
Merge branch 'fix/fpm-1.8' into servicing

Jaap Marcus 2 years ago
parent
commit
4bf3b40183

+ 11 - 0
bin/v-add-web-php

@@ -139,6 +139,17 @@ sed -i "s/fpm_v/$version/g" /etc/php/$version/fpm/php-fpm.conf
 sed -i "s/upload_max_filesize = 2M/upload_max_filesize = 100M/g" /etc/php/$version/fpm/php.ini
 sed -i "s/post_max_size = 8M/post_max_size = 100M/g" /etc/php/$version/fpm/php.ini
 sed -i "s/max_execution_time = 30/max_execution_time = 60/g" /etc/php/$version/fpm/php.ini
+sed -i "s/;max_input_vars = 1000/max_input_vars = 4000/g" /etc/php/$version/fpm/php.ini
+
+# Disable exec and other harmfull php functions
+sed -i "s/disable_functions =.*/disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,exec,system,passthru,shell_exec,proc_open,popen/g" /etc/php/$version/fpm/php.ini
+
+sed -i "s/disable_functions =.*/disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,exec,system,passthru,shell_exec,proc_open,popen/g" /etc/php/$version/cli/php.ini
+
+# Other use full changes
+sed -i "s/;opcache.enable=1/opcache.enable=1/g" /etc/php/$version/fpm/php.ini
+sed -i "s/;opcache.memory_consumption=128/opcache.memory_consumption=512/g" /etc/php/$version/fpm/php.ini
+sed -i "s/;opcache.max_accelerated_files=10000/opcache.max_accelerated_files=100000/g" /etc/php/$version/fpm/php.ini
 
 # Install backend template
 cp -f $HESTIA_INSTALL_DIR/php-fpm/multiphp.tpl \
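Review bot: The two new `disable_functions` edits use `s/disable_functions =.*/.../`, which unconditionally replaces whatever list an operator already has in the FPM and CLI php.ini, and the same long function list is pasted here twice and twice more in install/upgrade/manual/secure_php.sh, so the copies will drift. Define it once, e.g. `php_disable_functions="pcntl_alarm,...,popen"` (the list from these lines), and write `sed -i "s/disable_functions =.*/disable_functions = $php_disable_functions/" "/etc/php/$version/fpm/php.ini"` for each target; the `/g` flag is redundant once `.*` has consumed the rest of the line. The new header comments read `harmfull` and `Other use full changes`; `harmful` and `Other useful changes`.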

+ 1 - 1
bin/v-backup-users

@@ -31,7 +31,7 @@ mysqlrepair --all-databases --check --auto-repair > /dev/null 2>&1
 if [ -z "$BACKUP_SYSTEM" ]; then
 	exit
 fi
-for user in $($BIN/v-list-sys-users plain); do
+for user in $($BIN/v-list-users list); do
 	check_suspend=$(grep "SUSPENDED='no'" $HESTIA/data/users/$user/user.conf)
 	log=$HESTIA/log/backup.log
 	if [ ! -f "$HESTIA/data/users/$user/user.conf" ]; then
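Review bot: The replaced line still consumes the listing through an unquoted `$(...)`, so every name returned by `v-list-users list` is word-split and glob-expanded before it reaches the loop; `while IFS= read -r user; do ... done < <("$BIN/v-list-users" list)` reads one name per line as `only_user_list` emits them. The `[ ! -f ".../user.conf" ]` check a few lines below now repeats the filter that `only_user_list` already applies; harmless, but if it is kept as a defensive guard a short comment saying so would stop the next reader from removing one or the other. The loop body continues past the end of the hunk.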

+ 12 - 0
bin/v-list-users

@@ -176,6 +176,17 @@ raw_list() {
 	done < <(grep '@' /etc/passwd | cut -f1 -d:)
 }
 
+# USER ONLY list function
+only_user_list() {
+	while read USER; do
+		if [ ! -f "$HESTIA/data/users/$USER/user.conf" ]; then
+			continue
+		fi
+		source_conf "$HESTIA/data/users/$USER/user.conf"
+		echo "$USER"
+	done < <(grep '@' /etc/passwd | cut -f1 -d:)
+}
+
 #----------------------------------------------------------#
 #                       Action                             #
 #----------------------------------------------------------#
@@ -186,6 +197,7 @@ case $format in
 	plain) plain_list ;;
 	csv) csv_list ;;
 	shell) shell_list | column -t ;;
+	list) only_user_list ;;
 esac
 
 #----------------------------------------------------------#
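Review bot: `only_user_list` calls `source_conf` on every user.conf but only ever prints `$USER`, so the sourcing is a pure side effect that loads each user's configuration into the running shell for no visible purpose; unless `source_conf` is relied on for something outside this hunk, drop it. The loop variable `USER` also overwrites the login `USER` environment variable for the rest of the script, and `read` without `-r` interprets backslashes; `raw_list` just above appears to share the pattern, though only its closing lines are in the hunk. The comment `# USER ONLY list function` would be clearer as `# Lists only accounts that have a Hestia user.conf`, and if the script's usage text enumerates the accepted formats (outside this hunk), `list` belongs there too.
```shell
# Lists only accounts that have a Hestia user.conf
only_user_list() {
	while IFS= read -r user; do
		[ -f "$HESTIA/data/users/$user/user.conf" ] || continue
		echo "$user"
	done < <(grep '@' /etc/passwd | cut -f1 -d:)
}
```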

+ 2 - 1
install/deb/php-fpm/dummy.conf

@@ -6,7 +6,8 @@ listen.owner = hestiamail
 listen.group = www-data
 listen.mode = 0660
 
-user = www-data
+;"hestiamail" user created to prevent users from abusing this config
+user = hestiamail
 group = www-data
 
 pm = ondemand
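Review bot: The pool now runs as `hestiamail`, an account that only the fresh-install scripts in this commit create (`useradd` in install/hst-install-debian.sh and install/hst-install-ubuntu.sh); if this template is also deployed to systems that are upgraded rather than reinstalled, php-fpm will refuse to start until the account exists, and nothing in the commit creates it on that path (install/upgrade/manual/secure_php.sh only edits php.ini). The same applies to install/deb/php-fpm/www.conf. The new comment `;"hestiamail" user created to prevent users from abusing this config` names the intent but not the property; something like `; dedicated pool account created by the installer; kept separate from the shared www-data user` tells a reader what must hold for the file to work.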

+ 2 - 1
install/deb/php-fpm/www.conf

@@ -4,7 +4,8 @@
 listen = 127.0.0.1:9000
 listen.allowed_clients = 127.0.0.1
 
-user = www-data
+;"hestiamail" user created to prevent users from abusing this config
+user = hestiamail
 group = www-data
 
 pm = ondemand

+ 3 - 0
install/hst-install-debian.sh

@@ -1044,6 +1044,9 @@ rm -f /usr/sbin/policy-rc.d
 
 echo "[ * ] Configuring system settings..."
 
+# Create user for php-fpm configs
+/usr/sbin/useradd "hestiamail" -c "$email" --no-create-home
+
 # Enable SFTP subsystem for SSH
 sftp_subsys_enabled=$(grep -iE "^#?.*subsystem.+(sftp )?sftp-server" /etc/ssh/sshd_config)
 if [ -n "$sftp_subsys_enabled" ]; then
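Review bot: `/usr/sbin/useradd "hestiamail" -c "$email" --no-create-home` creates an ordinary login account: without `--system` it takes a UID from the regular user range and without `--shell` it gets the default login shell, which is more than a php-fpm pool owner needs, and the exit status is not checked even though useradd fails when the account already exists. `useradd --system --no-create-home --shell /usr/sbin/nologin -c 'Hestia php-fpm pool user' hestiamail || exit 1` is the conventional shape. Putting `$email` in the GECOS field has a side effect visible elsewhere in this commit: bin/v-list-users selects Hestia accounts with `grep '@' /etc/passwd`, so this service account will match that filter and show up in any listing that does not additionally check for a user.conf. The same call is in install/hst-install-ubuntu.sh.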

+ 3 - 0
install/hst-install-ubuntu.sh

@@ -1025,6 +1025,9 @@ rm -f /usr/sbin/policy-rc.d
 
 echo "[ * ] Configuring system settings..."
 
+# Create user for php-fpm configs
+/usr/sbin/useradd "hestiamail" -c "$email" --no-create-home
+
 # Enable SFTP subsystem for SSH
 sftp_subsys_enabled=$(grep -iE "^#?.*subsystem.+(sftp )?sftp-server" /etc/ssh/sshd_config)
 if [ -n "$sftp_subsys_enabled" ]; then

+ 6 - 0
install/upgrade/manual/secure_php.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+# info: Secure websites FPM / CLI against basic executions if you use such functions remove them form the list
+
+sed -i "s/disable_functions =.*/disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,exec,system,passthru,shell_exec,proc_open,popen/g" /etc/php/*/fpm/php.ini
+
+sed -i "s/disable_functions =.*/disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,exec,system,passthru,shell_exec,proc_open,popen/g" /etc/php/*/cli/php.ini
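Review bot: The script edits every FPM php.ini but never restarts the php-fpm services, so the new `disable_functions` list does not reach running pools until something else restarts them, which an operator running a "manual upgrade" script would not expect. The header comment has `form` for `from`, and the function list is duplicated between the two `sed` lines (and again in bin/v-add-web-php); a single variable and a loop over both ini paths removes the drift risk, and the restart can be derived from the version directories the glob already enumerates. The list in the fence is the one from these two lines, abbreviated for length.
```shell
# … unchanged: shebang …
# info: Secure websites FPM / CLI against basic executions; if you use such functions, remove them from the list

disabled="pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,exec,system,passthru,shell_exec,proc_open,popen"

for ini in /etc/php/*/fpm/php.ini /etc/php/*/cli/php.ini; do
	sed -i "s/disable_functions =.*/disable_functions = $disabled/" "$ini"
done

# php.ini is read at start-up, so each FPM service must be restarted for the change to apply
for ini in /etc/php/*/fpm/php.ini; do
	version=${ini#/etc/php/}
	systemctl restart "php${version%%/*}-fpm"
done
```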