Password in file in /private ?

Discussion in 'General' started by francoisPE, Jun 27, 2021.

  1. francoisPE

    francoisPE Member HowtoForge Supporter

    Hello,
    I would like to know how ISPC website folder '/private' is private...
    I am studying possibility to store mysql password in a file in ISPC website folder '/private' .
    Can hacker access that file by any means ?
    Many thanks
     
  2. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Only if they have access to your site's root folder via ssh or ftp, otherwise, they normally won't be able to access it.
     
  3. francoisPE

    francoisPE Member HowtoForge Supporter

    Thanks a lot :)
    I will not give ftp or ssh access !
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    And take care to give files that contain passwords the right permissions, e.g. 600 to ensure that only the user of this website is able to read it.
     
  5. francoisPE

    francoisPE Member HowtoForge Supporter

    It will be 700 because it is an executable !
    Thanks for the reminder :)
     
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    You don't need any password to be executable.
     
  7. francoisPE

    francoisPE Member HowtoForge Supporter

    sorry, bypass in my explaination.
    My file is an exe (.sh) containing 'mysql -u -p' command
     
  8. francoisPE

    francoisPE Member HowtoForge Supporter

    I have an additional question
    I use dolibarr
    dolibarr is reachable at https://mysite.tld/htdocs
    I build a redirect : no flag, path = /htdocs/

    In my web root, `ls -lrt` gives :
    drwxr-xr-x 2 web30 client15 4096 Jun 30 14:26 error
    drwxr-xr-x 2 web30 client15 4096 Jun 30 14:26 stats
    drwxr-xr-x 8 web30 client15 4096 Jun 30 14:26 dev
    drwxr-xr-x 23 web30 client15 4096 Jun 30 14:26 build
    drwxr-xr-x 5 web30 client15 4096 Jun 30 14:26 doc
    drwxr-xr-x 16 web30 client15 4096 Jun 30 14:26 scripts
    drwxr-xr-x 74 web30 client15 4096 Jun 30 14:26 htdocs

    My question is:
    Considering redirection, is it possible to reach 'scripts' directory with curl, wget, browser, or other hacker tool ?
     
  9. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Try it yourself. If browser can reach it, then can curl and wget.
    With the information you have provided it is not possible to know if your scripts directory is secure or not.
     
  10. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I don't think any browsers can reach that folder if it is in the sites's root.
     
  11. francoisPE

    francoisPE Member HowtoForge Supporter

  12. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    As I said, I don't think any browsers can reach that folder if it is in the site's root.

    Normally when one use php for example, one will code them to specify root folders to secure certain important files from being touched via browser. I am not sure what language your site is using but it should have a way of specifying that kind of folders.
     
  13. francoisPE

    francoisPE Member HowtoForge Supporter

    I am using php. I will look at that security approach.
    what are related commands ?
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    Each website in ISPConfig has a folder named 'private', which is outside of the web root and made to store files that shall not be accessible via browser.
     
  15. francoisPE

    francoisPE Member HowtoForge Supporter

    I know, but, with Dolibarr, I can't work like this... unfortunately !
     
  16. francoisPE

    francoisPE Member HowtoForge Supporter

    I am trying in apache conf for that website

    <Directory "/var/www/clients/clientx/weby/web/scripts">
    Require all denied
    </Directory>

    Let see !
     

Share This Page