Isolate Users (#431)

* WIP to isolate users * Resolved issue with SSH AsUser Updated Isolated User Script to use Server User for Team Access Updated Path creation script to simplify for running as the isolated user * Included the server user * PHPMyAdmin script updated Wordpress Script Updated Updated Execute Script to support executing as isolated users * Issue Resolution & Resolved Failing Unit Tests * Fix for isolated_username vs user * Run the deploy as the isolated user * queue updates for isolated user * Support isolated users in cronjobs * script tests for isolated users * Queue tests for isolated users * Cronjob tests for isolated user * Removed default queue command for laravel apps * add default user to factory * laravel pint fixes * ensure echos are consistent * removed unneeded parameter * update * fix queues for isolated users * revert addslashes --------- Co-authored-by: Saeed Vaziry <mr.saeedvaziry@gmail.com>
2025-07-02 14:36:17 +00:00 · 2025-01-18 00:17:48 +00:00
parent 5947ae80bb
commit c1ae58772c
50 changed files with 717 additions and 69 deletions
--- a/app/SSH/Services/PHP/PHP.php
+++ b/app/SSH/Services/PHP/PHP.php
@ -110,4 +110,32 @@ public function getPHPIni(string $type): string
            sprintf('/etc/php/%s/%s/php.ini', $this->service->version, $type)
        );
    }
+
+    public function createFpmPool(string $user, string $version, $site_id): void
+    {
+        $this->service->server->ssh()->exec(
+            $this->getScript('create-fpm-pool.sh', [
+                'user' => $user,
+                'version' => $version,
+                'config' => $this->getScript('fpm-pool.conf', [
+                    'user' => $user,
+                    'version' => $version,
+                ]),
+            ]),
+            "create-{$version}fpm-pool-{$user}",
+            $site_id
+        );
+    }
+
+    public function removeFpmPool(string $user, string $version, $site_id): void
+    {
+        $this->service->server->ssh()->exec(
+            $this->getScript('remove-fpm-pool.sh', [
+                'user' => $user,
+                'version' => $version,
+            ]),
+            "remove-{$version}fpm-pool-{$user}",
+            $site_id
+        );
+    }
 }
--- a/app/SSH/Services/PHP/scripts/create-fpm-pool.sh
+++ b/app/SSH/Services/PHP/scripts/create-fpm-pool.sh
@ -0,0 +1,2 @@
+echo '__config__' | sudo tee /etc/php/__version__/fpm/pool.d/__user__.conf
+sudo service php__version__-fpm restart
--- a/app/SSH/Services/PHP/scripts/fpm-pool.conf
+++ b/app/SSH/Services/PHP/scripts/fpm-pool.conf
@ -0,0 +1,22 @@
+[__user__]
+user = __user__
+group = __user__
+
+listen = /run/php/php__version__-fpm-__user__.sock
+listen.owner = vito
+listen.group = vito
+listen.mode = 0660
+
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+pm.max_requests = 500
+
+php_admin_value[open_basedir] = /home/__user__/:/tmp/
+php_admin_value[upload_tmp_dir] = /home/__user__/tmp
+php_admin_value[session.save_path] = /home/__user__/tmp
+php_admin_value[display_errors] = off
+php_admin_value[log_errors] = on
+php_admin_value[error_log] = /home/__user__/.logs/php_errors.log
--- a/app/SSH/Services/PHP/scripts/remove-fpm-pool.sh
+++ b/app/SSH/Services/PHP/scripts/remove-fpm-pool.sh
@ -0,0 +1,2 @@
+sudo rm -f /etc/php/__version__/fpm/pool.d/__user__.conf
+sudo service php__version__-fpm restart
--- a/app/SSH/Services/ProcessManager/Supervisor.php
+++ b/app/SSH/Services/ProcessManager/Supervisor.php
@ -53,9 +53,11 @@ public function create(
            ),
            true
        );
-        $this->service->server->ssh($user)->exec(
+        $this->service->server->ssh()->exec(
            $this->getScript('supervisor/create-worker.sh', [
                'id' => $id,
+                'log_file' => $logFile,
+                'user' => $user,
            ]),
            'create-worker',
            $siteId
--- a/app/SSH/Services/ProcessManager/scripts/supervisor/create-worker.sh
+++ b/app/SSH/Services/ProcessManager/scripts/supervisor/create-worker.sh
@ -1,8 +1,14 @@
-mkdir -p ~/.logs
+if ! sudo mkdir -p "$(dirname __log_file__)"; then
+    echo 'VITO_SSH_ERROR' && exit 1
+fi

