Security question

Discussion in 'Installation/Configuration' started by Clouseau, Jan 16, 2015.

  1. Clouseau

    Clouseau Member

    Should we modify the ownerships and permissions of files in the web directory, or should we leave them at the defaults? I ask because of the "others" permissions:
    ls -la /var/www/clients/client1/web3
    drwx--x--x 11 web3 client1 4096 Jan 15 10:40 web ---> shouldn't this be 710 for better security?
    And sample in web dir:
    drwxr-xr-x 12 web3 client1 4096 Jan 3 17:48 wp-includes
    -rw-r--r-- 1 web3 client1 8252 Dec 15 20:43 wp-mail.php
    -rw-r--r-- 1 web3 client1 11115 Dec 15 20:43 wp-settings.php
    -rw-r--r-- 1 web3 client1 25152 Dec 18 20:01 wp-signup.p

    Shouldn't the permissions of all files and directories in the web directory be 640 and 750? If someone's website got hacked, could the attacker read other users' web directories through it because of the read flag on "others"? What would be the case with mod_php?

    As another system user who is only in his own group of the same name, I cannot read /var/www/clients/client1/web3, BUT I can read the directories in it: I can see the content of /var/www/clients/client1/web3/wp-includes/ and every other directory in /var/www/clients/client1/web3.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The permissions are absolutely fine and as they should be. The web folder requires 711 permissions and not 710, as otherwise you won't be able to use ISPConfig on larger servers that have network-mounted directories (e.g. NFS) for /var/www. One website user cannot read the files inside the "web" folder of another website when the web folder is 711.

    There must not be any custom directories in /var/www/clients/client1/web3/ like you created by putting wp-includes there. The wp-includes directory has to be inside the "web" folder, /var/www/clients/client1/web3/web/. Your problem is that you disabled the website folder protection and then manually created a folder /var/www/clients/client1/web3/wp-includes/, which is then visible to others, instead of putting the folder in /var/www/clients/client1/web3/web/wp-includes/, which would protect it. The folder /var/www/clients/client1/web3 shall not be hidden from others, as it contains the same system folders in every web and no files; the protection is on the level of the folders that are inside /var/www/clients/client1/web3.
     
  3. Clouseau

    Clouseau Member

    That was a typo, wp-includes are /var/www/clients/client1/web3/web/wp-includes. Check out the output:
    ls -la /var/www/clients/client1/web3/web
    ls: cannot open directory /var/www/clients/client1/web3/web: Permission denied

    ls -la /var/www/clients/client1/web3/web/wp-includes
    total 4092
    drwxr-xr-x 12 web3 client1 4096 Jan 3 17:48 .
    drwx--x--x 11 web3 client1 4096 Jan 15 10:40 ..
    -rw-r--r-- 1 web3 client1 25332 Dec 18 20:01 admin-bar.php
    -rw-r--r-- 1 web3 client1 10918 Dec 15 20:47 atomlib.php
    -rw-r--r-- 1 web3 client1 14370 Dec 18 20:01 author-template.php
    -rw-r--r-- 1 web3 client1 13265 Dec 18 20:01 bookmark.php
    -rw-r--r-- 1 web3 client1 11497 Dec 18 20:01 bookmark-template.php
    -rw-r--r-- 1 web3 client1 19130 Dec 18 20:01 cache.php
    -rw-r--r-- 1 web3 client1 25056 Dec 18 20:01 canonical.php
    -rw-r--r-- 1 web3 client1 39186 Dec 18 20:01 capabilities.php
    -rw-r--r-- 1 web3 client1 10840 Dec 18 20:01 category.php
    -rw-r--r-- 1 web3 client1 44437 Dec 18 20:01 category-template.php
    drwxr-xr-x 2 web3 client1 4096 Jan 3 17:46 certificates
    ....
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    As which user are you logged in?
     
  5. Clouseau

    Clouseau Member

    As a normal Linux user, not a user added through ISPConfig:
    john:x:1000:1000:john,,,:/home/john:/bin/bash
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    No ISPConfig user, client or website has access to such a manually created user account. Only you as the root user can create such manual accounts.
     
  7. Clouseau

    Clouseau Member

    OK, thanks.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    And regarding file permissions inside the "web" folder: they are not controlled by ISPConfig; you control them with your FTP client. So if you don't want to have global read permissions, which makes sense, then you can configure the default chmod for the files in the pure-ftpd configuration.
     
  9. Clouseau

    Clouseau Member

    So I can do chmod 750 on dirs and 640 on files in "web", and everything is going to work?
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Inside the web folder, yes, as long as you don't use a network filesystem like NFS, as this would require 751 and 641. But don't change the permissions of any ISPConfig system folder like "web".
     
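A quick way to check the point argued in this thread (whether anything under a site's web folder is readable by "others") and to apply the 750/640 change that till confirms is safe for the content inside it. This is an added example written for this page, not code from the original posts or from ISPConfig. It builds a constructed sample tree under a temp directory instead of touching /var/www; the layout, the 711 mode on the web folder and the 644/755 modes on the content mirror the listings posted above. The `! -path "$1"` exclusion keeps the web folder itself (an ISPConfig system folder) at its 711.

```shell
#!/bin/sh
# Added example (not from the thread): audit a docroot for world-readable
# entries and tighten its content to 750 (dirs) / 640 (files).
set -eu

# Print every file or directory below "$1" whose "others" bits include read
# (octal 004). The directory "$1" itself is included in the scan, which is
# what we want: a 711 web folder is not reported, a 755 one would be.
world_readable() {
    find "$1" -perm -004 -print
}

# Number of such entries; this is the value a caller checks before and after.
count_world_readable() {
    world_readable "$1" | wc -l | tr -d ' '
}

# Apply the thread's recommendation to the CONTENT of a docroot only.
# "$1" is the ISPConfig "web" folder; it is excluded from the chmod so its
# 711 stays untouched (till: never change ISPConfig system folders).
# On NFS-backed /var/www use 751/641 instead, as till notes.
tighten_docroot() {
    [ -d "$1" ] || return 1
    find "$1" ! -path "$1" -type d -exec chmod 750 {} +
    find "$1" -type f -exec chmod 640 {} +
}

# Constructed sample tree mimicking the listings in the thread
# (a WordPress docroot with FTP-style 644/755 defaults).
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/web/wp-includes"
    : > "$d/web/wp-settings.php"
    : > "$d/web/wp-includes/cache.php"
    chmod 711 "$d/web"                  # ISPConfig's "web" folder: traversable, not listable
    chmod 755 "$d/web/wp-includes"      # typical upload/unzip default
    chmod 644 "$d/web/wp-settings.php" "$d/web/wp-includes/cache.php"
    printf '%s\n' "$d"
}

# Stand-alone demo: 3 world-readable entries before, 0 after.
if [ "${1:-}" = "demo" ]; then
    root=$(make_sample)
    echo "before: $(count_world_readable "$root/web") entries readable by others"
    world_readable "$root/web"
    tighten_docroot "$root/web"
    echo "after:  $(count_world_readable "$root/web") entries readable by others"
    rm -rf "$root"
fi
```

On a real server you would run `world_readable /var/www/clients/client1/web3/web` first, review the list, and only then run `tighten_docroot` on the same path. The matching pure-ftpd setting is its umask pair for files and directories (the `-U files:dirs` option; on Debian-style installs this is kept in `/etc/pure-ftpd/conf/Umask`, which is an assumption about your packaging), where `027:027` makes newly uploaded files 640 and new directories 750, so the audit does not start failing again after the next upload.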
  11. Clouseau

    Clouseau Member

    Nice, just the content of the website. To confirm: in the end I don't have to modify anything, because only a system user not added through ISPConfig could read those files. So in the end, all is good :)
     
