More secure permissions on public_html/private_html

[layer0]

I have a recommendation to DA for more secure permissions...

We are already implementing this on our servers, however I recommend

public_html to be 0711 and $user:apache, same goes for private_html.

This would be much more secure - as therefore a user can't use CGI or shell (even if you don't provide shell access, they can use CGI to do what they like) to cd into other public_html's...

right now public_html/private_html are 755, that's not very secure.

This seems like it could be a really easy fix, and do wonders for security. We already have a script to reset all users and domains to these permissions....after we've done this on a few servers we'll release the script here - but really, it doesn't take a rocket scientist to make such a script either

 

[smtalk]

user:user is better for security (with suPHP)

 

[layer0]

user:user is better for security

That wouldn't work if you are doing chmod 711. Apache won't be able to read and serve the user's files.

Other control panels, i.e. H-Sphere do it in this way. It works great. In fact I believe even cPanel does it this way (unless you modify it).

If you are running a suexec setup, this becomes even more secure.

 

[smtalk]

Yes, I know that. suexec is installed by default with Apache (on DirectAdmin install). If folder is owned by user:apache, then if you run suPHP, you have to set it to user:apache too, that's why it's not very secure. chmod 711 is good only for that it doesn't let to list the directory.

 

[layer0]

I'm not sure you completely understand me, also - you can even use chmod 710 for increased security.

But, what I'm trying to say is, in a *default* DA setup, try shell or cgi, then try

cd /home/admin/public_html

from the enduser's shell. You'll see exactly what I'm talking about.

Try it with above permissions and 711 or 710, and that won't happen.

 

[smtalk]

I know what you're talking about, and I said what issues can be with it. Also, if you want to use jailed ssh - just use http://help.directadmin.com/item.php?id=90 We were on user:apache, and we switched to user:user from version 1.24 (and we have an option in directadmin.conf (apache_public_html=0), so if you want - you can set it to apache_public_html=1 and you will have chmod 750 (more secure) for public_html. More info: http://www.directadmin.com/features.php?id=497

 

[layer0]

Ah - I did not realize this was already an option. 750 seems pretty secure to me.

Although it is less secure, is apache_public_html=0 actually the default? It appears that is how it is on a default, out of the box install I've just done on a dev server.

 

[smtalk]

Yes, apache_public_html=0 is set by default, because it lets cgi files to run from the public_html directory more easily, and apache_public_html=1 is more secure because it chmods the directory to 750.

 

[layer0]

We ended up setting that to 1 on all servers, and, in case anyone is interested, here's a very quick script to set that for all users:

#!/bin/bash

for user in `/bin/ls /usr/local/directadmin/data/users`
do
	if [ -d /home/$user/domains ]
	then
		for domain in `/bin/ls /home/$user/domains`
		do
			if [ -d /home/$user/domains/$domain/public_html ] && [ -d /home/$user/domains/$domain/private_html ]
			then
				chown -v $user:apache /home/$user/domains/$domain/private_html
				chown -v $user:apache /home/$user/domains/$domain/public_html
				chmod -v 0750 /home/$user/domains/$domain/private_html
				chmod -v 0750 /home/$user/domains/$domain/public_html
			fi
		done
	fi
done

exit $?