Insecure permissions for config files

wKkaY (Verified User; joined Jul 1, 2004; 13 messages; location: KL, Malaysia) wrote:
hi,

i'm using DA on FreeBSD. i have found that the /usr/local/directadmin/data/users/*/httpd.conf files are world-readable. i believe it's a good practice to restrict it to be viewable to root only. while it isn't critical, having world-readable permissions allows a local user to get a list of hosted domains for each user.

the same goes to the /etc/exim.* files. although this isn't so important, since the configs are based around a template anyway.
 
I don't think it's possible because then either Directadmin won't be able to read/write to it, apache won't be able to access it, etc.

This is why most people using DA have ssh disabled until a jail system is finished.
 
jmstacey said:
I don't think it's possible because then either

1) Directadmin won't be able to read write to it
2) apache won't be able to access it etc.

3) This is why most people using DA have ssh disabled until a jail system is finished.
1) what do world-readable permissions have to do with directadmin writing the file? :)

2) N/A here. apache starts as root and can read any file it likes.

3) a customer will still have local access to the system, via PHP or Perl scripting. try this for size:

Code:
#!/usr/bin/perl
use strict;
use warnings;

print "Content-type: text/plain\n\n";

# Walk the local accounts; any uid >= 1000 is treated as a hosted customer.
open(my $passwd_fh, '<', '/etc/passwd') or die "cannot open /etc/passwd: $!";
my @passwds = <$passwd_fh>;
close($passwd_fh);

foreach my $passwd (@passwds) {
    chomp $passwd;
    my ($uname, $pass, $uid, $gid, $name, $home, $sh) = split(/:/, $passwd);
    next unless defined $uid && $uid =~ /^\d+$/;   # skip comment/blank lines

    if ($uid >= 1000) {
        print "$uname - $uid\n";

        # Only succeeds while the per-user httpd.conf is world-readable.
        my $conf = "/usr/local/directadmin/data/users/$uname/httpd.conf";
        open(my $apache_fh, '<', $conf) or next;
        while (<$apache_fh>) { print $_ if /ServerName/; }
        close($apache_fh);
    }
}
 
DA runs as root, correct? So /usr/local/directadmin/data/users/*/httpd.conf could be chmod 400 apache? Right?

Phi1.
 
I just wonder why people worry about such harmless issues as world-readable httpd.conf and exim.conf, while there are so many much more important security problems around...
 
you never know when something as 'harmless' as this comes back to bite you.

if you don't mind, please do not post in my thread until you have something constructive to add. thank you.
 
l0rdphi1 said:
DA runs as root, correct? So /usr/local/directadmin/data/users/*/httpd.conf could be chmod 400 apache? Right?
Phil,

I don't know about on a FreeBSD system, but on RHL, my directadmin daemons run as nobody:
Code:
[jlasman@da1 users]$ ps waux | grep directadmin
root      1370  0.0  0.0  2004  300 ?        S    Mar27   0:07 /usr/local/directadmin/da-popb4smtp
nobody   29362  0.0  0.0  3952   12 ?        S    Aug01   0:00 /usr/local/directadmin/directadmin d
nobody    1128  0.0  0.0  3952   12 ?        S    Aug04   0:00 /usr/local/directadmin/directadmin d
nobody    1129  0.0  0.0  3952   12 ?        S    Aug04   0:00 /usr/local/directadmin/directadmin d
nobody    1130  0.0  0.0  3952   12 ?        S    Aug04   0:00 /usr/local/directadmin/directadmin d
nobody    2564  0.0  0.0  3952   12 ?        S    Aug04   0:00 /usr/local/directadmin/directadmin d
nobody    2565  0.0  0.0  3952   12 ?        S    Aug04   0:00 /usr/local/directadmin/directadmin d
My guess is that the directadmin instance that runs every minute does run as root; I just wanted to clear the point for the forum archive.

Jeff
 
wKkaY said:
please do not post in my thread
With all due respect (which may not be much, wKkaY), it's not your thread. It's everyone's thread, and it's on the DirectAdmin forum.

Please do not bring to the DirectAdmin community the kind of arrogance the FreeBSD mailing lists are well known for.

If you insist on doing that, you'll find that those of us who can help you, won't.

You're certainly welcome to try changing the file permissions to see whether or not you break anything.

Please let us know what you find.

Edited 08/05/04 16:09 to add:
For what it's worth, /etc/httpd/conf/httpd.conf on all installations I've looked at is owned root:root and is world readable.

Perhaps you want to try something different. Fine. Please let us know if it impacts the system or not, so we can decide whether or not we like it, and so that we can carry on an intelligent discussion with DA rather than just make unproved assertions.

Jeff
 
fine, be pedantic if you wish. s/my/this/g.

anyway, i have tested /etc/exim.conf and /usr/local/directadmin/data/users/*/httpd.conf with 600 permissions and the following two still function:

1) starting/stopping exim/apache
2) making apache-related changes (to vhosts and such)
 
Changing to 600 also works for me. As such, there are two options.

1. Chmod all files manually
2. Wait and see if DA approves this and makes an update.
 
The third option is:
Simply add the line
Code:
chmod 600 /usr/local/directadmin/data/users/$username/httpd.conf
to /usr/local/directadmin/scripts/custom/domain_create_post.sh
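An audit-and-tighten script for the permission issue this thread is about (the world-readable per-user httpd.conf in the first post, and the chmod 600 hook suggested just above), added here as an example; it is not from any post and not part of DirectAdmin. It assumes the /usr/local/directadmin/data/users/<user>/httpd.conf layout from the thread and the 0600 mode the later posts report as working; the sample tree it builds is constructed for demonstration only.

```sh
#!/bin/sh
# Audit and tighten per-user DirectAdmin httpd.conf permissions.
# Added example for this thread, not a DirectAdmin script. Assumes the layout
# discussed above: $DA_USERS/<user>/httpd.conf (default path from the thread).
DA_USERS="${DA_USERS:-/usr/local/directadmin/data/users}"

# List each <user>/httpd.conf under $1 whose "other" bits grant read (mode bit 004).
# Octal -perm works the same on FreeBSD and GNU find.
list_world_readable() {
    find "$1" -mindepth 2 -maxdepth 2 -name httpd.conf -perm -004 2>/dev/null
}

# Number of offending files, as a bare integer (wc pads with spaces on BSD).
count_world_readable() {
    list_world_readable "$1" | wc -l | tr -d ' '
}

# Tighten every offending file to 0600 (the mode the thread reports as working
# for exim/apache restarts and vhost changes) and report each change.
fix_world_readable() {
    list_world_readable "$1" | while IFS= read -r f; do
        chmod 600 "$f" && printf 'fixed: %s\n' "$f"
    done
}

# Per-user equivalent of the domain_create_post.sh line suggested in the thread.
hook_for_user() {            # $1 = base dir, $2 = DirectAdmin username
    chmod 600 "$1/$2/httpd.conf"
}

# Constructed sample tree (three users, mixed modes) so the script can be tried
# without touching a live server; prints the directory it created.
make_sample_tree() {
    d=$(mktemp -d)
    for u in alice bob carol; do
        mkdir -p "$d/$u"
        printf 'ServerName %s.example\n' "$u" > "$d/$u/httpd.conf"
    done
    chmod 644 "$d/alice/httpd.conf"   # world-readable: should be flagged
    chmod 600 "$d/bob/httpd.conf"     # already tightened
    chmod 640 "$d/carol/httpd.conf"   # group-readable only: not flagged
    printf '%s\n' "$d"
}

case "${1:-}" in
    --audit) list_world_readable "$DA_USERS" ;;
    --fix)   fix_world_readable "$DA_USERS" ;;
    --demo)  t=$(make_sample_tree); list_world_readable "$t"; fix_world_readable "$t"; rm -rf "$t" ;;
esac
```

Run with --audit on a server to see which users' files would be flagged before deciding on --fix; --demo exercises the constructed tree only.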
 
I've done a bit of studying this morning.

The /etc/httpd/conf/httpd.conf file is owned by root.

The /usr/local/directadmin/data/users/*/httpd.conf files are owned by directadmin.

Yet apache's preforked daemons are running as apache.

I don't know how apache can be reading httpd.conf under the circumstances wKkaY and jmstacey describe.

So I've posted to some isp lists I belong to, to see what others are doing.

Jeff
 
clayrabbit: thanks :) and sorry for being rude before as jlasman has pointed out.

skurf: yups, you've pointed out the right page!
 