- $output .= ShellApi::exec($command);
-
-// $command = 'groupadd '.$username;
-// $output .= ShellApi::exec($command);
+ $output .= shell_exec($command);
 $command = 'usermod -a -G www-data '.$username;
- $output .= ShellApi::exec($command);
+ $output .= shell_exec($command);
 $command = 'echo '.$username.':'.$password.' | chpasswd -e';
- $output .= ShellApi::exec($command);
+ $output .= shell_exec($command);
+
+ $command = 'chmod 711 /home/'.$username;
+ $output .= shell_exec($command);
 return $output;
 }
diff --git a/web/app/Models/Domain.php b/web/app/Models/Domain.php
index 1fdaa2e9..43ee95bd 100644
--- a/web/app/Models/Domain.php
+++ b/web/app/Models/Domain.php
@@ -108,13 +108,13 @@ public function configureVirtualHost()
 }
 if (!is_dir($this->domain_root)) {
- mkdir($this->domain_root, 0755, true);
+ mkdir($this->domain_root, 0711, true);
 }
 if (!is_dir($this->domain_public)) {
 mkdir($this->domain_public, 0755, true);
 }
 if (!is_dir($this->home_root)) {
- mkdir($this->home_root, 0755, true);
+ mkdir($this->home_root, 0711, true);
 }
 if ($this->is_installed_default_app_template == null) {
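Review bot: The added `chmod 711 /home/'.$username` line, like the `usermod` and `chpasswd` lines above it, concatenates `$username` (and `$password`) into a shell string without escaping, so a value containing shell metacharacters would alter the command, which presumably runs with elevated privileges since it creates system users. The new line does not need a shell at all: `chmod('/home/'.$username, 0711);` does the same job, and where a shell command stays each value should be wrapped, e.g. `'usermod -a -G www-data '.escapeshellarg($username)`. The `echo … | chpasswd -e` line also puts the password value on a command line and leaves any `$` in it open to shell expansion; whether `$this->password` is already a crypt hash is not visible here. Each `shell_exec` result is only appended to `$output`, so a failed `chmod` would go unnoticed and the home directory would keep whatever mode `adduser` gave it. handle() begins outside the hunk, so how `$username` is validated cannot be seen from here.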
@@ -174,8 +174,8 @@ public function configureVirtualHost()
 shell_exec('chown -R '.$findHostingSubscription->system_username.':'.$webUserGroup.' '.$this->domain_root);
 shell_exec('chown -R '.$findHostingSubscription->system_username.':'.$webUserGroup.' '.$this->domain_public);
- shell_exec('chmod -R 775 '.$this->home_root);
- shell_exec('chmod -R 775 '.$this->domain_root);
+ shell_exec('chmod -R 0711 '.$this->home_root);
+ shell_exec('chmod -R 0711 '.$this->domain_root);
 shell_exec('chmod -R 775 '.$this->domain_public);
 $appType = 'php';
diff --git a/web/tests/Unit/SecurityTest.php b/web/tests/Unit/SecurityTest.php
index 50052323..308687a9 100644
--- a/web/tests/Unit/SecurityTest.php
+++ b/web/tests/Unit/SecurityTest.php
@@ -80,7 +80,8 @@ public function testSecurity()
 $userHomeDir = '/home/' . $hostingSubscription['system_username'];
 $this->assertDirectoryExists($userHomeDir);
 $getUserHomeDirPermission = substr(sprintf('%o', fileperms($userHomeDir)), -4);
- $this->assertSame('0775', $getUserHomeDirPermission);
+ $this->assertSame('0711', $getUserHomeDirPermission);
+ // 0711 - is the correct permission for /home/$user directory, because it is a home directory and it should be accessible only by the user and root.
 // Check domain dir permissions
 $domainDir = '/home/' . $hostingSubscription['system_username'] . '/public_html';
@@ -117,7 +118,10 @@ public function testSecurity()
 $this->assertTrue(str_contains($output, 'public_html'));
 $this->assertTrue(str_contains($output, $hostingSubscription['system_username']));
-
+ // Try to open /home/$user directory with another linux user
+ $output = shell_exec("sudo -H -u ".$secondHostingSubscription['system_username']." bash -c 'ls -la /home/".$hostingSubscription['system_username']."'");
+ $this->assertSame($output, null);
+
 }
 }
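Review bot: `chmod -R 0711` on `home_root` and `domain_root` rewrites the mode of every file and subdirectory beneath them, not only the two directories, so regular files gain the execute bit and lose group/other read each time configureVirtualHost() runs. The permission this commit is after only needs the directories themselves, and that can be set without a shell: `chmod($this->home_root, 0711);` and `chmod($this->domain_root, 0711);`. The unchanged `chmod -R 775` on `domain_public` that follows leaves the web root group-writable and marks every file in it executable, which is worth revisiting in the same pass. The paths and the username are concatenated into these shell strings unescaped; if the shell calls stay, each value should go through `escapeshellarg()`. The function starts and ends outside the hunk.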
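Review bot: The comment added under `assertSame('0711', …)` says the home directory is "accessible only by the user and root", but mode 0711 gives group and others search (`x`) permission: they cannot list the directory, yet they can still reach any entry inside it whose path they know and whose own mode allows it. I would reword it to `// 0711: owner has full access; group and others may traverse the directory but cannot list it.` The distinction matters for what this test proves, because the contents are protected by the modes of the subdirectories and files, not by the home directory alone. testSecurity() continues outside the hunk.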
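Review bot: `$this->assertSame($output, null)` passes whenever `shell_exec` returns null, which happens both when `ls` is denied and when the command never ran as intended (sudo not permitted, the second user missing), because stderr is not captured and the exit status is never checked. Checking the status makes the assertion mean something: with `$cmd` holding the same sudo string, `exec($cmd, $lines, $exitCode);` followed by `$this->assertNotSame(0, $exitCode);`, ideally after a control call that runs a harmless command as the second user and expects success. The arguments are also in (actual, expected) order; `$this->assertNull($output);` reads better if the null check stays. Only listing is tested here, so an assertion that the second user cannot read a known file under the first user's home would cover what 0711 leaves to the subdirectories' own modes.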