mod_ruid2 and ~username

D

ditto

Verified User
Joined
Apr 27, 2009
Messages
2,577
I am running custombuild 2.0, mod_php and mod_ruid2. mod_ruid2 is installed by using custombuild.

I just noticed that http://12.12.12.12/~username/ (12.12.12.12 is server main ip) works on my server (it even works on php pages!). But I think I have read somewhere in the forums that it is a security risk when ~username function is enabled on mod_ruid2 server (I can't seem to find that post anymore, though). Is that correct?

If so, may I suggest that custombuild 2.0 as default make this ~username disabled if mod_ruid2 is installed?

If I was to disable it myself, is this guide still the correct and best way to do it?: http://help.directadmin.com/item.php?id=344
 
Last edited:
I don't remember what security risk it might be, only vague remember reading something about it a year or two ago on these forums, but at that time I was running suphp, so I did not think much about it. So I might be wrong, but at least somone mentioned that when using mod_ruid2 it was better for security to disable ~username - I will try to search more in the forums, maybe I find the post again ...
 
I've read this in the howto about disabling the ~username:
Additionally you could disable site access through ip/~user - because mod_ruid2 is not in effect there. If users try to install e.g. wordpress there it will fail.
Click to expand...
So disabling is better because mod_ruid2 is not in effect when using ~username.
 
Yes, that was my guess, and a question of mine:

"Are the scripts still run proper user or not?"

left without an answer. Probably I was not accurate enough when asking.
 
Isn't this question...
"Are the scripts still run proper user or not?"
Click to expand...
...not answered by this piece of text?
because mod_ruid2 is not in effect there
Click to expand...

If mod_ruid2 is not in effect, a script normally will run as user... well... apache or nobody is used when no mod_ruid2 is used, correct?
Or do I not understand your question correctly?
 
Last edited:
Richard, thank you for your clarification. I did get answer from you. Initially the question was addressed to ditto. And when saying that my question was left unanswered I did not mean you. You were kind enough to confirm my guess, and to answer ditto's question as well, and now I guess all of us here have answers and should be happy.
 
@zEitEr, sorry for not answering the question, but it was because I was not sure, yet. Anyway, I think I found the forum post I was thinking about:

quote from: http://forum.directadmin.com/showthread.php?t=37467&p=221306#post221306
Actually, and please don't mind if i make this exploit public, but if you use the IP/~account/shell.php style access, mod_ruid2 simply won't work at all.
You can access everything on your server outside /home without write permissions (/, /etc/...).

I'd recommend disabling the userdir access, solution here http://forum.directadmin.com/showthread.php?t=30820 or returning to suphp.
Click to expand...

Also here is some quotes of the replies:

quote from: http://forum.directadmin.com/showthread.php?t=37467&p=221309#post221309
Maybe we can add the suggestion of disabling ip/~user on the main page as it's no luxury to know that mod_ruid2 won't be in effect.
Click to expand...

quote from: http://forum.directadmin.com/showthread.php?t=37467&p=227599#post227599
I've disabled the ~/user access. Since mod_ruid2 just doesn't work there it differs from the normal environment you offer, thus a source of confusion and error.
Click to expand...

If smtalk or john read this, maybe you can consider to make it so that in custombuild 2.0 if mod_ruid2 is installed, then that custombuild disable ~username by default?
 
I was not able to reproduce that ~user behavior using CB 2.0. You may try uploading test.php with the following content in a few accounts of yours and run it using http://hostname/~username/test.php:
Code: 
<?php
echo posix_getuid()."\n";
echo posix_geteuid()."\n";
?>

Please let us know the results.
 
You must log in or register to reply here.
Back
Top