Folder and files permissions

Discussion in 'Installation/Configuration' started by betafer, Feb 17, 2017.

  1. betafer

    betafer Member

    Hello,
    it is possible to change folders and files permissions of ispconfig, after update to 3.1.2 folder permissions in web1 is set to 771 instead of 755
    if yes, where ?

    Thanks
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The permission 771 is correct and works fine on my servers, 775 would allow all users of all websites to read the website files of all other users, so that's nothing that you would want to use. Maybe you should describe what your problem is?
     
  3. betafer

    betafer Member

    755 not 771...
    I would like to have folders permissions set on 755 instead of 771
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Right, I meant 755. My question was why do you want to make your setup insecure by allowing each client to access all other websites?
     
  5. betafer

    betafer Member

    771 is safe ?
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    The default permissions are safe, that's why we use it and not 755. What you do by assigning 755 is that you give world read access to all clients and all users of your system so any client can browse the contents of all other client sites.
     
    Last edited: Feb 17, 2017
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Btw, the permissions of the web dir in ISPConfig are not 771, they are 711:

    Code:
    root@server1:/var/www/test.tld# ls -la
    total 36
    drwxr-xr-x 9 root  root    4096 Feb 16 14:03 .
    drwxr-xr-x 5 root  root    4096 Feb 16 14:03 ..
    drwxr-xr-x 2 web13 client0 4096 Feb 16 14:03 cgi-bin
    drwxr-xr-x 2 root  root    4096 Feb 17 08:03 log
    drwx--x--- 2 web13 client0 4096 Feb 16 14:03 private
    drwxr-xr-x 2 root  root    4096 Feb 16 14:03 ssl
    drwxrwx--- 2 web13 client0 4096 Feb 16 14:03 tmp
    drwx--x--x 4 web13 client0 4096 Feb 16 14:03 web
    drwx--x--- 2 web13 client0 4096 Feb 16 14:03 webdav
    
     
  8. backofficegeorgia

    backofficegeorgia New Member

    Did anything change since this topic? i am using 3.1.13 and all client folders have 755 permission as default. (/var/www/clients) including webfolders /var/www/clients/client*/web*/*
    Please kindly urgently assist on the issue and advise correct permissions, i have shared user base with lots of sensitive data.
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    The client folders (folders which contain private or sensitive data of a client) are not set to 755 in ISPConfig as you can see in this thread, they were setup securely already in 2017. See post #7 in this thread, the only folders which contain data of the client are the folder 'web' and the folder 'private' and none of these folders is set to 755.

    Private folder:

    drwx--x--- 2 web13 client0 4096 Feb 16 14:03 private

    Web folder:

    drwx--x--x 4 web13 client0 4096 Feb 16 14:03 web
     
  10. backofficegeorgia

    backofficegeorgia New Member

    Till
    Thank you for your prompt response, seems that my server has been compromised and something has changed the permissions on full folder structure. i did emergency shutdown and am rebuilding the system.

    Thank you again !
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Instead of rebuilding your server, better compare your current permissions. I doubt that someone hacked your server and changed the permissions, it would not make any sense for a hacker to do that as he must be root user to do it and when he is root user, there is no need to manipulate folder permissions of lower privileged users. I'll post you here how they should be:

    Code:
    root@server1:~# ls -la /var/www/clients/
    total 16
    drwxr-xr-x 4 root root 4096 Feb 28  2018 .
    drwxr-xr-x 7 root root 4096 Feb 19 02:50 ..
    drwxr-xr-x 4 root root 4096 Oct 18 15:50 client0
    drwxr-xr-x 5 root root 4096 Oct 18 15:50 client1
    root@server1:~# ls -la /var/www/clients/client0/
    total 16
    drwxr-xr-x 4 root root 4096 Oct 18 15:50 .
    drwxr-xr-x 4 root root 4096 Feb 28  2018 ..
    lrwxrwxrwx 1 root root   30 Feb 27  2018 test100.int -> /var/www/clients/client0/web1/
    lrwxrwxrwx 1 root root   30 Oct 18 15:50 test4.de -> /var/www/clients/client0/web5/
    drwxr-xr-x 9 root root 4096 Feb 27  2018 web1
    drwxr-xr-x 9 root root 4096 Oct 18 15:50 web5
    root@server1:~# ls -la /var/www/clients/client0/web1
    total 36
    drwxr-xr-x  9 root root    4096 Feb 27  2018 .
    drwxr-xr-x  4 root root    4096 Oct 18 15:50 ..
    drwxr-xr-x  2 web1 client0 4096 Feb 27  2018 cgi-bin
    drwxr-xr-x  2 root root    4096 Feb 21 00:02 log
    drwx--x---  2 web1 client0 4096 Oct  7 13:00 private
    drwx------  2 web1 client0 4096 Feb 27  2018 .ssh
    drwxr-xr-x  2 root root    4096 Feb 27  2018 ssl
    drwxrwxrwx  2 web1 client0 4096 Oct 28 00:02 tmp
    drwxr-x--x 14 web1 client0 4096 Oct 26 10:35 web
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    The only folders that contain client data in the above example are:

    /var/www/clients/client0/web1/web

    and

    /var/www/clients/client0/web1/private

    and both have secure permissions.
     
  13. backofficegeorgia

    backofficegeorgia New Member

    till
    Oh i see so only folders in /var/www/clients/* needs secure permission of 711 are web and 710 for private folders of each customer.
    and if i understand correctly it is fine to have 755 on other folders.


    In that case i think it was false alarm since i did better workaround and found out that only two "web" folders were set to 755 and i believe this is my fault!

    Thank you so much again you truly have saved my day!

    One more question if i may ask, which has lead me to this topic from google.

    Is 711 folder permission on correct user:usergroup bullet prof security if it comes to uploading malicious scripts to client web /var/www/clients/client*/web*/web* folders ? i mean can the script find its way out to other folders and files outside client folder ?
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    The permissions of a folder basically define what can go in, and not what can go out. There is actually no bulletproof way as many different software plays together and needs to access folders. For example, the web folder must be accessible by the user that runs apache or nginx to read static (image) files, so we can not just chown it to the web user and make it 700. This means we need at least 710. Larger setups use a network filesystem for /var/www, after we set web permission to 710, many of them failed as they need at least 711, so we had to go with 711 for the web folder and 710 for the private folder. It's always a combination of settings that makes a server as secure as possible. These are:

    1) Use a good PHP mode like PHP-FPM for all websites and idsable executable functions like exec. passtrough, etc. for that PHP method.
    2) Use php open_basedir (is set by default) to restrict the php file open functions to the website.
    3) Always enable suexec in the website.
    4) Limit cronjobs to URL cron and jailed cron.
    5) Limit shell users to jailed shell users.
     

Share This Page