HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)
-   HOWTO-Related Questions (http://www.howtoforge.com/forums/forumdisplay.php?f=2)
-   -   SECRUTIY issue with Virtual hosting with Proftpd & Mysql (http://www.howtoforge.com/forums/showthread.php?t=5349)

snowfly 5th July 2006 04:39

SECURITY issue with Virtual hosting with Proftpd & Mysql
 
Hi all,

I'm also running a server with virtual hosting, based on the tutorial using proftpd and mysql: http://www.howtoforge.com/proftpd_mysql_virtual_hosting

I got it all running fine, multiple uses, and all are kept securely jailed in their home directories when the ftp connect in. So they can only upload/download/view files in their home dir.

However I came across a big security issue.
As all the files/dirs that created by these virtual ftp users are owned by the system user:
User: ftpuser
Group: ftpgroup
Then any user can create a small PHP script, which can traverse the directories of other users and read their files!!

Here's an example, 2 virtual users have these homedirs:
In /home:
Code:

drwxr-sr-x  3 ftpuser ftpgroup 4096 Jun 27 12:46 user1
drwxr-sr-x  3 ftpuser ftpgroup 4096 Jul  1 19:28 user2

So user1 has all their files in /home/user1/
and user2 in /home/user2

And as you can see both are owned by the ftpuser.ftpgroup.

If user1 was to write a small php script, called test.php, in /home/user1/test.php, like this:
PHP Code:

$dir "../"
if ($handle opendir($dir)) {
   while (
false !== ($file readdir($handle))) {
       if (
$file != "." && $file != "..") {
           echo 
"$file<br>";
       }
   }
   
closedir($handle);


It would result in these dirs being displayed:
user1
user2

And if the changed $dir to be: "../user2/", they could view all files under user2's directory.

Basically cause everything is owned by the same system user/group.

How can I get around this, as its pretty insecure, especially if one of my users happens to be a PHP developer, and decides to write some code to see what the can do on the system...

Thanks, Mike.

falko 6th July 2006 11:45

Quote:

Originally Posted by snowfly
How can I get around this, as its pretty insecure, especially if one of my users happens to be a PHP developer, and decides to write some code to see what the can do on the system...

Thanks, Mike.

Enable PHP Safe Mode for your web sites.

snowfly 7th July 2006 04:16

Quote:

Originally Posted by falko
Enable PHP Safe Mode for your web sites.

Ok thanks, I will try that this weekend.
I presume that I follow: http://nz.php.net/manual/en/features.safe-mode.php
And foreach virtual host, set things like 'safe_mode_include_dir ' and 'safe_mode_exec_dir ', and 'open_basedir'

falko 8th July 2006 11:49

Quote:

Originally Posted by snowfly
Ok thanks, I will try that this weekend.
I presume that I follow: http://nz.php.net/manual/en/features.safe-mode.php
And foreach virtual host, set things like 'safe_mode_include_dir ' and 'safe_mode_exec_dir ', and 'open_basedir'

Yes. Something like this should work:

Code:

php_admin_flag safe_mode On
php_admin_value open_basedir /var/www/web1/
php_admin_value file_uploads 1
php_admin_value upload_tmp_dir /var/www/web1/phptmp/
php_admin_value session.save_path /var/www/web1/phptmp/

Of course, you must adjust the paths.

snowfly 9th July 2006 04:50

Quote:

Originally Posted by falko
Yes. Something like this should work:

Code:

php_admin_flag safe_mode On
php_admin_value open_basedir /var/www/web1/
php_admin_value file_uploads 1
php_admin_value upload_tmp_dir /var/www/web1/phptmp/
php_admin_value session.save_path /var/www/web1/phptmp/

Of course, you must adjust the paths.

Excellent, thanks :)
That worked well.

Glad to have that security flaw fixed up, now I can rest easy knowing users my servers can't read/view anything they aren't allowed to! :)


All times are GMT +2. The time now is 19:57.

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.