Should we modify the ownership and permissions of files in the web directory, or should we leave them at the defaults? I ask because of the "others" permissions:
ls -la /var/www/clients/client1/web3
drwx--x--x 11 web3 client1 4096 Jan 15 10:40 web ---> shouldn't this be 710 for better security?
And a sample from the web dir:
drwxr-xr-x 12 web3 client1 4096 Jan 3 17:48 wp-includes
-rw-r--r-- 1 web3 client1 8252 Dec 15 20:43 wp-mail.php
-rw-r--r-- 1 web3 client1 11115 Dec 15 20:43 wp-settings.php
-rw-r--r-- 1 web3 client1 25152 Dec 18 20:01 wp-signup.p
Shouldn't the permissions of all files and directories in the web directory be 640 and 750? If someone's website got hacked, can the attacker read other users' web directories through it because of the read flag on "others"? What would be the case with mod-php? As another system user, which is only in its own group with the same name, I cannot read /var/www/clients/client1/web3 BUT I can read the directories in it: I can see the content of /var/www/clients/client1/web3/wp-includes/ and every other directory in /var/www/clients/client1/web3
The permissions are absolutely fine and as they should be. The web folder requires 711 permissions and not 710, as otherwise you won't be able to use ISPConfig on larger servers that have network-mounted directories (e.g. NFS) for /var/www. One website user cannot read the files inside the "web" folder of another website when the web folder is 711. There may not be any custom directories in /var/www/clients/client1/web3/ like you did by creating wp-includes there. The wp-includes directory has to be inside the "web" folder /var/www/clients/client1/web3/web/. Your problem is that you disabled the website folder protection and then manually created a folder /var/www/clients/client1/web3/wp-includes/, which is then visible to others, instead of putting the folder in /var/www/clients/client1/web3/web/wp-includes/, which would protect it. The folder /var/www/clients/client1/web3 shall not be hidden from others as it contains the same system folders in every web and no files; the protection is on the level of the folders that are inside /var/www/clients/client1/web3.
That was a typo, wp-includes is in /var/www/clients/client1/web3/web/wp-includes. Check out the output:
ls -la /var/www/clients/client1/web3/web
ls: cannot open directory /var/www/clients/client1/web3/web: Permission denied
ls -la /var/www/clients/client1/web3/web/wp-includes
total 4092
drwxr-xr-x 12 web3 client1 4096 Jan 3 17:48 .
drwx--x--x 11 web3 client1 4096 Jan 15 10:40 ..
-rw-r--r-- 1 web3 client1 25332 Dec 18 20:01 admin-bar.php
-rw-r--r-- 1 web3 client1 10918 Dec 15 20:47 atomlib.php
-rw-r--r-- 1 web3 client1 14370 Dec 18 20:01 author-template.php
-rw-r--r-- 1 web3 client1 13265 Dec 18 20:01 bookmark.php
-rw-r--r-- 1 web3 client1 11497 Dec 18 20:01 bookmark-template.php
-rw-r--r-- 1 web3 client1 19130 Dec 18 20:01 cache.php
-rw-r--r-- 1 web3 client1 25056 Dec 18 20:01 canonical.php
-rw-r--r-- 1 web3 client1 39186 Dec 18 20:01 capabilities.php
-rw-r--r-- 1 web3 client1 10840 Dec 18 20:01 category.php
-rw-r--r-- 1 web3 client1 44437 Dec 18 20:01 category-template.php
drwxr-xr-x 2 web3 client1 4096 Jan 3 17:46 certificates
....
As a normal Linux user, not a user added through ISPConfig:
john:x:1000:1000:john,,,:/home/john:/bin/bash
No ISPConfig user / client or website has access to such a manually created user account. Only you as root user can create such manual accounts.
And regarding file permissions inside the "web" folder, they are not controlled by ISPConfig; you control them with your FTP client. So if you don't want to have global read permissions, which makes sense, then you can configure the default chmod for the files in the pure-ftpd configuration.
Inside the web folder, yes. As long as you don't use a network filesystem like NFS, as this would require 751 and 641. But don't change the permissions of any ISPConfig system folder like "web".
Nice, just the content of the website. To confirm: in the end I don't have to modify anything, because only a system user not added through ISPConfig could read those files. So in the end, all is good.
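The behaviour discussed in this thread, as an added example that is not part of the original posts: a 711 "web" folder blocks listing but not traversal, so content left at 755/644 is still readable by a local account that knows the path, and stripping the "others" bits inside "web" closes that. The function names and the temporary sample tree are constructed for illustration; the tightening step assumes a local (non-NFS) filesystem and a web server that does not depend on the "others" bits.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). All paths are built in a temp dir.

# Print every entry below ROOT that carries an "others" permission bit and
# sits under directories that all grant others traverse (o+x).
# Directories without o+x are pruned: nothing beneath them is reachable.
list_world_accessible() {
    local root=${1%/}
    find "$root" \( -type d ! -perm -001 -prune \) -o \
        \( ! -path "$root" \( -perm -004 -o -perm -002 -o -perm -001 \) -print \)
}

# Strip all "others" bits from the content (755 -> 750, 644 -> 640) while
# leaving ROOT itself, the ISPConfig-managed "web" folder, untouched.
tighten_content() {
    local root=${1%/}
    find "$root" ! -path "$root" -exec chmod o-rwx {} +
}

# Constructed sample tree mirroring the listing in the thread.
build_sample_tree() {
    local base
    base=$(mktemp -d) || return 1
    mkdir -p "$base/web/wp-includes" "$base/web/private"
    touch "$base/web/wp-settings.php" "$base/web/wp-includes/cache.php" \
          "$base/web/private/backup.sql"
    chmod 644 "$base/web/wp-settings.php" "$base/web/wp-includes/cache.php" \
              "$base/web/private/backup.sql"
    chmod 755 "$base/web/wp-includes"
    chmod 700 "$base/web/private"   # no o+x: content is unreachable for others
    chmod 711 "$base/web"           # traverse only, as ISPConfig sets it
    printf '%s\n' "$base"
}

demo() {
    local base
    base=$(build_sample_tree) || return 1
    echo "Reachable by others before:"; list_world_accessible "$base/web"
    tighten_content "$base/web"
    echo "Reachable by others after:";  list_world_accessible "$base/web"
    rm -rf "$base"
}
demo
```

On a real server, run `list_world_accessible` against the site's "web" folder first and review the output before calling `tighten_content`.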