Issues with custom File Manager Development for ISPConfig

Discussion in 'General' started by Finco, Jun 3, 2020.

  1. Finco

    Finco New Member

    I want to be as brief and as detailed as possible.
    I am setting up ISPConfig in a shared hosting environment. Now I have decided to create a File Manager Module for ISPConfig.

    It would be similar to cPanel where each user can login with their ISPConfig details and click on the File Manager Module.

    The issue I have with this Module is permissions problem. Currently, the script executes as the ispconfig user so it does not have permissions to write to any of the created Websites.

    Question
    How can I make my file manager script automatically run as the currently logged in user so they can have Read Write and Execute permissions for only the files they own? Similar to how it is done in cPanel

    I have been on this issue for weeks now and tried a lot of ideas.

    I will really really appreciate any assistance on this issue. I just need highlevel ideas or suggestions on how it is done on other control panels
     
  2. ahrasis

    ahrasis Well-Known Member

    For just me there is no need for such a module. FTP or SSH account access createdfrom ISPConfig should already work fine.
     
    Th0m likes this.
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    The way you try to implement this can't work for several reasons:

    1) The user that you log in at ISPConfig is no Linux system user.
    2) The ISPConfig UI runs as nonprivileged user ispconfig, so it can not access websites.
    3) The whole setup won't work on Multiserver systems anyway.

    Like @ahrasis posted, you have to connect to the website by FTP or SSH from your code to be able to read / write / upload files.
     
    Finco and Th0m like this.
  4. Finco

    Finco New Member

    This is a Shared Hosting Environment. Users are will be migrated from DirectAdmin to ISPConfig. In DirectAdmin, a filemanager is redily available.

    Also, this is 2020, things are getting simpler and customers are getting less and less technically inclined. Using SSH, FTP, SFTP etc is not a problem for me. But I am trying to make things as easy as possible for my customers
     
  5. Finco

    Finco New Member

    Thank you for your response. Apparently, this might be my only option. I just have a default feeling that FTP is slower.
     
  6. ahrasis

    ahrasis Well-Known Member

    Yes, this is 2020 and people are more learned and concerned about security rather than easiness that you mentioned; and as mentioned by @till your way is clearly not a viable option.

    That're all said, there are threads discussing some details on getting and passing user ftp details to some web file manager, though they are not officially supported, but you might want to search for and look into.
     
    Th0m likes this.
  7. Finco

    Finco New Member

    I will appreciate if you could point me in the direction of such threads. The only one I found similar to my needs is this: https://www.howtoforge.com/community/threads/filemanager.73471/
     
  8. nhybgtvfr

    nhybgtvfr Active Member

    Finco likes this.
  9. Jesse Norell

    Jesse Norell Well-Known Member

    Of course how "other control panels" work overall is somewhat irrelevant, you need solutions that will work in ISPConfig setup (including multiserver) if you intend to your file manager module to be used by others (which would be a nice contribution).

    How familiar are you with web server/web application security? There are a lot of things which must be done correctly; it is very easy to create a total security mess with this type of application, allowing access to other website files and that sort of thing. It can be done, but if you're new to it, expect a lot of design and implementation revisions until it starts taking a viable shape. It's an interesting topic though, and you'll certainly find some good input here and elsewhere as you work through it.

    My first thought is have the file manager app run underneath each individual website (so the file manager ui runs on each webserver in a multi-server setup), not directly as part of the ISPConfig panel interface (which only runs on the control panel node). In your described setup, you have the client using the ISPConfig interface, which can be made to proxy requests for a path (eg. /files or /filemanager) to the corresponding website. The file manager app configuration should restrict connections from only the control panel node.

    That solves the user/permissions issue, as each website should be setup to allow access to its own files. While running on the individual websites, you would want the back-end to run under the website chroot if at all possible. (You can now run php-fpm under each website chroot, which would restrict the configurations that can use the file manager, but would be a good choice for baseline required setup.) If you don't run chroot for each website, at minimum you should have a sane open_basedir set.

    The client has already authenticated to ISPConfig and has an active session (sys_session table), what is needed is effectively the proxy running on the control panel node to authenticate to the file manager app running underneath each website. This could be done in various ways, I'd probably generate a per-client shared secret to be embedded in the path (so the proxy requests go to something like https://clientdomain.com/ispc-file-manager/5d3e47d056d432ed3e3372b5c06c5beb/ which varies for each website) as well as using some authentication (a client certificate would be best, handled in the web proxy/server, not the file manager app).

