Use unix sockets for dummy.conf

bin/v-add-web-php

@@ -50,7 +50,7 @@ fi
 # Check if php version is supported
 if [[ ! "$multiphp_v" =~ $version ]]; then
 	echo "ERROR: Specified PHP version is not supported or does not exist."
-	exit "$E_INVALID";
+	exit "$E_INVALID"
 fi
 
 # Perform verification if read-only mode is enabled
@@ -131,7 +131,7 @@ update-rc.d php$version-fpm defaults > /dev/null 2>&1
 v_tpl=${version//./}
 rm -f /etc/php/$version/fpm/pool.d/*
 cp -f $HESTIA_INSTALL_DIR/php-fpm/dummy.conf /etc/php/$version/fpm/pool.d/
-sed -i "s/9999/99$v_tpl/g" /etc/php/$version/fpm/pool.d/dummy.conf
+sed -i "s/%backend_version%/$version/g" /etc/php/$version/fpm/pool.d/dummy.conf
 cp -f $HESTIA_INSTALL_DIR/php-fpm/php-fpm.conf /etc/php/$version/fpm/
 sed -i "s/fpm_v/$version/g" /etc/php/$version/fpm/php-fpm.conf
 

install/deb/php-fpm/dummy.conf

@@ -1,8 +1,10 @@
 ; origin-src: deb/php-fpm/dummy.conf
 
-[www]
-listen = 127.0.0.1:9999
-listen.allowed_clients = 127.0.0.1
+[wwww]
+listen = /run/php/php%backend_version%-fpm.dummy.sock
+listen.owner = hestiamail
+listen.group = www-data
+listen.mode = 0660
 
 user = www-data
 group = www-data

install/upgrade/versions/1.8.9.sh

@@ -33,3 +33,18 @@ if [ -f /etc/nginx/nginx.conf ]; then
 	echo "[ * ] Mitigate HTTP/2 Rapid Reset Attack via Nginx CVE CVE-2023-44487"
 	sed -i -E 's/(.*keepalive_requests\s{1,})10000;/\11000;/' /etc/nginx/nginx.conf /usr/local/hestia/nginx/conf/nginx.conf
 fi
+
+# Fix security issue wit FPM pools
+if [ -z "$(grep ^hestiamail: /etc/passwd)" ]; then
+	echo "[ * ] Limit permissions www.conf and dummy.conf"
+	/usr/sbin/useradd "hestiamail" -c "$email" --no-create-home
+
+	sed -i "s/user = www-data/user = hestiamail/g" /etc/php/*/fpm/pool.d/www.conf
+
+	php_versions=$($BIN/v-list-sys-php plain)
+	# Substitute php-fpm service name formats
+	for version in $php_versions; do
+		cp -f $HESTIA_INSTALL_DIR/php-fpm/dummy.conf /etc/php/$version/fpm/pool.d/
+		sed -i "s/%backend_version%/$version/g" /etc/php/$version/fpm/pool.d/dummy.conf
+	done
+fi