Security issues

Discussion in 'Installation/Configuration' started by dxr, Jun 24, 2009.

  1. dxr

    dxr ISPConfig Developer ISPConfig Developer

    The solution is easy. Only need some changes in ISPconfig core and will work in all systems =)

    1) Install ISPconfig 3 into chroot with mod_chroot its possible, i tested and work. Doesn't need change ISPconfig code only create 2 simbolic links

    2) I have 2 security solutions: suphp and other one for the rest.

    Mod_php, Fastcgi, cgi (i only tested on mod_php but is the same)

    - We disable all execute command functions
    Add this to php.ini (or in httpd configuration) disable_functions = exec, system, shell_exec, readfile, passthru, escapeshellcmd, proc_open, posix_uname, posix_getuid, posix_geteuid, posix_getgid, getcwdi, show_source, proc_open

    - Now only need fix include(), require() blackhole
    Add in master.vhost template: php_admin_value open_basedir /var/www/


    We can allow all php function that some banks need for transactions, we only need change few permisions (is good idea that mod_php use the same permissions)

    chmod 711 /var/www/clients/
    chmod 711 /var/www/clients/*
    chown webX:www-data /var/www/chroot/var/www/clients/clientXX/webX
    chmod 710 /var/www/chroot/var/www/clients/clientXX/webX

    With 711 we dont show information for possible attacker
    With 710 deny access for !=userpage or apacheuser

    It solve all security problems.

    Only need add few checks when you add new cliente and/or sites for fix permisions, add open_basedir to vhost template and disable php functions for mod_php

    3) Create a general chroot for all users and limiting resources.

    When create a shell user add to sshuser group for example. Edit /etc/security/limits.conf and add:

    @sshusers hard core 1
    @sshusers hard nofile 40000
    @sshusers hard nproc 90
    @sshusers - maxlogins 5
    @sshusers hard nice 1
    @sshusers - chroot /var/www/chroot

    Any suggestion?

    Every problem can be fixed with few changes.
    Last edited: Jun 25, 2009
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Thnks, I will test this if it has any side affects on existing installations. Added it to the bugtracker as feature request.
  3. dxr

    dxr ISPConfig Developer ISPConfig Developer


    I tested new security solution (of SVN) and work very good on debian 5.1 upgrading from stable ispconfig.


    I created a domain with Magento (online shop like oscommerce) with suphp and ISPconfig stable, after i updated to svn version and work perfect BUT, i changed to mod_php and has a problem:

    In apache config i can see:

    If we add ":/tmp" we fix the problem. (We must mount /tmp with noexec flag for add a little protection for trojans for example)

    And other issue is clients directory has 755, i think is good idea hidden client list with 711 (yes i known attacker can see it in /etc/passwd)

    Now i will try configure under mod_chroot

  4. dxr

    dxr ISPConfig Developer ISPConfig Developer


    1 problem with ftp. Example:

    home dir for ftp is:


    root:root and chmod 711

    ftpuser can not list the dir. My solution:

    chown root:client2 /var/www/html/home1/u2/web*
    chmod 751 /var/www/html/home1/u2/web*

    Now ftp user can list home dir.
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Owner root:root is a requirement for a save jail enviroment for jailkit. As far as I know, jailkit will stop working when you change the owner to a different user or group.
  6. dxr

    dxr ISPConfig Developer ISPConfig Developer


    When you enable Jailkit, it reset permision in home dir to root:root, BUT after i change it and work perfect:

    If is root:root 711, dont have permission. I known it's a hack for jailkit :(

    When we fix security apache problem i will show 2 solutions: mod_chroot and a chroot for all shell users, but i think with this "hack" it can be compatible.


    If you change root:root it stop working like you said Till.

    I dont like exceptions, but we can create an exception if you are using jailkit for setup root:root 755, if not use root:clientgroup 751
    Last edited: Jul 23, 2009
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok. I will try to implement it like that.

    Such a setup consisting of a lot of applications is always a very fragile thing, if you change a permission of a directory for one software you might get problems with a completely different software on another end... :(
  8. dxr

    dxr ISPConfig Developer ISPConfig Developer

    Ok, when you implement new things tell me for test, please.
  9. jim-locksmith

    jim-locksmith New Member


    I have tested that and it really works out to be best
  10. dxr

    dxr ISPConfig Developer ISPConfig Developer


    This post has some months, i think maybe we can find a 'bug' and try better configuration fixing some permision. I will test when i have time, but please try hack it.

Share This Page