Web home directories world writable?

Discussion in 'Installation/Configuration' started by zarrelli, Jul 25, 2006.

  1. zarrelli

    zarrelli New Member

    I was looking at the launch script

    ls /etc/init.d/ispconfig_server


    ###################################
    #
    # ISPConfig Server-Startscript
    #
    ###################################

    TMPDIR=/tmp
    PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin

    case "$1" in
    start)
    echo "Starting ISPConfig system..."
    /etc/init.d/mysqld start &> /dev/null
    /etc/init.d/mysql start &> /dev/null
    sleep 3
    /root/ispconfig/httpd/bin/apachectl startssl
    /root/ispconfig/sv/ispconfig_wconf &> /dev/null &
    /root/ispconfig/php/php -q /root/ispconfig/scripts/shell/firewall.php
    if ps ax | grep -iw '/home/admispconfig/ispconfig/tools/clamav/bin/freshclam' |

    So the ispconfig server is contained in the /root/ispconfig directory?

    Then I looked at ps of apache processes:

    homeland:/etc/init.d# ps axwu | grep apache
    root 2217 0.0 0.5 102352 12184 ? Ss 11:02 0:00 /usr/sbin/apache2 -k start -DSSL
    www-data 2280 0.1 1.4 119820 29308 ? S 11:02 0:02 /usr/sbin/apache2 -k start -DSSL
    www-data 2281 0.0 1.3 116828 27264 ? S 11:02 0:00 /usr/sbin/apache2 -k start -DSSL
    www-data 2283 0.0 1.3 118168 28612 ? S 11:02 0:01 /usr/sbin/apache2 -k start -DSSL
    www-data 2337 0.0 1.3 117848 28456 ? S 11:02 0:01 /usr/sbin/apache2 -k start -DSSL
    www-data 6963 0.0 1.3 117600 27940 ? S 11:06 0:00 /usr/sbin/apache2 -k start -DSSL
    www-data 7132 0.0 1.3 117764 28176 ? S 11:10 0:00 /usr/sbin/apache2 -k start -DSSL
    www-data 7134 0.0 1.3 117616 28012 ? S 11:10 0:00 /usr/sbin/apache2 -k start -DSSL
    www-data 7135 0.0 1.3 117712 28192 ? S 11:10 0:00 /usr/sbin/apache2 -k start -DSSL
    www-data 7137 0.0 1.3 116592 26936 ? S 11:10 0:00 /usr/sbin/apache2 -k start -DSSL
    www-data 8388 0.0 0.5 102352 12216 ? S 11:24 0:00 /usr/sbin/apache2 -k start -DSSL
    root 8436 0.0 0.0 2620 504 pts/0 R+ 11:26 0:00 grep apache
    homeland:/etc/init.d# ps axwu | grep httpd
    root 2067 0.0 0.2 27524 5948 ? Ss 11:01 0:00 /root/ispconfig/httpd/bin/ispconfig_httpd -DSSL
    admispc 2072 0.0 0.6 34220 13836 ? S 11:01 0:01 /root/ispconfig/httpd/bin/ispconfig_httpd -DSSL
    root 2218 0.0 0.0 2680 436 ? S 11:02 0:00 /root/ispconfig/cronolog --symlink=/var/log/httpd/ispconfig_access_log /var/log/httpd/ispconfig_access_log_%Y_%m_%d
    admispc 2492 0.0 0.6 34180 14000 ? S 11:02 0:01 /root/ispconfig/httpd/bin/ispconfig_httpd -DSSL
    root 8440 0.0 0.0 2620 504 pts/0 R+ 11:26 0:00 grep httpd

    Well, the apache serving user pages has www-data.www-data as owner/group.

    But since all the user web spaces are under their userid:

    ls -lah /var/www/

    drwxr-xr-x 15 web11_giorgio web11 4.0K Jul 25 11:03 web11

    That means that each subdirectory under the web11 root htdocs should be readable, writable and executable by all (-a in chmod). The same for files in there: to be overwritable by a php-generated web process they should be world-writable.

    I noticed that to make ispconfig be able to modify files in user web homes, its userid is added to each user group.

    Aren't these settings a bit insecure? Or is there something I don't catch?
     
  2. till

    till Super Moderator

    No. Please install and enable SuPHP and SuExec for the other CGI scripts.
     
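As an added example (not part of the thread and not ISPConfig's own code): a POSIX shell audit for the two symptoms of the setup zarrelli describes, entries under a site's web home that are world-writable and entries not owned by the site user, plus a function that strips the world-writable bit, which is what a suPHP/suexec setup makes unnecessary. The site name web11 and the sample tree are constructed here; the user name is taken from the current account.

```shell
#!/bin/sh
# Audit a site's web home for the permission pattern from the thread:
# entries made world-writable (o+w) so that PHP running as www-data can
# write them, and entries owned by someone other than the site user.
# Under suPHP/suexec, PHP runs as the site user, so neither should exist.

# Print one line per finding: "WORLD_WRITABLE <path>" or "WRONG_OWNER <path>".
audit_webroot() {
    root=$1
    site_user=$2
    find "$root" ! -type l -perm -0002 -print 2>/dev/null | sed 's/^/WORLD_WRITABLE /'
    find "$root" ! -user "$site_user" -print 2>/dev/null | sed 's/^/WRONG_OWNER /'
}

# Number of findings; 0 means the tree is clean.
audit_webroot_count() {
    audit_webroot "$1" "$2" | wc -l | tr -d ' '
}

# Remove the world-writable bit everywhere under the web home. Ownership
# repair (chown -R site_user:group) needs root and is left to the admin.
harden_webroot() {
    find "$1" ! -type l -perm -0002 -exec chmod o-w {} + 2>/dev/null
}

# Constructed sample tree (hypothetical site web11) with one world-writable
# directory and one world-writable file; prints the web home path.
make_sample_webroot() {
    base=$(mktemp -d)
    mkdir -p "$base/web11/web"
    chmod 755 "$base/web11" "$base/web11/web"
    echo '<?php echo "hi";' > "$base/web11/web/index.php"
    echo '<?php echo "ok";' > "$base/web11/web/ok.php"
    chmod 777 "$base/web11/web"            # the "-a" chmod from the question
    chmod 666 "$base/web11/web/index.php"  # file left writable for www-data
    chmod 644 "$base/web11/web/ok.php"     # correctly permissioned file
    echo "$base/web11"
}

# Demo: audit the sample tree, harden it, audit again, clean up.
demo_home=$(make_sample_webroot)
audit_webroot "$demo_home" "$(id -un)"
harden_webroot "$demo_home"
echo "after hardening: $(audit_webroot_count "$demo_home" "$(id -un)") finding(s)"
rm -rf "$(dirname "$demo_home")"
```

Run it against a real web home as `audit_webroot /var/www/web11 web11_giorgio`; a non-empty WRONG_OWNER list is the sign that PHP or CGI is still writing as www-data rather than as the site user.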