I have ISPConfig Version: 3.1.13 installed on my servers, all of them modified, so I cannot upgrade them. I have found a big problem: you can read files in other clients' web folders if you know what you are looking for. For example, if you know that there is an index.html, you can read the file.
All the clients' web folders have 751:
drwxr-x--x 9 web1506 client318 4.0K Jan 18 2017 web
And all the files inside the web folder have 755 by default:
-rw-rw-rw- 1 web1506 client318 19K Jan 1 2011 index.php
Is there a way (a workaround without upgrading) to modify the default file permissions on existing files and for future uploaded files? If yes, what would you suggest using? 771?
Best regards,
Peter Arany
I believe the web folder itself should be 711; for the folders within the website, 755 should be OK. Most files should be 644, and some should be 600 (anything that contains access credentials).
You could try, from /var/www:
Code:
find ./clients/client*/web*/web/ -type f -exec chmod 644 {} \;
That will change all files to 644. You could then try:
Code:
find . -type f -name 'wp-config.php' -exec chmod 600 {} \;
to change, in this example, every WordPress wp-config.php file. You'd have to change the filename to match whatever your other websites / CMSs use.
If you want to change the default file / folder permissions: I believe they are set in /usr/local/ispconfig/server/plugins-available/apache2_plugin.inc.php or nginx_plugin.inc.php.
* These will get overwritten if ISPConfig is updated. I'm not sure if putting a copy of these under conf-custom and making changes to them there will work.
ISPConfig doesn't add an index.php to websites anymore, though it may still have in that old of a release. There are many security fixes in current releases, quite possibly including improvements to default permissions, but there's nothing that sets file permissions for uploaded files except the software used to upload them (ftp, ssh, maybe even php), and you would need to see to any corrections yourself (easy to script). I would even use mode 750 for all web folders unless you have some unusual config where that causes an issue.
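
Added example (not written by anyone in this thread and not ISPConfig code): a shell script that applies the permission scheme proposed in the replies above, reporting by default and changing modes only with APPLY=1. The credential file list, the WEB_MODE and APPLY variables and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Scheme from the reply above:
# web folder 711, sub-folders 755, files 644, credential files 600.
# Assumed layout: <base>/clients/client*/web*/web (as in the thread's find).
CRED_FILES=${CRED_FILES:-"wp-config.php configuration.php"}  # hypothetical list, must not be empty
WEB_MODE=${WEB_MODE:-711}   # another reply suggests 750 instead

# enforce WANT FIND_ARGS...: print entries whose mode is not exactly WANT;
# chmod them too when APPLY=1. find does not follow symlinks by default,
# and -type f/-type d never match a symlink, so chmod cannot be redirected
# through a link planted inside a client's web folder.
enforce() {
    want=$1; shift
    if [ "${APPLY:-0}" = 1 ]; then
        find "$@" ! -perm "$want" -print -exec chmod "$want" {} +
    else
        find "$@" ! -perm "$want" -print
    fi
}

# fix_web_perms BASE: audit (default) or repair every web folder under BASE.
fix_web_perms() {
    base=$1
    set --    # build "-name a -o -name b ..." from CRED_FILES
    for n in $CRED_FILES; do set -- "$@" ${1:+-o} -name "$n"; done
    for web in "$base"/clients/client*/web*/web; do
        [ -d "$web" ] && [ ! -L "$web" ] || continue
        enforce "$WEB_MODE" "$web" -maxdepth 0
        enforce 755 "$web" -mindepth 1 -type d
        enforce 644 "$web" -type f ! \( "$@" \)
        enforce 600 "$web" -type f \( "$@" \)
    done
}

# Dry run:  sh fixperms.sh /var/www      Repair:  APPLY=1 sh fixperms.sh /var/www
if [ "$#" -gt 0 ]; then fix_web_perms "$1"; fi
```

Run it without APPLY first and read the list; files uploaded later keep whatever mode the uploading software gives them, so the script has to be re-run (for example from cron) to catch them.
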
If you do not set chroot and put an SSH user into jailkit, then this user can read all clients and their websites. At least this was the case on two (often updated) ISPConfig servers with standard permissions. This should prevent it:
Code:
/var/www/clients# chmod o-r * -R
I am not sure if the setting Server Config / Permissions / Set folder permissions on update would do the same job. Is it done every few minutes or only when ISPConfig is updated?
It is still good practice to put SSH users in their own jailkit environment. However, here we have seen that it requires an additional manual step:
Code:
root@webserver:/var/www/clients/client2/web233# ln -s /var/www/clients/client12/web233/web /var/www/clients/client12/web233/home/username/web
No permission change or manual step is required for properly installed and unmodified ISPConfig systems. In ISPConfig, jailkit and chroot for SSH users are always combined, so if you select jailkit for an SSH user, that user will be automatically chrooted. You cannot select jailkit without chroot; there is no such option available. Clients also cannot create a non-jailed and non-chrooted SSH user if you do not allow it to them in the client settings. Here is the proof:
1) Create a website in ISPConfig.
2) Create an SSH user in ISPConfig and select jailkit for him.
3) Log in as this SSH user and run: ls -la /var/www and ls /
As you can see, that user cannot see any of the other clients or sites. Besides that, there is no other-read permission set for the web folder of the sites anyway.
First of all, this step is not required, even though some users might find it useful to have such a symlink so that they can use cd /web instead of cd ../../web/. And for this reason, ISPConfig creates such a symlink automatically, together with symlinks for the log and private folder. Therefore, the command you mentioned is also unnecessary on any recent ISPConfig system.