
Limit permissions dummy.conf and www.conf prevent permission escalation (#4095)

* Apply changes to default config

If users want a less strict system they can undo it

* Make changes for new install

* Fix few sed commands

* And CLI as well

* Update script


* Replace dummy.conf with unix socket 

Use correct file

Add comment on changes
Jaap Marcus 2 years ago
parent
commit
acb766e1db

+ 13 - 2
bin/v-add-web-php

@@ -50,7 +50,7 @@ fi
 # Check if php version is supported
 if [[ ! "$multiphp_v" =~ $version ]]; then
 	echo "ERROR: Specified PHP version is not supported or does not exist."
-	exit "$E_INVALID";
+	exit "$E_INVALID"
 fi
 
 # Perform verification if read-only mode is enabled
@@ -131,7 +131,7 @@ update-rc.d php$version-fpm defaults > /dev/null 2>&1
 v_tpl=${version//./}
 rm -f /etc/php/$version/fpm/pool.d/*
 cp -f $HESTIA_INSTALL_DIR/php-fpm/dummy.conf /etc/php/$version/fpm/pool.d/
-sed -i "s/9999/99$v_tpl/g" /etc/php/$version/fpm/pool.d/dummy.conf
+sed -i "s/%backend_version%/$version/g" /etc/php/$version/fpm/pool.d/dummy.conf
 cp -f $HESTIA_INSTALL_DIR/php-fpm/php-fpm.conf /etc/php/$version/fpm/
 sed -i "s/fpm_v/$version/g" /etc/php/$version/fpm/php-fpm.conf
 
@@ -139,6 +139,17 @@ sed -i "s/fpm_v/$version/g" /etc/php/$version/fpm/php-fpm.conf
 sed -i "s/upload_max_filesize = 2M/upload_max_filesize = 100M/g" /etc/php/$version/fpm/php.ini
 sed -i "s/post_max_size = 8M/post_max_size = 100M/g" /etc/php/$version/fpm/php.ini
 sed -i "s/max_execution_time = 30/max_execution_time = 60/g" /etc/php/$version/fpm/php.ini
+sed -i "s/;max_input_vars = 1000/max_input_vars = 4000/g" /etc/php/$version/fpm/php.ini
+
+# Disable exec and other harmfull php functions
+sed -i "s/disable_functions =.*/disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,exec,system,passthru,shell_exec,proc_open,popen/g" /etc/php/$version/fpm/php.ini
+
+sed -i "s/disable_functions =.*/disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,exec,system,passthru,shell_exec,proc_open,popen/g" /etc/php/$version/cli/php.ini
+
+# Other use full changes
+sed -i "s/;opcache.enable=1/opcache.enable=1/g" /etc/php/$version/fpm/php.ini
+sed -i "s/;opcache.memory_consumption=128/opcache.memory_consumption=512/g" /etc/php/$version/fpm/php.ini
+sed -i "s/;opcache.max_accelerated_files=10000/opcache.max_accelerated_files=100000/g" /etc/php/$version/fpm/php.ini
 
 # Install backend template
 cp -f $HESTIA_INSTALL_DIR/php-fpm/multiphp.tpl \
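Review bot: The 25-entry disable_functions list on the two new sed lines (fpm and cli php.ini) is pasted verbatim, and the same literal appears twice more in install/upgrade/manual/secure_php.sh, so the four copies will drift the first time one of them is edited. Assign it once and apply a single sed to both files: `php_disabled='pcntl_alarm,…,popen'` followed by `sed -i "s/disable_functions =.*/disable_functions = $php_disabled/g" /etc/php/$version/fpm/php.ini /etc/php/$version/cli/php.ini`. The `.*` in the match replaces whatever an administrator had already placed in disable_functions rather than adding to it; if that is intended, the comment above the line should say so. Applying the list to cli/php.ini also affects any command-line PHP tooling that may rely on proc_open or exec, which deserves a sentence in the same comment, and `harmfull` / `use full` in the two new comments read as typos.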

+ 7 - 4
install/deb/php-fpm/dummy.conf

@@ -1,10 +1,13 @@
 ; origin-src: deb/php-fpm/dummy.conf
 
-[www]
-listen = 127.0.0.1:9999
-listen.allowed_clients = 127.0.0.1
+[wwww]
+listen = /run/php/php%backend_version%-fpm.dummy.sock
+listen.owner = hestiamail
+listen.group = www-data
+listen.mode = 0660
 
-user = www-data
+;"hestiamail" user created to prevent users from abusing this config
+user = hestiamail
 group = www-data
 
 pm = ondemand
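Review bot: The pool name changed from `[www]` to `[wwww]`, which reads as a typo unless it is deliberately distinct from the `[www]` pool in www.conf; if it is intentional, a comment such as `; pool name differs from www.conf so both files can coexist in pool.d` should say so. The socket is created with owner hestiamail, group www-data and mode 0660, so any process running in group www-data can still connect to this placeholder pool; if nothing is meant to reach it, `listen.mode = 0600` would close that path, which I would confirm against how the web server is configured before changing it. The `%backend_version%` token is only substituted by v-add-web-php and the 1.8.9 upgrade script, so the file is not usable as copied; a one-line comment stating that would help anyone installing it by hand.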

+ 2 - 1
install/deb/php-fpm/www.conf

@@ -4,7 +4,8 @@
 listen = 127.0.0.1:9000
 listen.allowed_clients = 127.0.0.1
 
-user = www-data
+;"hestiamail" user created to prevent users from abusing this config
+user = hestiamail
 group = www-data
 
 pm = ondemand

+ 3 - 0
install/hst-install-debian.sh

@@ -1127,6 +1127,9 @@ random_password=$(gen_pass '32')
 # do not allow login into hestiaweb user
 echo hestiaweb:$random_password | sudo chpasswd -e
 
+# Create user for php-fpm configs
+/usr/sbin/useradd "hestiamail" -c "$email" --no-create-home
+
 # Enable SFTP subsystem for SSH
 sftp_subsys_enabled=$(grep -iE "^#?.*subsystem.+(sftp )?sftp-server" /etc/ssh/sshd_config)
 if [ -n "$sftp_subsys_enabled" ]; then
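Review bot: The new `/usr/sbin/useradd "hestiamail" -c "$email" --no-create-home` creates a regular account with whatever login shell /etc/default/useradd specifies and ignores the exit status, for a user that only exists to own FPM sockets and worker processes. Creating it as a system account with no interactive shell and aborting if that fails would match the intent: `/usr/sbin/useradd --system --no-create-home --shell /usr/sbin/nologin -c "$email" hestiamail || { echo "ERROR: cannot create hestiamail user"; exit 1; }`. The identical line appears in install/hst-install-ubuntu.sh and in install/upgrade/versions/1.8.9.sh; in the latter `$email` is not set anywhere in the visible hunk, so the GECOS field may end up empty there unless the upgrade environment defines it. The enclosing installer code starts and ends outside the hunk.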

+ 3 - 0
install/hst-install-ubuntu.sh

@@ -1095,6 +1095,9 @@ random_password=$(gen_pass '32')
 # do not allow login into hestiaweb user
 echo hestiaweb:$random_password | sudo chpasswd -e
 
+# Create user for php-fpm configs
+/usr/sbin/useradd "hestiamail" -c "$email" --no-create-home
+
 # Enable SFTP subsystem for SSH
 sftp_subsys_enabled=$(grep -iE "^#?.*subsystem.+(sftp )?sftp-server" /etc/ssh/sshd_config)
 if [ -n "$sftp_subsys_enabled" ]; then

+ 6 - 0
install/upgrade/manual/secure_php.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+# info: Secure websites FPM / CLI against basic executions if you use such functions remove them form the list
+
+sed -i "s/disable_functions =.*/disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,exec,system,passthru,shell_exec,proc_open,popen/g" /etc/php/*/fpm/php.ini
+
+sed -i "s/disable_functions =.*/disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,exec,system,passthru,shell_exec,proc_open,popen/g" /etc/php/*/cli/php.ini
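Review bot: Both sed calls expand `/etc/php/*/fpm/php.ini` and `/etc/php/*/cli/php.ini` unguarded, so on a host where one glob matches nothing sed is handed the literal pattern and fails, and with no `set -e` in the file that failure is silent. Looping over the matched files with an existence check, with the function list held in one variable, removes both the duplicated literal and the no-match case. Editing php.ini does not change an already running FPM master, so the header comment should also state that the php-fpm services must be restarted for the new disable_functions to take effect; `form` in that comment reads as a typo.
```shell
#!/bin/bash
# info: Secure websites FPM / CLI against basic executions; if you use such functions remove them from the list.
# Restart the php-fpm services afterwards for the change to take effect.

php_disabled='pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,exec,system,passthru,shell_exec,proc_open,popen'

for ini in /etc/php/*/fpm/php.ini /etc/php/*/cli/php.ini; do
	[ -f "$ini" ] || continue
	sed -i "s/disable_functions =.*/disable_functions = $php_disabled/g" "$ini"
done
```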

+ 15 - 0
install/upgrade/versions/1.8.9.sh

@@ -33,3 +33,18 @@ if [ -f /etc/nginx/nginx.conf ]; then
 	echo "[ * ] Mitigate HTTP/2 Rapid Reset Attack via Nginx CVE CVE-2023-44487"
 	sed -i -E 's/(.*keepalive_requests\s{1,})10000;/\11000;/' /etc/nginx/nginx.conf /usr/local/hestia/nginx/conf/nginx.conf
 fi
+
+# Fix security issue wit FPM pools
+if [ -z "$(grep ^hestiamail: /etc/passwd)" ]; then
+	echo "[ * ] Limit permissions www.conf and dummy.conf"
+	/usr/sbin/useradd "hestiamail" -c "$email" --no-create-home
+
+	sed -i "s/user = www-data/user = hestiamail/g" /etc/php/*/fpm/pool.d/www.conf
+
+	php_versions=$($BIN/v-list-sys-php plain)
+	# Substitute php-fpm service name formats
+	for version in $php_versions; do
+		cp -f $HESTIA_INSTALL_DIR/php-fpm/dummy.conf /etc/php/$version/fpm/pool.d/
+		sed -i "s/%backend_version%/$version/g" /etc/php/$version/fpm/pool.d/dummy.conf
+	done
+fi
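Review bot: The www.conf sed and the dummy.conf copy loop run only inside `if [ -z "$(grep ^hestiamail: /etc/passwd)" ]`, so an upgrade that created the user but was interrupted before the pool edits, or a host where the user already existed, never receives the pool changes on a re-run. Keep only the useradd under the existence check and run the pool edits unconditionally; both the sed and the copy are idempotent. `getent passwd hestiamail` is the usual existence test and also covers non-file NSS backends, and `wit` in the new comment reads as a typo. The upgrade script's surrounding code starts outside the hunk.
```shell
# Fix security issue with FPM pools
echo "[ * ] Limit permissions www.conf and dummy.conf"
if ! getent passwd hestiamail > /dev/null; then
	/usr/sbin/useradd "hestiamail" -c "$email" --no-create-home
fi

sed -i "s/user = www-data/user = hestiamail/g" /etc/php/*/fpm/pool.d/www.conf

# … unchanged: php_versions loop copying dummy.conf and substituting %backend_version%, now outside the if …
```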