*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see .
*/
/**
* \file htdocs/admin/system/security.php
* \brief Page to show Security information
*/
require '../../main.inc.php';
require_once DOL_DOCUMENT_ROOT.'/core/lib/memory.lib.php';
require_once DOL_DOCUMENT_ROOT.'/core/lib/date.lib.php';
require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
require_once DOL_DOCUMENT_ROOT.'/core/lib/geturl.lib.php';
require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php';
require_once DOL_DOCUMENT_ROOT.'/core/lib/security2.lib.php';
require_once DOL_DOCUMENT_ROOT.'/core/class/events.class.php';
// Load translation files required by the page
$langs->loadLangs(array("install", "other", "admin"));
if (!$user->admin) {
accessforbidden();
}
if (GETPOST('action', 'aZ09') == 'donothing') {
exit;
}
$execmethod = empty($conf->global->MAIN_EXEC_USE_POPEN) ? 1 : $conf->global->MAIN_EXEC_USE_POPEN;
/*
* View
*/
llxHeader();
print load_fiche_titre($langs->trans("Security"), '', 'title_setup');
print ''.$langs->trans("YouMayFindSecurityAdviceHere", 'hhttps://wiki.dolibarr.org/index.php/Security_information').' ('.$langs->trans("Reload").')
';
print '
';
print load_fiche_titre($langs->trans("PHPSetup"), '', 'folder');
// Get version of PHP
$phpversion = version_php();
print "PHP: ".$langs->trans("Version").": ".$phpversion;
if (function_exists('php_ini_loaded_file')) {
$inipath = php_ini_loaded_file();
print " - INI: ".$inipath;
}
print "
\n";
// Get version of web server
print "
Web server - ".$langs->trans("Version").": ".$_SERVER["SERVER_SOFTWARE"]."
\n";
print ''.$langs->trans("DataRootServer").": ".DOL_DATA_ROOT."
\n";
// Web user group by default
$labeluser = dol_getwebuser('user');
$labelgroup = dol_getwebuser('group');
if ($labeluser && $labelgroup) {
print ''.$langs->trans("WebUserGroup")." (env vars) : ".$labeluser.':'.$labelgroup;
if (function_exists('posix_geteuid') && function_exists('posix_getpwuid')) {
$arrayofinfoofuser = posix_getpwuid(posix_geteuid());
print ' (POSIX '.$arrayofinfoofuser['name'].':'.$arrayofinfoofuser['gecos'].':'.$arrayofinfoofuser['dir'].':'.$arrayofinfoofuser['shell'].')
'."\n";
}
}
// Web user group real (detected by 'id' external command)
if (function_exists('exec')) {
$arrayout = array(); $varout = 0;
exec('id', $arrayout, $varout);
if (empty($varout)) { // Test command is ok. Work only on Linux OS.
print ''.$langs->trans("WebUserGroup")." (real, 'id' command) : ".join(',', $arrayout)."
\n";
}
}
print '
';
print "PHP safe_mode = ".(ini_get('safe_mode') ? ini_get('safe_mode') : yn(0)).' '.$langs->trans("Deprecated")." (removed in PHP 5.4)
\n";
print "PHP open_basedir = ".(ini_get('open_basedir') ? ini_get('open_basedir') : yn(0).' ('.$langs->trans("RecommendedValueIs", $langs->transnoentitiesnoconv("ARestrictedPath").', '.$langs->transnoentitiesnoconv("Example").' '.$_SERVER["DOCUMENT_ROOT"]).')')."
\n";
print "PHP allow_url_fopen = ".(ini_get('allow_url_fopen') ? img_picto($langs->trans("YouShouldSetThisToOff"), 'warning').' '.ini_get('allow_url_fopen') : yn(0)).' ('.$langs->trans("RecommendedValueIs", $langs->transnoentitiesnoconv("No")).")
\n";
print "PHP allow_url_include = ".(ini_get('allow_url_include') ? img_picto($langs->trans("YouShouldSetThisToOff"), 'warning').' '.ini_get('allow_url_include') : yn(0)).' ('.$langs->trans("RecommendedValueIs", $langs->transnoentitiesnoconv("No")).")
