  #7  
Old 19th September 2006, 07:03
Dave Lane

Right - applied a minor hack to ISPConfig (version 2.2.2) see below for diff - to add the Webserver user (in our case on Ubuntu Dapper Linux it's "www-data") to each web?? customer's default group, and also to create new users in our web directory (in our case /home/www) with permissions 750 rather than the default 755 (which allows users of any customer to look into any other customer's web directories and read email, database passwords, etc. - NOT GOOD).

To apply this fix retroactively, go into your web root directory and run the following (note - DON'T use the -R flag, as that will screw things up big time) - assuming you're using web? or web?? to designate your web customers:
Code:
chmod 750 web?? web?
Following this, restart apache - on Ubuntu Dapper, it's
Code:
 /etc/init.d/apache2 restart
otherwise you might find that some sites fail to display (not sure why this happens, but a restart seems to fix it) with "permission denied" errors in the logs and "could not access .htaccess" or similar.

At this stage, I'm not aware of any problems with this solution - seems to work well - but it might have implications for quota management or other ISPConfig maintenance tasks - not sure.

Here's the diff for /root/ispconfig/scripts/lib/config.lib.php that makes it all happen.

Code:
Index: config.lib.php
===================================================================
--- config.lib.php      (revision 2844)
+++ config.lib.php      (working copy)
@@ -1087,14 +1087,33 @@
   $mod->system->add_user_to_group("web".$doc_id);
   //////////////////// admispconfig der Gruppe hinzuf�gen ENDE //////////////

+  // modified by dave@xxxxxx.com 20060919 to ensure that the web user can read into //
+  // all web client directories, but web clients can't read other web client's directories
+  // Adding Apache2 "www-data" user to each web group by default.
   $apache_user = $this->apache_user;
+  $mod->system->add_user_to_group("web".$doc_id,$apache_user);
+  // end dave@xxxxxx.com 20060919 modification //
+
+
+  $apache_user = $this->apache_user;
   if($update == 0 || $dir_new){
     exec("chown -R $apache_user:web$doc_id $web_path_realname &> /dev/null");
     exec("chown -R $apache_user:web$doc_id $web_path &> /dev/null");
     exec("chmod -R 775 $web_path");
     exec("chmod -R 775 $web_path_realname");
-    exec("chmod 755 $web_path");
-    exec("chmod 755 $web_path_realname");
+    // modified by dave@xxxxxx.com 20060919 to set up permissions: drwxr-x--- //
+    // to keep users from accessing the directories of other web?? customers.
+    // This does not lock out other users of the same web?? customer (who, by default,
+    // belong to the web?? group.
+    // users associated with the //
+    // exec("chmod 755 $web_path");
+    // exec("chmod 755 $web_path_realname");
+    exec("chmod 750 $web_path");
+    // note: not sure why we do this, as the "realname" appears to be a simple symbolic link to the
+    // "web_path" directory, and in Linux filesystems, links simply inherit the permissions of the
+    // thing they're linked to (at least on our system with ext3 filesystems)...
+    exec("chmod 750 $web_path_realname");
+    // end dave@xxxxxx.com 20060919 modification //
     exec("chmod 755 $web_path/user"); // user-Verzeichnis sollte nicht group-writable sein, weil Sendmail sonst warnings ausgeben k�nnte wg. der .forward-Datei
     exec("chmod 755 $web_path/log");
     exec("chmod 755 $web_path/ssl");
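Review bot: the hunk ends up with two identical `$apache_user = $this->apache_user;` assignments, the original one (now sitting after the new `add_user_to_group("web".$doc_id,$apache_user);` call) and a second added one just above `if($update == 0 || $dir_new){`; one of them should go. The added comment block above `exec("chmod 750 $web_path");` has an unclosed parenthesis ("who, by default, belong to the web?? group.") and a dangling fragment `// users associated with the //` that should be finished or deleted before this is applied. Worth stating in that comment as well: `add_user_to_group` only changes the group database, and already-running Apache processes keep the supplementary groups they started with, which is why the restart mentioned in the post is needed for sites to display again. Finally, since `chmod` follows symbolic links, `exec("chmod 750 $web_path_realname");` acts on the link target and is harmless but redundant if `$web_path_realname` really is a symlink to `$web_path`.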
Hope that's helpful to someone. Falko, Till, is there any reason that ISPConfig isn't already configured like this? Perhaps my solution is too simplistic? I would've thought that the default 755 permissions would be very loose for a production virtual hosting environment, no?

Kind regards,

Dave
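As an added example (not part of the post above and not ISPConfig's own code), the following shell script audits a web root for the two things the post changes: customer directories that still grant anything to "other" (i.e. are more permissive than 750), and web groups that do not yet contain the web server user. It assumes ISPConfig 2's `web1`, `web2`, ... naming from the post, GNU `stat` (Linux), and takes the group file path as a parameter so it can be run against a constructed sample rather than the live `/etc/group`.

```shell
#!/bin/sh
# Added example, not from the post or from ISPConfig. Audits a web root for
# customer directories readable by "other" and for web groups missing the
# web server user. Assumes GNU coreutils (stat -c) and the web?? naming scheme.

# Print "<mode> <path>" for every web* directory under $1 whose mode grants
# any permission to "other". Returns 1 if at least one was found, else 0.
audit_web_root() {
    root="$1"
    found=0
    for d in "$root"/web*; do
        [ -d "$d" ] || continue
        mode=$(stat -c '%a' "$d")        # e.g. 755; last digit is the "other" triplet
        other=$(( mode % 10 ))
        if [ "$other" -ne 0 ]; then
            printf '%s %s\n' "$mode" "$d"
            found=1
        fi
    done
    return $found
}

# Number of offending directories under $1 (convenience wrapper).
count_open_dirs() {
    audit_web_root "$1" | wc -l | tr -d ' '
}

# Succeed (exit 0) if user $1 is listed as a member of group $2 in the
# group file $3 (defaults to /etc/group). Primary-group-only membership
# is not considered, matching what add_user_to_group would have written.
user_in_group() {
    user="$1"; group="$2"; groupfile="${3:-/etc/group}"
    awk -F: -v g="$group" -v u="$user" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit ok ? 0 : 1 }' "$groupfile"
}

# Constructed demo: a temporary web root with one locked-down customer (750),
# one still at the old default (755), and a constructed group file in which
# only web1 already contains www-data.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/web1" "$tmp/web2"
    chmod 750 "$tmp/web1"
    chmod 755 "$tmp/web2"
    printf 'web1:x:10001:www-data\nweb2:x:10002:\n' > "$tmp/group"
    audit_web_root "$tmp" || echo "$tmp: directories above are readable by other users"
    for g in web1 web2; do
        if user_in_group www-data "$g" "$tmp/group"; then
            echo "$g: www-data is a member"
        else
            echo "$g: www-data is NOT a member"
        fi
    done
    rm -rf "$tmp"
}

demo
```

Run against a live system with `audit_web_root /home/www` and `user_in_group www-data web7` (no third argument) to see which customers still need the post's `chmod 750` and group change; the last digit of the mode is all that matters here because 750, 2750 and 770 all deny "other" while 755 and 751 do not.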