    The control panel node would of course have to generate a web server config file which sets up the proxy correctly (ie. a different url for each website), and the web server nodes would have to setup web server config for the same location to run the file manager. Take a look at ispconfig-monit.conf which does a good part of what you need to generate on the control panel node (it proxies /monit path to the monit http server, using client certificate authentication, and checking for a valid ispconfig session); I don't have any starting point for nginx, offhand. Note that the proxy module (running on the control panel) must check for a valid ISPConfig session. You may end up needing to add a field to sys_session to read the client's shared secret.

    (A caveat on why a per-website shared secret is needed, it is still (see https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/3952) common that websites are misconfigured in ways that have the wrong website displayed (request site1, and get site2 displayed) - the unique file manager path per website prevents such a misconfiguration from allowing one website owner access to the other website's files.)

    There are definitely some pieces to work out, eg. you may have to embed the website name in the proxy path (so the control panel ui button/link goes to /files/domain1.com/ or similar) so the proxy can tell where to send the request (as clients often have more than one website). So maybe a request to /files/domain1.com/ hits the proxy, which looks up the client's shared secret from the session, and proxies to https://domain1.com/ispc-file-manager/...shared_secret.../. But it seems like a viable approach, and addresses most of the obvious security issues that I can think of right offhand. And now, someone else will join in and point out something glaringly obvious which I overlooked... :)
     
    Finco and Th0m like this.
  10. Finco

    Finco New Member

    Thank you very much for taking the time out to give the idea.
    After reading your reply, not familiar. But getting more and more used to Linux security Mechanisms.

    I love this idea, though I don't understand all of it, but I love it.
    A much more rudimentary idea similar to this came to my mind. The idea was just to create a Plugin that copies the filemanager file to the doc root after the user logs in. The only security is that the file would be renamed to something random each time. Or the filemanager would authenticate separately with ispconfig database.

    My major issue with the idea is that a user could connect via FTP and view the src code of this file manager, they could modify it and echo out sensitive info.
    I think this security problem will affect your idea too, am I right?
     
  11. Finco

    Finco New Member

  12. nhybgtvfr

    nhybgtvfr Active Member

    you can't guarantee that will work.
    there could be accounts with a zero limit on ftp users. or just 1 allowed ftp user which already exists, and you have no way of finding out what their existing password is, and you can't just change their password, they could have critical automated systems using it regularly.
    same with ssh access.
    something like net2ftp would be to provide filemanager style access to users with existing ftp accounts, who don't want to use a standalone ftp client, or can't for some reason, maybe their in a webcafe where there isn't one installed, or the firewall blocks the required ports....

    you could find a way to copy something like tinyfilemanager to their root folder, but again, for even minimal security, the filename for it would need to be randomized, and it would need to be removed once they've finished using it, so you'd need some way of finding out they've finished. since they probably won't close it down cleanly, just close the browser tab, or the browser itself. and that still leaves a short window of time where that file can be found and used maliciously. so not really an acceptable option.

    although jesse's idea is interesting, if tinyfilemanager or similar can be installed in one location on each server, and only accessible using the proxied url with active session id from the control panel interface. that at least gets around the possibility of a random site scanner stumbling upon something that will allow them filemanager style access without having to supply valid account credentials at some point.
    sounds easy to create in practice, bet it's a lot harder to do in reality.
     
  13. ahrasis

    ahrasis Well-Known Member

    Sighed... Do you really want it to be that complicated as it seems to me either you really want things to be that complicated or you do not know what you really wanted.

    As I hinted all you need is to get the relevant ftp data from ISPConfig database and pass that via the webftp button in ISPConfig so that the web file manager will open without asking for ftp login details BUT that is the main security issue as that include passing password unencrypted.

    I digged an unfinished, but I think related discussion about that in an old netftp thread at: https://www.howtoforge.com/community/threads/net2ftp-integration.42573/page-2#post-304017

    I am advising you not to waste your time on this for some "lazy not well educated users" because it is to me clearly ridiculous and not safe, while the current way is already "easy enough" and safer.

    And clearly to pursue this, you must be equipped with a very good programming skill as well as understanding on how to do a proper plugin for ISPConfig both the current 3.1 and the coming 3.2.

    Hacking will definitely not help you for long.
     
