Unique Shell ID & Group Friendly Websites

#1
24th August 2011, 00:28
nveid (Member)

I want to submit this to the subversion repo..

I find this very useful, I mostly have these set under the advanced menu that only admins can do but basically what it accomplishes is

a) Establishes a Unique ID for Shell Users separate from the main website

b) Establishes a Group friendly policy on the website. (so a shell user added in the group of the website can also edit files on the website.)

The configuration is very simple, I have a checkbox in the options section under the Websites for Group Friendly and a Checkbox for Unique ID under options for shell users. Using this configuration you can also control regular shell users in the ISPConfig that are not directly tied to the website.

Check with Till/Falko to make sure this is an okay mod to add, I want to refine it a little more before I commit or give a patch. But my end goal is simply better Shell User/Webdomain management, possibly even just attaching some shell users to the client itself.
__________________
-- RLB

#2
29th August 2011, 10:37
till (Super Moderator)

Where is the benefit of this solution compared with the current setup? Currently the shell users of the website can edit the website files, as all shell users share the same userid. If the users have a different userid, you will have to set up separate home directories for the users and separate jailkit jails etc., this will prevent the users from accessing the website files as they will not be able to leave their jail.

For security reasons, the goal was that group write permissions are not required for a website. If we change that, a website that has mod_php enabled can be used to hack all other websites or if there is a hack e.g. in phpmyadmin, the hacker can take over all websites then.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.

Last edited by till; 29th August 2011 at 11:00.
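
Added example, not part of the thread or of ISPConfig's code: a Python audit of the exposure till describes in post #2, listing the paths in a web root that an account can modify through the group-write bit. The account name `www-data` and the web root path in the final comment are assumptions, and the sample tree is constructed.

```python
import os
import pwd
import stat


def gids_for(username):
    """All group IDs (primary and supplementary) of a local account."""
    primary = pwd.getpwnam(username).pw_gid
    return set(os.getgrouplist(username, primary))


def group_write_exposure(web_root, account_gids):
    """Paths under web_root whose group-write bit is set for a group
    that is in account_gids."""
    exposed = []
    for dirpath, _dirs, files in os.walk(web_root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits grant nothing
            if st.st_mode & stat.S_IWGRP and st.st_gid in account_gids:
                exposed.append(path)
    return sorted(exposed)


if __name__ == "__main__":
    import tempfile
    # Constructed sample tree standing in for a web root.
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o750)
        page = os.path.join(root, "index.php")
        conf = os.path.join(root, "config.php")
        for path, mode in ((page, 0o664), (conf, 0o640)):
            open(path, "w").close()
            os.chmod(path, mode)
        site_gid = os.stat(page).st_gid
        # Only index.php is reported: it is group-writable for site_gid.
        print(group_write_exposure(root, {site_gid}))
    # On a real host (account name and path are assumptions):
    #   group_write_exposure("/path/to/web/root", gids_for("www-data"))
```

A group-writable directory is listed as well, since write access to it allows creating and replacing entries inside it.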

#3
29th August 2011, 12:07
nveid (Member)

Well for my setup in particular, I need the control panel to manage shell accounts as well to include shell services. And one particular account may have multiple shell users attached to it, and they have their own stash of files in their own home directory and not allow the other shell users access to their files. My server setup in particular, and I'm sure there may be others, offers more than just web-hosting accounts. And the shell user accounts are not jailed so they have access to the development tools that are on the server.

I understand that offering non-jailed shell users is a security risk in some environments. Though the more I think about this, the more I'm thinking I should move my system to an ACL permission scheme for my setup. In doing that, perhaps have a multi-select box on the web-domain part specifying in the domain that also have write access to the website on the user level.

I'd like to incorporate my setup into the actual ISPConfig setup so I won't have to constantly take my patch in and out as versions increase. Perhaps offer it on a special server configuration security level?
__________________
-- RLB

#4
29th August 2011, 12:19
till (Super Moderator)

As you offer shell user hosting, then this makes sense indeed. I haven't thought about that option.

Quote:
Perhaps offer it on a special server configuration security level?
That might be a good place to implement it. Basically we could do a setting on a per website basis as well as you suggested in the first post, this would be more flexible on one side but on the other side, it would be more likely that a user changes this setting for an existing web and I guess it would be a real mess if we have a website with e.g. 10 jailed shell users where someone switches this setting and we have to find a way to migrate the security system then. Maybe it is even necessary to block this setting after a web is created, what do you think?
__________________
Till Brehm

#6
29th August 2011, 12:31
nveid (Member)

Quote:
Maybe it is even necessary to block this setting after a web is created, what do you think?
That is the current setup I have, it is an option settable under the "advanced" limits menu that only admin can set. I don't want customers on their own deciding to allow this behavior.
__________________
-- RLB

#7
29th August 2011, 12:38
till (Super Moderator)

Ok, then feel free to upload the changes to svn. I think what we should add is a check that throws an error message when an administrator tries to change this setting when there is already a shell user for this website. And in case that jails won't work anymore with that setting, we might have to add a warning or make it impossible to select that setting if jailkit is selected for that client in the client settings.
__________________
Till Brehm