\n";
print "PHP disable_functions = ";
$arrayoffunctionsdisabled = explode(',', ini_get('disable_functions'));
$arrayoffunctionstodisable = explode(',', 'pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals');
if ($execmethod == 1) {
$arrayoffunctionstodisable2 = explode(',', 'passthru,shell_exec,system,proc_open,popen');
$functiontokeep = 'exec';
} else {
$arrayoffunctionstodisable2 = explode(',', 'exec,passthru,shell_exec,system,proc_open');
$functiontokeep = 'popen';
}
$i = 0;
foreach ($arrayoffunctionsdisabled as $functionkey) {
if ($i > 0) {
print ', ';
}
print ''.$functionkey.'';
$i++;
}
print "
\n";
$todisabletext = '';
$i = 0;
foreach ($arrayoffunctionstodisable as $functiontodisable) {
if (! in_array($functiontodisable, $arrayoffunctionsdisabled)) {
if ($i > 0) {
$todisabletext .= ', ';
}
$todisabletext .= img_picto($langs->trans("YouShouldSetThisToOff"), 'warning').' '.$functiontodisable.'';
$i++;
}
}
if ($todisabletext) {
print $langs->trans("YouShouldDisablePHPFunctions").': '.$todisabletext;
print '
';
}
$todisabletext = '';
$i = 0;
foreach ($arrayoffunctionstodisable2 as $functiontodisable) {
if (! in_array($functiontodisable, $arrayoffunctionsdisabled)) {
if ($i > 0) {
$todisabletext .= ', ';
}
$todisabletext .= img_picto($langs->trans("YouShouldSetThisToOff"), 'warning').' '.$functiontodisable.'';
$i++;
}
}
if ($todisabletext) {
print $langs->trans("IfCLINotRequiredYouShouldDisablePHPFunctions").': '.$todisabletext;
print '
';
}
print $langs->trans("PHPFunctionsRequiredForCLI").': ';
if (in_array($functiontokeep, $arrayoffunctionsdisabled)) {
print img_picto($langs->trans("PHPFunctionsRequiredForCLI"), 'warning');
}
print ''.$functiontokeep.'';
print '
';
print '
';
// XDebug
print ''.$langs->trans("XDebug").': ';
$test = !function_exists('xdebug_is_enabled');
if ($test) {
print img_picto('', 'tick.png').' '.$langs->trans("NotInstalled").' - '.$langs->trans("NotRiskOfLeakWithThis");
} else {
print img_picto('', 'warning').' '.$langs->trans("ModuleActivatedMayExposeInformation", $langs->transnoentities("XDebug"));
print ' - '.$langs->trans("MoreInformation").' XDebug admin page';
}
print '
';
// OS Permissions
print '
';
print '
';
print '
';
print load_fiche_titre($langs->trans("OSSetup").' - '.$langs->trans("PermissionsOnFiles"), '', 'folder');
print ''.$langs->trans("PermissionsOnFilesInWebRoot").': ';
$arrayoffilesinroot = dol_dir_list(DOL_DOCUMENT_ROOT, 'all', 1, '', array('\/custom'), 'name', SORT_ASC, 4, 1, '', 1);
$fileswithwritepermission = array();
foreach ($arrayoffilesinroot as $fileinroot) {
// Test if there is at least one write permission file. If yes, add the entry into array $fileswithwritepermission
if (isset($fileinroot['perm']) && ($fileinroot['perm'] & 0222)) {
$fileswithwritepermission[] = $fileinroot['relativename'];
}
}
if (empty($fileswithwritepermission)) {
print img_picto('', 'tick').' '.$langs->trans("NoWritableFilesFoundIntoRootDir");
} else {
print img_warning().' '.$langs->trans("SomeFilesOrDirInRootAreWritable");
print '
'.$langs->trans("Example").': ';
$i = 0;
foreach ($fileswithwritepermission as $filewithwritepermission) {
if ($i > 0) {
print ', ';
}
print ''.$filewithwritepermission.'';
if ($i > 20) {
print ' ...';
break;
}
$i++;
}
}
print '
';
print ''.$langs->trans("PermissionsOnFile", $conffile).': '; // $conffile is defined into filefunc.inc.php
