HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


thorewi 7th March 2013 17:44

security_level of web document_root in 3.0.5
 
Hi,

I want to ask: in ISPConfig 3.0.4, the document_root of a web (folder webXXX) was owned by user:group with security_level = 20, and by root:root with security_level = 10. In ISPConfig 3.0.5, it is always root:root, but I want user:group there, because I need to create folders and files there.

Code in nginx_plugin.inc.php 3.0.4:

$this->_exec('chown '.$username.':'.$groupname.' '.escapeshellcmd($data['new']['document_root'])); (line 628)

Code in nginx_plugin.inc.php 3.0.5:

$app->system->chown($data['new']['document_root'],'root'); (line 728)
$app->system->chgrp($data['new']['document_root'],'root'); (line 729)


Am I missing something here? Thx.

till 7th March 2013 17:57

Quote:

I want to ask: in ISPConfig 3.0.4, the document_root of a web (folder webXXX) was owned by user:group with security_level = 20, and by root:root with security_level = 10. In ISPConfig 3.0.5, it is always root:root, but I want user:group there, because I need to create folders and files there.

The permissions have been changed, so root:root is the correct owner in 3.0.5.1 for security Level 2 as well.

The root folder of the website shall not be used to create any files there. If you want to add custom files and folders not accessible by HTTP, then put them in the private subfolder.

thorewi 7th March 2013 18:10

Hm, sorry, but in 3.0.4 there wasn't any folder like private, so I had to put all my libs, resources and other stuff in the root to avoid them being accessible by HTTP. So now I would have to change all my websites and also all my git repositories, which have the same directory structure as production because of FTP deployment... I would also have to change all constants in all projects with paths to my libs, third-party libs and so on... it's not real.... And the second problem: when I'm doing FTP deployment, the deployment software creates a file in the root with the last commit or file hash or so... we use 2 different deployment tools and both do it this way, so they don't work anymore...

thorewi 7th March 2013 18:17

And I need 3.0.5 because of the php-fpm ondemand feature... Of course I can just overwrite these two lines myself, but it's not a solution :(

till 7th March 2013 18:30

We had to change this for security reasons, there was no option to fix the issue while keeping the old permissions. The web root was not made to store any files there directly. The private folder was introduced in 3.0.5 to offer an alternative storage location for files that shall be kept private.

You can configure in System > Server config that the permissions of existing sites don't get altered on update. But new sites will always get created with the new permission scheme.

thorewi 7th March 2013 18:48

Yes, I understand you, but when you look here:

http://framework.zend.com/manual/1.1...e.project.html

and here:

http://doc.nette.org/en/presenters

(two frameworks we use)

the structure is as I mentioned: one public folder and other folders with libs and app on the same structure level. So it's not our invention... So I don't know what to do now :( And there is also the problem with deployment: mostly we use git-ftp (https://github.com/resmo/git-ftp) and it works as I said, creating a file with the last commit in the FTP root... but at least there is an option to change it.

I understand that security is very important, that's why I use ISPConfig, but I'm afraid many users will be a little upset :)

But thanks for your help.

till 7th March 2013 22:25

Make a feature request in the bugtracker, maybe we can add another option to switch the permissions to the user.

lamar 8th March 2013 16:46

This means that open_basedir can no longer be used for files outside the web folder?
It is really unpleasant.

thorewi:
Do you have any solution for the new security?


All times are GMT +2. The time now is 13:50.
