DA security issue

adam-pca

Hi,

I was just told by some user of mine that it was possible to cd into anyone's public_html and read files.

After checking I found it was, the user even managed to get a lot of sql passwords from config files etc.

I'm still trying to clean the mess up. :(

Anyway, to the point. After searching for the general area of permissions on here I noticed, http://www.directadmin.com/features.php?id=497.

It appears like default DA install uses apache_public_html=0, so I changed it and created a new account. Then I checked out if the same problem happened on the new user, oddly it didn't.

I went through and chowned and chmoded the public_html dirs to USER:apache and 750. It seems to have fixed it.

Not too sure why DA is using that as default if those permissions allow such open access.

I could be wrong, could someone please comment on this.

Thanks,
Adam
 
I believe that the default was changed in a recent version... This issue has been hashed over many times.

Note that even with perms at user:apache 750, it is still possible for any user on the system to read any file that apache has access to (i.e., anything in public_html).
 
If the issue is with shell browsing, then you can block list permissions in the home directory; this at least will help stop them finding usernames to cd into. It's possible other ways, of course.

Open base dir will help with what ballyn mentioned.
 
@ballyn: I have open base dir as Chrysalis suggested, to prevent that.

@Chrysalis: The main issue really is, someone COULD read config files, get passwords, etc. Not something I would be too happy about should I be a customer of any host with such an easy open setup.

I also just noticed it is possible to grab .htpasswd files, which the public_html fix didn't fix. It's not too hard to decrypt .htpasswd should someone want to.

This issue really needs resolving. :rolleyes:

For now I guess I can create a script to chown and chmod the domain or domains dir to prevent .htpasswd and file viewing/stealing.

I just hope DA offers a solution to this.

Thanks,
Adam
 
Hello,

As Chrysalis has mentioned, this issue has been thrown back and forth many many times. Some admins want it one way, others want it another way. We can't have both options as the default, so we opted for the current one. The reasons for not doing 750 grp apache are that frontpage won't work, some systems, cgis will not work, and on FreeBSD, if apache is the group, then all files saved to the directory become owned by apache as well, again breaking pretty much all cgis and frontpage (suexec won't work with apache as the group).

All we can really do is give the admin the option, hence the apache_public_html setting.

John
 
Also note that open_basedir does not solve the issue... even with it enabled, it's still possible to achieve the same results unless php is much more significantly secured.
 
End of the day, if it's a big problem, don't provide shell access, since once in the shell there are so many ways to find out usernames on the server and as such to know what dirs to cd into.
 
If you make /home look like this:

Code:
drwx--x--x  125 root     root         4096 Oct  6 00:06 /home

your shell users may still be able to read specific files/directories if they know they're there, but they won't be able to see any usernames:

Code:
[jlasman@da1 /]$ ls -al /home/*
ls: /home/*: No such file or directory
[jlasman@da1 /]$

Jeff
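
The exposures raised in the posts above (a listable /home, web directories open to "other", readable .htpasswd files) can be checked with a short audit script. This is an added example, not code from the thread or from DirectAdmin; the `<root>/<user>/domains/<domain>/public_html` layout and all function names are assumptions, and the web server's group is supplied by the admin.

```shell
#!/bin/sh
# Added example: audit a shared-hosting home tree for the permission issues
# discussed in this thread. Assumed layout (not confirmed by the thread):
#   <root>/<user>/domains/<domain>/public_html

# True if "other" users can list the home root (mode 711 removes this).
home_listable() {
    [ -n "$(find "$1" -maxdepth 0 -perm -004)" ]
}

# Print public_html/domains directories that grant any bit to "other".
open_web_dirs() {
    find "$1" -mindepth 2 -maxdepth 4 -type d \
        \( -name public_html -o -name domains \) \
        \( -perm -001 -o -perm -002 -o -perm -004 \) -print | sort
}

# Print .htpasswd files that "other" users can read.
open_htpasswd() {
    find "$1" -mindepth 2 -type f -name .htpasswd -perm -004 -print | sort
}

# Apply the USER:<group> 750 change described in the first post.
# usage: lock_web_dir DIR GROUP   (GROUP = the web server's group)
lock_web_dir() {
    chgrp "$2" "$1" && chmod 750 "$1"
}

# One labelled line per finding; empty output means nothing was found.
audit() {
    if home_listable "$1"; then echo "LISTABLE $1"; fi
    open_web_dirs "$1" | sed 's/^/OPEN-DIR /'
    open_htpasswd "$1" | sed 's/^/OPEN-FILE /'
}

# Run against a root given on the command line, e.g.: sh audit.sh /home
if [ "$#" -gt 0 ]; then audit "$1"; fi
```

The script only reports; `lock_web_dir` changes nothing unless called explicitly, so the FrontPage, CGI and suexec side effects John describes can be weighed per directory first.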
 
Surely security is the number one issue for a web hosting control panel?

DA Support said:
We can't have both options as the default, so we opted for the current one.

Trouble is, I've had DA for a little while and I've only just noticed this option is available!


Can one option to prevent users with shell access trawling the filesystem be to chroot their shell to their home directory? (when creating new users, the admin could choose the shell they get?)

To get FP to work, is it not possible to create a new group which apache is a member of, instead of using apache as the group files are created with?

Would it not be a good idea to set open_basedir on as a default?


The forum is a good source of information, but there's nothing like a central place to find out all this without spending a lot of time looking for things you don't know exist. Would a Knowledgebase be a good idea?
 
Are we discussing shell users that AREN'T jailed here? Because I have yet to be successful in breaking out of the jail and viewing other users' files.

BigWil
 