All clients can read all logs and a lot more

Discussion in 'Installation/Configuration' started by mapalaka, Jun 18, 2018.

  1. mapalaka

    mapalaka New Member

    I installed the ispconfig according to the instructions:

    I think I did something wrong.
    the pages are run as the web1 ... webXXX user in a normal environment.

    If we place it in the page code
    var_dump(exec('cat /var/mail.log', $r));
    We list beautifully logs.
    A lot of files in the system have chmod XX4 and every client can read them.
    Just blocking the exec function in PHP will not do anything. You can still open the file using fopen.
    It seems to me that php must be run in jailkit.
    Does anyone know how to fix it?
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    It is normal that log files on Linux systems have these permissions. Using a chroot for php is not that easy and often causes issues, but you can update ispconfig to the test version from master branch (not the stable-3.1 branch), it has a first draft for a chroot option for PHP-FPM builtin if I remember correctly.
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Just as a side note: no, you can't open that file with fopen. That's why one blocks exec, passthru and other direct access commands in hosting enviroments normally if you don't want to allow access to files outside of the website that have global read permissions.
  4. mapalaka

    mapalaka New Member

    Thx till :)
    What you've written changes everything.
    I thought that using fopen I can open all XX4 files as a webX user. But I can only in /var/www/clients/clientX/web/
    I did not know about it.

    So in PHP I have to block some functions. I found this:
    Is this a good list?
    Anything else I need to know?

Share This Page