Jump to content


  • Posts

  • Joined

  • Last visited

Everything posted by click

  1. On second thought, I guess suexec would give any scripts I am running complete access to ALL my files, rather than just those that are chmod 777. So, I guess my real question is whether vulnerable scripts in other users accounts can access my account. Thanks everyone.
  2. OK. That is pretty much what I was trying to figure out. So, basically (if I understand correctly), having the help desk chown nobody, chmod 755 folders (as suggested here) is only marginally more secure overall and not secure at all (same as 777) if someone is taking advantage of a vulnerable script. Does this apply to vulnerable scripts in other users accounts as well? Would putting the writable folder outside of my public_html folder help at all? Seems to me it wouldn't, but just thought I'd ask. Is there any way to secure a folder and allow php to write to it? Seems like suexec would be much more secure in a shared environment, but I'm in over my head now as I don't know all the issues with implementing that.
  3. Isn't 755 read & execute permission? Wouldn't 711 be just execute permission? And wouldn't executing a php file require that php be able to read it. I can still read the source of php files that I've had the help desk chown nobody, chmod 755.
  4. When a user comes to my site, they are interacting with apache which is "logged in" as user "nobody" [Edit] One other thing... The recomended way of securing these folders has been to change the owner to "nobody" and chmod 755, but if apache, php, etc is running as nobody, then they'd have write acess anyhow.[/Edit] But they can read it? The actual file, not the output of being run by php? Would they then be able to access my mysql databases using the login info contained in those php files?
  5. But your next door neighbor wouldn't be able to upload a file to that folder without first logging on to the server. That seems like a bad thing. But chmod 777 wouldn't have made a bit of difference in this case This is where I really don't understand. I didn't think there was any such thing as "world writable" on *nix as there is no "guest" access to the server. Doesn't that just mean that all the users on that machine would have access to the file/folder? The rest of the world can't log onto the server and therefore shouldn't be able to do anything. Also, my understanding was that there was protection on the server to prevent access between accounts. Does this also mean that other users can read chmod 755 scripts that contain mysql passwords, etc? Again... not trying to be a pest... (getting hard to believe, I'm sure ) I just want to understand how these sites are getting hacked so mine doesn't join them!
  6. Sorry to butt in, but I'm still a little confused by this. Does this mean that someone else on the server is doing this? Wouldn't they have to be logged onto the server before they could write to files, even if they are chmod 777? Also, the suggestion has been to have the help desk change any folders that need to be writable by scripts to be owned by "nobody" and chmod 755, which I have done. But, it seems to me that the most likely way a hacker would get access to the server would be through a vulnerablilty in a script, in which case, wouldn't they be accessing things as user "nobody" anyhow? Sorry if I'm being a pain (and if I am, just say so and I'll go away ) but I still don't quite understand how people are getting access to these files and how to stop it.
  7. That is the same error I was getting. $allow_server_sort=true should fix it. BTW, 1.4.3a is an old version. Latest is 1.4.5 with, it looks like, several security fixes since 1.4.3. Looks like this is TCH's install???
  8. Honestly, I'm not real sure... The SquirrelMail site just says:
  9. There is a bug in PHP 4.4.1 that TCH recently upgraded to that will cause SquirrelMail to timeout when opening messages. If it's a stand alone copy you installed, try setting "$allow_server_sort = true" in config.php otherwise, you should probably open a support ticket to have the techs look at it. There are also a couple lines in download.php that need to be tweaked. Details here
  10. Thinking about this some more... you'll want to research it some before you try disabling the DHCP server. Make sure you know how to get back into the router config after it's been disabled since you won't be in the 192.168.x.x or whatever subnet with the router anymore. I don't know how much you know about networking and setting up the router.
  11. I don't know how much help this will be, but I think it may depend on how your ISP has things setup. I have 2 computers connected to my dsl modem with a simple ethernet hub (no DHCP server) so each computer gets it own IP from my ISP's DHCP server. You could possibly try turning off the DHCP server in your wireless router so that it acts as a simple access point/hub. I think you would then plug your DSL modem into the hub portion of your router rather than the "Internet" port.
  12. click

