Hardening the system without breaking ISPConfig

[meemu]

Thanks Till. I hadn't checked the file's permissions. It's true.

Can I bother you with one more problem? I promise I'll write a howto for debian etch with fastcgi in the next couple of days.

I have a web application with a shared code base. It is used via Alias and shtml includes. The solution I came up with is is to add the sharing respective ispconfig user to the shared application's user group.
The weird thing is that ispconfig keeps overwriting my group file. In there I have:

sharedwebappgroup:x:9001:sharedwebappuser,www-data,web1_user

On changes in the ispconfig web interface it removes the web1_user

I thought it might use some sort of minimum gid but doesn't look like.

Is there a way of "protecting" this from overwrites by ispconfig?


Thanks in advance and for all your help

[falko]

Quote:

Originally Posted by meemu

sharedwebappgroup:x:9001:sharedwebappuser,www-data,web1_user

On changes in the ispconfig web interface it removes the web1_user

I thought it might use some sort of minimum gid but doesn't look like.

Is there a way of "protecting" this from overwrites by ispconfig?


Thanks in advance and for all your help

Are you talking about the /etc/group file? You'd have to modify the ISPConfig sources to change that behaviour.

[meemu]

Yes that's what I had in mind. Any starting points?

[falko]

The interesting functions are in /root/ispconfig/scripts/lib/classes/ispconfig_system.lib.php.

[meemu]

Does not look like an easy hack to me. I am not sure I understand what is happening here. In general, does it parse the whole group file, the parse it line by line and write it back? Or does it skip something under certain circumstances?
After a quick glance I have the feeling it parses it line by line, looks for any entries containing ispconfig groups/users and does an integrity check on those. Is that how it works?
What approach would you recommend for what I'm trying to do?
Something like a minimum gid and below that it won't touch the entry?

Thanks for all your help. I promise I'll convert the walkthrough into a howto as soon as I have gone live with this machine.

[meemu]

What I've found is this:

Code:

    foreach($group_file_lines as $group_file_line){
      if(trim($group_file_line) != ""){
        list($f1, $f2, $f3, $f4) = explode(":", $group_file_line);
        $group_users = explode(",", str_replace(" ", "", $f4));
        if(in_array($user_username, $group_users)){
          $g_users = array();
          foreach($group_users as $group_user){
            if($group_user != $user_username) $g_users[] = $group_user;
          }
          $f4 = implode(",", $g_users);
        }
        $new_group_file[] = $f1.":".$f2.":".$f3.":".$f4;
      }
    }

As far as I understand, this means the update script runs for each ispconf user. Checks each line of group and amends it according to what is in the ispconfig db (isp_isp_user, isp_dep tables).

I'd like to think something like this could solve my problem:

Code:

...
define (GID_MIN_PROTECTED,9000);
define (GID_MAX_PROTECTED,9999);
...
    foreach($group_file_lines as $group_file_line){
      if(trim($group_file_line) != ""){
        list($f1, $f2, $f3, $f4) = explode(":", $group_file_line);
        $group_users = explode(",", str_replace(" ", "", $f4));
        if(  ($f3 >= GID_MIN_PROTECTED) && ($f3 <= GID_MAX_PROTECTED) ) { 
          $new_group_file[] = $f1.":".$f2.":".$f3.":".$f4;
          continue;
        }
        if(in_array($user_username, $group_users)){
          $g_users = array();
          foreach($group_users as $group_user){
            if($group_user != $user_username) $g_users[] = $group_user;
          }
          $f4 = implode(",", $g_users);
        }
        $new_group_file[] = $f1.":".$f2.":".$f3.":".$f4;
      }
    }

Would this break something?


Thanks

[meemu]

turning this into my blog...

actually I think this might be more elegant:

Code:

        if($f3 < $this->server_conf["groupid_von"]) {
          $new_group_file[] = $f1.":".$f2.":".$f3.":".$f4;
          continue;
        }

This way the admispconfig user could be broken. But it doesn't need to get changed after the install install.

[meemu]

I have tried this but it doesn't work oddly enough. The update still removes the user, though it does not seem to be happening at this point.

Any other pointers?

[meemu]

Finally figured it out. This patch protects groups with a gid lower than what is configured in the ispconfig server config as "gid_von" from being changed on updates.

/root/ispconfig/scripts/lib/classes/ispconfig_system.lib.php

Code:

172a173,177
>         // hack to prevent ispconfig from overwriting other groups that contain that user
>         if( intval($f3) < intval($this->server_conf["groupid_von"])) {
>         $new_group_file[] = $f1.":".$f2.":".$f3.":".$f4;
>         continue;
>       }
174c179
<         if(in_array($user_username, $group_users)){
---
>               if(in_array($user_username, $group_users)){
176c181
<           foreach($group_users as $group_user){
---
>                 foreach($group_users as $group_user){
178c183
<           }
---
>                 }
545a551,555
>       // hack to prevent ispconfig from overwriting other groups that contain that user
>       if(intval($f3) < intval($this->server_conf["groupid_von"])) {
>         $new_group_file[] = $f1.":".$f2.":".$f3.":".$f4;
>         continue;
>       }
976c986
< ?>
\ No newline at end of file
---
> ?>

[till]

Thanks for the patch. I added it to the bugtracker for integration in ISPConfig.