From 19f123b0c4789e83a1aca61d134715368918628c Mon Sep 17 00:00:00 2001 From: D9ping Date: Tue, 21 Aug 2018 23:43:50 +0200 Subject: [PATCH 1/5] WIP: Php default configuration hardening. Signed-off-by: D9ping --- installers/common.sh | 58 +++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 57 insertions(+), 1 deletion(-) diff --git a/installers/common.sh b/installers/common.sh index 0de8cf49..c5dcd4b4 100755 --- a/installers/common.sh +++ b/installers/common.sh @@ -28,6 +28,11 @@ function install_error() { exit 1 } +# Outputs a RaspAP Warning line +function install_warning() { + echo -e "\033[1;33mWarning: $*\033[m" +} + # Outputs a welcome message function display_welcome() { raspberry='\033[0;35m' @@ -263,13 +268,63 @@ function patch_system_files() { fi } + +# Change configuration of php cgi. +function configure_php() { + phpcgiconf="" + if [ "$php_package" = "php7.0-cgi" ]; then + phpcgiconf="/etc/php/7.0/cgi/php.ini" + elif [ "$php_package" = "php5-cgi" ]; then + phpcgiconf="/etc/php/cgi/php.ini" + fi + + if [ -f "$phpcgiconf" ]; then + # Set the httpOnly flag on session cookies. + # So they cannot be read by javascript, if cookie flag supported by useragent. + sudo sed -i 's/^session.cookie_httponly\s*=\s*([O|o]ff|0)\s*$/session.cookie_httponly = 1/' "$phpcgiconf" + # Enable PHP Zend Opcache if off. + sudo sed -i 's/;opcache.enable\s*=\s*([O|o]ff|0)\s*$/opcache.enable=1/' "$phpcgiconf" + # Turn off unused assert function for unit test support. + #sudo sed -i 's/;assert.active\s*=\s*([O|o]n|1)\s*$/assert.active = 0/' "$phpcgiconf" + # Turn off file upload support if on. + #sudo sed -i 's/file_uploads\s*=\s*([O|o]n|1)\s*$/file_uploads = 0/' "$phpcgiconf" + # Use sha1 instead of md5 for sessionid. + sudo sed -i 's/^session.hash_function\s*=\s*0\s*$/session.hash_function = 1/' "$phpcgiconf" + # Disable the X-Powered-By header and magic logo uri(if enabled php5). + sudo sed -i 's/^expose_php\s*=\s*([O|o]n|1)\s*$/expose_php = 0/' "$phpcgiconf" + else + install_warning "Php configuration could not be found." + fi + + # Make sure opcache extension is turned on. + if [ -f "/usr/sbin/phpenmod" ]; then + sudo phpenmod opcache + else + install_warning "phpenmod not installed." + fi + + # Disable unused php extensions to safe memory use and for hardening. + if [ -f "/usr/sbin/phpdismod" ]; then + sudo phpdismod phar + sudo phpdismod ftp + sudo phpdismod sockets + sudo phpdismod shmop + sudo phpdismod sysvmsg + sudo phpdismod sysvsem + sudo phpdismod sysvshm + sudo phpdismod tokenizer + else + install_warning "phpdismmod not installed or not in path." + fi +} + function install_complete() { install_log "Installation completed!" echo -n "The system needs to be rebooted as a final step. Reboot now? [y/N]: " read answer if [[ $answer != "y" ]]; then - echo "Installation aborted." + echo "Reboot aborted." exit 0 fi sudo shutdown -r now || install_error "Unable to execute shutdown" @@ -289,5 +344,6 @@ function install_raspap() { move_config_file default_configuration patch_system_files + configure_php install_complete } From 8355c1cbfe03794150368243e76f635eea9f2578 Mon Sep 