5th July 2006, 05:39
snowfly
SECURITY issue with Virtual hosting with Proftpd & Mysql

Hi all,

I'm also running a server with virtual hosting, based on the tutorial using proftpd and mysql: http://www.howtoforge.com/proftpd_mysql_virtual_hosting

I got it all running fine, multiple users, and all are kept securely jailed in their home directories when they connect in via ftp. So they can only upload/download/view files in their home dir.

However I came across a big security issue.
As all the files/dirs that are created by these virtual ftp users are owned by the system user:
User: ftpuser
Group: ftpgroup
Then any user can create a small PHP script, which can traverse the directories of other users and read their files!!

Here's an example, 2 virtual users have these homedirs:
In /home:
Code:
drwxr-sr-x   3 ftpuser ftpgroup 4096 Jun 27 12:46 user1
drwxr-sr-x   3 ftpuser ftpgroup 4096 Jul  1 19:28 user2
So user1 has all their files in /home/user1/
and user2 in /home/user2

And as you can see both are owned by the ftpuser.ftpgroup.

If user1 was to write a small php script, called test.php, in /home/user1/test.php, like this:
PHP Code:
<?php
// Relative path out of /home/user1 into /home, where the other homes live
$dir = "../";
if ($handle = opendir($dir)) {
    while (false !== ($file = readdir($handle))) {
        if ($file != "." && $file != "..") {
            echo "$file<br>";
        }
    }
    closedir($handle);
}
?>

It would result in these dirs being displayed:
user1
user2

And if they changed $dir to be: "../user2/", they could view all files under user2's directory.

Basically because everything is owned by the same system user/group.

How can I get around this, as it's pretty insecure, especially if one of my users happens to be a PHP developer, and decides to write some code to see what they can do on the system...

Thanks, Mike.

Last edited by snowfly; 5th July 2006 at 07:05.
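An added audit script, not from the post or the HowtoForge tutorial, that reports the condition Mike describes: more than one home directory under a root owned by the same system account. It assumes a POSIX shell with ls, sort and awk, and the demo builds a constructed throwaway tree rather than touching /home.

```shell
#!/bin/sh
# Added example: audit a virtual-hosting tree for the shared-owner condition
# described in the post. When several home directories under one root are
# owned by the same system account (e.g. ftpuser:ftpgroup), any script that
# runs as that account can read across all of them, whatever per-user jail
# the FTP daemon enforces at login.

# shared_owner_dirs ROOT
# Prints one line per account that owns more than one home directory:
#   <owner>: <dir> <dir> ...
# Prints nothing when every home directory has its own owner.
# (Directory names containing whitespace are not handled.)
shared_owner_dirs() {
    root=$1
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        # Third field of `ls -ld` is the owning user (portable across ls variants).
        owner=$(ls -ld "$d" | awk '{ print $3 }')
        printf '%s %s\n' "$owner" "$d"
    done | sort | awk '
        { count[$1]++; dirs[$1] = dirs[$1] " " $2 }
        END { for (o in count) if (count[o] > 1) print o ":" dirs[o] }'
}

# demo: builds a constructed tree in a temp dir. Because the demo runs as one
# account, every home it creates shares an owner, reproducing the situation
# from the post (/home/user1 and /home/user2 both owned by ftpuser).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/user1" "$tmp/user2"
    echo "--- homes under $tmp sharing one owner ---"
    shared_owner_dirs "$tmp"
    rm -rf "$tmp"
}

demo
```

Run it against the real tree with `shared_owner_dirs /home`; an empty result means no two homes share an owner.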