  #1  
7th March 2013, 16:44
thorewi
security_level of web document_root in 3.0.5

Hi,

I want to ask: in ISPConfig 3.0.4, the document_root of a web (folder webXXX) was owned by user:group with security_level = 20, and by root:root with security_level = 10. In ISPConfig 3.0.5 it is always root:root, but I want user:group there, because I need to create folders and files there.

Code in nginx_plugin.inc.php 3.0.4:

$this->_exec('chown '.$username.':'.$groupname.' '.escapeshellcmd($data['new']['document_root'])); (line 628)

Code in nginx_plugin.inc.php 3.0.5:

$app->system->chown($data['new']['document_root'],'root'); (line 728)
$app->system->chgrp($data['new']['document_root'],'root'); (line 729)


Am I missing something here? Thx.
  #2  
7th March 2013, 16:57
till

Quote:
I want to ask: in ISPConfig 3.0.4, the document_root of a web (folder webXXX) was owned by user:group with security_level = 20, and by root:root with security_level = 10. In ISPConfig 3.0.5 it is always root:root, but I want user:group there, because I need to create folders and files there.
The permissions have been changed, so root:root is the correct owner in 3.0.5.1 for security level 2 as well.

The root folder of the website shall not be used to create any files there. If you want to add custom files and folders not accessible by HTTP, then put them in the private subfolder.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #3  
7th March 2013, 17:10
thorewi

Hm, sorry, but in 3.0.4 there wasn't any folder like private, so I have to put all my libs, resources and other stuff in the root to keep them from being accessible by HTTP, so now I would have to change all my websites and also all my git repositories, which have the same directory structure as production because of FTP deployment... I would also have to change all constants in all projects with paths to my libs, third-party libs and so on... it's not real.... And the second problem: when I'm doing FTP deployment, the deployment software creates a file in the root with the last commit or file hash or so... We use 2 different pieces of software and both do it this way, so they don't work anymore...
  #4  
7th March 2013, 17:17
thorewi

And I need 3.0.5 because of the php-fpm ondemand feature... Of course I can just overwrite these two lines myself, but it's not a solution.
  #5  
7th March 2013, 17:30
till

We had to change this for security reasons; there was no option to fix the issue while keeping the old permissions. The web root was not made to store any files there directly. The private folder was introduced in 3.0.5 to offer an alternative storage location for files that shall be kept private.

You can configure in System > Server config that the permissions of existing sites don't get altered on update. But new sites will always get created with the new permission scheme.
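An added example, not part of the thread and not ISPConfig code: a shell check an administrator could run after the upgrade to see which site roots follow the root-owned scheme with a private subfolder described above and which still carry the old permissions. The function name, the one-directory-per-site layout and the rule that the root must not be group- or world-writable are assumptions; the expected owner is passed as a uid (0 for root) so the check can be tried unprivileged.

```shell
#!/bin/sh
# Added example (not ISPConfig code): audit site roots against the 3.0.5
# scheme described in the thread, where the site root is owned by root and
# private files live in a "private" subfolder.
# Assumptions: GNU stat; one directory per site under the base directory $1
# (hypothetical layout); expected owner uid in $2 (default 0 = root).

# Prints "OK <path>" or "FLAG <path> <reasons>" for each site root.
# Returns 0 if every root passes, 1 if any is flagged.
audit_docroots() {
    base=$1
    want_uid=${2:-0}
    rc=0
    for dir in "$base"/*/; do
        if [ ! -d "$dir" ]; then continue; fi   # glob matched nothing
        dir=${dir%/}
        uid=$(stat -c '%u' "$dir")
        mode=$(stat -c '%a' "$dir")             # octal digits, e.g. 755
        reasons=
        if [ "$uid" != "$want_uid" ]; then
            reasons="$reasons owner-uid=$uid"
        fi
        # Write bit (2) in the group or other digit means someone besides
        # the owner can create entries directly in the site root.
        group=$(( $mode / 10 % 10 ))
        other=$(( $mode % 10 ))
        if [ $(( ($group | $other) & 2 )) -ne 0 ]; then
            reasons="$reasons writable-by-non-owner(mode=$mode)"
        fi
        if [ ! -d "$dir/private" ]; then
            reasons="$reasons no-private-dir"
        fi
        if [ -n "$reasons" ]; then
            echo "FLAG $dir$reasons"
            rc=1
        else
            echo "OK $dir"
        fi
    done
    return "$rc"
}

# Stand-alone use: ./audit.sh /path/to/site/roots [expected-uid]
if [ "$#" -gt 0 ]; then audit_docroots "$@"; fi
```

Sites left untouched by the "don't alter existing sites on update" setting show up as FLAG lines with an `owner-uid` or `no-private-dir` reason.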
  #6  
7th March 2013, 17:48
thorewi

Yes, I understand you, but when you look here:

http://framework.zend.com/manual/1.1...e.project.html

and here:

http://doc.nette.org/en/presenters

(two frameworks we use)

The structure is as I mentioned: one public folder, and other folders with libs and app on the same level of the structure. So it's not our invention... So I don't know what to do now, and there is also the problem with deployment: mostly we use git-ftp (https://github.com/resmo/git-ftp) and it works as I said, creating a file with the last commit in the FTP root... but at least there is an option to change it.

I understand that security is very important, that's why I use ISPConfig, but I'm afraid many users will be a little upset.

But thanks for your help.
  #7  
7th March 2013, 21:25
till

Make a feature request in the bugtracker, maybe we can add another option to switch the permissions to the user.
  #8  
8th March 2013, 15:46
lamar

This means that open_basedir can no longer be used for files outside the web folder?
It is really unpleasant.

thorewi:
Do you have any solution for the new security?