HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > ISPConfig 2 > Developers' Forum

  #61  
20th January 2006, 11:25
danf.1979

Quote:
Originally Posted by falko
...I'm not sure though if it's enough to say "this reseller is allowed to install CMSs in his web sites, and that one isn't" instead of specifying a number...
Ok, I agree with all you've said, but talking only about the reseller I see the following problem:
Suppose a reseller has all the typical limitations ISPConfig can give him, plus 20 CMS.
He's got 4 different plans. Now, what is the poor man going to do if the 20 CMS are over? I mean, maybe the reseller has a commercial website with his plans for everyone to see. If the CMSs are over, will he be "buying" more CMSs from the ISPConfig admin? Or will he be modifying his plans?
I think 1 CMS per MySQL is a good choice, and for the reseller CMS is 1 or 0, but not number limited.
What do you think? Maybe the reseller problem has a solution, I don't know.
  #62  
20th January 2006, 11:41
till

Quote:
Originally Posted by danf.1979
Ok, I agree with all you've said, but talking only about the reseller I see the following problem:
Suppose a reseller has all the typical limitations ISPConfig can give him, plus 20 CMS.
He's got 4 different plans. Now, what is the poor man going to do if the 20 CMS are over? I mean, maybe the reseller has a commercial website with his plans for everyone to see. If the CMSs are over, will he be "buying" more CMSs from the ISPConfig admin? Or will he be modifying his plans?
I think 1 CMS per MySQL is a good choice, and for the reseller CMS is 1 or 0, but not number limited.
What do you think? Maybe the reseller problem has a solution, I don't know.
Ok, if we limit it by 1 CMS = 1 MySQL db, then we can limit the number of CMS by the number of databases. That's fine too.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #63  
30th January 2006, 19:03
danf.1979

deleted... sorry. This question was my own mistake.

Last edited by danf.1979; 30th January 2006 at 19:08.
  #64  
31st January 2006, 15:59
danf.1979

Hi to all.
I was just wondering about a *maybe* quota problem.

Some CMS allow uploads to certain directories, so those dirs must be world-writable. For example, CMS Made Simple allows creating directories under the upload directory, which is world-writable. The created directories have owner www-data and group www-data.

My question is, do these newly created directories or uploaded files count towards the client's quota? I don't think so, but I'm not really sure.

If they are not, is there any way to fix this?
  #65  
31st January 2006, 19:14
till

Quote:
Originally Posted by danf.1979
Hi to all.
I was just wondering about a *maybe* quota problem.

Some CMS allow uploads to certain directories, so those dirs must be world-writable. For example, CMS Made Simple allows creating directories under the upload directory, which is world-writable. The created directories have owner www-data and group www-data.

My question is, do these newly created directories or uploaded files count towards the client's quota? I don't think so, but I'm not really sure.
Files that belong to www-data do not count towards the web quota.


Quote:
If they are not, is there any way to fix this?
Yes. But the fix is more related to your setup than to ISPConfig.

If you run PHP either via SuPHP or as PHP CGI with SuExec, all scripts run under the username of the web admin and not as www-data. Then all files created by CMS systems belong to the correct group and user and count towards the quota.

The drawback with SuPHP and CGI-PHP is that you lose some performance compared to mod_php.

Another possible solution might be to work with PHP as FastCGI, but I have never tested that, and it is said not to be so easy to set up.
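A practical check for what Till describes above: which user PHP actually runs as, and which files under a CMS upload directory are owned by someone else (and so escape the web's quota) or are world-writable. This is an added example, not ISPConfig code; the web user name and upload path are placeholders, and it needs the posix extension.

```php
<?php
// Added example (not ISPConfig code): report the user PHP runs as and audit a
// CMS upload directory for files that escape the web's quota. Needs the posix
// extension; the web user and path below are placeholders.

function php_runs_as(): string {
    // Under mod_php this is the Apache user (www-data); under suPHP or
    // suexec + CGI PHP it is the web admin's own username.
    $pw = posix_getpwuid(posix_geteuid());
    return $pw ? $pw['name'] : (string) posix_geteuid();
}

function audit_upload_dir(string $dir, string $webUser): array {
    if (!is_dir($dir)) {
        return ["$dir: not a directory"];
    }
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        $pw = posix_getpwuid($info->getOwner());
        $owner = $pw ? $pw['name'] : (string) $info->getOwner();
        if ($owner !== $webUser) {
            // Owned by e.g. www-data: not charged to the web's quota.
            $findings[] = "$path: owned by $owner, not counted towards the quota of $webUser";
        }
        if ($info->isDir() && ($info->getPerms() & 0002)) {
            // Needed only under mod_php; under suPHP/suexec it is unnecessary exposure.
            $findings[] = "$path: world-writable directory";
        }
    }
    return $findings;
}

// Placeholder values for a web called web1 (constructed, not from the thread).
$webUser = 'web1_admin';
$uploads = '/var/www/web1/web/uploads';
echo "PHP runs as: " . php_runs_as() . "\n";
foreach (audit_upload_dir($uploads, $webUser) as $line) {
    echo $line, "\n";
}
```

Run it once through the web server (not from the shell) to see the user the CMS actually writes files as.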
  #66  
4th February 2006, 22:40
danf.1979

Uhm ok thanks. The solution is not simple because doing what you say would imply that every CMS would create new folders with the right owner, but the user would be unable to upload files to it because folders don't get created world-writable by the CMS. Maybe a cron job would do the trick, but I'm not solving this problem right now.

I wanted to ask you something Till (or someone who knows, falko for example). I got this code:
Code:
		// Build one radio button per MySQL database that belongs to this web.
		$dbs = '';
		$n = 0;
		$get_all_db = $go_api->db->queryAllRecords("SELECT * FROM isp_isp_datenbank where doctype_id = 1029 and web_id = $web_id");

		foreach($get_all_db as $db) {
			// The attribute value is quoted so a name with spaces does not break the markup.
			$dbs .= '
			<tr style="background-color: #666666;">
			<td colspan="2"><span style="font-weight: bold; color: white; font-size: 13px;">
			<div style="margin-left: 40px;"><input name="db_database" type="radio" value="'.$db["datenbankname"].'">&nbsp;&nbsp;'.$db["datenbankname"].'</div></span></td>
			</tr>';

			$n++;
		}
It generates radio buttons for the databases of a given web_id. I'm not quite sure I understand the doc_id right now; I've really been fixing and optimizing the installer code. I implemented a class for the cms_installer.php file (my own writeconf.php) but I use global statements in the methods of the class. I don't know if that would be the "correct" thing to do, but they manage to get the CMS installed and that class serves to install like 10 CMS right now. Maybe you could comment on this?
Ok, back to the code. I don't really know if a database always gets installed with a 1029 doctype_id, and I think that would be the only possible failure of the MySQL query right now.
I have done a very nice template for the CMS installer (I think it's pretty), but I know that there are other people who can do much better templates than me, with CSS for example. Maybe some volunteer to get CSS on this? Anyone?
Ok thanks.
Oh, another question. Do I have to code some stuff to prevent SQL injection in the various forms I use? I have never done this, so that's why I ask. I don't know if it is enough with the *general* security platform that ISPConfig provides to my script.
  #67  
4th February 2006, 23:17
danf.1979

Oh, something else I want to comment (not really needed right now though).
I think ISPConfig is the best code I've seen. Maybe it is not my code style, but I think the relationships between the scripts, the database and the daemons are really very, very clever. I have little experience to say that though, and I know just a little about the ISPConfig code, just what I've needed to code my own script.
I have my own daemon checking for its own .signal files. With that I've managed to get a root script executed and the CMS identified. I know I could do the identification with only the database, but until now the system works ok and the code is not very extensive.
For example, cms_installer.php (my own writeconf.php) is about 275 lines, maybe 250 or 240 of code. It detects the signal file, makes the necessary queries, defines all necessary variables for each CMS installation, and executes the install class. The install class is another script (59 lines) that creates directories, copies, chmods, chowns, removes stuff, makes the config file of the CMS, gets the MySQL stuff done, etc.
I have done a very singular thing to get all this working. I install the CMS, erase all customized fields in MySQL and export the SQL to a file. Then I may even be able to customize these setups with new templates, pages or modified language files with better names and explanations for the translations. Most of them are with the default installation though (but with my own database dump). I have most CMS with the default installation; I haven't had the time to do this on all CMS, of course. With this I have been able to forget completely about the default installers. I may be able in the future to choose a custom language for the CMS installation, I don't know. Many things can be done with this, I guess. I even want to make simple MySQL controls for the CMS manager, so MySQL database creation, CMS deletions, maybe updates also; as I said, I don't really know yet what to do first. And also, I am right now optimizing code and making modifications.

How do you want to get this into ISPConfig? I mean, it works in my installation, but how is the coordination for controlling the possible CMS to be installed going to be? Maybe I can do that with some classification in mind. I want to classify the CMS into different classes by CMS type (forum, portal, chat, etc.) and with that in mind make the MySQL limitations. For example, 1 MySQL permits 1 CMS, and that limitation would permit only one installation for the portal, but little forum and live support center CMS are also included by default. The general idea would be making little CMS software available world-wide and bigger CMS limited. I know it can also be user configured, but I will not code this in the short term.

Last edited by danf.1979; 4th February 2006 at 23:22.
  #68  
4th February 2006, 23:25
till

Quote:
Originally Posted by danf.1979
Uhm ok thanks. The solution is not simple because doing what you say would imply that every CMS would create new folders with the right owner, but the user would be unable to upload files to it because folders don't get created world-writable by the CMS. Maybe a cron job would do the trick, but I'm not solving this problem right now.
If you use suexec + CGI PHP or suPHP, the CMS runs under the username of the web admin and not the Apache user, so these problems don't exist and the directories must not be world-writable.

If you don't use suexec + CGI PHP or suPHP, the directories must be world-writable.

Quote:
I wanted to ask you something Till (or someone who knows, falko for example). I got this code:
Code:
		// Build one radio button per MySQL database that belongs to this web.
		$dbs = '';
		$n = 0;
		$get_all_db = $go_api->db->queryAllRecords("SELECT * FROM isp_isp_datenbank where doctype_id = 1029 and web_id = $web_id");

		foreach($get_all_db as $db) {
			// The attribute value is quoted so a name with spaces does not break the markup.
			$dbs .= '
			<tr style="background-color: #666666;">
			<td colspan="2"><span style="font-weight: bold; color: white; font-size: 13px;">
			<div style="margin-left: 40px;"><input name="db_database" type="radio" value="'.$db["datenbankname"].'">&nbsp;&nbsp;'.$db["datenbankname"].'</div></span></td>
			</tr>';

			$n++;
		}
It generates radio buttons for the databases of a given web_id. I'm not quite sure I understand the doc_id right now,
The doc_id is always the primary ID of a table. As the doctype_id for MySQL databases is always 1029, you can optimize the query like this, but it does not harm if you leave it like it is now:

SELECT * FROM isp_isp_datenbank where web_id = $web_id


Quote:
I've really been fixing and optimizing the installer code. I implemented a class for the cms_installer.php file (my own writeconf.php) but I use global statements in the methods of the class. I don't know if that would be the "correct" thing to do, but they manage to get the CMS installed and that class serves to install like 10 CMS right now. Maybe you could comment on this?
Generally it is better to avoid global variables. If the codebase grows you will get fewer variable conflicts. But you don't have to change your code now, if it works.

Quote:
Ok, back to the code. I don't really know if a database always gets installed with a 1029 doctype_id, and I think that would be the only possible failure of the MySQL query right now.
Yes, databases always have the same doctype_id 1029.

Quote:
Do I have to code some stuff to prevent SQL injection in the various forms I use? I have never done this, so that's why I ask. I don't know if it is enough with the *general* security platform that ISPConfig provides to my script.
If your form is not completely generated by the form designer, you have to check all variables against SQL injection. The most secure way is by checking the values with regular expressions and escaping strings correctly with the function $go_api->db->quote(".......");
  #69  
5th February 2006, 12:53
webstergd

Global variables, undeclared variables, and variables that are sent with POST, GET, cookies (basically from the client to the server) would be the first thing an attacker will look for. It is highly recommended to never use global variables unless you really, really, really need to. If you do use these methods you must check the variables really well.

For example, even if your variable is only used to grab an image (or just display the image name) and post it, you are running the risk of an XSS attack. This was a huge problem with PostNuke, EasyNews php, webalizer, GNU Mailman, mp3 files and all sorts of programs out there. This type of attack isn't limited to images, really anything that is posted.
(just wanted to provide an example of how dangerous user variables can be)

As till said, don't worry about changing your code if it works. I am currently going through the code, time permitting, to help secure it.

Awesome work though. Thank you so much for doing that. If you need any help I am more than happy to help.
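The radio-button code from post #66, reworked along the lines of Till's advice in #68 and webstergd's XSS warning above: validate web_id with a regular expression before it reaches SQL, escape every value printed into HTML, and validate the value that comes back from the form. This is an added example, not ISPConfig's own code; it assumes the $go_api->db->queryAllRecords() and $go_api->db->quote() methods as named in the thread, and that quote() returns the escaped string.

```php
<?php
// Added example (not ISPConfig code). Assumes the ISPConfig 2 API objects
// named in the thread: $go_api->db->queryAllRecords() and $go_api->db->quote().

function validate_web_id($raw): int {
    // web_id is a numeric primary key: reject anything else before it
    // gets near the query (the regular-expression check Till recommends).
    if (!preg_match('/^[0-9]{1,10}$/', (string) $raw)) {
        throw new InvalidArgumentException('web_id must be a positive integer');
    }
    return (int) $raw;
}

function db_radio_list($go_api, $raw_web_id): string {
    $web_id = validate_web_id($raw_web_id);
    // doctype_id 1029 is always the MySQL database record type (post #68),
    // so the validated web_id is the only variable part of the query.
    $rows = $go_api->db->queryAllRecords(
        "SELECT datenbankname FROM isp_isp_datenbank WHERE doctype_id = 1029 AND web_id = " . $web_id
    );
    $dbs = '';
    foreach ($rows as $db) {
        // A database name is data, never markup: escape it for HTML output (XSS).
        $name = htmlspecialchars($db['datenbankname'], ENT_QUOTES, 'UTF-8');
        $dbs .= '<tr style="background-color: #666666;">'
              . '<td colspan="2"><div style="margin-left: 40px;">'
              . '<input name="db_database" type="radio" value="' . $name . '">'
              . '&nbsp;&nbsp;' . $name . '</div></td></tr>' . "\n";
    }
    return $dbs;
}

function quote_db_name($go_api, $raw): string {
    // The value posted back from the form is user input too: allow only
    // characters a MySQL identifier can have, then let ISPConfig escape it.
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', (string) $raw)) {
        throw new InvalidArgumentException('invalid database name');
    }
    return $go_api->db->quote($raw); // assumed to return the escaped string
}
```

Call db_radio_list($go_api, $_GET['web_id']) where the original snippet was, and pass $_POST['db_database'] through quote_db_name() before it is used in any further query.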
  #70  
6th February 2006, 02:09
danf.1979

Ok thanks to you too. I'll be posting soon because my class works, but I'm using too many globals in some methods of the class. I have only programmed classes in Python and I did not use globals, but I'm rather new to PHP. I was looking at this moment at how vars are assigned to a given class in writeconf.php. I was not aware of the syntax to do that. I think that's how I can prevent extensive use of globals. I'll give it a try right now.
I have also read something about cross-site scripting and some general security topics, but I'm not on it right now. I have other things to finish yet, but I wasn't aware of those topics, so thanks.