$perms = fileperms($dolibarr_main_document_root.'/'.$conffile);
if ($perms) {
if (($perms & 0x0004) || ($perms & 0x0002)) {
print img_warning().' '.$langs->trans("ConfFileIsReadableOrWritableByAnyUsers");
// Web user group by default
$labeluser = dol_getwebuser('user');
$labelgroup = dol_getwebuser('group');
print ' '.$langs->trans("User").': '.$labeluser.':'.$labelgroup;
if (function_exists('posix_geteuid') && function_exists('posix_getpwuid')) {
$arrayofinfoofuser = posix_getpwuid(posix_geteuid());
print ' (POSIX '.$arrayofinfoofuser['name'].':'.$arrayofinfoofuser['gecos'].':'.$arrayofinfoofuser['dir'].':'.$arrayofinfoofuser['shell'].')';
}
} else {
print img_picto('', 'tick');
}
} else {
print img_warning().' '.$langs->trans("FailedToReadFile", $conffile);
}
print '
';
// File conf.php
print '
';
print '
';
print '
';
print load_fiche_titre($langs->trans("ConfigurationFile").' ('.$conffile.')', '', 'folder');
print '$dolibarr_main_prod: '.$dolibarr_main_prod;
if (empty($dolibarr_main_prod)) {
print ' '.img_picto('', 'warning').' '.$langs->trans("IfYouAreOnAProductionSetThis", 1);
}
print '
';
print '$dolibarr_nocsrfcheck: '.$dolibarr_nocsrfcheck;
if (!empty($dolibarr_nocsrfcheck)) {
print ' '.img_picto('', 'warning').' '.$langs->trans("IfYouAreOnAProductionSetThis", 0);
}
print '
';
print '$dolibarr_main_restrict_ip: ';
if (empty($dolibarr_main_restrict_ip)) {
print ''.$langs->trans("None").'';
//print ' ('.$langs->trans("RecommendedValueIs", $langs->transnoentitiesnoconv("IPsOfUsers")).')';
}
print '
';
// Menu security
print '
';
print '
';
print '
';
print load_fiche_titre($langs->trans("Menu").' '.$langs->trans("SecuritySetup").' + '.$langs->trans("OtherSetup"), '', 'folder');
//print ''.$langs->trans("PasswordEncryption").': ';
print 'MAIN_SECURITY_HASH_ALGO = '.(empty($conf->global->MAIN_SECURITY_HASH_ALGO) ? ''.$langs->trans("Undefined").'' : $conf->global->MAIN_SECURITY_HASH_ALGO)." ";
if (empty($conf->global->MAIN_SECURITY_HASH_ALGO)) {
print ' If unset: \'md5\'';
}
if ($conf->global->MAIN_SECURITY_HASH_ALGO != 'password_hash') {
print '
MAIN_SECURITY_SALT = '.(empty($conf->global->MAIN_SECURITY_SALT) ? ''.$langs->trans("Undefined").'' : $conf->global->MAIN_SECURITY_SALT).'
';
} else {
print '('.$langs->trans("Recommanded").': password_hash)';
print '
';
}
if ($conf->global->MAIN_SECURITY_HASH_ALGO != 'password_hash') {
print 'The recommanded value for MAIN_SECURITY_HASH_ALGO is now \'password_hash\' but setting it now will make ALL existing passwords of all users not valid, so update is not possible.
';
print 'If you really want to switch, you must:
';
print '- Go on home - setup - other and add constant MAIN_SECURITY_HASH_ALGO to value \'password_hash\'
';
print '- In same session, WITHOUT LOGGING OUT, go into your admin user record and set a new password
';
print '- You can now logout and login with this new password. You must now reset password of all other users.
';
print '
';
}
print '
';
print 'MAIN_SECURITY_ANTI_SSRF_SERVER_IP = '.(empty($conf->global->MAIN_SECURITY_ANTI_SSRF_SERVER_IP) ? ''.$langs->trans("Undefined").'' : $conf->global->MAIN_SECURITY_ANTI_SSRF_SERVER_IP)."
";
print '
';
print 'MAIN_ALLOW_SVG_FILES_AS_IMAGES = '.(empty($conf->global->MAIN_ALLOW_SVG_FILES_AS_IMAGES) ? '0 ('.$langs->trans("Recommanded").': 0)' : $conf->global->MAIN_ALLOW_SVG_FILES_AS_IMAGES)."
