SECRUTIY issue with Virtual hosting with Proftpd & Mysql

Discussion in 'HOWTO-Related Questions' started by snowfly, Jul 5, 2006.

  1. snowfly

    snowfly Member

    SECURITY issue with Virtual hosting with Proftpd & Mysql

    Hi all,

    I'm also running a server with virtual hosting, based on the tutorial using proftpd and mysql:

    I got it all running fine, multiple uses, and all are kept securely jailed in their home directories when the ftp connect in. So they can only upload/download/view files in their home dir.

    However I came across a big security issue.
    As all the files/dirs that created by these virtual ftp users are owned by the system user:
    User: ftpuser
    Group: ftpgroup
    Then any user can create a small PHP script, which can traverse the directories of other users and read their files!!

    Here's an example, 2 virtual users have these homedirs:
    In /home:
    drwxr-sr-x   3 ftpuser ftpgroup 4096 Jun 27 12:46 user1
    drwxr-sr-x   3 ftpuser ftpgroup 4096 Jul  1 19:28 user2
    So user1 has all their files in /home/user1/
    and user2 in /home/user2

    And as you can see both are owned by the ftpuser.ftpgroup.

    If user1 was to write a small php script, called test.php, in /home/user1/test.php, like this:
    $dir "../"
    if ($handle opendir($dir)) {
       while (
    false !== ($file readdir($handle))) {
           if (
    $file != "." && $file != "..") {
    It would result in these dirs being displayed:

    And if the changed $dir to be: "../user2/", they could view all files under user2's directory.

    Basically cause everything is owned by the same system user/group.

    How can I get around this, as its pretty insecure, especially if one of my users happens to be a PHP developer, and decides to write some code to see what the can do on the system...

    Thanks, Mike.
    Last edited: Jul 5, 2006
  2. falko

    falko Super Moderator ISPConfig Developer

    Enable PHP Safe Mode for your web sites.
  3. snowfly

    snowfly Member

    Ok thanks, I will try that this weekend.
    I presume that I follow:
    And foreach virtual host, set things like 'safe_mode_include_dir ' and 'safe_mode_exec_dir ', and 'open_basedir'
  4. falko

    falko Super Moderator ISPConfig Developer

    Yes. Something like this should work:

    php_admin_flag safe_mode On
    php_admin_value open_basedir /var/www/web1/
    php_admin_value file_uploads 1
    php_admin_value upload_tmp_dir /var/www/web1/phptmp/
    php_admin_value session.save_path /var/www/web1/phptmp/
    Of course, you must adjust the paths.
  5. snowfly

    snowfly Member

    Excellent, thanks :)
    That worked well.

    Glad to have that security flaw fixed up, now I can rest easy knowing users my servers can't read/view anything they aren't allowed to! :)

Share This Page