Improved privilege separation

var/www/cron.php

@@ -27,9 +27,8 @@ while($id=$stmt->fetch(PDO::FETCH_NUM)){
 	$enable_onion->execute([$id[6]]);
 	//add and manage rights of system user
 	exec('useradd -l -p ' . escapeshellarg($id[2]) . ' -g www-data -k /var/www/skel -m -s /usr/sbin/nologin ' . escapeshellarg($system_account));
-	chown("/home/$system_account", 'root');
-	chgrp("/home/$system_account", 'www-data');
-	chmod("/home/$system_account", 0550);
+	exec('/var/www/setup_chroot.sh  ' . escapeshellarg("/home/$system_account"));
+	exec('grep ' . escapeshellarg($system_account) . ' /etc/passwd >> ' . escapeshellarg("/home/$system_account/etc/passwd"));
 	foreach(['.ssh', 'data', 'Maildir', 'tmp'] as $dir){
 		mkdir("/home/$system_account/$dir", 0700);
 		chown("/home/$system_account/$dir", $system_account);
@@ -40,69 +39,6 @@ while($id=$stmt->fetch(PDO::FETCH_NUM)){
 		chown("/home/$system_account/$dir", $system_account);
 		chgrp("/home/$system_account/$dir", 'www-data');
 	}
-
-//configuration for services
-
-if($id[3]>0){
-$php_location="
-		location ~ [^/]\.php(/|\$) {
-			include snippets/fastcgi-php.conf;
-			fastcgi_pass unix:/run/php/$system_account;
-		}
-";
-}else{
-	$php_location='';
-}
-if($id[4]){
-	$autoindex='on';
-}else{
-	$autoindex='off';
-}
-
-$nginx="server {
-	listen [::]:80;
-	listen unix:/var/run/nginx/$system_account;
-	root /home/$system_account/www;
-	server_name $onion.onion *.$onion.onion;
-	access_log /var/log/nginx/access_$system_account.log custom buffer=8k flush=1m;
-	access_log /home/$system_account/logs/access.log custom buffer=8k flush=1m;
-	error_log /var/log/nginx/error_$system_account.log notice;
-	error_log /home/$system_account/logs/error.log notice;
-	disable_symlinks on from=/home/$system_account;
-	autoindex $autoindex;
-	location / {
-		try_files \$uri \$uri/ =404;$php_location
-	}
-}
-";
-
-$php="[$system_account]
-user = $system_account
-group = www-data
-listen = /run/php/$system_account
-listen.owner = www-data
-listen.group = www-data
-listen.mode = 0660
-pm = ondemand
-pm.max_children = 20
-pm.process_idle_timeout = 10s;
-php_admin_value[sendmail_path] = '/usr/bin/php /var/www/sendmail_wrapper.php \"$system_account <$system_account@" . ADDRESS . ">\" | /usr/sbin/sendmail -t -i'
-php_admin_value[memory_limit] = 256M
-php_admin_value[disable_functions] = exec,link,passthru,pcntl_alarm,pcntl_async_signals,pcntl_exec,pcntl_fork,pcntl_get_last_error,pcntl_getpriority,pcntl_setpriority,pcntl_signal,pcntl_signal_dispatch,pcntl_signal_get_handler,pcntl_sigprocmask,pcntl_sigtimedwait,pcntl_sigwaitinfo,pcntl_strerror,pcntl_waitpid,pcntl_wait,pcntl_wexitstatus,pcntl_wifcontinued,pcntl_wifexited,pcntl_wifsignaled,pcntl_wifstopped,pcntl_wstopsig,pcntl_wtermsig,popen,posix_ctermid,posix_getgrgid,posix_getgrnam,posix_getpgid,posix_getpwnam,posix_getpwuid,posix_getrlimit,posix_getsid,posix_kill,posix_setegid,posix_seteuid,posix_setgid,posix_setpgid,posix_setrlimit,posix_setuid,posix_ttyname,posix_uname,proc_open,putenv,shell_exec,socket_listen,socket_create_listen,socket_bind,stream_socket_server,symlink,system
-php_admin_value[open_basedir] = /home/$system_account
-php_admin_value[upload_tmp_dir] = /home/$system_account/tmp
-php_admin_value[soap.wsdl_cache_dir] = /home/$system_account/tmp
-php_admin_value[session.save_path] = /home/$system_account/tmp
-";
-
-	//save configuration files
-	file_put_contents("/etc/nginx/sites-enabled/$system_account", $nginx);
-	foreach(PHP_VERSIONS as $key=>$version){
-		if($id[3]==$key){
-			file_put_contents("/etc/php/$version/fpm/pool.d/$firstchar/$system_account.conf", $php);
-			break;
-		}
-	}
 	//remove from to-add queue
 	$del->execute([$id[5]]);
 }
@@ -151,30 +87,6 @@ $mark_onions=$db->prepare('UPDATE onions SET enabled=-1 WHERE user_id=? AND enab
 foreach($accounts as $account){
 	$firstchar=substr($account[0], 0, 1);
 	$reload[$firstchar]=true;
-	//delete config files
-	foreach(DISABLED_PHP_VERSIONS as $v){
-		// new naming schema
-		if(file_exists("/etc/php/$v/fpm/pool.d/$firstchar/$account[0].conf")){
-			unlink("/etc/php/$v/fpm/pool.d/$firstchar/$account[0].conf");
-		}
-		// old naming schema
-		if(file_exists("/etc/php/$v/fpm/pool.d/$firstchar/".substr($account[0], 0, 16).".conf")){
-			unlink("/etc/php/$v/fpm/pool.d/$firstchar/".substr($account[0], 0, 16).".conf");
-		}
-	}
-	foreach(PHP_VERSIONS as $v){
-		// new naming schema
-		if(file_exists("/etc/php/$v/fpm/pool.d/$firstchar/$account[0].conf")){
-			unlink("/etc/php/$v/fpm/pool.d/$firstchar/$account[0].conf");
-		}
-		// old naming schema
-		if(file_exists("/etc/php/$v/fpm/pool.d/$firstchar/".substr($account[0], 0, 16).".conf")){
-			unlink("/etc/php/$v/fpm/pool.d/$firstchar/".substr($account[0], 0, 16).".conf");
-		}
-	}
-	if(file_exists("/etc/nginx/sites-enabled/$account[0]")){
-		unlink("/etc/nginx/sites-enabled/$account[0]");
-	}
 	$mark_onions->execute([$account[1]]);
 }
 
@@ -194,19 +106,12 @@ foreach($onions as $onion){
 	$del_onions->execute([$onion[0]]);
 }
 
-
-
 //reload services
 if(!empty($reload)){
-	exec('service nginx reload');
-	foreach(DISABLED_PHP_VERSIONS as $version){
-		exec("service php$version-fpm reload");
-	}
+	rewrite_nginx_config($db);
 }
 foreach($reload as $key => $val){
-	foreach(PHP_VERSIONS as $version){
-		exec("service php$version-fpm@$key restart");
-	}
+	rewrite_php_config($db, $key);
 	rewrite_torrc($db, $key);
 }