Old 5th July 2006, 04:39
snowfly snowfly is offline
Member
 
Join Date: Jul 2006
Posts: 93
SECURITY issue with Virtual hosting with Proftpd & Mysql

Hi all,

I'm also running a server with virtual hosting, based on the tutorial using proftpd and mysql: http://www.howtoforge.com/proftpd_mysql_virtual_hosting

I got it all running fine, multiple users, and all are kept securely jailed in their home directories when they FTP in. So they can only upload/download/view files in their home dir.

However I came across a big security issue.
As all the files/dirs that are created by these virtual ftp users are owned by the system user:
User: ftpuser
Group: ftpgroup
Then any user can create a small PHP script, which can traverse the directories of other users and read their files!!

Here's an example, 2 virtual users have these homedirs:
In /home:
Code:
drwxr-sr-x   3 ftpuser ftpgroup 4096 Jun 27 12:46 user1
drwxr-sr-x   3 ftpuser ftpgroup 4096 Jul  1 19:28 user2
So user1 has all their files in /home/user1/
and user2 in /home/user2

And as you can see both are owned by the ftpuser.ftpgroup.

If user1 was to write a small php script, called test.php, in /home/user1/test.php, like this:
PHP Code:
<?php
// List every entry in the parent of this user's home directory
$dir = "../";
if ($handle = opendir($dir)) {
    while (false !== ($file = readdir($handle))) {
        if ($file != "." && $file != "..") {
            echo "$file<br>";
        }
    }
    closedir($handle);
}

It would result in these dirs being displayed:
user1
user2

And if they changed $dir to be: "../user2/", they could view all files under user2's directory.

Basically because everything is owned by the same system user/group.

How can I get around this, as it's pretty insecure, especially if one of my users happens to be a PHP developer, and decides to write some code to see what they can do on the system...

Thanks, Mike.

Last edited by snowfly; 5th July 2006 at 06:05.
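A defender-side check for the condition described in the post (an added example, not code from the post or from the howto): it audits a home root like the /home listing above and reports home directories that share a single owner uid, and directories that are group/other readable. The function names `collect` and `audit` and the sample records are my own constructions.

```python
import os
import stat
import tempfile
from collections import defaultdict


def collect(home_root):
    """Build (name, uid, gid, mode) records for each directory under home_root."""
    records = []
    for name in sorted(os.listdir(home_root)):
        st = os.lstat(os.path.join(home_root, name))
        if stat.S_ISDIR(st.st_mode):
            records.append((name, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode)))
    return records


def audit(records):
    """Return a list of (kind, message) findings for a set of home directories.

    shared-owner: two or more home directories belong to the same uid, so any
    code running as that uid (e.g. a PHP script uploaded by one virtual user)
    can read the others no matter what the mode bits say.
    readable: the directory is readable by group or others, so any other
    system account (such as the web server's) can list it.
    """
    findings = []
    by_uid = defaultdict(list)
    for name, uid, gid, mode in records:
        by_uid[uid].append(name)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(("readable", f"{name}: mode {mode:04o} is group/other readable"))
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:
            findings.append(("shared-owner", f"uid {uid} owns {', '.join(names)}"))
    return findings


if __name__ == "__main__":
    # Constructed demo: two homes with the same owner and mode 2755 (drwxr-sr-x),
    # mirroring the /home listing in the post. Both run as the current uid.
    root = tempfile.mkdtemp()
    for user in ("user1", "user2"):
        os.mkdir(os.path.join(root, user), 0o2755)
    for kind, message in audit(collect(root)):
        print(f"[{kind}] {message}")
```

A clean result is one where each virtual user maps to its own uid and the home directory is mode 0700, which is what the `good` case in the comments describes.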