Hi! Can anyone tell me please which are the correct permissions of the 'web' dir of an ISPconfig site? I found documentation in the Appendix of the manual, section 'Permissions of Folders in a Web created by ISPConfig' where it says it should be 0775, but if that's the case, how are files protected from being read by PHP scripts of another site? The open_basedir directive protects against direct opening of files, but not against doing system('cat ...'), right? Thanks in advance, Roel
There isn't a single correct permission, "it depends" on what the site is doing and such. For a standard php site running anything but mod_php (which in my opinion should be purged from all systems these days) and with suexec on, you can likely get away with 750 or maybe 770 if you need group write access for something (eg. file uploads via group permissions from ftp or such). Correct. Take the extra step to run all your sites in php-fpm mode with chroot enabled and it will help here, but given a rich enough jail environment there are known ways to break a chroot(2).
Every 'web' dir we have has the execute bit set for other, and if I remove that the sites no longer work. I haven't looked into that yet, but will soon, now that I know that it should not be necessary, thanks! Is there a place where I can configure the permissions on this dir for new sites? I was surprised that the default permissions seem to be unsafe. Can this be enabled easily? Currently we're not using it, and with the world-executable permissions that does mean sites can read each others files if the names are known.
Yes, as long as you have jailkit installed/configured, it is just a checkbox in the site options tab to enable chroot. Note that this changes the path name by which the site is available from the perspective of php - this breaks anything which has the old server path name saved, and that will need updated.