IMPORTANT: changes to /var/www/html path in CB2.0

I agree with Richard, /tmp is mounted with noexec for security reasons. Why create a new tmp directory for the webapps? Nobody can guarantee Roundcube/phpmyadmin/other webapps are 100% secure and will never be abused to place an executable in /var/www/tmp.

If Roundcube/phpmyadmin/other webapps are abused what would stop hackers from writing into webapp's root located in /var/www/html/roundcube/ or /var/www/html/phpmyadmin/, etc?

Why do you think you are secured when mounting /tmp with noexec? And why do you think you're less secured when separating webapps temp directory?
 
If Roundcube/phpmyadmin/other webapps are abused what would stop hackers from writing into webapp's root located in /var/www/html/roundcube/ or /var/www/html/phpmyadmin/, etc?

The same "what would" applies to websites of users, why do we (everyone) use a noexec /tmp if hackers cannot be stopped from writing into /home/<username>/? :)

Why do you think you are secured when mounting /tmp with noexec? And why do you think you're less secured when separating webapps temp directory?

It at least stops hackers from executing executables from /tmp, a technique mainly used by scriptkiddies. Why does DirectAdmin "highly recommend" mounting /tmp with noexec (http://www.directadmin.com/install.html)? Apparently there is a reason for that. So why turn down the security by separating the webapps temp directory, which isn't protected with noexec? And if we really need this change for squirrelmail, why also use it for phpmyadmin and roundcube etc, and not only for squirrelmail?

We don't even use squirrelmail as it is old and useless compared to Roundcube, but we will be affected by this change because we use roundcube and phpmyadmin. Maybe limit this change and only apply it IF squirrelmail is installed through custombuild? And leave the tmp if squirrelmail is not installed.
 
But why do you think this change doesn't impact the security of your server?

First of all, please understand, I express my own point of view based on my experience and knowledge. And I might be wrong in some aspects.

Secondly, I believe that the /tmp directory is commonly used by malware as it is present on almost all servers and is world writable. Malware usually does not use ENV or SERVER vars to find 'upload_tmp_dir'; it directly tries "/tmp" or other common paths. The new temp directory is owned by webapps:webapps

Code:
[root@server www]# ls -ld /var/www/tmp
drwxrwx--- 2 webapps webapps 4096 Dec 27 11:19 /var/www/tmp

So the other scripts and sites can not write into it.

And I can hardly recall any issue with roundcube/phpmyadmin/squirrelmail where a hacker hacked a server through the webapps. I constantly see a high number of hacks done through WP, Joomla, etc. sites.

Thirdly, as you already mentioned we won't stop a hacker from exploiting a server with only noexec,nosuid mount options on /tmp:

Code:
# perl /tmp/perl.pl
# sh /tmp/malware.sh

etc. work fine.

But I still recommend securing /tmp with noexec,nosuid. This gives protection from bots and scriptkiddies.


So, to conclude: bots and scriptkiddies with scripted attacks rely on the defaults in order to function. They try to write and execute scripts from /tmp and /var/tmp, and in most cases they do not check the values of ENV and SERVER vars to find the location of 'upload_tmp_dir'. Thus mounting /tmp with noexec is almost the same as moving the temp dir to another location. Both should give the same effect.
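
An added example (not part of the original posts, and not DirectAdmin's own tooling) that reports which mount options actually cover each temp directory debated in this thread. The mount table and the function names are constructed for illustration; it shows that a plain directory such as /var/www/tmp inherits the options of the filesystem it sits on rather than those of /tmp.

```sh
#!/bin/sh
# Added example: which mount options really apply to a temp directory?
# Input is a mount table in /proc/mounts format: device mountpoint fstype options ...
sample_mounts() {   # constructed sample: /tmp is its own noexec mount, /var/www/tmp is not
cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda3 /var ext4 rw,nosuid,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev 0 0
EOF
}

# mount_opts_for PATH: print the options of the longest mount point that
# contains PATH (the filesystem PATH lives on). Mount table is read on stdin.
mount_opts_for() {
    awk -v p="$1" '
        {
            mp = $2
            # match: same path, the root, or a parent directory of PATH
            if (mp == p || mp == "/" || index(p, mp "/") == 1) {
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }
    '
}

# has_opt OPTS NAME: succeed if NAME is one of the comma-separated OPTS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_dir PATH: print "PATH ok" or "PATH missing: <options>" (table on stdin).
audit_dir() {
    opts=$(mount_opts_for "$1")
    missing=""
    for o in noexec nosuid; do
        has_opt "$opts" "$o" || missing="$missing $o"
    done
    if [ -z "$missing" ]; then echo "$1 ok"; else echo "$1 missing:$missing"; fi
}

# Demo on the constructed table; on a real host: audit_dir /var/www/tmp < /proc/mounts
for d in /tmp /var/tmp /var/www/tmp; do sample_mounts | audit_dir "$d"; done
```

The report covers mount options only; as the post above notes, noexec does not prevent an interpreter from being pointed at a script stored in the directory.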
 
Relying on "hackers use /tmp and not ENV" is a security through obscurity thing. Just because they usually don't doesn't mean they won't or can't.
There are enough remote command execution bugs found in phpmyadmin in the past, I am not convinced they won't find new ones in the future. This change is unnecessary for hosters that don't use Squirrelmail so please do not activate it if Squirrelmail is not installed... I think that is a good deal for both parties (that need the change and don't need the change).
 
I have the following enabled. Been active for some time now, 2-4 months or so, with only one small insignificant issue, with a png minimizer plugin in WP. Otherwise no issues. I will read-up on the other changes.

disable_functions = exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname

I used the CB2 DA Plugin to harden php, under "Secure PHP" - [/CMD_PLUGINS_ADMIN/custombuild/update_software_configuration.html]

Thx
 
Does it affect Custombuild 1.x now as well? I recently ran into an issue with Custombuild 1.1 because the TMP path was changed for phpmyadmin to /var/www/tmp on a server with Custombuild 1.1, and the directory /var/www/tmp was missing.
 
Maybe that had another cause? I've still got a server on CB 1.2 and this one had /var/www/tmp present and I did not create it.
 
I use CentOS 7 + DirectAdmin 1.51.3 + suPHP

I add the open_basedir variable to the 3 "50-webapps.ini" files:
open_basedir=/var/www/html/:/var/www/tmp/

Why is the open_basedir variable not set by default (after the first DA installation) for the webapps user?! Allowing the insecure services in /var/www/html/ (webmail, etc.) to list and rewrite all available files on the server is a very bad idea!


Please add this guide in https://help.directadmin.com/item.php?id=183.
 