SECURITY issue with Virtual hosting with Proftpd & Mysql
I'm also running a server with virtual hosting, based on the tutorial using proftpd and mysql: http://www.howtoforge.com/proftpd_mysql_virtual_hosting
I got it all running fine, multiple uses, and all are kept securely jailed in their home directories when the ftp connect in. So they can only upload/download/view files in their home dir.
However I came across a big security issue.
As all the files/dirs that created by these virtual ftp users are owned by the system user:
Then any user can create a small PHP script, which can traverse the directories of other users and read their files!!
Here's an example, 2 virtual users have these homedirs:
and user2 in /home/user2
And as you can see both are owned by the ftpuser.ftpgroup.
If user1 was to write a small php script, called test.php, in /home/user1/test.php, like this:
And if the changed $dir to be: "../user2/", they could view all files under user2's directory.
Basically cause everything is owned by the same system user/group.
How can I get around this, as its pretty insecure, especially if one of my users happens to be a PHP developer, and decides to write some code to see what the can do on the system...
I presume that I follow: http://nz.php.net/manual/en/features.safe-mode.php
And foreach virtual host, set things like 'safe_mode_include_dir ' and 'safe_mode_exec_dir ', and 'open_basedir'
That worked well.
Glad to have that security flaw fixed up, now I can rest easy knowing users my servers can't read/view anything they aren't allowed to! :)
|All times are GMT +2. The time now is 19:57.|
Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.