17 00:00:00 2001 From: D9ping Date: Thu, 23 Aug 2018 00:44:12 +0200 Subject: [PATCH 2/5] Use sed regular expressions to deal with changing php configuration. Don't try turn on not existing Zend Opcache under php 5<= Turn on session.use_strict_mode if off. Don't change decreated expose_php. Signed-off-by: D9ping --- installers/common.sh | 41 +++++++++++++++++++++-------------------- 1 file changed, 21 insertions(+), 20 deletions(-) diff --git a/installers/common.sh b/installers/common.sh index c5dcd4b4..32e58b03 100755 --- a/installers/common.sh +++ b/installers/common.sh @@ -269,7 +269,7 @@ function patch_system_files() { } -# Change configuration of php cgi. +# Change configuration of php-cgi. function configure_php() { phpcgiconf="" if [ "$php_package" = "php7.0-cgi" ]; then @@ -281,27 +281,25 @@ function configure_php() { if [ -f "$phpcgiconf" ]; then # Set the httpOnly flag on session cookies. # So they cannot be read by javascript, if cookie flag supported by useragent. - sudo sed -i 's/^session.cookie_httponly\s*=\s*([O|o]ff|0)\s*$/session.cookie_httponly = 1/' "$phpcgiconf" - # Enable PHP Zend Opcache if off. - sudo sed -i 's/;opcache.enable\s*=\s*([O|o]ff|0)\s*$/opcache.enable=1/' "$phpcgiconf" - # Turn off unused assert function for unit test support. - #sudo sed -i 's/;assert.active\s*=\s*([O|o]n|1)\s*$/assert.active = 0/' "$phpcgiconf" + sudo sed -i -E 's/^session\.cookie_httponly\s*=\s*(0|([O|o]ff)|([F|f]alse)|([N|n]o))\s*$/session.cookie_httponly = 1/' "$phpcgiconf" + # Don't accept uninitialized session ID's. + sudo sed -i -E 's/^session\.use_strict_mode\s*=\s*(0|([O|o]ff)|([F|f]alse)|([N|n]o))\s*$/session.use_strict_mode = 1/' "$phpcgiconf" # Turn off file upload support if on. - #sudo sed -i 's/file_uploads\s*=\s*([O|o]n|1)\s*$/file_uploads = 0/' "$phpcgiconf" - # Use sha1 instead of md5 for sessionid. - sudo sed -i 's/^session.hash_function\s*=\s*0\s*$/session.hash_function = 1/' "$phpcgiconf" - # Disable the X-Powered-By header and magic logo uri(if enabled php5). - sudo sed -i 's/^expose_php\s*=\s*([O|o]n|1)\s*$/expose_php = 0/' "$phpcgiconf" + sudo sed -i -E 's/^file_uploads\s*=\s*(1|([O|o]n)|([T|t]rue)|([Y|y]es))\s*$/file_uploads = 0/' "$phpcgiconf" + if [ "$php_package" = "php7.0-cgi" ]; then + # Enable PHP Zend Opcache. + sudo sed -i -E 's/^;?opcache\.enable\s*=\s*(0|([O|o]ff)|([F|f]alse)|([N|n]o))\s*$/opcache.enable = 1/' "$phpcgiconf" + # Make sure opcache extension is turned on. + if [ -f "/usr/sbin/phpenmod" ]; then + sudo phpenmod opcache + else + install_warning "phpenmod not found." + fi + fi else - install_warning "Php configuration could not be found." + install_warning "PHP configuration could not be found." fi - # Make sure opcache extension is turned on. - if [ -f "/usr/sbin/phpenmod" ]; then - sudo phpenmod opcache - else - install_warning "phpenmod not installed." - fi # Disable unused php extensions to safe memory use and for hardening. if [ -f "/usr/sbin/phpdismod" ]; then @@ -314,8 +312,11 @@ function configure_php() { sudo phpdismod sysvshm sudo phpdismod tokenizer else - install_warning "phpdismmod not installed or not in