Another suPHP question

Discussion in 'Installation/Configuration' started by smartcall, Jan 19, 2007.

  1. smartcall

    smartcall ISPConfig Developer ISPConfig Developer

    Dear all,

    What really disturbes me is that even with suPHP engine ON, PHP scripts can still read from other users directories and even from /etc. Thus giving the ability to expose usernames and passwords to anyone.

    To what umask and corresponding chmod should the files and dirs be changed, and what umask to set in proftpd.conf?

    Thanks
     
    Last edited: Jan 19, 2007
  2. martinfst

    martinfst ISPConfig Developer ISPConfig Developer

    Username exposure yes, password exposure no. Passwords are crypted and stored in a shadow file, only accessible by root.

    I strongly advise against changing permissions of directories like /etc, /bin, etc. It will make your system unusable.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    You can change the open_basedir restriction in your php.ini to the document root of all websites (normally /var/www), so the directory /etc can not be accessed.
     
  4. smartcall

    smartcall ISPConfig Developer ISPConfig Developer

    open_basedir = On doesn't work well with Joomla. And I sell specialized Joomla hosting. Joomla has a file called configuration.php, where all the information is unencripted.
    What I found out is, that for some reason, if suPHP is on and umask = 077 then .htaccess files are not read bu Apache and nothing works.
    So what would be a solution to that?
    I want the files in web directories to be chmod to 600, but in the same time Apache cant read the .htaccess
    And as you know hosting users can't be told 'we are the best, but you need to manualy change things in order to be our clients'

    Thanks
     
  5. martinfst

    martinfst ISPConfig Developer ISPConfig Developer

    Set permissions of only .htaccess to 644? The rest according to user/web with 600?

    Because .ht files cannot be read anyway by apache due to the configuration (unless you removed the basic restrictions).
     

Share This Page