Merge branch 'servicing' into release

hestiacp · Oct 24, 2023 · 8e56b9b · 8e56b9b
2 parents 67e9f57 + 819bba0
commit 8e56b9b
Show file tree

Hide file tree

Showing 11 changed files with 53 additions and 9 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,11 +2,18 @@
 
 All notable changes to this project will be documented in this file.
 
+## [1.8.10] - Service release
+
+### Bug fixes
+
+- Include missed changes
+- Include https://github.com/hestiacp/hestiacp/blob/main/install/upgrade/manual/secure_php.sh
+
 ## [1.8.9] - Service release
 
 ### Security
 
-- Restrict PHP-FPM permissions to a new user to prevent permission escalation to admin or other users
+- Restrict PHP-FPM permissions to a new user to prevent permission escalation to admin or other users [CVE-xxxx-xxxxx](https://huntr.com/bounties/21125f12-64a0-42a3-b218-26b9945a5bc0/)
 - Reduce Nginx keepalive_requests to 1000 ([Nginx default](https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/#http2_max_concurrent_streams)) to limit risks of [CVE-2023-44487](https://www.cve.org/CVERecord?id=CVE-2023-44487)
 
 ### Bug fixes

diff --git a/bin/v-add-web-php b/bin/v-add-web-php
@@ -139,6 +139,17 @@ sed -i "s/fpm_v/$version/g" /etc/php/$version/fpm/php-fpm.conf
 sed -i "s/upload_max_filesize = 2M/upload_max_filesize = 100M/g" /etc/php/$version/fpm/php.ini
 sed -i "s/post_max_size = 8M/post_max_size = 100M/g" /etc/php/$version/fpm/php.ini
 sed -i "s/max_execution_time = 30/max_execution_time = 60/g" /etc/php/$version/fpm/php.ini
+sed -i "s/;max_input_vars = 1000/max_input_vars = 4000/g" /etc/php/$version/fpm/php.ini
+
+# Disable exec and other harmfull php functions
+sed -i "s/disable_functions =.*/disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,exec,system,passthru,shell_exec,proc_open,popen/g" /etc/php/$version/fpm/php.ini
+
+sed -i "s/disable_functions =.*/disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,exec,system,passthru,shell_exec,proc_open,popen/g" /etc/php/$version/cli/php.ini
+
+# Other use full changes
+sed -i "s/;opcache.enable=1/opcache.enable=1/g" /etc/php/$version/fpm/php.ini
+sed -i "s/;opcache.memory_consumption=128/opcache.memory_consumption=512/g" /etc/php/$version/fpm/php.ini
+sed -i "s/;opcache.max_accelerated_files=10000/opcache.max_accelerated_files=100000/g" /etc/php/$version/fpm/php.ini
 
 # Install backend template
 cp -f $HESTIA_INSTALL_DIR/php-fpm/multiphp.tpl \

diff --git a/bin/v-backup-users b/bin/v-backup-users
@@ -31,7 +31,7 @@ mysqlrepair --all-databases --check --auto-repair > /dev/null 2>&1
 if [ -z "$BACKUP_SYSTEM" ]; then
 	exit
 fi
-for user in $($BIN/v-list-sys-users plain); do
+for user in $($BIN/v-list-users list); do
 	check_suspend=$(grep "SUSPENDED='no'" $HESTIA/data/users/$user/user.conf)
 	log=$HESTIA/log/backup.log
 	if [ ! -f "$HESTIA/data/users/$user/user.conf" ]; then

diff --git a/bin/v-list-users b/bin/v-list-users
@@ -176,6 +176,17 @@ raw_list() {
 	done < <(grep '@' /etc/passwd | cut -f1 -d:)
 }
 
+# USER ONLY list function
+only_user_list() {
+	while read USER; do
+		if [ ! -f "$HESTIA/data/users/$USER/user.conf" ]; then
+			continue
+		fi
+		source_conf "$HESTIA/data/users/$USER/user.conf"
+		echo "$USER"
+	done < <(grep '@' /etc/passwd | cut -f1 -d:)
+}
+
 #----------------------------------------------------------#
 #                       Action                             #
 #----------------------------------------------------------#
@@ -186,6 +197,7 @@ case $format in
 	plain) plain_list ;;
 	csv) csv_list ;;
 	shell) shell_list | column -t ;;
+	list) only_user_list ;;
 esac
 
