You are invited to Log in or Register a free Frihost Account!

Huge security issue, users can delete other users files,....

After our web server crash becouse of the (assumebly intentionaly deployed) linuxrst.b i have taken over the server administration from a guy that doesent work here anymore... the situation was critical, server was down, it needed to be set up fast...

anyway we got it all working and brought the server back to our remote location... sometime later, i figure out that if you setup a php application on the server, users can access and delete files on other user accounts...

all the fs access rights are set up right, and users are chrooted to their home directories...

i would asume that they can access and delete other files becouse they access the system as the apache user, but how can you set up apache to run on each domain as a system user of that domain and not as apache user... or is there another way of fixing this?

i know i could .htaccess the apache root dir, but that would only permit them from browsing the root dir, but could still get em access to other dirs if they inputed the path, right?

anyway im a bit new to apache, and i needed to learn fast, ive set a ton of things up but yeah, im totaly clueless about some, so i really hope that someone helps me fix this issue before somebody besides me discovers it =D
Are you saying that users have write rights on the apache directory? Why? This should be owned by root and no one else should write there!
They should keep their personal files in ~/public_html. Or are you telling that they can write each other's home directories?
Sounds like the latter. Can't help, just trying to give you a faster answer.
i've read all of it...But i couldn't find a solution..Because i haven't seen any problem as interesting as your problem.But i think you should look for permissions of users. Shocked
permissions of all users are ok and users cannot write over eachothers files, however, if you intall for example, joomla explorer, which browses the filesystem as user apache (wwwrun) you can access home direcrotires of all users since youre using apache user/group and not the site owners....
You may try to remove the wwwrun user from the users group, or whatever group your users are in, and their files belong to. Some systems create a group for every user, that can be also a solution. (Depending how many users you have, of course... if more than 10, it will be very time-consuming.)
well removing users isnt an issue, dont think group permission is either, the issue is how to make apache run as a seperate user under each domain
You may change the permissions of the files from 775 (I assume they are) to 755. So the user wwwrun won't have permissions to write even if it's part of the users group.
I think you should check the permissions of the users on the server. May be you can modify the /etc/passwd file for the apache user.

Abhinav Shah
permissions are set to 777, not 755, but shouldnt there be a way in apache configuration that would block accessing directories of other users via php?
Permissions set to 777 means that anyone can write everywhere. They should be set to 775 or 755 or 750, depending on group policies. Setting permissions to 777 is a security issue itself.
Are you saying you *WANT* perms to be 777 *AND* not let people access each other's homes? Tricky, and I wouldn't find that much useful.

If that's not the case, all I'd say is the first thing to do is to make sure that almost nothing has 777 permissions.
Related topics
Booting time
Setting up Ftp Server
Deleting files?
How to delete files/folders permanently in os x?
cant delete files
Why can't I ever delete my files anymore
What Are Viruses
Cannot Unzip from DirectAdmin / delete files error
At school, Snapped for hacking.. have you been caught?
I need step to step directions on installing a MyBB forum.
Best filemanager?
I cant delete files..
What do you consider to be the most important security issue
Can't Delete files from my site
Reply to topic    Frihost Forum Index -> Computers -> Computer Problems and Support

© 2005-2011 Frihost, forums powered by phpBB.