    Win 98

    I would also boot into safe mode and run the scanner at housecall.trendmicro.com.
  13. Dangit - I really thought I was on to something there. I read somewhere that cpanel sets public_html to USER:nobody 750 to give apache access but keep other users out and ran with it. I guess that's why you get to administer the servers and I... well... don't. Anyhow, I think it's time to finally let this thread die. Thanks so much for your patience. Oh yeah, and...
  14. Just kidding... one more quick question. I promise. Would having the help desk chown user:nobody the directories work? That way, I could chmod 775 them so that php could write to them, but I would still own them?
  15. Doh! Now this conversation can be complete. If there's a way to get into trouble, somehow I manage to find it. That's what I figured. I just wanted to make sure I wasn't doing something that I shouldn't be. I didn't want to do something that compromised the server for everyone because I didn't bother to figure out how to do it correctly. Again, thank you for taking the time... it's very much appreciated.
  16. So, basically, I just create a temporary php script to create/manipulate any directories I need php scripts to have write access to? Also, is avoiding chmod 777 simply for redundancy or are you saying that making files/directories 777 allows anyone on the server to write to them? Is there anything that stops users from accessing files outside their home directories? I ask because my scripts are chmod 755 and contain login info for mysql databases that I wouldn't want others to be able to read. Thanks for all your help. The more secure the better...
  17. That's no problem at all, I certainly wasn't complaining. I was just a bit perplexed when I came back to check the thread for replies and found that it seems to have been removed or something??? Oh well... Hope you had a wonderful Christmas. Now, on to my next obvious question. How do I change the user? And will that affect me being able to work with it later, since I won't be the owner any more? Thanks...
  18. Anyone have any idea where the topic "777 And Some Files Created Yesterday" went? I had been anticipating a reply from TCH-Andy about this issue but that thread seems to have vanished. Anyhow, on to my question... TCH-Andy seemed to say in that thread that php scripts could edit files as their owner without resorting to chmod 777. Is that correct? And if so, how would I do that? I searched the forums and found a couple threads that said that TCH doesn't use suexec due to compatibility problems. Right now, if I want users to be able to upload anything (forum avatars, photos, etc) I have to chmod 777 those directories which I would rather not do if I don't have to. Thanks... -Steven
  19. I'm a bit of a webmaster newbie myself and it has taken me a while to figure out some of the terminology that the more experienced folks here throw around. I think you might be getting confused by the "park" terminology. From what I understand, "parking" a domain name allows a site to have more than one domain name, so that when a user enters either the main site address or one of the parked addresses, they end up at the same page. I think this is what you want to do. You would setup your new site with the new domain name and then "park" the old domain name on the new site. You would also have to edit the old domain registration info so that the old domain points to TCH's server. -Steven
  20. Nevermind.... Deleted the cookies and everything seems to be working now.
  21. I made a seperate install of squirrelmail so I could install plug-ins, etc. It works fine for me but I have a user that is generating a session_start() error when they try to access it. The error from the log is: [error] PHP Warning: session_start(): open(/tmp/sess_d13d6d880bf1e4d0c4e522586724816e, O_RDWR) failed: Permission denied (13) in /home/jgkpipe/public_html/squirrelmail/functions/global.php on line 333 followed by several "headers already sent" errors. Any idea what the problem could be? Thanks a bunch... -Steven PS - Great forum!
  22. Already tried that. The response I got was: Thanks for the link... I'll check it out. -Steven
  23. My users are having problems logging in to Horde and Neomail (SquirrelMail works fine.) When they go to domain-name/webmail, they can login and choose a webmail program, but when they choose horde, and i believe neomail, they are immediately logged out (they get the logged out screen as though they clicked logout.) I don't know if it is related, but they are using AOL; I can login to their accounts fine from my computer using another ISP. Anyone know what might be causing this? Additionally, they want direct access to the webmail, without having to choose which program to use -- apparently that's "way to complicated" -- so I setup direct access to SquirrelMail. This works fine, but there doesn't seem to be a way for them to change their email password through squirrelmail. There is a plugin available to allow users to change their password, but I think I would have to make a completely seperate installation to use it. Is that correct? Thanks... -Steven
  • Create New...