Go Back   HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > ISPConfig 2 > General
Reload this Page issue with no admin user allocated
Register FAQ Members List Social Groups Calendar Search Today's Posts Mark Forums Read

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Reply
 
Thread Tools Display Modes
  #1  
Old 12th September 2006, 07:28
djtremors djtremors is offline
Senior Member
  
Join Date: Apr 2006
Location: Sydney
Posts: 278
Thanks: 0
Thanked 12 Times in 10 Posts
Default issue with no admin user allocated
Hey all,

Just noticed an issue where I have a user as an admin and files on their home path is 644 but I noticed that when I remove the admin rights to the ispc system for that site, all files belong to "apache" user now.

This opens the server up for writing now and any content can be changed if there is a vulnerable page whereas as the user they can't modify the files with the 644 permissions.

PHP Code:
drwxrwxr-x   2 apache web7 4096 Jul 21 10:32 cgi-bin
drwxr-xr-x   3 apache web7 4096 Sep  5 09:58 log
drwxrwxrwx   2 apache web7 4096 Sep 12 12:13 phptmp
drwxr-xr-x   2 apache web7 4096 Jul 21 10:32 ssl
drwxr-xr-x  11 apache web7 4096 Sep  8 21:24 user
drwxrwxr-x  17 apache web7 4096 Sep 12 15:25 web 
anyone notice this?
Reply With Quote
Sponsored Links
  #2  
Old 12th September 2006, 17:12
falko falko is offline
Super Moderator
  
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,685
Thanks: 1,899
Thanked 2,599 Times in 2,448 Posts
Default
Quote:
Originally Posted by djtremors
Hey all,

Just noticed an issue where I have a user as an admin and files on their home path is 644 but I noticed that when I remove the admin rights to the ispc system for that site, all files belong to "apache" user now.
That's the expected behaviour because we need some user to allocate the pages to if there's no site admin, and we chose the Apache user for it. Of course, you should have a site admin, and you shouldn't give shell access to your users, and use PHP Safe Mode if possible.
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
Reply With Quote
  #3  
Old 13th September 2006, 00:18
djtremors djtremors is offline
Senior Member
  
Join Date: Apr 2006
Location: Sydney
Posts: 278
Thanks: 0
Thanked 12 Times in 10 Posts
Default
So you think making it the apache user is the best idea? Why not root or some huge number ie. 87726876534 so that no one can write to any of the files?

Where can I change this as it's a security issue for me?
Reply With Quote
  #4  
Old 13th September 2006, 09:03
till till is offline
Super Moderator
  
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 32,066
Thanks: 697
Thanked 4,248 Times in 3,260 Posts
Default
This is all setup in the file /root/ispconfig/scripts/lib/config.lib.php.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #5  
Old 13th September 2006, 09:04
till till is offline
Super Moderator
  
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 32,066
Thanks: 697
Thanked 4,248 Times in 3,260 Posts
Default
Quote:
Originally Posted by djtremors
So you think making it the apache user is the best idea? Why not root or some huge number ie. 87726876534 so that no one can write to any of the files?
It is not an issue if you either use SuPHP, SueEXEC or use Safemode in PHP which is always recommended.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #6  
Old 13th September 2006, 11:28
djtremors djtremors is offline
Senior Member
  
Join Date: Apr 2006
Location: Sydney
Posts: 278
Thanks: 0
Thanked 12 Times in 10 Posts
Default
I can't get suphp or suexec working right now and it doesn't seem like a right reason to turn it on anyway. php safemode only tells apache to force executing scripts to work only with the same uid which it's still apache and writable too. Not only that it breaks CMS sites like Joomla and

I'll modify the config.lib.php file.
Reply With Quote
  #7  
Old 13th September 2006, 20:03
till till is offline
Super Moderator
  
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 32,066
Thanks: 697
Thanked 4,248 Times in 3,260 Posts
Default
ISPConfig enables open basedir restrictions in PHP if you enable the php safemode checkbox, so noone will be able to read other directories as long as there are no security vulnerabilities in PHP
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
Reply

Bookmarks

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Hybrid Mode Hybrid Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Statistic not working mzo Installation/Configuration 49 20th April 2011 12:19
Cannot receive emails : DSN: User Unknown shiidii Installation/Configuration 24 22nd September 2006 18:05
Virtual Users And Domains With Postfix, Courier... USER Web admin? Maquiavelo HOWTO-Related Questions 4 10th June 2006 21:12
Users and websites aren't created Glorfindel Installation/Configuration 9 23rd February 2006 04:20
Virtual Users And Domains With Postfix, Courier And MySQL (+ SMTP-AUTH, Quota, SpamAs pontifex HOWTO-Related Questions 2 26th October 2005 17:54


All times are GMT +2. The time now is 09:12.

Contact Us - HowtoForge - Linux Howtos and Tutorials - Archive - Top

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2013, vBulletin Solutions, Inc.