Go Back   HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > ISPConfig 3 > Installation/Configuration

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Reply
 
Thread Tools Display Modes
  #1  
Old 21st October 2009, 19:53
xerc xerc is offline
Junior Member
 
Join Date: Oct 2009
Posts: 10
Thanks: 0
Thanked 0 Times in 0 Posts
Exclamation suexec allows deleting files which owner is root

Hi folks,

I used the Lenny Perfect Server Tutorial to install my server.
ISPConfig 3.0.1.5

I use php fastcgi in all sites. My problem was that php was not allowed to write to files in the docroot, even if owner and group are correct (webXX and clientXX), rights of all directories and files were 755. Then I tried 775, and suddenly php was allowed to write in the docroot.

"That's not so pretty" I thought, so I looked around and found suexec.
I didn't found a switch in ISPConfig to enable suexec, so I added it manually to my vhost for testing:

<VirtualHost *:80>
SuexecUserGroup web13 client4

Now php could write in the docroot with 755. "Nice" I thought. Until I tested it in the depth:

First problem:
-r--r--r-- 1 root root 54 2009-10-21 18:11 test.php

test.php can be executed, even if owner is root.

Second Problem:
test.php can delete files owned by root, even if I set owner of test.php to web13 and group to client4.

test.php:
PHP Code:
<?php
unlink
("deleteme");
?>
-r--r--r-- 1 web13 client4 54 2009-10-21 18:11 test.php
-r--r--r-- 1 root root 0 2009-10-21 19:44 deleteme

Deleting is always possible.

Why is this possible? I thought suexec would prevent something link this.

Third problem:
-rwsr-xr-- 1 root www-data 14K 2009-07-14 22:47 /usr/lib/apache2/suexec

In http://httpd.apache.org/docs/2.0/suexec.html I read that suexec has to be owned by apache, but here it is owned by root. If I change the owner to www-data, apache won't stat (no suexec wrapper found).

EDIT:
When I do "su web13" I stay root, but I get no error.
/var/log/sulog says:
SU 10/22 11:21 + pts/1 root-web13

Last edited by xerc; 22nd October 2009 at 11:37.
Reply With Quote
Sponsored Links
  #2  
Old 22nd October 2009, 12:43
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 36,077
Thanks: 826
Thanked 5,396 Times in 4,240 Posts
Default

Quote:
I didn't found a switch in ISPConfig to enable suexec
There is a checkbox labeled "suxec" in the website settings. Do not edit the vhosts manually!

test.php must be owned by the user and group of the website and not root. None of your users is able to create files as root, you simply created the file with the root user and so the file has the wrong owner.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #3  
Old 22nd October 2009, 12:50
xerc xerc is offline
Junior Member
 
Join Date: Oct 2009
Posts: 10
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Hi,
i found the checkbox, thanks a lot.

But why can the phpscript, even if it is owned by web13, delete a file which owner is root? If I install phpshell, I can even start shellscripts as web13 which owner is root, if they lie in the webroot.
Reply With Quote
  #4  
Old 22nd October 2009, 12:53
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 36,077
Thanks: 826
Thanked 5,396 Times in 4,240 Posts
Default

This depends on the permissions of the file and not just the owner. If you run:

chwon root:root myfile.sh
chmod 700 myfile.sh

then nobody except of the root user itself can modify or delete it.

But if a file has permissions for another group or even others to modify or run it, the members of the group or others can use or edit the file. Thats theway the linux permission system works.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #5  
Old 22nd October 2009, 13:12
xerc xerc is offline
Junior Member
 
Join Date: Oct 2009
Posts: 10
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Hi Till,

seems like you haven't read my first post completly.

test.php:
PHP Code:
<?php
unlink
("deleteme");
?>
-r--r--r-- 1 web13 client4 54 2009-10-21 18:11 test.php
-r-------- 1 root root 0 2009-10-21 19:44 deleteme

Deleting of file "deleteme" is always possible when I execute test.php in browser.

That's what it's all about, this should not be possible.
Reply With Quote
  #6  
Old 22nd October 2009, 13:17
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 36,077
Thanks: 826
Thanked 5,396 Times in 4,240 Posts
Default

Seems as you have not read my post properly I told you that test.php has to be owned by the user and group of the website and not root.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #7  
Old 22nd October 2009, 13:27
xerc xerc is offline
Junior Member
 
Join Date: Oct 2009
Posts: 10
Thanks: 0
Thanked 0 Times in 0 Posts
Default



please look at my previous post. There you can see that test.php is owned by web13:client4. So definetly not root.

Greetings
Reply With Quote
  #8  
Old 22nd October 2009, 13:36
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 36,077
Thanks: 826
Thanked 5,396 Times in 4,240 Posts
Default

And you called the php script trogh the webbrowser and nit not executed it on the shell? Then you must have a serious problem with the linux permission system on your server.

Please create a php script owned by the web user and group with the following content:

<?php
system('whoami');
?>
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #9  
Old 22nd October 2009, 13:51
xerc xerc is offline
Junior Member
 
Join Date: Oct 2009
Posts: 10
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Yes, I called the script from a browser.

With suexec it says "web13" and I can delete the file owned by root.
If I deactivate suexec it says "www-data" and i can't delete the file owned by root.
Reply With Quote
  #10  
Old 22nd October 2009, 18:20
giftsnake giftsnake is offline
Senior Member
 
Join Date: Jan 2009
Posts: 108
Thanks: 15
Thanked 9 Times in 8 Posts
 
Default

using suPHP (system('whoami'); shows web1) i can delete files owned by root and permissions 700 also.

i cant delete files in /var/www/domain.com/ but in web/deletefolder/ (when deletefolder has permissions for web1 to access, but file is still 700 and root!)


rmdir('folder'); works like a charm too!

Last edited by giftsnake; 22nd October 2009 at 18:29. Reason: rmdir folder....
Reply With Quote
Reply

Bookmarks

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Flash Player (version 10.0r22) did not load bobwdn HOWTO-Related Questions 10 11th September 2011 11:08
automatic webmail link admins Installation/Configuration 16 22nd June 2009 16:42
Setting up a new server - Suse 11.1 londonman Server Operation 34 10th April 2009 13:16
Postfix email server problems Access denied 554 554 5.7.1 state 14 AceRimmer Server Operation 4 19th June 2008 14:36
Add Webmin to the system sushestvo Installation/Configuration 44 21st August 2007 16:52


All times are GMT +2. The time now is 14:33.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.