The solution is easy. Only need some changes in ISPconfig core and will work in all systems =) 1) Install ISPconfig 3 into chroot with mod_chroot its possible, i tested and work. Doesn't need change ISPconfig code only create 2 simbolic links 2) I have 2 security solutions: suphp and other one for the rest. Mod_php, Fastcgi, cgi (i only tested on mod_php but is the same) - We disable all execute command functions Add this to php.ini (or in httpd configuration) disable_functions = exec, system, shell_exec, readfile, passthru, escapeshellcmd, proc_open, posix_uname, posix_getuid, posix_geteuid, posix_getgid, getcwdi, show_source, proc_open - Now only need fix include(), require() blackhole Add in master.vhost template: php_admin_value open_basedir /var/www/bb.com/web:/var/www/bb.com/tmp Suphp We can allow all php function that some banks need for transactions, we only need change few permisions (is good idea that mod_php use the same permissions) chmod 711 /var/www/clients/ chmod 711 /var/www/clients/* chown webX:www-data /var/www/chroot/var/www/clients/clientXX/webX chmod 710 /var/www/chroot/var/www/clients/clientXX/webX With 711 we dont show information for possible attacker With 710 deny access for !=userpage or apacheuser It solve all security problems. Only need add few checks when you add new cliente and/or sites for fix permisions, add open_basedir to vhost template and disable php functions for mod_php 3) Create a general chroot for all users and limiting resources. When create a shell user add to sshuser group for example. Edit /etc/security/limits.conf and add: @sshusers hard core 1 @sshusers hard nofile 40000 @sshusers hard nproc 90 @sshusers - maxlogins 5 @sshusers hard nice 1 @sshusers - chroot /var/www/chroot Any suggestion? Every problem can be fixed with few changes.
Thnks, I will test this if it has any side affects on existing installations. Added it to the bugtracker as feature request.
HI, I tested new security solution (of SVN) and work very good on debian 5.1 upgrading from stable ispconfig. BUT: I created a domain aa.com with Magento (online shop like oscommerce) with suphp and ISPconfig stable, after i updated to svn version and work perfect BUT, i changed to mod_php and has a problem: In apache config i can see: If we add ":/tmp" we fix the problem. (We must mount /tmp with noexec flag for add a little protection for trojans for example) And other issue is clients directory has 755, i think is good idea hidden client list with 711 (yes i known attacker can see it in /etc/passwd) Now i will try configure under mod_chroot Thanks.
hehe! 1 problem with ftp. Example: home dir for ftp is: /var/www/html/home1/u2/web2 root:root and chmod 711 ftpuser can not list the dir. My solution: chown root:client2 /var/www/html/home1/u2/web* chmod 751 /var/www/html/home1/u2/web* Now ftp user can list home dir.
Owner root:root is a requirement for a save jail enviroment for jailkit. As far as I know, jailkit will stop working when you change the owner to a different user or group.
yes. When you enable Jailkit, it reset permision in home dir to root:root, BUT after i change it and work perfect: If is root:root 711, dont have permission. I known it's a hack for jailkit When we fix security apache problem i will show 2 solutions: mod_chroot and a chroot for all shell users, but i think with this "hack" it can be compatible. ERROR. If you change root:root it stop working like you said Till. I dont like exceptions, but we can create an exception if you are using jailkit for setup root:root 755, if not use root:clientgroup 751
Ok. I will try to implement it like that. Such a setup consisting of a lot of applications is always a very fragile thing, if you change a permission of a directory for one software you might get problems with a completely different software on another end...
Hi, This post has some months, i think maybe we can find a 'bug' and try better configuration fixing some permision. I will test when i have time, but please try hack it.