  14. nhybgtvfr

    nhybgtvfr Active Member

    but you can't get the ftp password from the ispconfig database.

    what you can get from the ispconfig database does not let you get back to the clear unencrypted password, unless your plan is to also store another copy of the password in the database using reversible encryption, which is even more of a security risk, or in plaintext, which is just not going to happen.
    as @till states in the thread you link to:
    plus it assumes that an ftp account already exists, or can be created when, as already stated at the start of my previous post, that may not be the case.

    the point is there are a lot of 'lazy and uneducated users' out there who expect file manager style access thanks to other control panels and may not know how to use ftp clients. there are also occasions when file manager style access is required and you're access is through a network/firewall where ftp or ssh is not allowed.
    and while the existing methods may be easy enough for you, and probably everyone else on this forum, it clearly isn't for a lot of our clients, hence the amount of interest in having an integrated method of access we can provide them with, clearly going back at least 10 years judging by that thread.
     
    Last edited: Jun 4, 2020
    ahrasis and Finco like this.
  15. Jesse Norell

    Jesse Norell Well-Known Member

    If you mean to access an obscure path/file name without the proxy through control panel setup, that's not an acceptable risk for many folks. This can be designed and implemented securely, "boy I sure hope nobody finds this!" is not an approach that will find much support, and certainly wouldn't be permitted into ISPConfig releases.

    But to discuss the idea for the sake of learning, there is additionally a timing issue with that design. The user logs into the control panel, the control panel needs to signal to the web server to copy over the file manager to an obscure name; presumably when the user logs out, it should also signal to remove the file manager.

    Currently the only master -> slave communication is made by the slave servers polling the master once per minute to check the job queue for what needs done. That leaves up to one minute where a user who logs in in order to manage files can't actually do so, because it hasn't been setup on the web server yet. That is why I proposed having the control panel generate the shared secret and set things up ahead of time.

    On a side note, to legitimately add a layer of security to your idea, the control panel node might also tell the web server your ip address along with the obscure name, and at least ip-based access control could be applied. Not perfect, but better.

    If there were database (or api) credentials in the file manager code, and that were placed where websites could read the file (eg. an obscure filename the control panel redirects you to), yes, that certainly is a major security issue, as there are numerous ways those credentials could be leaked (via http/ftp/ssh).

    Taking a step back from that, I don't know what the filemanager would be "authenticating" though, as the solution you originally described was for control panel users to have a file manager; the user has already authenticated to the control panel, so the file manager needs to operate without authenticating the user again.

    No, I don't see any need for the file manager to have db/api credentials to the master server, and did not intend for it to, hence no concern with leaking them.
     
    Finco likes this.
  16. Jesse Norell

    Jesse Norell Well-Known Member

    And for one or both of these reasons (easy to use tool, or just find/use what you can that works), I have seen users in the past using external web-based file managers to access their site - ie. giving total control/access to their site to random third parties because they were meeting the "need". I agree, it's a somewhat complex setup to do it right, and not worth the time for my own needs/use, but it certainly has varying degrees of value to others; some quite high.

    It makes me think back to other recent conversations on how those who value this could collectively fund a developer to implement it...
     
  17. Finco

    Finco New Member

    Actually, I already solved this issue by creating a new ftp user (with a known random password) for every login. The ftp user will be used only by the filemanager App.

    I'm guessing a lot of people will not approve this method because of the fact that passwords will use symmetric-key encryption.

    But from my research, tight security is not always comfortable for users. They prefer to tone it down.

    I am considering adding an option to the Filemanager Module interface. It will give users the option to choose if they would like to be automatically logged in or if they don't mind inputting their password each time they need to access the file manager. It will explain why automatically logging in is less secure and the security conscious users can choose to turn it off while the ones that care less can turn it on
     
    Last edited: Jun 7, 2020
    ahrasis likes this.
  18. Finco

    Finco New Member

    Well that's why it's called a business....
    In business, customer is king and you need to satisfy them. Sometimes, you spoon feed them because without paying customers, there is no business. FincoHost was created for these (as you put it) lazy users and we must make them satisfied.
     
    ahrasis and Th0m like this.
  19. Finco

    Finco New Member

    This is not an issue. Personally, I come from a programming background with obsession with PHP. To crown it up, ISPConfig code base is neat, organised, readable and well commented. So basically, programming it is not a problem.

    That's why I requested for high level ideas
     
  20. Finco

    Finco New Member

    Lol you are right though
     

Share This Page