All accounts in DirectAdmin have public_html permission 777

Amit

Hi
All accounts on my DirectAdmin have public_html permission 777, and new accounts also get the same permission. Is it normal? Please see the attachment.
[Attachment: Screenshot_20200413-055621_Chrome.jpg]
 
If you use SSL for your domains, then they'll need to load from private_html. Some will enable SSL, and if the symlink between public_html and private_html doesn't exist, it will try to load the site content from private_html and give a message to upload the site content to private_html. It is best to have the public_html -> private_html symlink enabled by default to prevent this problem.

See more here:

https://knownhost.com/wiki/control-panels/directadmin/how-to-upload-to-private-html

In my server, private_html is 777 as are all symlinks and public_html is 755:

lrwxrwxrwx 1 admin admin 13 Sep 28 2019 private_html -> ./public_html
drwxr-xr-x 3 admin admin 4096 Sep 27 2019 public_html
 
Hi scriptkitty, I need your opinion. I do know whether you have tested it or not. Recently I was doing some experiments on the security of domains on the same DA user account. I created a PHP file inside a subdomain containing commands such as rm, mv, touch, etc. These commands were working on the main domain and other subdomains too, or other domains inside the same DA user account. Now consider: if one of your subdomains gets hacked, then in that case hackers are able to access the other domains too and inject backdoors. This is the biggest security issue I have seen so far, which makes me not want to host multiple domains on the same DA user.
 
@Amit I think that is done by design; the owner of that user account is also the owner of all the (sub)domains?
What is your PHP version anyway? php-fpm or mod_php? If you have mod_php, did you enable mod_ruid2?
 
An attacker that gains enough of a foothold to inject malicious php code into an account will be able to access all domains within that account using that code. This is because access is limited by user, not domain.

I remember thinking when cPanel increased their prices dramatically on a per account basis that many would try to get around it by using a ton of addon domains in a single account, and that it was going to mean tons of malware for me to clean. Ugh
 
I'd like to note it's the permissions of a shortcut (symlink) :) The actual folder (not shortcut) permissions are in effect when accessing the files.
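
An added example (not part of any post in this thread, and not DirectAdmin's own tooling): a POSIX shell audit that separates the always-777 listing of a symlink from a genuinely world-writable directory, which is the distinction the symlink remark above draws. The USER/domains/DOMAIN/ layout, the function names and the sample tree are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example. A symlink always lists as lrwxrwxrwx; the kernel enforces the
# mode of the target, so the audit must look through the link.

# True if the path (symlinks followed) has the "other" write bit set.
world_writable() {
    [ -n "$(find -L "$1" -maxdepth 0 -perm -0002 2>/dev/null)" ]
}

classify_path() {
    if [ -L "$1" ] && [ ! -e "$1" ]; then
        echo "dangling-symlink"            # link whose target is gone
    elif [ ! -e "$1" ]; then
        echo "missing"
    elif [ -L "$1" ]; then
        if world_writable "$1"; then echo "symlink-target-world-writable"
        else echo "symlink-ok"; fi
    elif world_writable "$1"; then
        echo "world-writable"              # a real 777-style directory
    else
        echo "ok"
    fi
}

# Walk BASE/USER/domains/DOMAIN/{public_html,private_html} (layout assumed).
audit_homes() {
    for p in "$1"/*/domains/*/public_html "$1"/*/domains/*/private_html; do
        [ -e "$p" ] || [ -L "$p" ] || continue
        printf '%s %s\n' "$(classify_path "$p")" "${p#"$1"/}"
    done
}

# Constructed sample tree (not real accounts): one account like the listing
# in the thread, one with a genuinely world-writable public_html.
make_sample() {
    base=$(mktemp -d)
    mkdir -p "$base/admin/domains/example.com/public_html"
    chmod 755 "$base/admin/domains/example.com/public_html"
    ln -s ./public_html "$base/admin/domains/example.com/private_html"
    mkdir -p "$base/user2/domains/example.org/public_html"
    chmod 777 "$base/user2/domains/example.org/public_html"
    echo "$base"
}

sample=$(make_sample)
audit_homes "$sample"
rm -rf "$sample"
```

On a server, `audit_homes /home` would run the same check over real accounts, assuming user home directories live under /home.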
 
> @Amit I think that is done by design; the owner of that user account is also the owner of all the (sub)domains?
> What is your PHP version anyway? php-fpm or mod_php? If you have mod_php, did you enable mod_ruid2?

Both mod_php and fpm, and on both this is in effect.
 
> An attacker that gains enough of a foothold to inject malicious php code into an account will be able to access all domains within that account using that code. This is because access is limited by user, not domain.
>
> I remember thinking when cPanel increased their prices dramatically on a per account basis that many would try to get around it by using a ton of addon domains in a single account, and that it was going to mean tons of malware for me to clean. Ugh

OK, this means people should avoid hosting multiple domains on the same account, because weak security of any one domain may increase the chances of losing other websites. It's actually very hard to find malicious code, but it seems easy with WordPress due to plugins. One thing I also want to mention here is that cPanel acted very inappropriately with its insane price increase. Thanks to DirectAdmin. But DirectAdmin does not provide php.ini editing, which many developers demand. DirectAdmin should bring this feature in order to beat cPanel.
 
DirectAdmin developers are listening to feature requests. They’ve pushed out more features in the past 6 months than I could’ve ever imagined possible. Keep voicing your opinions and add to feature requests to let them know what’s important to you!
 
> OK, this means people should avoid hosting multiple domains on the same account, because weak security of any one domain may increase the chances of losing other websites. It's actually very hard to find malicious code, but it seems easy with WordPress due to plugins. One thing I also want to mention here is that cPanel acted very inappropriately with its insane price increase. Thanks to DirectAdmin. But DirectAdmin does not provide php.ini editing, which many developers demand. DirectAdmin should bring this feature in order to beat cPanel.

The feature you are looking for is possible when using CloudLinux.
 

> DirectAdmin developers are listening to feature requests. They’ve pushed out more features in the past 6 months than I could’ve ever imagined possible. Keep voicing your opinions and add to feature requests to let them know what’s important to you!

Yes, I know they have done a lot, like single sign-on, file manager, etc., for a better user experience; an ini editor is pretty important for developers. I got 10 requests for this from developers, and they shifted to cPanel because of this.
 
I haven't seen what you have on CloudLinux for selection on cPanel either, so good luck to those devs then.

> OK, this means people should avoid hosting multiple domains on the same account, because weak security of any one domain may increase the chances of losing other websites.

This is the same on cPanel, only it is done differently with the directories, but it is also under the same account, so then cP would have the same "weakness".
 
> This is the same on cPanel, only it is done differently with the directories, but it is also under the same account, so then cP would have the same "weakness".

I was literally in the process of noting exactly this when a storm knocked my internet out! Thanks for mentioning this. :)
 