path." + install_warning "phpdismmod not found." fi + + # Apply new php configuration. + sudo service lighttpd reload } function install_complete() { @@ -324,7 +325,7 @@ function install_complete() { echo -n "The system needs to be rebooted as a final step. Reboot now? [y/N]: " read answer if [[ $answer != "y" ]]; then - echo "Reboot aborted." + echo "Installation reboot aborted." exit 0 fi sudo shutdown -r now || install_error "Unable to execute shutdown" From aa96780c0be6319d51de35b18320a38384018c2f Mon Sep 17 00:00:00 2001 From: D9ping Date: Fri, 24 Aug 2018 10:22:59 +0200 Subject: [PATCH 3/5] Backup php configuration before changing it. Removed support for disabling php extensions. Signed-off-by: D9ping --- installers/common.sh | 27 ++++++--------------------- 1 file changed, 6 insertions(+), 21 deletions(-) diff --git a/installers/common.sh b/installers/common.sh index 32e58b03..71a18c8c 100755 --- a/installers/common.sh +++ b/installers/common.sh @@ -270,7 +270,8 @@ function patch_system_files() { # Change configuration of php-cgi. -function configure_php() { +function reconfigure_php() { + install_log "Reconfiguring php" phpcgiconf="" if [ "$php_package" = "php7.0-cgi" ]; then phpcgiconf="/etc/php/7.0/cgi/php.ini" @@ -279,13 +280,12 @@ function configure_php() { fi if [ -f "$phpcgiconf" ]; then - # Set the httpOnly flag on session cookies. - # So they cannot be read by javascript, if cookie flag supported by useragent. + # Backup php configuration. + sudo cp "$phpcgiconf" "$phpcgiconf.`date +%F-%R`" + # Turn on the httpOnly flag if off. sudo sed -i -E 's/^session\.cookie_httponly\s*=\s*(0|([O|o]ff)|([F|f]alse)|([N|n]o))\s*$/session.cookie_httponly = 1/' "$phpcgiconf" # Don't accept uninitialized session ID's. sudo sed -i -E 's/^session\.use_strict_mode\s*=\s*(0|([O|o]ff)|([F|f]alse)|([N|n]o))\s*$/session.use_strict_mode = 1/' "$phpcgiconf" - # Turn off file upload support if on. - sudo sed -i -E 's/^file_uploads\s*=\s*(1|([O|o]n)|([T|t]rue)|([Y|y]es))\s*$/file_uploads = 0/' "$phpcgiconf" if [ "$php_package" = "php7.0-cgi" ]; then # Enable PHP Zend Opcache. sudo sed -i -E 's/^;?opcache\.enable\s*=\s*(0|([O|o]ff)|([F|f]alse)|([N|n]o))\s*$/opcache.enable = 1/' "$phpcgiconf" @@ -300,21 +300,6 @@ function configure_php() { install_warning "PHP configuration could not be found." fi - - # Disable unused php extensions to safe memory use and for hardening. - if [ -f "/usr/sbin/phpdismod" ]; then - sudo phpdismod phar - sudo phpdismod ftp - sudo phpdismod sockets - sudo phpdismod shmop - sudo phpdismod sysvmsg - sudo phpdismod sysvsem - sudo phpdismod sysvshm - sudo phpdismod tokenizer - else - install_warning "phpdismmod not found." - fi - # Apply new php configuration. sudo service lighttpd reload } @@ -345,6 +330,6 @@ function install_raspap() { move_config_file default_configuration patch_system_files - configure_php + reconfigure_php install_complete } From e428271ef2376e86a0fc96a8bc0277d078c55e4c Mon Sep 17 00:00:00 2001 From: D9ping Date: Mon, 27 Aug 2018 23:10:56 +0200 Subject: [PATCH 4/5] Fix for #225, (Credits to DrStacheWH) Removed duplicated create_logging_scripts