";
print '
';
print 'MAIN_EXEC_USE_POPEN = ';
if (empty($conf->global->MAIN_EXEC_USE_POPEN)) {
print ''.$langs->trans("Undefined").'';
} else {
print $conf->global->MAIN_EXEC_USE_POPEN;
}
if ($execmethod == 1) {
print ' ("exec" PHP method will be used for shell commands)';
}
if ($execmethod == 2) {
print ' ("popen" PHP method will be used for shell commands)';
}
print "
";
print '
';
print ''.$langs->trans("AntivirusEnabledOnUpload").': ';
print empty($conf->global->MAIN_ANTIVIRUS_COMMAND) ? '' : img_picto('', 'tick').' ';
print yn(empty($conf->global->MAIN_ANTIVIRUS_COMMAND) ? 0 : 1);
if (!empty($conf->global->MAIN_ANTIVIRUS_COMMAND)) {
print ' - '.$conf->global->MAIN_ANTIVIRUS_COMMAND;
if (defined('MAIN_ANTIVIRUS_COMMAND')) {
print ' - '.$langs->trans("ValueIsForcedBySystem").'';
}
}
print '
';
print '
';
$securityevent = new Events($db);
$eventstolog = $securityevent->eventstolog;
print ''.$langs->trans("AuditedSecurityEvents").': ';
if (!empty($eventstolog) && is_array($eventstolog)) {
// Loop on each event type
$i = 0;
foreach ($eventstolog as $key => $arr) {
if ($arr['id']) {
$key = 'MAIN_LOGEVENTS_'.$arr['id'];
$value = empty($conf->global->$key) ? '' : $conf->global->$key;
if ($value) {
if ($i > 0) {
print ', ';
}
print ''.$key.'';
$i++;
}
}
}
print '
';
} else {
print img_warning().' '.$langs->trans("NoSecurityEventsAreAduited", $langs->transnoentities("Home").' - '.$langs->transnoentities("Setup").' - '.$langs->transnoentities("Audit")).'
';
}
// Modules/Applications
print '
';
print '
';
print '
';
print load_fiche_titre($langs->trans("Modules"), '', 'folder');
// Module log
print ''.$langs->trans("Syslog").': ';
$test = empty($conf->syslog->enabled);
if ($test) {
print img_picto('', 'tick.png').' '.$langs->trans("NotInstalled").' - '.$langs->trans("NotRiskOfLeakWithThis");
} else {
if ($conf->global->SYSLOG_LEVEL > LOG_NOTICE) {
print img_picto('', 'warning').' '.$langs->trans("ModuleActivatedWithTooHighLogLevel", $langs->transnoentities("Syslog"));
} else {
print img_picto('', 'tick.png').' '.$langs->trans("ModuleSyslogActivatedButLevelNotTooVerbose", $langs->transnoentities("Syslog"), $conf->global->SYSLOG_LEVEL);
}
//print ' '.$langs->trans("MoreInformation").' XDebug admin page';
}
print '
';
// Module debugbar
print ''.$langs->trans("DebugBar").': ';
$test = empty($conf->debugbar->enabled);
if ($test) {
print img_picto('', 'tick.png').' '.$langs->trans("NotInstalled").' - '.$langs->trans("NotRiskOfLeakWithThis");
} else {
print img_picto('', 'error').' '.$langs->trans("ModuleActivatedDoNotUseInProduction", $langs->transnoentities("DebugBar"));
//print ' '.$langs->trans("MoreInformation").' XDebug admin page';
}
print '
';
// APIs
print '
';
print '
';
print '
';
print load_fiche_titre($langs->trans("API"), '', 'folder');
if (empty($conf->api->enabled) && empty($conf->webservices->enabled)) {
print $langs->trans("APIsAreNotEnabled");
} else {
if (!empty($conf->webservices->enabled)) {
print $langs->trans('YouEnableDeprecatedWSAPIsUseRESTAPIsInstead')."
\n";
print '
';
}
if (!empty($conf->api->enabled)) {
print 'API_ENDPOINT_RULES = '.(empty($conf->global->API_ENDPOINT_RULES) ? ''.$langs->trans("Undefined").'' : $conf->global->API_ENDPOINT_RULES)."
\n";
print '
';
}
}
print '
';
// End of page
llxFooter();
$db->close();