Jump to content
Froxlor Forum
  • 0

Run scripts with the rights of the FTP user


Exploit

Question

The user frendly interface makes Froxler to a very interesting project. I installed it to setup a shared-hosting server.

 

Since I cannot trust any script uploaded by unknown users, I miss some important security features.

  1. The first and most important is to run them with mod_suexec.
  2. The second is to use virtual directories.

Is there any work in progress to get Froxler secure for shared hosts? If I can help with some PHP programming on that, just let me know where to start.

 

Keep going on with the good work.

Link to comment
Share on other sites

6 answers to this question

Recommended Posts

Step 1 is done so far, The sites are running with suEXEC and FCGID.

 

I followed the steps from:

http://wiki.froxlor.org/contrib/german/de-fcgid-handbook

(why is it so hard to find documentation like this on this website???)

 

It worked fine, exept the steps of point 8 to run froxler from user froxlorlocal. I ended up with a white screen with the message:

You have to make the file "./lib/userdata.inc.php" readable for the http-process!

 

after "a2dismod php5" I can download the php-code with the browser. So it seems that the checkbox to run Froxler under FCGID isn't working.

 

 

Off course, safe_mode like suggested above isn't an option for a serious hosting project. :blink:

Link to comment
Share on other sites

(why is it so hard to find documentation like this on this website???)

 

It's going to change, just wait :)

 

It worked fine, exept the steps of point 8 to run froxler from user froxlorlocal. I ended up with a white screen with the message:

You have to make the file "./lib/userdata.inc.php" readable for the http-process!

 

Well, isn't there also a point in the handbook which sais: "chown -R froxlorlocal:froxlorlocal /var/www/froxlor" ?

 

after "a2dismod php5" I can download the php-code with the browser. So it seems that the checkbox to run Froxler under FCGID isn't working.

 

Then you either did something wrong, or the cronjob didn't run, etc. Please post logs and the Froxlor-Vhost Configuration (either in /etc/apache2/sites-enabled/10_*.conf or /etc/apache2/sites-enabled/99-*.conf [at the top])

 

Off course, safe_mode like suggested above isn't an option for a serious hosting project. :blink:

 

Don't use it then

Link to comment
Share on other sites

The problem was a conflict with the default apache .conf files

The following steps solved it for me: (on Debian)

 

1. Prevent that Cron will crash the server while you're changing this settings

/etc/init.d/cron stop

 

2. Comment out the line "Include /etc/apache2/ports.conf" in "/etc/apache2/apache2.conf"

 

3. remove the default apache configs from "/etc/apache2/sites-enabled"

a2dissite 000-default
a2dissite 000-default-ssl

 

4. In froxlor, go to "IPs und Ports" and make sure that Listen and NameVirtualHost are enabled for all IP's

 

5. execute the Cron-job to apply the Froxlor-settings

/usr/bin/php5 -q /var/www/froxlor/scripts/froxlor_master_cronjob.php

 

6. Test the new config and restart Apache and Cron

apache2ctl configtest
apache2ctl graceful
/etc/init.d/cron start

 

Hope it saves some time for the next one with te same problem ;)

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...