SSH users should be able to write in the /var/www/clientX/webX/ folder to enable deployments etc.

Hello We offer our ssh config to professional clients. These clients use deployment scripts so they can deploy new versions of their applications and easily revert to an old applications if needed.

What I noticed is that the /var/www/clientX/webX/ folder has root:root permissions. This feels wrong and unnatural to me since it's the SSH users home folder. The problem is also that deploy scripts won't work because they have to be able to deploy to a private location AND symlink the web folder.

Because of the permissions you can't edit the web folder and you are forced to deploy in the provate folder.

I know you do this most likely because of security but I fail to see how making the /var/www/clientX/webX/ folder permission webX:clientX would compromise security.

Also all folders like SSL and log should be webX:clientX. People should be able to modify them when they want.

The permissions are set like this for security reasons, so the owner cant be changed without opening varius severe security holes in the server.

What I noticed is that the /var/www/clientX/webX/ folder has root:root permissions. This feels wrong and unnatural to me since it's the SSH users home folder.

No, its not thehomefolder of the ssh user, its the / directory of the ssh jail of the website. The home folder of the ssh user is /var/www/clientX/webX/home/username and this folder is writable for the ssh user.

The problem is also that deploy scripts won't work because they have to be able to deploy to a private location

There is aprivate location for exact that reason in ispconfig. See folder /var/www/clientX/webX/private

I know you do this most likely because of security but I fail to see how making the /var/www/clientX/webX/ folder permission webX:clientX would compromise security.

1. The ssh users could not be jailed then, as the / of a jail has to be owned by root.
2. If /var/www/clientX/webX/ is owned by root, then the ssh user would be able to rename or delete subfolders in that directory even if these subfolders are owned by root. This means that he would be able to bring down apache easily bye.g. renaming the web or ssl directory.

Hello Till,

Thank you for your reply. The problem with deploy scripts is that they need to symlink the web of the public_html folder. What solution would you suggest to be able to use deploy scripts with ISPConfig?

If the "web" folder is a symlink which can be changed by a script that runs as the web user, then this script would be able to take down the apache server for all sites. So every client or a malicious script would be able to bring down all sites of all other clients on that server as apache is not fault tolerant when it comes to missing DocumentRoot directories in vhosts. I would love to implement that in ispconfig but its not possible until the apache developers make their http server more fault tolerant e.g. ina way that it skips a vhost configuration when a folder is missing instead of halting all vhosts.

Till wouldn't there be a way to set apache to not throw an error but a warning or to check if the directory exists. My experiences are that apache keeps running but just throws some errors when starting and DocumentRoot directories are missing.

My experiences are that apache keeps running but just throws some errors when starting and DocumentRoot directories are missing.

Thn remove the ssl cert directory as well of a vhost that has ssl enabled and restart apache.

Hey Till, Thank you again for answering my questions.

Ok I understand that then it will crash. Isn't there a way to make checks so Apache won't crash? Atm I'm also using directadmin and never had any troubles with people deleting the public_html or private_html.

There should be a way to make apache more error recilient and still enable people to edit their homedir. Like a fallback or something.

I'am not aware of a config option in apache to make it more fault tolerant and checking the existence of all folders for all sites e.g. in the apache init script is not a good option in my opinion as it will use a lot of resources to check hundreds of directories and it is not 100% save as a directory might be removed in the meantime.

Maybe directadmin uses its own apache binary were they patched it and not the binarys of the linux distributions. If you find a way that apache handles this better when web or ssl dir are missing, please let me know.

Regardin the permissions of the /var/www/clientX/webX dir, to jail user, this has to be owned by root in any case. Otherwise the jail wont work. Also the jailkit chell checks its permissions to ensure that its a safe enviroment.

I've checked the directadmin configuration and they use allias match I will throw here some examples of directadmin uses directory linking:

The general Vhost configuration <VirtualHost [server-ip]:80> ServerAdmin webmaster@localhost AliasMatch ^/~([^/]+)(/.) /home/$1/public_html$2 DocumentRoot /var/www/html ServerName localhost ScriptAlias /cgi-bin/ /var/www/cgi-bin/ CustomLog /var/log/httpd/homedir.log homedir

<VirtualHost [server-ip]:443> ServerAdmin webmaster@localhost AliasMatch ^/~([^/]+)(/.) "/home/$1/public_html$2" DocumentRoot /var/www/html ServerName localhost ScriptAlias /cgi-bin/ /var/www/cgi-bin/ CustomLog /var/log/httpd/homedir.log homedir

SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

And the specific domain settings look like this: <VirtualHost [server-ip]:80 > ServerName www.[domain-name] ServerAlias www.[domain-name] [domain-name] ServerAdmin webmaster@[domain-name] DocumentRoot /home/[username]/domains/[domain-name]/public_html

    UseCanonicalName OFF

    <IfModule !mod_ruid2.c>
            SuexecUserGroup [username] [username]
    </IfModule>

    <Directory /home/admin/domains/[domain-name]/public_html>
            AllowOverride AuthConfig FileInfo Indexes Limit Options=Indexes,Includes,IncludesNOEXEC,MultiViews,SymLinksIfOwnerMatch,FollowSymLinks,None
            Options -ExecCGI

            php_admin_flag engine ON
            php_admin_value open_basedir /home/[username]/:/tmp:/var/tmp:/usr/local/lib/php/

    </Directory>

I'm not sure if they patched apache. That could be ofcourse but I tested changing directories and it only threw an warning but still booted ok: AH00112: Warning: DocumentRoot [/home/[username]/domains/[domain-name]/private_html] does not exist

Also maybe this could be the soultion to the strict rules problem. Disabling SELinux: http://stackoverflow.com/questions/14786881/apache-restart-causes-documentroot-must-be-a-directory-even-though-it-is-a-dire

SELinux should alwys be off when you followed the installation instructions as selinux causes various problems.

Hey Till,

I've tested what you are saying with ISPconfig but the same result. It does throw warnings but no errors and apache just keeps starting. Are you sure apache crashes or are there other situations it will since I don't have these issues.

Create a ssl cert for the site in ispconfig, then delete the ssl directory and restart apache. If the ssl directory is owned by the user of the site, he can delete it and bring down apache. The same happens when /var/www/clientX/webX/ is owned by the web user and just the ssl dir is owned by root as a user can delete files and folders ina directory he owns even if thes efiles are owned by root. But it is not just apache, also jailkit will not work if /var/www/clientX/webX/ is owned by the user and group of the site, so you wont be able to provide any secure shell logins in that case.

I will consider to make the vhost docroot configurable to a subfolder of the "web" directory, but the permisisons of the directory /var/www/clientX/webX/ cant be changed without opening security holes.

Till, Maybe it's an idea to move the directory structure 1 directory deeper for the web so that people can make private directories next to the web directory. I understand the SSL part I think that is acceptable maybe it's an idea to make it configurable in ISPconfig so you can point it to web if you want by changing a switch.

BTW is there a way to reach you in IRC I would like it discuss this further.

Till, Maybe it's an idea to move the directory structure 1 directory deeper for the web so that people can make private directories next to the web directory.

Yes, thats what I planned as an option.

BTW is there a way to reach you in IRC I would like it discuss this further.

No, I dont use IRC. You can reach me here, in the ispconfig developer forum or by email to dev [at] ispconfig [dot] org

Something like this worked before for me : redirecting the SSH user home directory from clientX/webY > clientX/webY/private as most applications would use the ~ abbreviation to get write and read there.

Unfortunately FS3089 also seems to apply to SSH users, but I'll file another bugreport for this if I don't find a topic already discussing it.

As this behaviour is still annoying, some more actual comments:

The home folder of the ssh user is /var/www/clientX/webX/home/username and this folder is writable for the ssh user.

These folders do just not exist. Did you mean the ~/private one? I'm currently using "Shell user" > "Options" > "Dir" and append the /private/ part.

Yes, thats what I planned as an option.

I'd love to see this option. Also npm is having problems with trying to write to a Dotfolder, as many other tools are.

Hi. Thank you all for the great job you do.

I am dealing with the user home dir issue. I set the home dir for a shell user to clientX/webY/private. I tried to remove an SSH key using ssh-keygen -R servername.hostname.net But it gives me the error message: /var/www/clients/clientX/web3/.ssh/known_hosts: No such file or directory At first I thought the problem came from ssh-keygen command. I looked in /etc/passwd and saw that the home dir of the user web3 is /var/www/clients/clientX/web3 But that of the shell user I created thru ISConfig interface for the same website is /var/www/clients/clientX/web3/private. I am connected to the server using a private key and the shell user name 'projet_prod' : ssh -i ~/.ssh/project_prod_key project_prod@servername.hostname.net I changed web3 home dir to /var/www/clients/clientX/web3/private (using root). This solved the problem. Is there a more straightforward way to do it using ISPConfig ?

added Stale label

closed

changed the description