Good evening, I just installed the last ISPConfig-Version (3) onto a fresh Debian Lenny installation. Then I created 2 Clients with 1 Website per Client. I enabled SSH-Access for both webpages. When I log in to the server as website1, I can read all files owned by other users. This shouldn't be possible. Even the /root-directory is readable. I don't want to use chroot-access. How can I prevent my users from reading in the directories of others? Greets, max06
Unfortunately without chrooting, I don't believe there is another way of doing this. Scratch that, there might be a way by using mpm-itk and changing the permissions of their folders...

WARNING: I have not tested this as this may have unforeseen consequences. Follow this at your own risk!

Use the command below to reset the permissions so only the owner can read them.

Code:
chmod -R og-rwx "$web_root"

After doing this you will have to change pure-ftpd's default umask.

Code:
echo 077:077 >/etc/pure-ftpd/conf/Umask
/etc/init.d/pure-ftpd-mysql restart

This configures pure-ftpd to only allow the owner to read the files.

Finally insert this code into /usr/local/ispconfig/server/conf/vhost.conf.master on line 96 and 192 before </VirtualHost> and after <tmpl_var name='apache_directives'>

Code:
<IfModule mpm_itk_module>
AssignUserId <tmpl_var name='system_user'> <tmpl_var name='system_group'>
</IfModule>

BTW, in my experience the above modifications don't update existing websites. Only new websites will contain the new code.

Question: Why don't you want to use a chroot configuration?
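
One way to check the result of the chmod and Umask steps in the post above, as an added example that is not part of the thread. The function names are made up for illustration; the directory argument is whatever was used as $web_root, and the Umask path is the one given in the post.

```shell
#!/bin/sh
# Added example (not from the thread): verify the permission and umask
# settings described in the post above. All function names are illustrative.

# list_exposed DIR: print every entry under DIR (DIR included) that still has
# a group or other permission bit set. Symlinks are skipped because their own
# mode is always rwxrwxrwx on Linux and chmod -R does not change it.
list_exposed() {
    find "$1" ! -type l \( \
        -perm -0040 -o -perm -0020 -o -perm -0010 -o \
        -perm -0004 -o -perm -0002 -o -perm -0001 \) -print
}

# audit_web_root DIR: return 0 if nothing under DIR is exposed, 1 otherwise.
audit_web_root() {
    exposed=$(list_exposed "$1")
    if [ -n "$exposed" ]; then
        printf 'group/other bits still set on:\n%s\n' "$exposed" >&2
        return 1
    fi
    return 0
}

# check_ftpd_umask FILE: return 0 if FILE holds exactly 077:077,
# 1 if it holds something else, 2 if it cannot be read.
check_ftpd_umask() {
    [ -r "$1" ] || return 2
    value=$(tr -d ' \t\r\n' < "$1")
    [ "$value" = "077:077" ]
}

# Usage: sh audit.sh WEB_ROOT [UMASK_FILE]
if [ "$#" -ge 1 ]; then
    audit_web_root "$1" && echo "web root: owner-only"
    check_ftpd_umask "${2:-/etc/pure-ftpd/conf/Umask}" \
        || echo "pure-ftpd umask is not 077:077" >&2
fi
```

Running the audit again after an FTP upload shows whether the new umask is actually being applied to freshly written files.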
Good morning, I tried to use chroot and jailkit, none of them prevented me from searching files in directories not owned by me. I could change into every directory I wanted and read every file... It isn't good when somebody can read your mysql.inc.php. Now I try the mpm-itk-package, will post it here if it works. Thank you, max06
Jailkit prevents the behaviour that you described above if it is installed properly. So if you see other directories, Jailkit is not installed properly on your system. Make sure that you install the latest Jailkit version from source before you install ISPConfig. If Jailkit is installed after ISPConfig, it will not work. Apache mpm-itk is not supported with ISPConfig 3, you will have to apply the patches that are posted above but they will be overridden on updates. I recommend to run PHP scripts with suphp or suexec + fcgi for example, which is both supported by ISPConfig and gives you the same result.
Hm... I don't want to prevent php-scripts from using foreign files. I need to secure the files and folders of my clients from accessing over ssh by other users.
Hi again, Jailkit is working now. There are two questions left... Is it possible to allow normal users only to change their passwords? When I set the limit of the ssh-accounts to 0, the user can't add a new one. But he can edit the options for his existing accounts, including disabling the Jailkit. When I delete an ssh-account called "test_ssh", which was used with Jailkit, and I create it again with Jailkit, there isn't any active chroot. Thinking there's a problem with removing the account from the Jailkit-configuration. Thanks, max06
It is planned to optionally force chrooting for all SSH users of a client. I've added this to the bugtracker.