From 7b0597fc417bb83f0a378454ba1a7ad34d977621 Mon Sep 17 00:00:00 2001 From: marcos Date: Sun, 14 Oct 2018 15:28:48 +0200 Subject: [PATCH 01/10] traducciones --- web/inc/i18n/es.php | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/web/inc/i18n/es.php b/web/inc/i18n/es.php index 1f2c36dd..8cf45ddf 100644 --- a/web/inc/i18n/es.php +++ b/web/inc/i18n/es.php @@ -193,11 +193,11 @@ $LANG['es'] = array( 'Mail Accounts' => 'Cuentas de Correo', 'Cron Jobs' => 'Tareas Programadas', 'SSH Access' => 'Acceso SSH', - 'IP Address' => 'IP Address', - 'IP Addresses' => 'Dirección IP', + 'IP Address' => 'Dirección IP', + 'IP Addresses' => 'Direcciones IP', 'Backups' => 'Respaldos', 'Backup System' => 'Sistema de Respaldo', - 'backup exclusions' => 'respaldos excluídos', + 'backup exclusions' => 'configurar exlusiones', 'template' => 'plantilla', 'SSL Support' => 'Soportar SSL', 'SSL Home Directory' => 'Directorio local del SSL', @@ -248,8 +248,8 @@ $LANG['es'] = array( 'SYS' => 'SYS', 'Domains' => 'Dominios', 'Status' => 'Estado', - 'shared' => 'compartido', - 'dedicated' => 'dedicado', + 'shared' => 'compartida', + 'dedicated' => 'dedicada', 'Owner' => 'Dueño', 'Users' => 'Usuarios', 'Load Average' => 'Promedio de carga', @@ -332,7 +332,7 @@ $LANG['es'] = array( 'Package Name' => 'Nombre del Plan', 'Netmask' => 'Máscara de Red', 'Interface' => 'Interfaz', - 'Shared' => 'Compartido', + 'Shared' => 'Compartida', 'Assigned user' => 'Usuario asignado', 'Assigned domain' => 'Dominio asignado', 'NAT IP association' => 'Asociación NAT IP', @@ -762,4 +762,5 @@ $LANG['es'] = array( 'maximum characters length, including prefix' => 'usar un máximo de %s caracteres, incluyendo prefijo', 'Email Credentials' => 'Email Credentials', + ); From 1557f9bc8cbdb349a83bce96093b1717b36cf5cd Mon Sep 17 00:00:00 2001 
From: Serghey Rodin Date: Wed, 17 Oct 2018 17:27:03 +0300 Subject: [PATCH 02/10] Security: separate passwords for databases --- install/vst-install-amazon.sh | 14 ++++++++------ install/vst-install-debian.sh | 12 +++++++----- install/vst-install-rhel.sh | 14 ++++++++------ install/vst-install-ubuntu.sh | 12 +++++++----- 4 files changed, 30 insertions(+), 22 deletions(-) diff --git a/install/vst-install-amazon.sh b/install/vst-install-amazon.sh index 899d4cd8..e419d019 100644 --- a/install/vst-install-amazon.sh +++ b/install/vst-install-amazon.sh @@ -1008,8 +1008,9 @@ if [ "$mysql" = 'yes' ]; then fi # Securing MySQL installation - mysqladmin -u root password $vpass - echo -e "[client]\npassword='$vpass'\n" > /root/.my.cnf + mpass=$(gen_pass) + mysqladmin -u root password $mpass + echo -e "[client]\npassword='$mpass'\n" > /root/.my.cnf chmod 600 /root/.my.cnf mysql -e "DELETE FROM mysql.user WHERE User=''" mysql -e "DROP DATABASE test" >/dev/null 2>&1 @@ -1031,9 +1032,10 @@ fi #----------------------------------------------------------# if [ "$postgresql" = 'yes' ]; then + ppass=$(gen_pass) if [ $release -eq 5 ]; then service postgresql start - sudo -u postgres psql -c "ALTER USER postgres WITH PASSWORD '$vpass'" + sudo -u postgres psql -c "ALTER USER postgres WITH PASSWORD '$ppass'" service postgresql stop cp -f $vestacp/postgresql/pg_hba.conf /var/lib/pgsql/data/ service postgresql start @@ -1041,7 +1043,7 @@ if [ "$postgresql" = 'yes' ]; then service postgresql initdb cp -f $vestacp/postgresql/pg_hba.conf /var/lib/pgsql/data/ service postgresql start - sudo -u postgres psql -c "ALTER USER postgres WITH PASSWORD '$vpass'" + sudo -u postgres psql -c "ALTER USER postgres WITH PASSWORD '$ppass'" fi # Configuring phpPgAdmin if [ "$apache" = 'yes' ]; then 
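Review bot: In the "Securing MySQL installation" hunk the freshly generated root password is still handed over as a command-line argument, `mysqladmin -u root password $mpass`, so while that call runs it is readable by any local user through the process list; the same applies to the `psql -c "ALTER USER postgres WITH PASSWORD '$ppass'"` calls in the two PostgreSQL hunks below and to the identical hunks in vst-install-debian.sh, vst-install-rhel.sh and vst-install-ubuntu.sh in this commit. Passing the statement on stdin keeps it out of argv, e.g. `mysql <<< "SET PASSWORD FOR 'root'@'localhost' = PASSWORD('$mpass')"` and `echo "ALTER USER postgres WITH PASSWORD '$ppass'" | sudo -u postgres psql` (the exact SET PASSWORD form depends on the MySQL/MariaDB version the script installs, which is decided outside the hunk). `/root/.my.cnf` is also created under the default umask before the `chmod 600`; `( umask 077; echo -e "[client]\npassword='$mpass'\n" > /root/.my.cnf )` closes that window, although a 0700 /root already limits it. `gen_pass` is defined outside the hunk, so whether its output can contain a quote or a shell metacharacter — which would break the single-quoted .my.cnf value and the SQL literal — cannot be checked here; quoting the expansions as `"$mpass"` and `"$ppass"` at least keeps the shell side intact.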
@@ -1272,13 +1274,13 @@ fi # Configuring MySQL host if [ "$mysql" = 'yes' ]; then - $VESTA/bin/v-add-database-host mysql localhost root $vpass + $VESTA/bin/v-add-database-host mysql localhost root $mpass $VESTA/bin/v-add-database admin default default $(gen_pass) mysql fi # Configuring PostgreSQL host if [ "$postgresql" = 'yes' ]; then - $VESTA/bin/v-add-database-host pgsql localhost postgres $vpass + $VESTA/bin/v-add-database-host pgsql localhost postgres $ppass $VESTA/bin/v-add-database admin db db $(gen_pass) pgsql fi diff --git a/install/vst-install-debian.sh b/install/vst-install-debian.sh index 4b5d293d..013f3160 100644 --- a/install/vst-install-debian.sh +++ b/install/vst-install-debian.sh @@ -985,8 +985,9 @@ if [ "$mysql" = 'yes' ]; then check_result $? "mysql start failed" # Securing MySQL installation - mysqladmin -u root password $vpass - echo -e "[client]\npassword='$vpass'\n" > /root/.my.cnf + mpass=$(gen_pass) + mysqladmin -u root password $mpass + echo -e "[client]\npassword='$mpass'\n" > /root/.my.cnf chmod 600 /root/.my.cnf mysql -e "DELETE FROM mysql.user WHERE User=''" mysql -e "DROP DATABASE test" >/dev/null 2>&1 @@ -1008,9 +1009,10 @@ fi #----------------------------------------------------------# if [ "$postgresql" = 'yes' ]; then + ppass=$(gen_pass) wget $vestacp/postgresql/pg_hba.conf -O /etc/postgresql/*/main/pg_hba.conf service postgresql restart - sudo -u postgres psql -c "ALTER USER postgres WITH PASSWORD '$vpass'" + sudo -u postgres psql -c "ALTER USER postgres WITH PASSWORD '$ppass'" # Configuring phpPgAdmin if [ "$apache" = 'yes' ]; then 
@@ -1298,13 +1300,13 @@ fi # Configuring mysql host if [ "$mysql" = 'yes' ]; then - $VESTA/bin/v-add-database-host mysql localhost root $vpass + $VESTA/bin/v-add-database-host mysql localhost root $mpass $VESTA/bin/v-add-database admin default default $(gen_pass) mysql fi # Configuring pgsql host if [ "$postgresql" = 'yes' ]; then - $VESTA/bin/v-add-database-host pgsql localhost postgres $vpass + $VESTA/bin/v-add-database-host pgsql localhost postgres $ppass $VESTA/bin/v-add-database admin db db $(gen_pass) pgsql fi diff --git a/install/vst-install-rhel.sh b/install/vst-install-rhel.sh index 1ecd2235..4a863464 100755 --- a/install/vst-install-rhel.sh +++ b/install/vst-install-rhel.sh @@ -1024,8 +1024,9 @@ if [ "$mysql" = 'yes' ]; then fi # Securing MySQL installation - mysqladmin -u root password $vpass - echo -e "[client]\npassword='$vpass'\n" > /root/.my.cnf + mpass=$(gen_pass) + mysqladmin -u root password $mpass + echo -e "[client]\npassword='$mpass'\n" > /root/.my.cnf chmod 600 /root/.my.cnf mysql -e "DELETE FROM mysql.user WHERE User=''" mysql -e "DROP DATABASE test" >/dev/null 2>&1 @@ -1047,9 +1048,10 @@ fi #----------------------------------------------------------# if [ "$postgresql" = 'yes' ]; then + ppass=$(gen_pass) if [ $release -eq 5 ]; then service postgresql start - sudo -u postgres psql -c "ALTER USER postgres WITH PASSWORD '$vpass'" + sudo -u postgres psql -c "ALTER USER postgres WITH PASSWORD '$ppass'" service postgresql stop cp -f $vestacp/postgresql/pg_hba.conf /var/lib/pgsql/data/ service postgresql start @@ -1057,7 +1059,7 @@ if [ "$postgresql" = 'yes' ]; then service postgresql initdb cp -f $vestacp/postgresql/pg_hba.conf /var/lib/pgsql/data/ service postgresql start - sudo -u postgres psql -c "ALTER USER postgres WITH PASSWORD '$vpass'" + sudo -u postgres psql -c "ALTER USER postgres WITH PASSWORD '$ppass'" fi # Configuring phpPgAdmin if [ "$apache" = 'yes' ]; then 
@@ -1289,13 +1291,13 @@ fi # Configuring MySQL/MariaDB host if [ "$mysql" = 'yes' ]; then - $VESTA/bin/v-add-database-host mysql localhost root $vpass + $VESTA/bin/v-add-database-host mysql localhost root $mpass $VESTA/bin/v-add-database admin default default $(gen_pass) mysql fi # Configuring PostgreSQL host if [ "$postgresql" = 'yes' ]; then - $VESTA/bin/v-add-database-host pgsql localhost postgres $vpass + $VESTA/bin/v-add-database-host pgsql localhost postgres $ppass $VESTA/bin/v-add-database admin db db $(gen_pass) pgsql fi diff --git a/install/vst-install-ubuntu.sh b/install/vst-install-ubuntu.sh index c0655bb2..bfcf8919 100755 --- a/install/vst-install-ubuntu.sh +++ b/install/vst-install-ubuntu.sh @@ -977,8 +977,9 @@ if [ "$mysql" = 'yes' ]; then check_result $? "mysql start failed" # Securing MySQL/MariaDB installation - mysqladmin -u root password $vpass - echo -e "[client]\npassword='$vpass'\n" > /root/.my.cnf + mpass=$(gen_pass) + mysqladmin -u root password $mpass + echo -e "[client]\npassword='$mpass'\n" > /root/.my.cnf chmod 600 /root/.my.cnf mysql -e "DELETE FROM mysql.user WHERE User=''" mysql -e "DROP DATABASE test" >/dev/null 2>&1 @@ -1000,9 +1001,10 @@ fi #----------------------------------------------------------# if [ "$postgresql" = 'yes' ]; then + ppass=$(gen_pass) cp -f $vestacp/postgresql/pg_hba.conf /etc/postgresql/*/main/ service postgresql restart - sudo -u postgres psql -c "ALTER USER postgres WITH PASSWORD '$vpass'" + sudo -u postgres psql -c "ALTER USER postgres WITH PASSWORD '$ppass'" # Configuring phpPgAdmin if [ "$apache" = 'yes' ]; then 
@@ -1235,13 +1237,13 @@ fi # Configuring MySQL/MariaDB host if [ "$mysql" = 'yes' ]; then - $VESTA/bin/v-add-database-host mysql localhost root $vpass + $VESTA/bin/v-add-database-host mysql localhost root $mpass $VESTA/bin/v-add-database admin default default $(gen_pass) mysql fi # Configuring PostgreSQL host if [ "$postgresql" = 'yes' ]; then - $VESTA/bin/v-add-database-host pgsql localhost postgres $vpass + $VESTA/bin/v-add-database-host pgsql localhost postgres $ppass $VESTA/bin/v-add-database admin db db $(gen_pass) pgsql fi From a1b3aa3a8432b72842fe13ee77a892d2bba2b022 Mon Sep 17 00:00:00 2001 From: Serghey Rodin Date: Wed, 17 Oct 2018 22:06:17 +0300 Subject: [PATCH 03/10] No stats with distro name anymore --- install/vst-install-amazon.sh | 3 --- install/vst-install-debian.sh | 3 --- install/vst-install-rhel.sh | 3 --- install/vst-install-ubuntu.sh | 3 --- 4 files changed, 12 deletions(-) diff --git a/install/vst-install-amazon.sh b/install/vst-install-amazon.sh index e419d019..8dbdaa14 100644 --- a/install/vst-install-amazon.sh +++ b/install/vst-install-amazon.sh @@ -1334,9 +1334,6 @@ $VESTA/bin/v-add-cron-vesta-autoupdate # Vesta Access Info # #----------------------------------------------------------# -# Sending install notification to vestacp.com -wget vestacp.com/notify/?$codename -O /dev/null -q - # Comparing hostname and IP host_ip=$(host $servername |head -n 1 |awk '{print $NF}') if [ "$host_ip" = "$ip" ]; then diff --git a/install/vst-install-debian.sh b/install/vst-install-debian.sh index 013f3160..47f36142 100644 --- a/install/vst-install-debian.sh +++ b/install/vst-install-debian.sh @@ -1361,9 +1361,6 @@ $VESTA/bin/v-add-cron-vesta-autoupdate # Vesta Access Info # #----------------------------------------------------------# -# Sending install notification to vestacp.com -wget vestacp.com/notify/?$codename -O /dev/null -q - # Comparing hostname and ip host_ip=$(host $servername| head -n 1 | awk '{print $NF}') if [ "$host_ip" = "$ip" ]; then 
diff --git a/install/vst-install-rhel.sh b/install/vst-install-rhel.sh index 4a863464..3aaad808 100755 --- a/install/vst-install-rhel.sh +++ b/install/vst-install-rhel.sh @@ -1351,9 +1351,6 @@ $VESTA/bin/v-add-cron-vesta-autoupdate # Vesta Access Info # #----------------------------------------------------------# -# Sending install notification to vestacp.com -wget vestacp.com/notify/?$codename -O /dev/null -q - # Comparing hostname and IP host_ip=$(host $servername |head -n 1 |awk '{print $NF}') if [ "$host_ip" = "$ip" ]; then diff --git a/install/vst-install-ubuntu.sh b/install/vst-install-ubuntu.sh index bfcf8919..4cc5ee86 100755 --- a/install/vst-install-ubuntu.sh +++ b/install/vst-install-ubuntu.sh @@ -1297,9 +1297,6 @@ $VESTA/bin/v-add-cron-vesta-autoupdate # Vesta Access Info # #----------------------------------------------------------# -# Sending install notification to vestacp.com -wget vestacp.com/notify/?$codename -O /dev/null -q - # Comparing hostname and IP host_ip=$(host $servername| head -n 1 |awk '{print $NF}') if [ "$host_ip" = "$ip" ]; then From 67a0e8d1086eb271df7e12fc67f1db482be8cb46 Mon Sep 17 00:00:00 2001 From: Serghey Rodin Date: Wed, 17 Oct 2018 22:27:06 +0300 Subject: [PATCH 04/10] limit config visibility to /etc and /var/lib --- bin/v-open-fs-config | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/bin/v-open-fs-config b/bin/v-open-fs-config index 6a4f54fd..720df86a 100755 --- a/bin/v-open-fs-config +++ b/bin/v-open-fs-config @@ -35,6 +35,11 @@ if [ ! -z "$src_file" ]; then echo "Error: invalid source path $src_file" exit 2 fi + spath=$(echo "$rpath" |egrep "/etc|/var/lib") + if [ -z "$spath" ]; then + echo "Error: invalid source path $src_file" + exit 2 + fi fi # Reading conf From 5f68c1b634abec2d5a4f83156bfd223d3a792f77 Mon Sep 17 00:00:00 2001 
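Review bot: The new restriction `egrep "/etc|/var/lib"` is an unanchored substring match, so any path that merely contains `/etc` or `/var/lib` somewhere below the root — a directory of that name inside a user's home, for instance — still passes, which defeats the purpose of the check. Anchoring it to the start of the path, `spath=$(echo "$rpath" |egrep "^/etc/|^/var/lib/")`, limits it to those two trees; a bash `case "$rpath" in /etc/*|/var/lib/*) ;; *) echo "Error: invalid source path $src_file"; exit 2;; esac` would do the same without the pipeline. Whether `$rpath` has already been resolved with realpath, so that a symlink under /etc cannot point outside it, is decided above the hunk where the enclosing `if [ ! -z "$src_file" ]` block begins and cannot be confirmed here. Reusing the same "invalid source path" message for both rejections also makes them indistinguishable in logs; `echo "Error: source path $src_file is outside /etc and /var/lib"` would tell the operator which check fired.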
From: Serghey Rodin Date: Wed, 17 Oct 2018 23:28:37 +0300 Subject: [PATCH 05/10] Timing attack fix from security experts https://arcturussecurity.com --- web/reset/index.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web/reset/index.php b/web/reset/index.php index abde3c14..0d90d15d 100644 --- a/web/reset/index.php +++ b/web/reset/index.php @@ -48,7 +48,7 @@ if ((!empty($_POST['user'])) && (!empty($_POST['code'])) && (!empty($_POST['pass if ( $return_var == 0 ) { $data = json_decode(implode('', $output), true); $rkey = $data[$user]['RKEY']; - if ($rkey == $_POST['code']) { + if (hash_equals($rkey, $POST[‘code’])) { $v_password = tempnam("/tmp","vst"); $fp = fopen($v_password, "w"); fwrite($fp, $_POST['password']."\n"); From d880b5b4254ed3d89303227d7de4a79e8e0579a7 Mon Sep 17 00:00:00 2001 From: Serghey Rodin Date: Wed, 17 Oct 2018 23:58:27 +0300 Subject: [PATCH 06/10] limit sudo for admin to vesta scripts only --- install/debian/7/sudo/admin | 2 +- install/debian/8/sudo/admin | 2 +- install/debian/9/sudo/admin | 2 +- install/rhel/5/sudo/admin | 2 +- install/rhel/6/sudo/admin | 2 +- install/rhel/7/sudo/admin | 2 +- install/ubuntu/12.04/sudo/admin | 2 +- install/ubuntu/12.10/sudo/admin | 2 +- install/ubuntu/13.04/sudo/admin | 2 +- install/ubuntu/13.10/sudo/admin | 2 +- install/ubuntu/14.04/sudo/admin | 2 +- install/ubuntu/14.10/sudo/admin | 2 +- install/ubuntu/15.04/sudo/admin | 2 +- install/ubuntu/15.10/sudo/admin | 2 +- install/ubuntu/16.04/sudo/admin | 2 +- install/ubuntu/16.10/sudo/admin | 2 +- install/ubuntu/17.04/sudo/admin | 2 +- install/ubuntu/17.10/sudo/admin | 2 +- install/ubuntu/18.04/sudo/admin | 2 +- 19 files changed, 19 insertions(+), 19 deletions(-) diff --git a/install/debian/7/sudo/admin b/install/debian/7/sudo/admin index 4226bdd4..331fa1f2 100644 --- a/install/debian/7/sudo/admin +++ b/install/debian/7/sudo/admin 
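Review bot: The new comparison reads `$POST[‘code’]`, which is neither `$_POST` nor a validly quoted string — `$POST` is an undefined variable and `‘code’` is at best parsed as an unknown constant — so `hash_equals()` never receives the submitted code and the reset path cannot succeed at all. PATCH 10 on this page corrects it to `$_POST['code']`; that correction belongs in this commit so the timing-safe comparison is not released in a broken state. The hunk is an excerpt: the `if ( $return_var == 0 )` block and the enclosing request check begin above it.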
@@ -4,5 +4,5 @@ Defaults:admin !syslog Defaults:admin !requiretty Defaults:root !requiretty -admin ALL=(ALL) ALL +# sudo is limited to vesta scripts admin ALL=NOPASSWD:/usr/local/vesta/bin/* diff --git a/install/debian/8/sudo/admin b/install/debian/8/sudo/admin index 4226bdd4..331fa1f2 100644 --- a/install/debian/8/sudo/admin +++ b/install/debian/8/sudo/admin @@ -4,5 +4,5 @@ Defaults:admin !syslog Defaults:admin !requiretty Defaults:root !requiretty -admin ALL=(ALL) ALL +# sudo is limited to vesta scripts admin ALL=NOPASSWD:/usr/local/vesta/bin/* diff --git a/install/debian/9/sudo/admin b/install/debian/9/sudo/admin index 4226bdd4..331fa1f2 100644 --- a/install/debian/9/sudo/admin +++ b/install/debian/9/sudo/admin @@ -4,5 +4,5 @@ Defaults:admin !syslog Defaults:admin !requiretty Defaults:root !requiretty -admin ALL=(ALL) ALL +# sudo is limited to vesta scripts admin ALL=NOPASSWD:/usr/local/vesta/bin/* diff --git a/install/rhel/5/sudo/admin b/install/rhel/5/sudo/admin index 4226bdd4..331fa1f2 100644 --- a/install/rhel/5/sudo/admin +++ b/install/rhel/5/sudo/admin @@ -4,5 +4,5 @@ Defaults:admin !syslog Defaults:admin !requiretty Defaults:root !requiretty -admin ALL=(ALL) ALL +# sudo is limited to vesta scripts admin ALL=NOPASSWD:/usr/local/vesta/bin/* diff --git a/install/rhel/6/sudo/admin b/install/rhel/6/sudo/admin index 4226bdd4..331fa1f2 100644 --- a/install/rhel/6/sudo/admin +++ b/install/rhel/6/sudo/admin @@ -4,5 +4,5 @@ Defaults:admin !syslog Defaults:admin !requiretty Defaults:root !requiretty -admin ALL=(ALL) ALL +# sudo is limited to vesta scripts admin ALL=NOPASSWD:/usr/local/vesta/bin/* diff --git a/install/rhel/7/sudo/admin b/install/rhel/7/sudo/admin index 4226bdd4..331fa1f2 100644 --- a/install/rhel/7/sudo/admin +++ b/install/rhel/7/sudo/admin @@ -4,5 +4,5 @@ Defaults:admin !syslog Defaults:admin !requiretty Defaults:root !requiretty -admin ALL=(ALL) ALL +# sudo is limited to vesta scripts admin ALL=NOPASSWD:/usr/local/vesta/bin/* 
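Review bot: Dropping `admin ALL=(ALL) ALL` leaves `admin ALL=NOPASSWD:/usr/local/vesta/bin/*` as the only grant, and that rule carries no argument restriction, so every executable directly in /usr/local/vesta/bin (sudoers wildcards do not match a `/`, so subdirectories are excluded) is now a passwordless root entry point with arbitrary arguments; the reduction is therefore only as strong as the argument validation inside those scripts (v-open-fs-config in PATCH 04 on this page is one example) and the directory not being writable by admin, neither of which this file can guarantee, and that is worth stating next to the new comment, e.g. `# sudo is limited to vesta scripts; each script must validate its own arguments`. `Defaults:admin !syslog` in the hunk's context header still keeps admin's sudo invocations out of syslog, which removes exactly the audit trail an operator would want for a newly restricted account; consider dropping that line in the same change. The same hunk is repeated verbatim in the other 18 sudo/admin files of this commit (debian 8–9, rhel 5–7, ubuntu 12.04–18.04), which suggests keeping one template and generating the per-release copies.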
diff --git a/install/ubuntu/12.04/sudo/admin b/install/ubuntu/12.04/sudo/admin index 4226bdd4..331fa1f2 100644 --- a/install/ubuntu/12.04/sudo/admin +++ b/install/ubuntu/12.04/sudo/admin @@ -4,5 +4,5 @@ Defaults:admin !syslog Defaults:admin !requiretty Defaults:root !requiretty -admin ALL=(ALL) ALL +# sudo is limited to vesta scripts admin ALL=NOPASSWD:/usr/local/vesta/bin/* diff --git a/install/ubuntu/12.10/sudo/admin b/install/ubuntu/12.10/sudo/admin index 4226bdd4..331fa1f2 100644 --- a/install/ubuntu/12.10/sudo/admin +++ b/install/ubuntu/12.10/sudo/admin @@ -4,5 +4,5 @@ Defaults:admin !syslog Defaults:admin !requiretty Defaults:root !requiretty -admin ALL=(ALL) ALL +# sudo is limited to vesta scripts admin ALL=NOPASSWD:/usr/local/vesta/bin/* diff --git a/install/ubuntu/13.04/sudo/admin b/install/ubuntu/13.04/sudo/admin index 4226bdd4..331fa1f2 100644 --- a/install/ubuntu/13.04/sudo/admin +++ b/install/ubuntu/13.04/sudo/admin @@ -4,5 +4,5 @@ Defaults:admin !syslog Defaults:admin !requiretty Defaults:root !requiretty -admin ALL=(ALL) ALL +# sudo is limited to vesta scripts admin ALL=NOPASSWD:/usr/local/vesta/bin/* diff --git a/install/ubuntu/13.10/sudo/admin b/install/ubuntu/13.10/sudo/admin index 4226bdd4..331fa1f2 100644 --- a/install/ubuntu/13.10/sudo/admin +++ b/install/ubuntu/13.10/sudo/admin @@ -4,5 +4,5 @@ Defaults:admin !syslog Defaults:admin !requiretty Defaults:root !requiretty -admin ALL=(ALL) ALL +# sudo is limited to vesta scripts admin ALL=NOPASSWD:/usr/local/vesta/bin/* diff --git a/install/ubuntu/14.04/sudo/admin b/install/ubuntu/14.04/sudo/admin index 4226bdd4..331fa1f2 100644 --- a/install/ubuntu/14.04/sudo/admin +++ b/install/ubuntu/14.04/sudo/admin @@ -4,5 +4,5 @@ Defaults:admin !syslog Defaults:admin !requiretty Defaults:root !requiretty -admin ALL=(ALL) ALL +# sudo is limited to vesta scripts admin ALL=NOPASSWD:/usr/local/vesta/bin/* 
diff --git a/install/ubuntu/14.10/sudo/admin b/install/ubuntu/14.10/sudo/admin index 4226bdd4..331fa1f2 100644 --- a/install/ubuntu/14.10/sudo/admin +++ b/install/ubuntu/14.10/sudo/admin @@ -4,5 +4,5 @@ Defaults:admin !syslog Defaults:admin !requiretty Defaults:root !requiretty -admin ALL=(ALL) ALL +# sudo is limited to vesta scripts admin ALL=NOPASSWD:/usr/local/vesta/bin/* diff --git a/install/ubuntu/15.04/sudo/admin b/install/ubuntu/15.04/sudo/admin index 4226bdd4..331fa1f2 100644 --- a/install/ubuntu/15.04/sudo/admin +++ b/install/ubuntu/15.04/sudo/admin @@ -4,5 +4,5 @@ Defaults:admin !syslog Defaults:admin !requiretty Defaults:root !requiretty -admin ALL=(ALL) ALL +# sudo is limited to vesta scripts admin ALL=NOPASSWD:/usr/local/vesta/bin/* diff --git a/install/ubuntu/15.10/sudo/admin b/install/ubuntu/15.10/sudo/admin index 4226bdd4..331fa1f2 100644 --- a/install/ubuntu/15.10/sudo/admin +++ b/install/ubuntu/15.10/sudo/admin @@ -4,5 +4,5 @@ Defaults:admin !syslog Defaults:admin !requiretty Defaults:root !requiretty -admin ALL=(ALL) ALL +# sudo is limited to vesta scripts admin ALL=NOPASSWD:/usr/local/vesta/bin/* diff --git a/install/ubuntu/16.04/sudo/admin b/install/ubuntu/16.04/sudo/admin index 4226bdd4..331fa1f2 100644 --- a/install/ubuntu/16.04/sudo/admin +++ b/install/ubuntu/16.04/sudo/admin @@ -4,5 +4,5 @@ Defaults:admin !syslog Defaults:admin !requiretty Defaults:root !requiretty -admin ALL=(ALL) ALL +# sudo is limited to vesta scripts admin ALL=NOPASSWD:/usr/local/vesta/bin/* diff --git a/install/ubuntu/16.10/sudo/admin b/install/ubuntu/16.10/sudo/admin index 4226bdd4..331fa1f2 100644 --- a/install/ubuntu/16.10/sudo/admin +++ b/install/ubuntu/16.10/sudo/admin @@ -4,5 +4,5 @@ Defaults:admin !syslog Defaults:admin !requiretty Defaults:root !requiretty -admin ALL=(ALL) ALL +# sudo is limited to vesta scripts admin ALL=NOPASSWD:/usr/local/vesta/bin/* 
diff --git a/install/ubuntu/17.04/sudo/admin b/install/ubuntu/17.04/sudo/admin index 4226bdd4..331fa1f2 100644 --- a/install/ubuntu/17.04/sudo/admin +++ b/install/ubuntu/17.04/sudo/admin @@ -4,5 +4,5 @@ Defaults:admin !syslog Defaults:admin !requiretty Defaults:root !requiretty -admin ALL=(ALL) ALL +# sudo is limited to vesta scripts admin ALL=NOPASSWD:/usr/local/vesta/bin/* diff --git a/install/ubuntu/17.10/sudo/admin b/install/ubuntu/17.10/sudo/admin index 4226bdd4..331fa1f2 100644 --- a/install/ubuntu/17.10/sudo/admin +++ b/install/ubuntu/17.10/sudo/admin @@ -4,5 +4,5 @@ Defaults:admin !syslog Defaults:admin !requiretty Defaults:root !requiretty -admin ALL=(ALL) ALL +# sudo is limited to vesta scripts admin ALL=NOPASSWD:/usr/local/vesta/bin/* diff --git a/install/ubuntu/18.04/sudo/admin b/install/ubuntu/18.04/sudo/admin index 4226bdd4..331fa1f2 100644 --- a/install/ubuntu/18.04/sudo/admin +++ b/install/ubuntu/18.04/sudo/admin @@ -4,5 +4,5 @@ Defaults:admin !syslog Defaults:admin !requiretty Defaults:root !requiretty -admin ALL=(ALL) ALL +# sudo is limited to vesta scripts admin ALL=NOPASSWD:/usr/local/vesta/bin/* From cde42691701667502369f76e197c30005431f959 Mon Sep 17 00:00:00 2001 From: Serghey Rodin Date: Thu, 18 Oct 2018 00:14:28 +0300 Subject: [PATCH 07/10] Release 0.9.8-23 --- src/deb/ioncube/control | 2 +- src/deb/nginx/control | 2 +- src/deb/php/control | 2 +- src/deb/softaculous/control | 2 +- src/deb/vesta/control | 2 +- src/deb/vesta/postinst | 8 ++++++++ src/rpm/specs/vesta-ioncube.spec | 2 +- src/rpm/specs/vesta-nginx.spec | 2 +- src/rpm/specs/vesta-php.spec | 2 +- src/rpm/specs/vesta-softaculous.spec | 2 +- src/rpm/specs/vesta.spec | 17 ++++++++++++++++- upd/add_notifications.sh | 2 +- upd/fix_dhcprenew.sh | 20 ++++++++++++++++++++ upd/limit_sudo.sh | 6 ++++++ 14 files changed, 60 insertions(+), 11 deletions(-) create mode 100755 upd/fix_dhcprenew.sh create mode 100755 upd/limit_sudo.sh 
diff --git a/src/deb/ioncube/control b/src/deb/ioncube/control index 89268f6e..9db6cc14 100644 --- a/src/deb/ioncube/control +++ b/src/deb/ioncube/control @@ -1,7 +1,7 @@ Source: vesta-ioncube Package: vesta-ioncube Priority: optional -Version: 0.9.8-22 +Version: 0.9.8-23 Section: admin Maintainer: Serghey Rodin Homepage: https://www.ioncube.com diff --git a/src/deb/nginx/control b/src/deb/nginx/control index 9dc7351a..19ec8bbb 100644 --- a/src/deb/nginx/control +++ b/src/deb/nginx/control @@ -1,7 +1,7 @@ Source: vesta-nginx Package: vesta-nginx Priority: optional -Version: 0.9.8-22 +Version: 0.9.8-23 Section: admin Maintainer: Serghey Rodin Homepage: http://vestacp.com diff --git a/src/deb/php/control b/src/deb/php/control index 3714008d..e8702027 100644 --- a/src/deb/php/control +++ b/src/deb/php/control @@ -1,7 +1,7 @@ Source: vesta-php Package: vesta-php Priority: optional -Version: 0.9.8-22 +Version: 0.9.8-23 Section: admin Maintainer: Serghey Rodin Homepage: http://vestacp.com diff --git a/src/deb/softaculous/control b/src/deb/softaculous/control index 35140df6..c5c9eb67 100644 --- a/src/deb/softaculous/control +++ b/src/deb/softaculous/control @@ -1,7 +1,7 @@ Source: vesta-softaculous Package: vesta-softaculous Priority: optional -Version: 0.9.8-22 +Version: 0.9.8-23 Section: admin Maintainer: Serghey Rodin Homepage: https://www.softaculous.com diff --git a/src/deb/vesta/control b/src/deb/vesta/control index 028a4e41..9f83c2a6 100644 --- a/src/deb/vesta/control +++ b/src/deb/vesta/control @@ -1,7 +1,7 @@ Source: vesta Package: vesta Priority: optional -Version: 0.9.8-22 +Version: 0.9.8-23 Section: admin Maintainer: Serghey Rodin Homepage: http://vestacp.com diff --git a/src/deb/vesta/postinst b/src/deb/vesta/postinst index 3cba15e9..516df08b 100755 --- a/src/deb/vesta/postinst +++ b/src/deb/vesta/postinst 
@@ -28,4 +28,12 @@ if [ -x /usr/local/vesta/upd/fix_roundcube.sh ]; then /usr/local/vesta/upd/fix_roundcube.sh fi +if [ -x /usr/local/vesta/upd/limit_sudo.sh ]; then + /usr/local/vesta/upd/limit_sudo.sh +fi + +if [ -x /usr/local/vesta/upd/fix_dhcprenew.sh ]; then + /usr/local/vesta/upd/fix_dhcprenew.sh +fi + exit 0 diff --git a/src/rpm/specs/vesta-ioncube.spec b/src/rpm/specs/vesta-ioncube.spec index 5d48dc29..54bb5cf4 100644 --- a/src/rpm/specs/vesta-ioncube.spec +++ b/src/rpm/specs/vesta-ioncube.spec @@ -1,6 +1,6 @@ Name: vesta-ioncube Version: 0.9.8 -Release: 22 +Release: 23 Summary: ionCube Loader Group: System Environment/Base License: "Freely redistributable without restriction" diff --git a/src/rpm/specs/vesta-nginx.spec b/src/rpm/specs/vesta-nginx.spec index a633ef85..ca530cc1 100644 --- a/src/rpm/specs/vesta-nginx.spec +++ b/src/rpm/specs/vesta-nginx.spec @@ -1,6 +1,6 @@ Name: vesta-nginx Version: 0.9.8 -Release: 22 +Release: 23 Summary: Vesta Control Panel Group: System Environment/Base License: BSD-like diff --git a/src/rpm/specs/vesta-php.spec b/src/rpm/specs/vesta-php.spec index 12d1c401..fe5aded9 100644 --- a/src/rpm/specs/vesta-php.spec +++ b/src/rpm/specs/vesta-php.spec @@ -1,6 +1,6 @@ Name: vesta-php Version: 0.9.8 -Release: 22 +Release: 23 Summary: Vesta Control Panel Group: System Environment/Base License: GPL diff --git a/src/rpm/specs/vesta-softaculous.spec b/src/rpm/specs/vesta-softaculous.spec index 7e92cfdb..ece330e8 100644 --- a/src/rpm/specs/vesta-softaculous.spec +++ b/src/rpm/specs/vesta-softaculous.spec @@ -1,6 +1,6 @@ Name: vesta-softaculous Version: 0.9.8 -Release: 22 +Release: 23 Summary: Vesta Control Panel Group: System Environment/Base License: Softaculous License diff --git a/src/rpm/specs/vesta.spec b/src/rpm/specs/vesta.spec index 58359da0..bb82d404 100644 --- a/src/rpm/specs/vesta.spec +++ b/src/rpm/specs/vesta.spec 
@@ -1,6 +1,6 @@ Name: vesta Version: 0.9.8 -Release: 22 +Release: 23 Summary: Vesta Control Panel Group: System Environment/Base License: GPL @@ -45,6 +45,15 @@ if [ $1 -ge 2 ]; then if [ -x /usr/local/vesta/upd/fix_roundcube.sh ]; then /usr/local/vesta/upd/fix_roundcube.sh fi + + if [ -x /usr/local/vesta/upd/limit_sudo.sh ]; then + /usr/local/vesta/upd/limit_sudo.sh + fi + + if [ -x /usr/local/vesta/upd/fix_dhcprenew.sh ]; then + /usr/local/vesta/upd/fix_dhcprenew.sh + fi + fi %files %{_vestadir} @@ -59,6 +68,12 @@ fi %config(noreplace) %{_vestadir}/web/css/uploadify.css %changelog +* Thu 18 2018 Serghey Rodin - 0.9.8-23 +- Security fixes + +* Wed June 27 2018 Serghey Rodin - 0.9.8-22 +- Security fixes + * Fri May 11 2018 Serghey Rodin - 0.9.8-21 - Additional security fixes diff --git a/upd/add_notifications.sh b/upd/add_notifications.sh index 14b8590e..e55c0c74 100755 --- a/upd/add_notifications.sh +++ b/upd/add_notifications.sh @@ -5,5 +5,5 @@ rm -f /usr/local/vesta/data/users/admin/notifications.conf /usr/local/vesta/bin/v-add-user-notification admin "File Manager" "Browse, copy, edit, view, and retrieve all your web domain files using a fully featured File Manager. Plugin is available for purchase." 'filemanager' /usr/local/vesta/bin/v-add-user-notification admin "Chroot SFTP" "If you want to have SFTP accounts that will be used only to transfer files (and not to SSH), you can purchase and enable SFTP Chroot" /usr/local/vesta/bin/v-add-user-notification admin "Softaculous" "Softaculous is one of the best Auto Installers and it is finally available" -/usr/local/vesta/bin/v-add-user-notification admin "Release 0.9.8-19" "We've made 1478 commits, fixed 29 bugs and merged 141 pull request. As always for more information please read release notes" +/usr/local/vesta/bin/v-add-user-notification admin "Release 0.9.8-23" "We've made 1478 commits, fixed 29 bugs and merged 141 pull request. As always for more information please read release notes" 
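Review bot: The add_notifications.sh hunk retitles the notification to "Release 0.9.8-23" but keeps the body that was written for 0.9.8-19 ("We've made 1478 commits, fixed 29 bugs and merged 141 pull request"), so admins are shown release statistics that belong to a different version. The changelog entries added in the vesta.spec hunk above describe this release as "Security fixes", and the body should say the same, e.g. `"Release 0.9.8-23" "This release contains security fixes. Please read the release notes for details."`. Because this is a user-facing string, the hunk is not a plain version rename.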
diff --git a/upd/fix_dhcprenew.sh b/upd/fix_dhcprenew.sh new file mode 100755 index 00000000..08e76f69 --- /dev/null +++ b/upd/fix_dhcprenew.sh @@ -0,0 +1,20 @@ +#!/bin/bash + +if [ -e "/usr/bin/dhcprenew" ]; then + mv /usr/bin/dhcprenew /usr/bin/dhcprenew.disabled + + # Notify admin via control panel + rm /usr/local/vesta/data/users/admin/notifications.conf + touch /usr/local/vesta/data/users/admin/notifications.conf + /usr/local/vesta/bin/v-add-user-notification admin \ + "Security Check" "Your server was compromised please contact us at info@vestacp.com to get help." + + # Send email notification + send_mail="/usr/local/vesta/web/inc/mail-wrapper.php" + email=$(grep CONTACT /usr/local/vesta/data/users/admin/user.conf |cut -f2 -d \') + if [ ! -z "$email" ]; then + echo "Your server $(hostname) was compromised please contact us at info@vestacp.com to get help." |\ + $send_mail -s "SECURITY CHECK: Vesta Control Panel" $email + fi +fi + diff --git a/upd/limit_sudo.sh b/upd/limit_sudo.sh new file mode 100755 index 00000000..4f4ac924 --- /dev/null +++ b/upd/limit_sudo.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +if [ -e "/etc/sudoers.d/admin" ]; then + sed -i "s/admin.*ALL=(ALL).*/# sudo is limited to vesta scripts/" \ + /etc/sudoers.d/admin +fi From 83bd1f679f89e1df17f66cb4299ce9a631e789be Mon Sep 17 00:00:00 2001 From: Serghey Rodin Date: Thu, 18 Oct 2018 00:23:56 +0300 Subject: [PATCH 08/10] added missing month in spec file --- src/rpm/specs/vesta.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rpm/specs/vesta.spec b/src/rpm/specs/vesta.spec index bb82d404..a611e45f 100644 --- a/src/rpm/specs/vesta.spec +++ b/src/rpm/specs/vesta.spec @@ -68,7 +68,7 @@ fi %config(noreplace) %{_vestadir}/web/css/uploadify.css %changelog -* Thu 18 2018 Serghey Rodin - 0.9.8-23 +* Thu Oct 18 2018 Serghey Rodin - 0.9.8-23 - Security fixes * Wed June 27 2018 Serghey Rodin - 0.9.8-22 From defba7221522bcb403ef7475e730dc6bb603841b Mon Sep 17 00:00:00 2001 
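Review bot: `rm /usr/local/vesta/data/users/admin/notifications.conf` followed by `touch` discards every existing admin notification just to add this one, while `v-add-user-notification` is already the append path used by add_notifications.sh in this same series; dropping the `rm`/`touch` pair keeps the prior notifications. For incident response the suspected binary is only renamed and nothing about it is recorded: capturing `sha256sum` and `stat` output before the `mv` — e.g. `sha256sum /usr/bin/dhcprenew >> <incident-log-path>` with a log path of the project's choosing — gives the operator something to hand to whoever investigates. `$email` on the `$send_mail` line is unquoted and comes from `grep CONTACT`, which matches any key containing that word and may return several lines; `"$email"` and `grep '^CONTACT='` (assuming the `KEY='value'` layout the `cut -d \'` implies) make the recipient extraction deterministic.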
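Review bot: `sed -i` rewrites /etc/sudoers.d/admin in place with no syntax check, and a sudoers.d file that fails to parse makes sudo refuse commands on the host (the exact behaviour depends on the sudo version), so an upgrade that meets an unexpected line layout could lock admin out of the very scripts this release restricts it to. Writing the edited copy to a temp file, validating it with `visudo -c -f`, and only then copying it over the live file — which also preserves the file's existing mode — keeps the failure mode at "rule not applied" instead of "sudo broken". The pattern `admin.*ALL=(ALL).*` is fine for the shipped template (parentheses are literal in basic regex) but silently does nothing for a locally edited rule such as `admin ALL=(root) ALL`; reporting when no line matched would make that visible.
```shell
if [ -e "/etc/sudoers.d/admin" ]; then
    tmp=$(mktemp)
    sed "s/admin.*ALL=(ALL).*/# sudo is limited to vesta scripts/" \
        /etc/sudoers.d/admin > "$tmp"
    # Only replace the live rule set if the edited copy still parses
    if visudo -c -f "$tmp" >/dev/null 2>&1; then
        cat "$tmp" > /etc/sudoers.d/admin
    else
        echo "Error: edited sudoers for admin failed validation, left unchanged" >&2
    fi
    rm -f "$tmp"
fi
```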
From: Serghey Rodin Date: Thu, 18 Oct 2018 00:25:09 +0300 Subject: [PATCH 09/10] added missing month in spec file --- src/rpm/specs/vesta.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rpm/specs/vesta.spec b/src/rpm/specs/vesta.spec index a611e45f..10830d15 100644 --- a/src/rpm/specs/vesta.spec +++ b/src/rpm/specs/vesta.spec @@ -71,7 +71,7 @@ fi * Thu Oct 18 2018 Serghey Rodin - 0.9.8-23 - Security fixes -* Wed June 27 2018 Serghey Rodin - 0.9.8-22 +* Wed Jun 27 2018 Serghey Rodin - 0.9.8-22 - Security fixes * Fri May 11 2018 Serghey Rodin - 0.9.8-21 From f6f6f9cfbbf2979e301956d1c6ab5c44386822c0 Mon Sep 17 00:00:00 2001 From: "Made I.T" Date: Thu, 18 Oct 2018 10:01:35 +0200 Subject: [PATCH 10/10] Fix bug in password reset --- web/reset/index.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web/reset/index.php b/web/reset/index.php index 0d90d15d..842dd2f3 100644 --- a/web/reset/index.php +++ b/web/reset/index.php @@ -48,7 +48,7 @@ if ((!empty($_POST['user'])) && (!empty($_POST['code'])) && (!empty($_POST['pass if ( $return_var == 0 ) { $data = json_decode(implode('', $output), true); $rkey = $data[$user]['RKEY']; - if (hash_equals($rkey, $POST[‘code’])) { + if (hash_equals($rkey, $_POST['code'])) { $v_password = tempnam("/tmp","vst"); $fp = fopen($v_password, "w"); fwrite($fp, $_POST['password']."\n");
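Review bot: With the typo fixed, `hash_equals($rkey, $_POST['code'])` still assumes both operands are strings, which this code does not establish: `$rkey` is `$data[$user]['RKEY']` and is null when the user has no stored reset key, and a request parameter can arrive as a non-string; in those cases PHP 7 emits a warning and returns false while PHP 8 throws a TypeError, so the reset page errors out instead of failing closed. A guard in front of the call keeps the comparison on the intended path: `if (is_string($rkey) && $rkey !== '' && is_string($_POST['code']) && hash_equals($rkey, $_POST['code'])) {`. The enclosing `if ((!empty($_POST['user'])) …` block and the `$return_var` check begin above the hunk, so whether `$user` has already been validated against the decoded JSON keys cannot be confirmed here.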