 #----------------------------------------------------------#

diff --git a/install/deb/php-fpm/dummy.conf b/install/deb/php-fpm/dummy.conf
@@ -1,12 +1,13 @@
 ; origin-src: deb/php-fpm/dummy.conf
 
-[wwww]
+[www]
 listen = /run/php/php%backend_version%-fpm.dummy.sock
 listen.owner = hestiamail
 listen.group = www-data
 listen.mode = 0660
 
-user = www-data
+;"hestiamail" user created to prevent users from abusing this config
+user = hestiamail
 group = www-data
 
 pm = ondemand

diff --git a/install/deb/php-fpm/www.conf b/install/deb/php-fpm/www.conf
@@ -4,7 +4,8 @@
 listen = 127.0.0.1:9000
 listen.allowed_clients = 127.0.0.1
 
-user = www-data
+;"hestiamail" user created to prevent users from abusing this config
+user = hestiamail
 group = www-data
 
 pm = ondemand

diff --git a/install/hst-install-debian.sh b/install/hst-install-debian.sh
@@ -31,7 +31,7 @@ HESTIA_COMMON_DIR="$HESTIA/install/common"
 VERBOSE='no'
 
 # Define software versions
-HESTIA_INSTALL_VER='1.8.9'
+HESTIA_INSTALL_VER='1.8.10'
 # Dependencies
 multiphp_v=("5.6" "7.0" "7.1" "7.2" "7.3" "7.4" "8.0" "8.1" "8.2")
 fpm_v="8.2"
@@ -1044,6 +1044,9 @@ rm -f /usr/sbin/policy-rc.d
 
 echo "[ * ] Configuring system settings..."
 
+# Create user for php-fpm configs
+/usr/sbin/useradd "hestiamail" -c "$email" --no-create-home
+
 # Enable SFTP subsystem for SSH
 sftp_subsys_enabled=$(grep -iE "^#?.*subsystem.+(sftp )?sftp-server" /etc/ssh/sshd_config)
 if [ -n "$sftp_subsys_enabled" ]; then

diff --git a/install/hst-install-ubuntu.sh b/install/hst-install-ubuntu.sh
@@ -31,7 +31,7 @@ HESTIA_COMMON_DIR="$HESTIA/install/common"
 VERBOSE='no'
 
 # Define software versions
-HESTIA_INSTALL_VER='1.8.9'
+HESTIA_INSTALL_VER='1.8.10'
 # Dependencies
 multiphp_v=("5.6" "7.0" "7.1" "7.2" "7.3" "7.4" "8.0" "8.1" "8.2")
 fpm_v="8.2"
@@ -1025,6 +1025,9 @@ rm -f /usr/sbin/policy-rc.d
 
 echo "[ * ] Configuring system settings..."
 
+# Create user for php-fpm configs
+/usr/sbin/useradd "hestiamail" -c "$email" --no-create-home
+
 # Enable SFTP subsystem for SSH
 sftp_subsys_enabled=$(grep -iE "^#?.*subsystem.+(sftp )?sftp-server" /etc/ssh/sshd_config)
 if [ -n "$sftp_subsys_enabled" ]; then

diff --git a/install/upgrade/manual/secure_php.sh b/install/upgrade/manual/secure_php.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# info: Secure websites FPM / CLI against basic executions if you use such functions remove them form the list
+
+sed -i "s/disable_functions =.*/disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,exec,system,passthru,shell_exec,proc_open,popen/g" /etc/php/*/fpm/php.ini
+
+sed -i "s/disable_functions =.*/disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,exec,system,passthru,shell_exec,proc_open,popen/g" /etc/php/*/cli/php.ini
diff --git a/src/deb/hestia/control b/src/deb/hestia/control
@@ -1,7 +1,7 @@
 Source: hestia
 Package: hestia
 Priority: optional
-Version: 1.8.9
+Version: 1.8.10
 Section: admin
 Maintainer: HestiaCP <info@hestiacp.com>
 Homepage: https://www.hestiacp.com

diff --git a/src/rpm/hestia/hestia.spec b/src/rpm/hestia/hestia.spec
@@ -2,7 +2,7 @@
 %global _hardened_build 1
 
 Name:           hestia
-Version:        1.8.9
+Version:        1.8.10
 Release:        1%{dist}
 Summary:        Hestia Control Panel
 Group:          System Environment/Base