Hi all, I set up a multi-server ISPConfig with several servers and services. The web servers use an NFS share on /var/www, and I have to add a chmod o+x on the web folder, otherwise I get a 403 Forbidden. The same configuration on a local disk works without any problem and without any permission modification. Is there any way to resolve this issue without adding o+x on web folders?
Did you try
Code:
chown www-data:www-data /var/www -R
or whatever your web user and group is, depending on the distro used? Afterwards it is advisable to set directory permissions to 755 and files to 644:
Code:
find /var/www/clients/client1/web1/web -type d -exec chmod 0755 {} \;
find /var/www/clients/client1/web1/web -type f -exec chmod 0644 {} \;
Do not do that! It will break your whole web server and destroy all websites created with ISPConfig irreversibly! If you did that already, you have to restore a full backup of all files with correct permissions. The find commands will break everything too, so don't execute them!
Have you tried to disable the web folder protection under System > server config > web? NFS is not capable of handling extended file attributes correctly, so the protection won't work over NFS anyway.
Hi Till, I have tried to disable web folder protection, but I'm still stuck on 403 Forbidden with the NFS share. This is my share option on the NFS server:
/home/NFS/WEB-01 172.31.255.3/32(rw,sync,fsid=0,no_root_squash,no_subtree_check)
On the client I haven't used any special mount option:
172.31.255.1:/home/NFS/WEB-01/WEB on /var/www type nfs (rw,addr=172.31.255.1)
All distros are Ubuntu 12.04 LTS. Any ideas? Thanks
Hi Till, Why is that? I just migrated my old ISPConfig to new servers last week with NFS shares using this method and it works perfectly. After struggling a bit I was able to configure dovecot to work correctly on the NFS share. Your affirmation got me a bit concerned now.
In ISPConfig, each website runs under a different user (not www-data) and has folder permissions to prevent access from other hosted sites. Your chmod killed all security features like user separation of websites, SSH jails and jailed cronjobs, opened website dirs for access by all clients, and killed FTP. So each client is able to get access to all other websites of other clients now, and when a hacker is able to get access to one website, e.g. by hacking an installed CMS, he can manipulate all other websites as well.
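Added example (not from the thread and not ISPConfig's own code): a read-only check for the two conditions described in the post above, site directories that grant access to "other" and site directories that share one owner. It assumes the ROOT/clientN/webN layout of the path quoted earlier in the thread and directory names without whitespace; the function name and finding labels are made up for this example.

```shell
#!/bin/sh
# Added example: read-only audit of site directories for lost isolation.
# Assumption: sites live at ROOT/clientN/webN (the layout of the path quoted
# in the thread); directory names contain no whitespace.

# Prints "<path> <uid> <mode> <findings>" for every site directory.
# Findings (labels made up for this example):
#   other-access  the "other" permission bits grant something
#   shared-owner  more than one site directory has the same numeric owner
#   ok            neither of the above
audit_sites() {
    for d in "$1"/*/*/; do
        d=${d%/}
        [ -d "$d" ] || continue      # glob matched nothing, or not a directory
        [ -L "$d" ] && continue      # skip symlinks; only real directories count
        ls -ldn "$d"                 # -n: numeric uid, independent of name lookups
    done | awk '
        { mode[NR] = $1; uid[NR] = $3; path[NR] = $NF; sites[$3]++ }
        END {
            for (i = 1; i <= NR; i++) {
                f = ""
                other = substr(mode[i], 8, 3)
                if (other != "---" && other != "--T") f = "other-access"
                if (sites[uid[i]] > 1) f = (f == "" ? "" : f ",") "shared-owner"
                print path[i], uid[i], mode[i], (f == "" ? "ok" : f)
            }
        }'
}

# Usage: audit_sites /var/www/clients
```

The function only reads metadata, so it can be run on both the NFS server and a client to compare the numeric owners each side sees.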
That should be an easy fix on the permissions then. I'm running only 4 sites hosting SaaS. There are no clients in ISPConfig - just mine. I can easily replicate it on a VM and test. Never used FTP, I only upload data by scp and nobody has access to the ISPConfig interface. Do you think it will work? Sorry dr-l3x for spamming your post.