Posts posted by click

  1. On second thought, I guess suexec would give any scripts I am running complete access to ALL my files, rather than just those that are chmod 777. So, I guess my real question is whether vulnerable scripts in other users' accounts can access my account.

     

    Thanks everyone.

  2. OK. That is pretty much what I was trying to figure out. So, basically (if I understand correctly), having the help desk chown nobody, chmod 755 folders (as suggested here) is only marginally more secure overall and not secure at all (same as 777) if someone is taking advantage of a vulnerable script. Does this apply to vulnerable scripts in other users' accounts as well?

     

    Would putting the writable folder outside of my public_html folder help at all? Seems to me it wouldn't, but just thought I'd ask. Is there any way to secure a folder and allow php to write to it?

     

    Seems like suexec would be much more secure in a shared environment, but I'm in over my head now as I don't know all the issues with implementing that. :)

  3. Isn't 755 read & execute permission? Wouldn't 711 be just execute permission? And wouldn't executing a php file require that php be able to read it? I can still read the source of php files that I've had the help desk chown nobody, chmod 755.

  4. When a visitor comes to your site, they get there as a guest. Most of the time they only have read permissions though. If you give write and execute permissions, the last 7, then they can do whatever they want with that file.
    When a user comes to my site, they are interacting with apache which is "logged in" as user "nobody"

     

    [Edit] One other thing... The recommended way of securing these folders has been to change the owner to "nobody" and chmod 755, but if apache, php, etc is running as nobody, then they'd have write access anyhow.[/Edit]

    If a file has 755 perms then they cannot change it unless they compromise your account in some other way so that the server thinks you are the owner and they chmod the file to 777 as owner.

    But they can read it? The actual file, not the output of being run by php? Would they then be able to access my mysql databases using the login info contained in those php files?
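The ownership and mode combinations raised across these posts, worked through as an added example (not part of any forum post and not the host's actual configuration). It models plain Unix mode bits only; the account names `click` and `neighbor` are constructed, every account's PHP is assumed to run as the shared user `nobody` (no suexec, as the posts describe), and any extra isolation the host applies between accounts is not modelled.

```python
# Added example: classic Unix mode-bit check applied to the setups in this thread.
# Account names are constructed; "nobody" is the shared web-server user that
# runs every customer's PHP when suexec is not in use (assumption from the posts).
GROUPS = {"click": {"click"}, "neighbor": {"neighbor"}, "nobody": {"nobody"}}


def access(actor, owner, group, mode):
    """Return the rwx string `actor` gets on a path with this owner/group/mode.

    Exactly one class applies: owner bits if actor owns the path, else group
    bits if actor is in the group, else the "other" bits. Root is not modelled.
    """
    if actor == owner:
        bits = (mode >> 6) & 7
    elif group in GROUPS[actor]:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return "".join(ch if bits & bit else "-" for ch, bit in (("r", 4), ("w", 2), ("x", 1)))


def writers(owner, group, mode):
    """Accounts that can create or replace files in a directory (need w and x)."""
    return sorted(a for a in GROUPS if {"w", "x"} <= set(access(a, owner, group, mode)))


# Upload-directory setups discussed in the posts: label -> (owner, group, mode)
SETUPS = {
    "click:click 777": ("click", "click", 0o777),
    "nobody:nobody 755": ("nobody", "nobody", 0o755),
    "click:nobody 775": ("click", "nobody", 0o775),
    "click:nobody 750": ("click", "nobody", 0o750),
}

if __name__ == "__main__":
    for label, (owner, group, mode) in SETUPS.items():
        print(f"{label:18} writable by: {', '.join(writers(owner, group, mode))}")
    # A 755 script holding MySQL credentials: readable through the "other" bits,
    # both by the web server and by any other local account.
    print("755 script, read as nobody:  ", access("nobody", "click", "click", 0o755))
    print("755 script, read as neighbor:", access("neighbor", "click", "click", 0o755))
    # USER:nobody 750 keeps the web server reading while other accounts get nothing.
    print("750 click:nobody, neighbor:  ", access("neighbor", "click", "nobody", 0o750))
```

Under the stated assumption that all PHP runs as `nobody`, "writable by nobody" covers any script on the server, so `nobody:nobody 755` differs from `777` only for other local login accounts.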

  5. If a folder has 777 permissions anyone can write to it. This means my next door neighbor could upload a file to that folder and run it from a browser and thus execute that particular file on the server.

    But your next door neighbor wouldn't be able to upload a file to that folder without first logging on to the server.

     

    There at one point was a PHP (4.3.11) issue that would give a remote user full read/write permission to a 777 folder even if the folder was located in a 700 folder. This issue was corrected with the newest release of 4.4.1 PHP so that can not occur any longer. The new version of PHP respects top level paths.
    That seems like a bad thing. :) But chmod 777 wouldn't have made a bit of difference in this case

     

    People are gaining access to these files because the person or script that created the folders or files created them with world writable permissions. It really is that simple. I could change any of your files in a folder you set to 777. :)

    This is where I really don't understand. I didn't think there was any such thing as "world writable" on *nix as there is no "guest" access to the server. Doesn't that just mean that all the users on that machine would have access to the file/folder? The rest of the world can't log onto the server and therefore shouldn't be able to do anything. Also, my understanding was that there was protection on the server to prevent access between accounts. Does this also mean that other users can read chmod 755 scripts that contain mysql passwords, etc?

     

    Again... not trying to be a pest... (getting hard to believe, I'm sure ;) ) I just want to understand how these sites are getting hacked so mine doesn't join them!

  6. Not the first time we have seen this issue.

     

    In your case it was caused by 777 permissions on a publicly accessible folder.

     

    Watch your permissions in the future.

    Sorry to butt in, but I'm still a little confused by this. Does this mean that someone else on the server is doing this? Wouldn't they have to be logged onto the server before they could write to files, even if they are chmod 777? Also, the suggestion has been to have the help desk change any folders that need to be writable by scripts to be owned by "nobody" and chmod 755, which I have done. But, it seems to me that the most likely way a hacker would get access to the server would be through a vulnerability in a script, in which case, wouldn't they be accessing things as user "nobody" anyhow?

     

    Sorry if I'm being a pain (and if I am, just say so and I'll go away :) ) but I still don't quite understand how people are getting access to these files and how to stop it.

  7. Yeah mine started doing this over the past 48hrs out of nowhere...
    Fatal error: Maximum execution time of 30 seconds exceeded in /usr/local/squirrelmail-1.4.3a/src/read_body.php on line 95

    :blink:

    That is the same error I was getting. $allow_server_sort=true should fix it.

     

    BTW, 1.4.3a is an old version. Latest is 1.4.5 with, it looks like, several security fixes since 1.4.3. Looks like this is TCH's install???

  8. Thank you for this fix! I was wondering why I couldn't read emails all the sudden!

     

    What is the implication of not tweaking the download.php lines?

    Honestly, I'm not real sure... The SquirrelMail site just says:

    PHP 4.4.0 and register_globals=on + SquirrelMail 1.4.5 or older

     

    * Variable corruption in messages with attachments.

  9. There is a bug in PHP 4.4.1 that TCH recently upgraded to that will cause SquirrelMail to timeout when opening messages. If it's a stand alone copy you installed, try setting "$allow_server_sort = true" in config.php; otherwise, you should probably open a support ticket to have the techs look at it.

     

    There are also a couple lines in download.php that need to be tweaked. Details here

  10. Thinking about this some more... you'll want to research it some before you try disabling the DHCP server. Make sure you know how to get back into the router config after it's been disabled since you won't be in the 192.168.x.x or whatever subnet with the router anymore. I don't know how much you know about networking and setting up the router.

  11. I don't know how much help this will be, but I think it may depend on how your ISP has things setup. I have 2 computers connected to my dsl modem with a simple ethernet hub (no DHCP server) so each computer gets its own IP from my ISP's DHCP server. You could possibly try turning off the DHCP server in your wireless router so that it acts as a simple access point/hub. I think you would then plug your DSL modem into the hub portion of your router rather than the "Internet" port.

  12. Dangit - I really thought I was on to something there. :) I read somewhere that cpanel sets public_html to USER:nobody 750 to give apache access but keep other users out and ran with it. I guess that's why you get to administer the servers and I... well... don't. :D

     

    Anyhow, I think it's time to finally let this thread die. :blush:

     

    Thanks so much for your patience.

     

    Oh yeah, and... :naughty:

  13. Just kidding... one more quick question. I promise. :thumbup1:

     

    Would having the help desk chown user:nobody the directories work? That way, I could chmod 775 them so that php could write to them, but I would still own them?

  14. If you need to manipulate any directories that are owned by "nobody", please just open a ticket at the help desk. Creating a php script to effectively perform shell commands would be against our AUP and ToS.

    Doh! Now this conversation can be complete. If there's a way to get into trouble, somehow I manage to find it. :thumbup1:

     

    Yes, 777 allows anyone to write to them. 755 is restricting write access to the owner, but you have still given read access to group and world - (owner,group,world). We do have protection on the servers though preventing access between accounts.

     

    In terms of 100% security - if you want to be 100% certain that no-one else can ever read it, then don't put it on a computer connected to the internet :angry: If you want a realistic balance of security, then simply changing to 755 from 777 will be a good start.

    That's what I figured. I just wanted to make sure I wasn't doing something that I shouldn't be. I didn't want to do something that compromised the server for everyone because I didn't bother to figure out how to do it correctly.

     

    Again, thank you for taking the time... it's very much appreciated.

  15. So, basically, I just create a temporary php script to create/manipulate any directories I need php scripts to have write access to?

     

    Also, is avoiding chmod 777 simply for redundancy or are you saying that making files/directories 777 allows anyone on the server to write to them? Is there anything that stops users from accessing files outside their home directories? I ask because my scripts are chmod 755 and contain login info for mysql databases that I wouldn't want others to be able to read.

     

    Thanks for all your help. The more secure the better...

  16. I was away for a few days over the festive season - hence a shortage of replies....

    That's no problem at all, I certainly wasn't complaining. I was just a bit perplexed when I came back to check the thread for replies and found that it seems to have been removed or something??? Oh well... Hope you had a wonderful Christmas.

     

    If you set the user of the directory to "nobody" (assuming you are uploading via the script), you can then set the permissions to 755. This will allow the script running on the server to write, but provide you some protection against anybody being able to write.

    Now, on to my next obvious question. :) How do I change the user? And will that affect me being able to work with it later, since I won't be the owner any more?

     

    Thanks...

  17. Anyone have any idea where the topic "777 And Some Files Created Yesterday" went? I had been anticipating a reply from TCH-Andy about this issue but that thread seems to have vanished.

     

    Anyhow, on to my question... TCH-Andy seemed to say in that thread that php scripts could edit files as their owner without resorting to chmod 777. Is that correct? And if so, how would I do that? I searched the forums and found a couple threads that said that TCH doesn't use suexec due to compatibility problems. Right now, if I want users to be able to upload anything (forum avatars, photos, etc) I have to chmod 777 those directories which I would rather not do if I don't have to.

     

    Thanks...

     

    -Steven

  18. I'm a bit of a webmaster newbie myself and it has taken me a while to figure out some of the terminology that the more experienced folks here throw around. I think you might be getting confused by the "park" terminology.

     

    From what I understand, "parking" a domain name allows a site to have more than one domain name, so that when a user enters either the main site address or one of the parked addresses, they end up at the same page. I think this is what you want to do. You would setup your new site with the new domain name and then "park" the old domain name on the new site. You would also have to edit the old domain registration info so that the old domain points to TCH's server.

     

    -Steven

  19. I made a separate install of squirrelmail so I could install plug-ins, etc. It works fine for me but I have a user that is generating a session_start() error when they try to access it. The error from the log is:

     

    [error] PHP Warning: session_start(): open(/tmp/sess_d13d6d880bf1e4d0c4e522586724816e, O_RDWR) failed: Permission denied (13) in /home/jgkpipe/public_html/squirrelmail/functions/global.php on line 333

     

    followed by several "headers already sent" errors.

     

    Any idea what the problem could be?

     

    Thanks a bunch...

     

    -Steven

     

    PS - Great forum!

  20. it would be best if you opened a help desk ticket about this.

    Already tried that. The response I got was:

    Hello,

     

    We have not come across any problems for users of AOL to access the webmail.

    Please check out the forums at http://www.totalchoicehosting.com/forums for more information in this regard.

     

    Thanks for choosing TotalChoice Hosting

     

    Sincerely,

    Kris B

    Technical Support

    Thanks for the link... I'll check it out.

     

    -Steven

  21. My users are having problems logging in to Horde and Neomail (SquirrelMail works fine.) When they go to domain-name/webmail, they can login and choose a webmail program, but when they choose horde, and I believe neomail, they are immediately logged out (they get the logged out screen as though they clicked logout.) I don't know if it is related, but they are using AOL; I can login to their accounts fine from my computer using another ISP. Anyone know what might be causing this?

     

    Additionally, they want direct access to the webmail, without having to choose which program to use -- apparently that's "way to complicated" -- so I setup direct access to SquirrelMail. This works fine, but there doesn't seem to be a way for them to change their email password through squirrelmail. There is a plugin available to allow users to change their password, but I think I would have to make a completely separate installation to use it. Is that correct?

     

    Thanks...

     

    -Steven
