File manager for virtualsites users doesn't work "Failed to list /"

Hello,

I have a problem with filemanager not working for virtualserver users; it just says "failed to list / - permission denied".

As far as I can see everything looks correct, and as far as I could conclude this should work without additional configuration.

Can someone help?

Kind Regards
Kristijan

Anything? Anyone?

I have the same issue, the filemanager won't work for domain master accounts. The error reported is (failed to list / - permission denied), like it was trying to access the main / directory and not the user home.
Testing the main module config, I can use the file manager only if I log in with full permissions on Webmin.

Hi Giorgio,

Yes, the problem stays ATM. I'm not trying too much to solve it, because I don't know where to start. I checked the configuration of filemanager and it looks OK. Home folders are assigned to users.

I also tried to input correct path to logged user, still same error arises.

Hopefully someone will answer.

Thanks.

Hmm, we haven’t been able to reproduce this particular problem…

However, if you look in /etc/webmin/file, you’ll see a .acl file for each user on your system.

Can you post the contents of a .acl file for a user who is having this problem?

Thanks!

-Eric

It’s the same for all users.

For example:

File: epr2.com.acl Line 1 Col 0 62 bytes 100%

follow=0
noconfig=1
uid=527
goto=1
root=/home/epr2.com
home=0

Kristijan

It’s the same for all users for me too.

And the content of the acl file is the same as nosco:

follow=0
noconfig=1
uid=***
goto=1
root=/home/*****
home=0

For more info, my system is:
Operating system CentOS Linux 6.0 x64
Webmin version 1.570 Virtualmin version 3.89.gpl GPL
I hope this can help.

I have found what my problem is.
I use LES to secure my system binaries, and it is the problem.
Andreychek, you can replicate the problem by following this guide and enabling all options.
http://www.securecentos.com/basic-security/install-les/

If I disable it, everything works fine, but disabling it is a security risk, so if you can tell us which system binaries the file manager needs, we can set the right permissions only on the needed binaries.

Thanks.

Yes, I also use LES :wink:

I can't believe that you have found that problem Giorgio! Great Job!

Now we can try to find a solution.

Thanks

I tried to check the configuration files of LES and the option to exclude the file manager folder, but the documentation is very thin; still no success.

After a bit of testing I found how to solve this problem.
This is the solution:

Remember to disable all LES options before making these changes.

Edit your /usr/local/les/opt.dat

Find the line:
sec_paths="/ /home /etc /var /usr/etc /usr/local/etc /var/log /sbin /usr/sbin /usr/local/sbin"

Replace it with this:
sec_paths="/home /etc /var /usr/etc /usr/local/etc /var/log /sbin /usr/sbin /usr/local/sbin"

Re-enable LES.

For Andreychek:
You need to correct your guide (Securing Your Server HOWTO) in the documentation area:
http://www.virtualmin.com/documentation/id,securing_your_server_howto

Hi Giorgio,

First, great job!

But I would like to know what that means in terms of security regarding LES, if we remove the / path?

What are the repercussions? And why was / there in the first place?

The LES secure-path feature changes folder permissions from 755 to 711; this denies listing of the content by non-root users. But 755 still denies any changes to the / content by non-root users.

The strong security improvement that LES makes is enforcing the immutable bit on essential rpm packages and enforcing root-only permissions on critical system binaries. This is in my opinion the main security enhancement of LES. It also prevents listing of critical paths, but I think if someone can call the listing of your / you are already hacked.
Obviously it is better to have 711 than 755, but it is not essential.

I don't know why the file manager needs to list the / content to work; I hope someone from the Virtualmin team can answer us on this point.
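
The 755 versus 711 difference described in the post above can be checked per directory. The following is an added example, not part of the original thread and not LES or Virtualmin code: it reads the `sec_paths="..."` line in the format quoted earlier and reports, for each listed directory, whether non-root users can list it. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the directories named in a sec_paths="..." line
# (format as quoted in this thread from /usr/local/les/opt.dat).
# Function names are hypothetical, not part of LES.

# Print the space-separated directory list from the first sec_paths line.
les_sec_paths() {
    sed -n 's/^sec_paths="\(.*\)"[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Classify one directory by the "other" permission bits of its mode string.
dir_listing_state() {
    [ -d "$1" ] || { echo missing; return 0; }
    # Characters 8-10 of "drwxr-xr-x" are the bits for users who are
    # neither the owner nor in the owning group.
    perms=$(ls -ld -- "$1" | cut -c8-10)
    case "$perms" in
        r?[xt]) echo listable ;;       # e.g. 755: non-root can list contents
        -?[xt]) echo traverse-only ;;  # e.g. 711: can pass through, cannot list
        *)      echo no-access ;;      # no search bit for "other" at all
    esac
}

# Report every directory in sec_paths together with its current state.
audit_sec_paths() {
    for p in $(les_sec_paths "$1"); do
        printf '%s %s\n' "$p" "$(dir_listing_state "$p")"
    done
}

# Run the audit only when a config file is given on the command line.
if [ $# -gt 0 ]; then
    audit_sec_paths "$1"
fi
```

A `/ traverse-only` line in the output corresponds to the state in which the file manager reported "failed to list / - permission denied" for non-root users.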

Thanks, I couldn’t explain that better. I especially like the “you are already hacked” part ;).

Yes probably some option within file manager could solve this …

Anyway thank you for a solution.