Mod_Security install?

Ah, in reference to not setting open_basedir: a user with a script such as the one above could delve through the system with no restriction at all, go to a .usermin folder-mailbox, look inside inbox.imap and see the password… so he would be able to log in to any account. This is with suexec/fcgi enabled.

I don't know, but I am not an experienced sysadmin and had about everything set to default, and was shocked when I discovered this.
Also, this is not the first time I found out accidentally about major security risks, as in exposing master admins' passwords in some situations. (These have been resolved with Webmin 1.42 and VM 3.58.)

Hmm, you actually tested this?

Yes, I have.
I browsed to the test domain, and I could go through the whole server and do ‘anything’ with the files, from 2 different locations/computers/browsers.
I could open any inbox.imap file and get the password of that user.

Hmm, so it seems you can – not a good thing. I have set all my domains to a restricted open_basedir.

Well, you can do what I did: make a copy of the php.ini file, then add all your custom paths to it with the right VM variables. Then when a new server is created, all is good.

On the other hand, running mod_fcgi lets a user edit their own php.ini file, and they could remove the open_basedir, throwing the server wide open again.

So I have now switched to mod_php with only a master php.ini and made it immutable.

Apparently you have not read http://www.virtualmin.com/documentation/id,securing_your_server_howto/

Hehe, actually I did a few days ago and scratched my ear after reading: "and understand how perl works"

Anyway, the “chattr +i” is an important one if you have ‘untrusted users’ defined by malicious people and users unknowingly experimenting with available options.

A regular user who will simply publish his site about his upcoming wedding will likely not have any intention to abuse your system :)

Normally a user's php.ini has root root 733, which can then be rewritten/recreated. With the offered solution "chattr +i" this will be prevented.

But you know how people do not read :)

I modified my code to fit my servers. So this solution is just great because you can’t go wrong.

I modified functions.les and opt.dat to fit the exact path I used in setting up my server. A person only has to think outside the box because you can adapt LES for nearly anything you want to secure.

That looks good.

What if you have a trusted user and set the PHP configuration module (or set it in the template) to On?
Would the user then get the privilege, or would you need to run the -i cmd on his account afterwards?

Use sudo for them and add their access to /etc/sudoers.

Can a script running under mod_fcgid+mod_suexec see higher than home?

Of course.

I think not only the file but also the folders need +i, as they can still be renamed and recreated.

Always could happen – what's nice about setting a directory +i is that all the files/directories under it are also protected.

> I think not only the file but also the folders need +i, as they can still be renamed and recreated.

Actually no – since php.ini is set +i you can’t do anything including deleting the folder or renaming it because php.ini is under that path which stops what you just said.

Just to prove that you can’t rename a directory if a file under it is +i:

```
[sgrayban@borgnet ~] $ mkdir test
[sgrayban@borgnet ~] $ touch test/test.txt
[sgrayban@borgnet ~] $ sudo chattr +i test/test.txt
[sgrayban@borgnet ~] $ lsattr test/
----i--------- test/test.txt
[sgrayban@borgnet ~] $ rm-fr test/
bash: rm-fr: command not found
[sgrayban@borgnet ~] $ rm -fr test/
rm: cannot remove `test/test.txt': Operation not permitted
```

> Normally a user's php.ini has root root 733, which can then be rewritten/recreated. With the offered solution "chattr +i" this will be prevented.
>
> But you know how people do not read :)

People don’t have to read. This is automatic in 3.58+ (coming out today).

What prompted you to add that to VM, Joe?

BTW velvetpixel – sorry we took over your thread. It just got really good about security overall, although we should have made a new thread for it.

Oops. Actually I misspoke. We are not setting +i on php.ini. We’re setting it on the fcgi-bin directory. Setting it on the user's php.ini would be kind of stupid, as the whole point is to allow users to control their own PHP destiny. ;)
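
An audit sketch for the two settings this thread turns on, added here as an example and not code from any poster or from Virtualmin: it checks whether a php.ini confines open_basedir to the account's home, and whether lsattr reports a path as immutable. The function names, the sample paths and the /tmp allowance are assumptions.

```shell
#!/bin/sh
# Added example: audit a php.ini for the open_basedir and +i points in this thread.

# Print the effective open_basedir value (last uncommented assignment wins).
get_open_basedir() {
    sed -n 's/^[[:space:]]*open_basedir[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 | sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//; s/^"//; s/"$//'
}

# check_open_basedir HOME INI -> prints OK, UNRESTRICTED or OUTSIDE:<entry>
check_open_basedir() {
    home=${1%/}
    value=$(get_open_basedir "$2")
    [ -n "$value" ] || { echo "UNRESTRICTED"; return 1; }
    (   # subshell, so the IFS and globbing changes do not leak to the caller
        set -f; IFS=:
        for entry in $value; do
            case "$entry" in
                */..|*/../*) echo "OUTSIDE:$entry"; exit 1 ;;  # traversal component
                "$home"|"$home"/*|/tmp|/tmp/*) ;;    # /tmp allowance is an assumption
                *) echo "OUTSIDE:$entry"; exit 1 ;;
            esac
        done
        echo "OK"
    )
}

# is_immutable PATH -> 0 if lsattr shows the 'i' flag, as in the lsattr output above
is_immutable() {
    flags=$(lsattr -d "$1" 2>/dev/null | awk '{print $1}')
    case "$flags" in *i*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample files (not from the thread): one confined, one wide open.
demo=$(mktemp -d)
printf 'open_basedir = "/home/alice:/tmp"\n' > "$demo/good.ini"
printf ';open_basedir = /home/bob\nmemory_limit = 64M\n' > "$demo/bad.ini"
for f in good bad; do
    verdict=$(check_open_basedir /home/alice "$demo/$f.ini" || true)
    if is_immutable "$demo/$f.ini"; then attr=immutable; else attr=not-immutable; fi
    echo "$f.ini: open_basedir=$verdict attr=$attr"
done
rm -rf "$demo"
```

A commented-out directive counts as unset, and an entry such as /home/alice2 is reported as outside /home/alice rather than accepted on a string-prefix match.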