security_level of web document_root in 3.0.5

Discussion in 'Installation/Configuration' started by thorewi, Mar 7, 2013.

  1. thorewi

    thorewi New Member


    I want to ask: in ISPConfig 3.0.4, the document_root of a web (folder webXXX) was owned by user:group with security_level = 20, and by root:root with security_level = 10. In ISPConfig 3.0.5, it is always root:root, but I want user:group there, because I need to create folders and files there.

    Code in 3.0.4:

    $this->_exec('chown '.$username.':'.$groupname.' '.escapeshellcmd($data['new']['document_root'])); (line 628)

    Code in 3.0.5:

    $app->system->chown($data['new']['document_root'],'root'); (line 728)
    $app->system->chgrp($data['new']['document_root'],'root'); (line 729)

    Am I missing something here? Thx.
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The permissions have been changed, so root:root is the correct owner for security Level 2 as well.

    The root folder of the website shall not be used to create any files there. If you want to add custom files and folders not accessible by http, then put them in the private subfolder.
  3. thorewi

    thorewi New Member

    Hm sorry, but in 3.0.4 there wasn't any folder like private, so I have to put all my libs, resources and other stuff in the root to avoid them being accessible by http. So now I would have to change all my websites and also all my git repositories, which have the same directory structure as production because of ftp deployment... I would also have to change all constants in all projects with paths to my libs, third party libs and so on... it's not real.... And the second problem: when I'm doing ftp deployment, the deployment software creates a file in the root with the last commit or file hash or so... we use 2 different programs and both do it this way, so they don't work anymore...
  4. thorewi

    thorewi New Member

    And I need 3.0.5 because of the php-fpm ondemand feature... Of course I can just overwrite these two lines myself, but it's not a solution :(
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    We had to change this for security reasons, there was no option to fix the issue while keeping the old permissions. The web root was not made to store any files there directly. The private folder was introduced in 3.0.5 to offer an alternative storage location for files that shall be kept private.

    You can configure in System > Server config that the permissions of existing sites don't get altered on update. But new sites will always get created with the new permission scheme.
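
A way to see which permission scheme a given site currently has, useful when existing sites keep their old permissions on update while new sites get the new scheme. This is an added example, not code from ISPConfig or from the posters; it assumes the private folder sits directly below document_root and it evaluates classic Unix permission bits only.

```python
import os
import pwd
import stat
import sys

def can_create(owner, group, mode, uid, gids):
    """True if an unprivileged user (uid, gids) may create entries in a
    directory with this owner, group and mode. Classic Unix bits only;
    ACLs and root's override are ignored (assumption)."""
    if uid == owner:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif group in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return (mode & need) == need

def audit(document_root, uid, gids):
    """Report owner, mode and writability for the site root and its
    'private' subfolder (assumed to sit directly below document_root)."""
    report = {}
    for label, path in (("document_root", document_root),
                        ("private", os.path.join(document_root, "private"))):
        try:
            st = os.lstat(path)  # lstat: do not follow a symlinked folder
        except FileNotFoundError:
            report[label] = "missing"
            continue
        if not stat.S_ISDIR(st.st_mode):
            report[label] = "not a directory"
            continue
        report[label] = {
            "owner": (st.st_uid, st.st_gid),
            "mode": oct(stat.S_IMODE(st.st_mode)),
            "root_owned": (st.st_uid, st.st_gid) == (0, 0),
            "user_can_create": can_create(st.st_uid, st.st_gid,
                                          st.st_mode, uid, gids),
        }
    return report

if __name__ == "__main__":
    # Usage: audit.py <document_root> <site user>
    root, user = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))
    for label, result in audit(root, pw.pw_uid, gids).items():
        print(label, result)
```

A site on the 3.0.5 scheme reports `root_owned: True` and `user_can_create: False` for document_root; deployment tools that write a state file need a target where `user_can_create` is `True`.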
  6. thorewi

    thorewi New Member

    yes I understand you, but when you look here:

    and here:

    (two frameworks we use)

    the structure is as I mentioned - one public folder and other folders with libs and app on the same structure level. So it's not our invention... So I don't know what to do now :( And there is also the problem with deployment - mostly we use git-ftp and it works as I said - creating a file with the last commit in the ftp root... but at least there is an option to change it.

    I understand the security is very important, that's why I use ISPConfig, but I'm afraid many users will be a little upset :)

    But thanks for your help.
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Make a feature request in the bugtracker, maybe we can add another option to switch the permissions to the user.
  8. lamar

    lamar New Member

    This means that open_basedir can no longer be used for files outside the web folder?
    It is really unpleasant.

    Do you have any solution for the new security?
