ah in reference of not setting the open_basedir, a user with such script as above could dwell through the system with no restriction at all, go to a .usermin folder-mailbox, look inside inbox.imap and see the password…so he would be able to log in to any account. This is with suexec/fcgi enabled
I dont know but i am not experienced sys admin and had about everything set to default and was shocked when i discovered this.
Also this is not the first time i found out accidentally about major security risks, as in exposing master admins passwords in some situations. (these have been resolved with webmin 1.42 and VM 3.58)
yes i have.
i browsed to the test domain, and i could go through the whole server and do ‘anything’ with the files from 2 different locations/computers/browser.
I could open any inbox.imap file and get the password of that user.
Well you can do what I did — make a copy of the php.ini file then add all you custom paths to it with the right VM variables then when a new server is created all is good.
hehe actually i did a few days ago and scratched my ear after reading : "and understand how perl works"
anyway the “chattr +i” is an important one if you have ‘untrusted users’ defined by malicious people and users unknowingly experimenting with available options.
A regular user who will simply publish his site about his upcoming wedding will likely not have any intention to abuse your system
Normally a usrs php.ini has root root 733 which can then be rewritten/recreated. with the offered solution "chattr +i" this will be prevented.
I modified my code to fit my servers. So this solution is just great because you can’t go wrong.
I modified functions.les and opt.dat to fit the exact path I used in setting up my server. A person only has to think outside the box because you can adapt LES for nearly anything you want to secure.
what if you have a trusted user and set the php configuration module (or set it in the template) to On.
Would the user then get the privilege or need you to run the -i cmd on his account afterwards?
i think not only the file but also the folders need +i as they can still be renamed and recreated.
Actually no – since php.ini is set +i you can’t do anything including deleting the folder or renaming it because php.ini is under that path which stops what you just said.
Oops. Actually I misspoke. We are not setting +i on php.ini. We’re setting it on the fcgi-bin directory. Setting it on the users php.ini would be kind of stupid, as the whole point is to allow users to control their own PHP destiny.