function. Signed-off-by: D9ping --- installers/common.sh | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/installers/common.sh b/installers/common.sh index 71a18c8c..2fd86378 100755 --- a/installers/common.sh +++ b/installers/common.sh @@ -113,14 +113,12 @@ function create_logging_scripts() { sudo mkdir $raspap_dir/hostapd || install_error "Unable to create directory '$raspap_dir/hostapd'" # Move existing shell scripts - sudo mv $webroot_dir/installers/*log.sh $raspap_dir/hostapd || install_error "Unable to move logging scripts" + sudo mv "$webroot_dir/installers/"*log.sh "$raspap_dir/hostapd" || install_error "Unable to move logging scripts" + # Make enablelog.sh and disablelog.sh not writable by www-data group. + sudo chown -c root:"$raspap_user" "$raspap_dir/hostapd/"*log.sh || install_error "Unable change owner and/or group." + sudo chmod 750 "$raspap_dir/hostapd/"*log.sh || install_error "Unable to change file permissions." } -# Generate logging enable/disable files for hostapd -function create_logging_scripts() { - sudo mkdir /etc/raspap/hostapd - sudo mv /var/www/html/installers/*log.sh /etc/raspap/hostapd -} # Fetches latest files from github to webroot function download_latest_files() { From 03f2620e483e92e75660768953bbe7b4e33d9c11 Mon Sep 17 00:00:00 2001 From: D9ping Date: Fri, 31 Aug 2018 23:38:30 +0200 Subject: [PATCH 5/5] Backup php.ini to $raspap_dir/backups folder. Ask for before changing php configuration of httpOnly and opcache. Do not change session.use_strict_mode, no extra question. Ask to restore backup of php.ini from $raspap_dir/backups folder in uninstall.sh. Signed-off-by: D9ping --- installers/common.sh | 44 +++++++++++++++++++++++++---------------- installers/uninstall.sh | 35 +++++++++++++++++++++++++------- 2 files changed, 55 insertions(+), 24 deletions(-) diff --git a/installers/common.sh b/installers/common.sh index 2fd86378..872961a2 100755 --- a/installers/common.sh +++ b/installers/common.sh @@ -15,7 +15,14 @@ else version_msg="Raspian earlier than 8.0 (Wheezy)" webroot_dir="/var/www" php_package="php5-cgi" -fi +fi + +phpcgiconf="" +if [ "$php_package" = "php7.0-cgi" ]; then + phpcgiconf="/etc/php/7.0/cgi/php.ini" +elif [ "$php_package" = "php5-cgi" ]; then + phpcgiconf="/etc/php5/cgi/php.ini" +fi # Outputs a RaspAP Install log line function install_log() { @@ -269,23 +276,28 @@ function patch_system_files() { # Change configuration of php-cgi. function reconfigure_php() { - install_log "Reconfiguring php" - phpcgiconf="" - if [ "$php_package" = "php7.0-cgi" ]; then - phpcgiconf="/etc/php/7.0/cgi/php.ini" - elif [ "$php_package" = "php5-cgi" ]; then - phpcgiconf="/etc/php/cgi/php.ini" + if [ ! -f "$phpcgiconf" ]; then + install_warning "PHP configuration could not be found." + return fi - if [ -f "$phpcgiconf" ]; then - # Backup php configuration. - sudo cp "$phpcgiconf" "$phpcgiconf.`date +%F-%R`" - # Turn on the httpOnly flag if off. + # Backup php.ini and create symlink for restoring. + datetimephpconf=$(date +%F-%R) + sudo cp "$phpcgiconf" "$raspap_dir/backups/php.ini.$datetimephpconf" + sudo ln -sf "$raspap_dir/backups/php.ini.