NFS share permission issue

Discussion in 'Installation/Configuration' started by dr-l3x, Dec 27, 2013.

  1. dr-l3x

    dr-l3x New Member

    Hi to all,

    I set up a multi-server ISPConfig with several servers and services.
    The web servers use an NFS share on /var/www, and I have to add a chmod o+x on the web folder, otherwise I get a 403 Forbidden. The same configuration on a local disk works without any problem and without any permission modification.
    Is there any way to resolve this issue without adding o+x on the web folders?
     
    Last edited: Dec 27, 2013
  2. alicumircea

    alicumircea New Member

    Did you try
    Code:
    chown www-data:www-data /var/www -R
    or whatever your web user and group is depending on the distro used?
    Afterwards it is advisable to set directory permissions to 755 and file permissions to 644:
    Code:
    find /var/www/clients/client1/web1/web -type d -exec chmod 0755 {} \;
    find /var/www/clients/client1/web1/web -type f -exec chmod 0644 {} \;
     
    Last edited: Dec 29, 2013
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Do not do that! It will break your whole web server and destroy all websites created with ISPConfig irreversibly! If you did that already, you have to restore a full backup of all files with correct permissions. The find commands will break everything too, so don't execute them!
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Have you tried to disable the web folder protection under System > server config > web? NFS is not capable of handling extended file attributes correctly, so the protection won't work over NFS anyway.
     
  5. dr-l3x

    dr-l3x New Member

    Hi Till,

    I have tried to disable web folder protection, but I'm still stuck on 403 Forbidden with the NFS share :(

    This is my share option on the NFS server:

    /home/NFS/WEB-01 172.31.255.3/32(rw,sync,fsid=0,no_root_squash,no_subtree_check)

    On the client I haven't used any special mount options:

    172.31.255.1:/home/NFS/WEB-01/WEB on /var/www type nfs (rw,addr=172.31.255.1)

    All distros are Ubuntu 12.04 LTS.

    Any ideas?

    Thanks
     
  6. alicumircea

    alicumircea New Member

    Hi Till,

    Why is that? I just migrated my old ISPConfig to new servers last week with NFS shares using this method and it works perfectly. After struggling a bit I was able to configure dovecot to work correctly on the NFS share.
    Your affirmation got me a bit concerned now.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    In ISPConfig, each website runs under a different user (not www-data) and has folder permissions to prevent access from other hosted sites.

    Your chmod killed all security features like user separation of websites, SSH jails and jailed cronjobs, opened the website dirs for access by all clients and killed FTP. So each client is able to get access to all other websites of other clients now, and when a hacker is able to get access to one website, e.g. by hacking an installed CMS, he can manipulate all other websites as well.
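
An added example (not part of the original posts and not ISPConfig code): a read-only audit for the two conditions till describes above, web folders that grant permissions to "other" and several sites owned by the same user. It assumes GNU find and stat and the /var/www/clients/clientN/webN/web layout seen in the find commands earlier in the thread; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: read-only audit of an ISPConfig-style web tree.
# Assumed layout: ROOT/clients/clientN/webN/web (taken from the paths
# quoted in the thread). Nothing here changes ownership or modes.

# Print "OTHER <mode> <path>" for each site web folder that grants any
# permission bit to "other" (the result of chmod 0755 or chmod o+x).
world_accessible_sites() {
    root=$1
    find "$root"/clients/*/*/web -maxdepth 0 -type d -perm /007 \
        -exec stat -c 'OTHER %a %n' {} \; 2>/dev/null
}

# Print "SHARED <uid> <count>" for each numeric uid that owns more than
# one site web folder (the result of a recursive chown to one web user).
# Numeric uids are used because they are what the NFS client and server
# have to agree on.
shared_owner_sites() {
    root=$1
    for d in "$root"/clients/*/*/web; do
        if [ -d "$d" ]; then
            stat -c '%u' "$d"
        fi
    done | sort | uniq -c | awk '$1 > 1 { print "SHARED", $2, $1 }'
}

# When run as a script with a root directory argument, print both reports.
if [ $# -gt 0 ]; then
    world_accessible_sites "$1"
    shared_owner_sites "$1"
fi
```

Run it as `sh audit.sh /var/www` on each web server that mounts the share; any OTHER or SHARED line marks a site whose files other hosted sites may be able to reach.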
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    I'll have to test that. I've added a bug report in our bugtracker.
     
  9. alicumircea

    alicumircea New Member

    That should be an easy fix on the permissions then. I'm running only 4 sites hosting saas. There are no clients in ispconfig - just mine. I can easily replicate it on a VM and test. Never used ftp, I only upload data by scp and nobody has access to the ispconfig interface.
    Do you think it will work?

    Sorry dr-l3x for spamming your post.
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Fixed in 3.0.5.4-dev
     
