Feature request: apache mod_chroot #545

Open
solkmaaker opened this Issue Apr 18, 2018 · 2 comments

solkmaaker commented Apr 18, 2018

System information

  • Froxlor version: 0.9.39.5 (DB: 201802130)
  • Web server: apache2
  • OS/Version: Debian 9

Implement apache mod_chroot usage.

The current problem when using mpm_itk is that, although every apache process will run as its owner when the virtualhost config states:
<IfModule mpm_itk_module>
    AssignUserID $USER $GROUP
</IfModule>
users are not isolated from each other, and all users are able to view system files and other users' files when they upload some sort of php file manager.

mod_chroot itself resolves the problem that a user is able to view system files, by jailing the apache master process.
It will require stating a global chroot folder, in froxlor's case probably /var/customer/webs; also, some libraries must be preloaded for php name resolving, and timezone files, resolv.conf, and some other config files must be present in the chroot jail.
Since server reconfiguration is done by cron (and run by root using cli php), this will not be affected by the apache module.

Also, user folders must be created as 750; currently they are created as 755.

With this setup, users will be able to view all folders in /var/customer/webs, but they cannot look into the folders, and the folder /var/customer/webs looks to them like the root folder (/).
The Apache virtual host DocumentRoot in this case will be /$USER

Contributor

JB1985 commented Apr 25, 2018

Do you use PHP Openbasedir?

solkmaaker commented Apr 25, 2018

Yes, I do, and I see what you are saying.

File manager I used:
https://github.com/Rugoals/phpFileManager

Indeed, when I try to access the upper folder, the php file manager gives me:

I/O Error./var/customers/webs/
--

But if I use "shell" in that particular file manager, I can do:

# pwd
/var/customers/webs/testuser/fm
# ls ../../../../../
bin
boot
dev
etc
home
initrd.img
initrd.img.old
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
vmlinuz
vmlinuz.old

I have another web server instance which uses mpm_itk with mod_chroot (no froxlor), and there, the same file manager is unable to "see" folder listings (in froxlor's case this would be folders with usernames), but it cannot go up because of mod_chroot.
And the manager cannot look into other users' folders because of folder permissions (700), and every user's apache vhost is running as that particular user, so there is no access to other users' folders.
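
An added example, not part of the issue thread or Froxlor's code: a Python check an administrator could run against the planned chroot directory to list customer folders whose permissions are looser than the 750 proposed in the request (or the 700 mentioned in the last comment) and jail files that are missing. The support-directory names and the `etc/localtime` path standing in for "timezone files" are assumptions.

```python
import os
import stat
import sys

# Assumptions for this sketch (not from the issue): which entries inside the
# jail are support directories rather than customer folders, and the exact
# files that stand in for "resolv.conf" and "timezone files".
SUPPORT_DIRS = {"etc", "lib", "lib64", "usr"}
JAIL_FILES = ("etc/resolv.conf", "etc/localtime")


def audit_jail(chroot_dir, max_mode=0o750):
    """Return (relative_path, problem) findings for a planned chroot directory."""
    findings = []
    with os.scandir(chroot_dir) as entries:
        for entry in sorted(entries, key=lambda e: e.name):
            # Support directories must stay readable by every vhost user.
            if entry.name in SUPPORT_DIRS:
                continue
            # Only real directories count as customer folders.
            if not entry.is_dir(follow_symlinks=False):
                continue
            mode = stat.S_IMODE(entry.stat(follow_symlinks=False).st_mode)
            # Permission bits that are set but not allowed by max_mode.
            extra = mode & ~max_mode
            if extra:
                findings.append(
                    (entry.name,
                     f"mode {mode:04o} grants {extra:04o} beyond {max_mode:04o}")
                )
    # Files that must exist inside the jail once Apache is chrooted.
    for rel in JAIL_FILES:
        if not os.path.isfile(os.path.join(chroot_dir, rel)):
            findings.append((rel, "missing from jail"))
    return findings


if __name__ == "__main__":
    # Usage: python3 audit_jail.py <chroot directory>
    for path, problem in audit_jail(sys.argv[1]):
        print(f"{path}: {problem}")
```

Pass `max_mode=0o700` to check against the stricter permissions described for the non-froxlor server.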
