FTP to www-data

Discussion in 'Tips/Tricks/Mods' started by Marcio Urakawa, Dec 17, 2020.

  1. For security reasons I would like to change the owner of the files to www-data and not in the web: client format.
    The site works.
    But when I change to www-data the FTP user is no longer able to send files, even if I change the uid as www-data in the ftp_user table, does anyone know how to solve it?
     
  2. I know that some functionality of the site will be lost, but I need to remove these permissions to avoid intrusion problems.
     
  3. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    It is more secure to use webXX:clientXX as user. Changing this will break several things like FTP uploads and some PHP scripts.

    Why would using www-data be more secure?
     
    Marcio Urakawa likes this.
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Using www-data is way insecure the using webxx:clientxx as @Th0m mentioned dlaready.
     
    Marcio Urakawa likes this.
  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Changing website file/directory ownership so they can't be modified by php processes (running as the web# user) certainly can improve security in a few ways; you might consider using another user to own them so the web server can read but not modify them (I have used root owned files for that purpose, but any user id created for the purpose would do, too).

    As to your question, obviously you did not change ownership to www-data using ftp, and you would similarly need to manage the files via another means as well. You could write a script to quickly change ownership back to the website user to run before using ftp, and another script to revert ownership when done. Or maybe have an ftp account that uploads your website files to another place, and a script that monitors those and copies to your actual website. Or maybe even use a bindfs mount to change ownership (actual files are managed via ftp in one location, and bindfs mount changes to www-data or other ownership for the web mountpoint).
     
    Marcio Urakawa likes this.
  6. I work in a place where there are hundreds of outdated cms and the people who care do not know about t.i
    They just do post.There is Joomla still hosted with version 1.5 full of vulnerabilities.

    The way we do it on other servers so that malicious code cannot execute is by changing the owner of the file.

    A few minutes ago, I had a problem with a user who had the site in the webxx format: clientxx. Joomla was doing spam due to user registration. In just one day there were 2,000 undue users.

    It is a bit of a boring scenario because the users who host the site do not know how to care. They are professionals from other areas.
     
    Last edited: Dec 17, 2020
  7. It can be the root user or any other but webxx: clientxx. However, when I do that, I can't transfer files.

    About the script I don't know if it pays, I'm thinking what to do. Thanks.
     
  8. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Allowing people to upload as www-data would make your server very vulnerable to other attacks.

    Maybe I have a different vision on this, but if one of my clients had outdated site that's being spammed, that's their problem before it becomes mine - and if it could affect my server, I would disable their web and warn them that they have to get their sh*t together.
     
  9. I can not do it. They are not paid customers, but users of the same company.
    About www-data, it could be another one, except webxx-clientxx to avoid execution.
     
  10. nhybgtvfr

    nhybgtvfr Active Member

    surely as users of the same company, it should be easier.
    make sure management is aware of the issue, and that the compromised/outdated sites can (and at some point will) get used to send out spam, viruses, porn - including child porn, bank/card phishing emails etc. and that the company (ie directors/senior management) could be held liable for all of that content.
    they'll soon have a policy in place that sites must be kept up to date.

    alternatively, if you're the it manger/web services manager or similar, inform everyone that the dept will be implementing new security policies, and that sites that are not kept up-to-date will be disabled unless the site owner can provide a suitable reason for remaining on an older cms version. give them time to update their sites, and then start disabling those that don't get disabled.
    once it starts impacting on the users ability to do their job/make their sales/ process their reports/whatever.. they'll learn to keep their site up to date.

    it's either that, or you start keeping all the sites updated yourself.... just changing file/folder ownership isn't going to cut it. something still has to be able to run the cms, so it's still going to have unpatched vulnerabilities, blocking ownership or execution of files in eg wordpress uploads folder, isn't going to stop a plugin exploit from still being run and abused.
     
    Marcio Urakawa and Th0m like this.
  11. We have a security policy, but unfortunately few people care. I can't update almost a thousand websites every time Joomla or Wordpress is updated. It is impossible, users do not know how to do it because they are from different areas.

    I have another server with Apache / Mysql / PHP and the sites work that way changing to another group of users like myuser: users and when they want to send files they just use Filezilla, when they want to post access to / administrator or / wp-admin . It’s not perfect but they’re used to it. At Ispconfig I came across this situation.
     
  12. nhybgtvfr

    nhybgtvfr Active Member

    if your security policy isn't being enforced because people don't care, then despite what you say, you don't really have a security policy.
    you need to start enforcing it, and that would be easier with senior management on board. maybe start explaining to them in detail the jail terms they could get if they or the company is found to be responsible for the distribution of child porn, or for enabling banking fraud. that should help get them on board. ;)

    as for updating lots of sites, they can all be done in one go...
    i use this one for wordpress. InfiniteWP - Multiple WordPress site management solution
    don't really have to deal with joomla myself, but a quick google:
    Watchful - a website manager for WordPress and Joomla
    Manage Multiple WordPress & Joomla Sites in One Dashboard (mysites.guru)
    YourSites Manager, by Geraint Edwards - Joomla Extension Directory
     
  13. I work in a place where there is a lot of change in employees, in health areas, teachers, technicians.
    But my question is not about t.i or work policies.
    I would just like to know about this FTP question.
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    If this is an apache web server, then just untick the suexec checkbox in website settings. This will make all php scripts run as www-data instead of the client user, so PHP can't change files uploaded by FTP user. But to be clear here, I do not recommend this, it's really bad security wise.
     
    Marcio Urakawa likes this.
  15. Thanks for the answer.
    Why do you think you are insecure?

    If the hacker is unable to do anything on the site?
    I have a government domain that every time they scan the sites and if it is Joomla or Wordpress that is out of date they find a breach fast and take the site down. I know that the ideal would be to update the CMS and install security plugins, but I can't do it on a thousand sites with each update.
     
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    A hacker can do many things on such a site, he can compromise the database so that visitors get infected when they visit that website, he can upload temporary files and execute them on the server in the background and the media folders are writable probably as media and image uploads won't work otherwise. Plus running everything as www-data opens up attack vectors on globally installed software like phpmyadmin.
     
    Marcio Urakawa likes this.
  17. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Probably a better question for you to consider is, why do you think that changing file ownership will make your site secure? It does close one class of vulnerabilities, but changing to www-data opens another class of vulnerabilities. Using another user helps, but as mentioned, there are multitudes of ways an insecure sure can still be abused, so definitely don't be fooled into thinking they "can't do anything"on those sites. If you really want that to be true, disable php entirely or simply deactivate the site.
     
    Marcio Urakawa likes this.
  18. If it is another users? I said www-data just to differentiate it from webxx: clientxx. Can be myuser: users
    As I have several outdated Joomla, I always see problems running in outdated Plugins.
     
  19. If I were you, what would you do?

    Being the following situation:
    1000 sites with Joomla in version 1.5 up to version 2.5 with several outdated pluigins.
    I cannot disable the sites, nor PHP.
    In your experience, what would be the safest way?

    I would like a technical and non-political solution if possible.
     
  20. till

    till Super Moderator Staff Member ISPConfig Developer

    using a different user will not solve the underlying problem that an attacker will still have access to media and temp directories and the database, so he can still do in most parts what he wants. What you can do is to install a web application firewall like mod_security and activate strict filter rule sets. That's at least a temporary solution until the website owners have fixed and updated their sites.
     

Share This Page