-mkdir -p ~/.logs/workers
+if ! sudo touch __log_file__; then
+    echo 'VITO_SSH_ERROR' && exit 1
+fi

-touch ~/.logs/workers/__id__.log
+if ! sudo chown __user__:__user__ __log_file__; then
+    echo 'VITO_SSH_ERROR' && exit 1
+fi

 if ! sudo supervisorctl reread; then
    echo 'VITO_SSH_ERROR' && exit 1
--- a/app/SSH/Services/Webserver/Nginx.php
+++ b/app/SSH/Services/Webserver/Nginx.php
@ -52,8 +52,23 @@ public function uninstall(): void
        $this->service->server->os()->cleanup();
    }

+    /**
+     * @throws SSHError
+     */
    public function createVHost(Site $site): void
    {
+        // We need to get the isolated user first, if the site is isolated
+        // otherwise, use the default ssh user
+        $ssh = $this->service->server->ssh($site->user);
+
+        $ssh->exec(
+            $this->getScript('nginx/create-path.sh', [
+                'path' => $site->path,
+            ]),
+            'create-path',
+            $site->id
+        );
+
        $this->service->server->ssh()->exec(
            $this->getScript('nginx/create-vhost.sh', [
                'domain' => $site->domain,
@ -189,10 +204,16 @@ protected function generateVhost(Site $site, bool $noSSL = false): string
            $vhost = Str::replace('__port__', (string) $site->port, $vhost);
        }

+        $php_socket = 'unix:/var/run/php/php-fpm.sock';
+        if ($site->isIsolated()) {
+            $php_socket = "unix:/run/php/php{$site->php_version}-fpm-{$site->user}.sock";
+        }
+
        $vhost = Str::replace('__domain__', $site->domain, $vhost);
        $vhost = Str::replace('__aliases__', $site->getAliasesString(), $vhost);
        $vhost = Str::replace('__path__', $site->path, $vhost);
        $vhost = Str::replace('__web_directory__', $site->web_directory, $vhost);
+        $vhost = Str::replace('__php_socket__', $php_socket, $vhost);

        if ($ssl) {
            $vhost = Str::replace('__certificate__', $ssl->getCertificatePath(), $vhost);
--- a/app/SSH/Services/Webserver/scripts/nginx/create-path.sh
+++ b/app/SSH/Services/Webserver/scripts/nginx/create-path.sh
@ -0,0 +1,16 @@
+export DEBIAN_FRONTEND=noninteractive
+
+if ! rm -rf __path__; then
+    echo 'VITO_SSH_ERROR'
+    exit 1
+fi
+
+if ! mkdir __path__; then
+    echo 'VITO_SSH_ERROR'
+    exit 1
+fi
+
+if ! chmod -R 755 __path__; then
+    echo 'VITO_SSH_ERROR'
+    exit 1
+fi
--- a/app/SSH/Services/Webserver/scripts/nginx/create-vhost.sh
+++ b/app/SSH/Services/Webserver/scripts/nginx/create-vhost.sh
@ -1,15 +1,3 @@
-if ! rm -rf __path__; then
-    echo 'VITO_SSH_ERROR' && exit 1
-fi
-
-if ! mkdir __path__; then
-    echo 'VITO_SSH_ERROR' && exit 1
-fi
-
-if ! sudo chown -R 755 __path__; then
-    echo 'VITO_SSH_ERROR' && exit 1
-fi
-
 if ! echo '' | sudo tee /etc/nginx/conf.d/__domain___redirects; then
    echo 'VITO_SSH_ERROR' && exit 1
 fi
--- a/app/SSH/Services/Webserver/scripts/nginx/php-vhost-ssl.conf
+++ b/app/SSH/Services/Webserver/scripts/nginx/php-vhost-ssl.conf
@ -24,7 +24,7 @@ server {
    error_page 404 /index.php;

    location ~ \.php$ {
-        fastcgi_pass unix:/var/run/php/php__php_version__-fpm.sock;
+        fastcgi_pass __php_socket__;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_hide_header X-Powered-By;
--- a/app/SSH/Services/Webserver/scripts/nginx/php-vhost.conf
+++ b/app/SSH/Services/Webserver/scripts/nginx/php-vhost.conf
@ -20,7 +20,7 @@ server {
    error_page 404 /index.php;

    location ~ \.php$ {
-        fastcgi_pass unix:/var/run/php/php__php_version__-fpm.sock;
+        fastcgi_pass __php_socket__;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_hide_header X-Powered-By;