$datetimephpconf" "$raspap_dir/backups/php.ini" + + echo -n "Turn on httpOnly flag for session cookies(recommended)? [Y/n]: " + read answer + if [ "$answer" != 'n' ] && [ "$answer" != 'N' ]; then + install_log "Php-cgi enabling session.cookie_httponly." sudo sed -i -E 's/^session\.cookie_httponly\s*=\s*(0|([O|o]ff)|([F|f]alse)|([N|n]o))\s*$/session.cookie_httponly = 1/' "$phpcgiconf" - # Don't accept uninitialized session ID's. - sudo sed -i -E 's/^session\.use_strict_mode\s*=\s*(0|([O|o]ff)|([F|f]alse)|([N|n]o))\s*$/session.use_strict_mode = 1/' "$phpcgiconf" - if [ "$php_package" = "php7.0-cgi" ]; then - # Enable PHP Zend Opcache. + fi + + if [ "$php_package" = "php7.0-cgi" ]; then + echo -n "Turn on php opcache? [Y/n]: " + read answer + if [ "$answer" != 'n' ] && [ "$answer" != 'N' ]; then + install_log "Php-cgi enabling opcache.enable." sudo sed -i -E 's/^;?opcache\.enable\s*=\s*(0|([O|o]ff)|([F|f]alse)|([N|n]o))\s*$/opcache.enable = 1/' "$phpcgiconf" # Make sure opcache extension is turned on. if [ -f "/usr/sbin/phpenmod" ]; then @@ -294,8 +306,6 @@ function reconfigure_php() { install_warning "phpenmod not found." fi fi - else - install_warning "PHP configuration could not be found." fi # Apply new php configuration. diff --git a/installers/uninstall.sh b/installers/uninstall.sh index 3854fa04..bcf74c1f 100755 --- a/installers/uninstall.sh +++ b/installers/uninstall.sh @@ -4,14 +4,28 @@ raspap_user="www-data" version=`sed 's/\..*//' /etc/debian_version` # Determine version and set default home location for lighttpd -if [ $version -ge 8 ]; then - version_msg="Raspian version 8.0 or later" - webroot_dir="/var/www/html" -else - version_msg="Raspian version earlier than 8.0" - webroot_dir="/var/www" +webroot_dir="/var/www/html" +if [ $version -eq 9 ]; then + version_msg="Raspian 9.0 (Stretch)" + php_package="php7.0-cgi" +elif [ $version -eq 8 ]; then + version_msg="Raspian 8.0 (Jessie)" + webroot_dir="/var/www" + php_package="php5-cgi" +else + version_msg="Raspian earlier than 8.0 (Wheezy)" + webroot_dir="/var/www" + php_package="php5-cgi" fi +phpcgiconf="" +if [ "$php_package" = "php7.0-cgi" ]; then + phpcgiconf="/etc/php/7.0/cgi/php.ini" +elif [ "$php_package" = "php5-cgi" ]; then + phpcgiconf="/etc/php5/cgi/php.ini" +fi + + # Outputs a RaspAP Install log line function install_log() { echo -e "\033[1;32mRaspAP Install: $*\033[m" @@ -68,6 +82,13 @@ function check_for_backups() { sudo cp "$raspap_dir/backups/dhcpcd.conf" /etc/dhcpcd.conf fi fi + if [ -f "$raspap_dir/backups/php.ini" ] && [ -f "$phpcgiconf" ]; then + echo -n "Restore the last php.ini file? [y/N]: " + read answer + if [[ $answer -eq 'y' ]]; then + sudo cp "$raspap_dir/backups/php.ini" "$phpcgiconf" + fi + fi if [ -f "$raspap_dir/backups/rc.local" ]; then echo -n "Restore the last rc.local file? [y/N]: " read answer @@ -75,7 +96,7 @@ function check_for_backups() { sudo cp "$raspap_dir/backups/rc.local" /etc/rc.local else echo -n "Remove RaspAP Lines from /etc/rc.local? [Y/n]: " - if $answer -ne 'n' ]]; then + if [[ $answer -ne 'n' ]]; then sed -i '/#RASPAP/d' /etc/rc.local fi fi