Hello, it is possible to change folders and files permissions of ispconfig, after update to 3.1.2 folder permissions in web1 is set to 771 instead of 755 if yes, where ? Thanks
The permission 771 is correct and works fine on my servers, 775 would allow all users of all websites to read the website files of all other users, so that's nothing that you would want to use. Maybe you should describe what your problem is?
Right, I meant 755. My question was why do you want to make your setup insecure by allowing each client to access all other websites?
The default permissions are safe, that's why we use it and not 755. What you do by assigning 755 is that you give world read access to all clients and all users of your system so any client can browse the contents of all other client sites.
Btw, the permissions of the web dir in ISPConfig are not 771, they are 711: Code: root@server1:/var/www/test.tld# ls -la total 36 drwxr-xr-x 9 root root 4096 Feb 16 14:03 . drwxr-xr-x 5 root root 4096 Feb 16 14:03 .. drwxr-xr-x 2 web13 client0 4096 Feb 16 14:03 cgi-bin drwxr-xr-x 2 root root 4096 Feb 17 08:03 log drwx--x--- 2 web13 client0 4096 Feb 16 14:03 private drwxr-xr-x 2 root root 4096 Feb 16 14:03 ssl drwxrwx--- 2 web13 client0 4096 Feb 16 14:03 tmp drwx--x--x 4 web13 client0 4096 Feb 16 14:03 web drwx--x--- 2 web13 client0 4096 Feb 16 14:03 webdav
Did anything change since this topic? i am using 3.1.13 and all client folders have 755 permission as default. (/var/www/clients) including webfolders /var/www/clients/client*/web*/* Please kindly urgently assist on the issue and advise correct permissions, i have shared user base with lots of sensitive data.
The client folders (folders which contain private or sensitive data of a client) are not set to 755 in ISPConfig as you can see in this thread, they were setup securely already in 2017. See post #7 in this thread, the only folders which contain data of the client are the folder 'web' and the folder 'private' and none of these folders is set to 755. Private folder: drwx--x--- 2 web13 client0 4096 Feb 16 14:03 private Web folder: drwx--x--x 4 web13 client0 4096 Feb 16 14:03 web
Till Thank you for your prompt response, seems that my server has been compromised and something has changed the permissions on full folder structure. i did emergency shutdown and am rebuilding the system. Thank you again !
Instead of rebuilding your server, better compare your current permissions. I doubt that someone hacked your server and changed the permissions, it would not make any sense for a hacker to do that as he must be root user to do it and when he is root user, there is no need to manipulate folder permissions of lower privileged users. I'll post you here how they should be: Code: root@server1:~# ls -la /var/www/clients/ total 16 drwxr-xr-x 4 root root 4096 Feb 28 2018 . drwxr-xr-x 7 root root 4096 Feb 19 02:50 .. drwxr-xr-x 4 root root 4096 Oct 18 15:50 client0 drwxr-xr-x 5 root root 4096 Oct 18 15:50 client1 root@server1:~# ls -la /var/www/clients/client0/ total 16 drwxr-xr-x 4 root root 4096 Oct 18 15:50 . drwxr-xr-x 4 root root 4096 Feb 28 2018 .. lrwxrwxrwx 1 root root 30 Feb 27 2018 test100.int -> /var/www/clients/client0/web1/ lrwxrwxrwx 1 root root 30 Oct 18 15:50 test4.de -> /var/www/clients/client0/web5/ drwxr-xr-x 9 root root 4096 Feb 27 2018 web1 drwxr-xr-x 9 root root 4096 Oct 18 15:50 web5 root@server1:~# ls -la /var/www/clients/client0/web1 total 36 drwxr-xr-x 9 root root 4096 Feb 27 2018 . drwxr-xr-x 4 root root 4096 Oct 18 15:50 .. drwxr-xr-x 2 web1 client0 4096 Feb 27 2018 cgi-bin drwxr-xr-x 2 root root 4096 Feb 21 00:02 log drwx--x--- 2 web1 client0 4096 Oct 7 13:00 private drwx------ 2 web1 client0 4096 Feb 27 2018 .ssh drwxr-xr-x 2 root root 4096 Feb 27 2018 ssl drwxrwxrwx 2 web1 client0 4096 Oct 28 00:02 tmp drwxr-x--x 14 web1 client0 4096 Oct 26 10:35 web
The only folders that contain client data in the above example are: /var/www/clients/client0/web1/web and /var/www/clients/client0/web1/private and both have secure permissions.
till Oh i see so only folders in /var/www/clients/* needs secure permission of 711 are web and 710 for private folders of each customer. and if i understand correctly it is fine to have 755 on other folders. In that case i think it was false alarm since i did better workaround and found out that only two "web" folders were set to 755 and i believe this is my fault! Thank you so much again you truly have saved my day! One more question if i may ask, which has lead me to this topic from google. Is 711 folder permission on correct user:usergroup bullet prof security if it comes to uploading malicious scripts to client web /var/www/clients/client*/web*/web* folders ? i mean can the script find its way out to other folders and files outside client folder ?
The permissions of a folder basically define what can go in, and not what can go out. There is actually no bulletproof way as many different software plays together and needs to access folders. For example, the web folder must be accessible by the user that runs apache or nginx to read static (image) files, so we can not just chown it to the web user and make it 700. This means we need at least 710. Larger setups use a network filesystem for /var/www, after we set web permission to 710, many of them failed as they need at least 711, so we had to go with 711 for the web folder and 710 for the private folder. It's always a combination of settings that makes a server as secure as possible. These are: 1) Use a good PHP mode like PHP-FPM for all websites and idsable executable functions like exec. passtrough, etc. for that PHP method. 2) Use php open_basedir (is set by default) to restrict the php file open functions to the website. 3) Always enable suexec in the website. 4) Limit cronjobs to URL cron and jailed cron. 5) Limit shell users to jailed shell users.
