21st October 2009, 20:53
xerc
suexec allows deleting files whose owner is root

Hi folks,

I used the Lenny Perfect Server Tutorial to install my server.
ISPConfig 3.0.1.5

I use php fastcgi in all sites. My problem was that php was not allowed to write to files in the docroot, even if owner and group are correct (webXX and clientXX); rights of all directories and files were 755. Then I tried 775, and suddenly php was allowed to write in the docroot.

"That's not so pretty" I thought, so I looked around and found suexec.
I didn't find a switch in ISPConfig to enable suexec, so I added it manually to my vhost for testing:

<VirtualHost *:80>
SuexecUserGroup web13 client4

Now php could write in the docroot with 755. "Nice" I thought. Until I tested it in depth:

First problem:
-r--r--r-- 1 root root 54 2009-10-21 18:11 test.php

test.php can be executed, even if owner is root.

Second Problem:
test.php can delete files owned by root, even if I set owner of test.php to web13 and group to client4.

test.php:
<?php
unlink("deleteme");
?>
-r--r--r-- 1 web13 client4 54 2009-10-21 18:11 test.php
-r--r--r-- 1 root root 0 2009-10-21 19:44 deleteme

Deleting is always possible.

Why is this possible? I thought suexec would prevent something like this.

Third problem:
-rwsr-xr-- 1 root www-data 14K 2009-07-14 22:47 /usr/lib/apache2/suexec

In http://httpd.apache.org/docs/2.0/suexec.html I read that suexec has to be owned by apache, but here it is owned by root. If I change the owner to www-data, apache won't start (no suexec wrapper found).

EDIT:
When I do "su web13" I stay root, but I get no error.
/var/log/sulog says:
SU 10/22 11:21 + pts/1 root-web13

Last edited by xerc; 22nd October 2009 at 12:37.
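
The rule behind the second observation, as an added example that is not part of the original post: on POSIX systems unlink() is authorized by write and search permission on the containing directory (plus the sticky-bit rule), never by the owner or mode of the file being removed. The numeric ids and the docroot ownership below are constructed assumptions standing in for web13/client4.

```python
import stat
from collections import namedtuple

# Minimal stand-in for the os.stat() fields the check needs.
Meta = namedtuple("Meta", "mode uid gid")

def class_bits(meta, uid, gids):
    """Return the rwx triplet (0-7) that applies to this caller: owner, group or other."""
    if uid == meta.uid:
        return (meta.mode >> 6) & 7
    if meta.gid in gids:
        return (meta.mode >> 3) & 7
    return meta.mode & 7

def can_unlink(uid, gids, directory, target):
    """Discretionary-permission rule for unlink(): decided by the parent directory.

    The target's own mode is never consulted; its owner only matters when the
    directory has the sticky bit set. ACLs, capabilities and immutable
    attributes are out of scope for this sketch.
    """
    if uid == 0:
        return True  # root bypasses discretionary permission checks
    bits = class_bits(directory, uid, gids)
    if bits & 3 != 3:  # need write (2) and search/execute (1) on the directory
        return False
    if directory.mode & stat.S_ISVTX:  # sticky: only file owner or directory owner
        return uid in (target.uid, directory.uid)
    return True

# Constructed sample data: numeric ids are assumptions, not values from the post.
WEB13, CLIENT4, WWW_DATA = 5013, 5004, 33
docroot_755 = Meta(0o040755, WEB13, CLIENT4)  # docroot owned by the site user
deleteme = Meta(0o100444, 0, 0)               # -r--r--r-- root root, as in the listing

def scenarios():
    root_dir = Meta(0o040755, 0, 0)
    sticky_dir = Meta(0o041777, 0, 0)
    return {
        "suexec user, own docroot 755": can_unlink(WEB13, {CLIENT4}, docroot_755, deleteme),
        "www-data, docroot 755": can_unlink(WWW_DATA, {WWW_DATA}, docroot_755, deleteme),
        "suexec user, root-owned dir 755": can_unlink(WEB13, {CLIENT4}, root_dir, deleteme),
        "suexec user, root-owned sticky 1777": can_unlink(WEB13, {CLIENT4}, sticky_dir, deleteme),
    }

if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name}: {'unlink allowed' if allowed else 'unlink denied'}")
```

A file that the site user must not be able to remove therefore has to sit in a directory that user cannot write to; making the file itself read-only or root-owned does not protect it.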
All times are GMT +2.

