yes indeed. And not being experienced (i guess there are many others out there) and not knowing about open_basedir, the default install let’s that of course wide open.
Im wondering if this could be set somehow during an installation (at least have ${HOME} in it) or give a warning when the field in the template is left blank.
This setting can also be done afterwards through the server template "PHP configuration variables for scripts" in the Pro version.
Also enable_dl must be set to Off else a user can upload and execute any module and without open_basedir set I don’t want to think of the consequences :).
I’m just saying, if talking about security then lets presume system admins are not experienced at all. I’m guessing there must be many current resellers who upgrade themselfs to “webhosts” and as you say: a system is as safe as the admin running it.
“what I did was create a new user group called ‘hosting’ and went though all the ACL’s for each module and disabled or enforced what they could do in them.”
I can see one can do this for a group in file manager settings for the group, but, can’t figure out what to put in the box that says “ONLY ALLOW ACCESS TO DIRECTORIES”. Without this box, the user can get anywhere in file manager.
Yeah, CentOS definitely doesn’t have mod_security in it’s repository. Installing manually by downloading it from the mod_security site and following their instructions is a common way to do that.
I think there are third party repositories that package mod_security and make it simpler to install, but I’m not familiar with any of them… I’d certainly suggest caution in what repositories you enable, as some can cause problems of various sorts. But if you run into one you trust that provides mod_security, that may save you some time
