Insecure permissions for config files



wKkaY
08-04-2004, 12:37 PM
hi,

i'm using DA on FreeBSD. i have found that the /usr/local/directadmin/data/users/*/httpd.conf files are world-readable. i believe it's a good practice to restrict it to be viewable to root only. while it isn't critical, having world-readable permissions allows a local user to get a list of hosted domains for each user.

the same goes to the /etc/exim.* files. although this isn't so important, since the configs are based around a template anyway.

jmstacey
08-04-2004, 03:50 PM
I don't think it's possible because then either Directadmin won't be able to read/write to it, apache won't be able to access it etc.

This is why most people using DA have ssh disabled until a jail system is finished.

wKkaY
08-04-2004, 11:43 PM
Originally posted by jmstacey
I don't think its possible because then either

1) Directadmin won't be able to read write to it
2) apache won't be able to access it etc.

3) This is why most people using DA have ssh disabled until a jail system is finished.

1) what do world-readable permissions have anything to do with directadmin writing the file? :)

2) N/A here. apache starts as root and can read any file it likes.

3) a customer will still have local access to the system, via PHP or Perl scripting. try this for size:


#!/usr/bin/perl
use strict;
use warnings;

print "Content-type: text/plain\n\n";

# Walk /etc/passwd and, for every non-system account (uid >= 1000), print the
# ServerName lines from that user's DirectAdmin httpd.conf. This only works
# because the per-user httpd.conf files are world-readable.
open(my $passwd_fh, '<', '/etc/passwd') or die "cannot open /etc/passwd: $!";
my @passwds = <$passwd_fh>;
close($passwd_fh);

foreach my $passwd (@passwds) {
    my ($uname, $pass, $uid, $gid, $name, $home, $sh) = split(/:/, $passwd);

    if ($uid >= 1000) {
        print "$uname - $uid\n";

        # skip accounts without a DirectAdmin config instead of reading a closed handle
        open(my $apache_fh, '<', "/usr/local/directadmin/data/users/$uname/httpd.conf") or next;
        while (<$apache_fh>) { print $_ if /ServerName/; }
        close($apache_fh);
    }
}

l0rdphi1
08-05-2004, 12:00 AM
DA runs as root, correct? So /usr/local/directadmin/data/users/*/httpd.conf could be chmod 400 apache? Right?

Phi1.

ClayRabbit
08-05-2004, 10:55 AM
I just wonder why people are worried about such harmless issues as world-readable httpd.conf and exim.conf, while there are so many more important security problems around...

wKkaY
08-05-2004, 11:05 AM
you never know when something as 'harmless' like this comes back to bite you.

if you don't mind, please do not post in my thread until you have something constructive to add. thank you.

nobaloney
08-05-2004, 03:57 PM
Originally posted by l0rdphi1
DA runs as root, correct? So /usr/local/directadmin/data/users/*/httpd.conf could be chmod 400 apache? Right?

Phil,

I don't know about on a FreeBSD system, but on RHL, my directadmin daemons run as nobody:

[jlasman@da1 users]$ ps waux | grep directadmin
root 1370 0.0 0.0 2004 300 ? S Mar27 0:07 /usr/local/directadmin/da-popb4smtp
nobody 29362 0.0 0.0 3952 12 ? S Aug01 0:00 /usr/local/directadmin/directadmin d
nobody 1128 0.0 0.0 3952 12 ? S Aug04 0:00 /usr/local/directadmin/directadmin d
nobody 1129 0.0 0.0 3952 12 ? S Aug04 0:00 /usr/local/directadmin/directadmin d
nobody 1130 0.0 0.0 3952 12 ? S Aug04 0:00 /usr/local/directadmin/directadmin d
nobody 2564 0.0 0.0 3952 12 ? S Aug04 0:00 /usr/local/directadmin/directadmin d
nobody 2565 0.0 0.0 3952 12 ? S Aug04 0:00 /usr/local/directadmin/directadmin d
My guess is that the directadmin instance that runs every minute does run as root; I just wanted to clear the point for the forum archive.

Jeff

nobaloney
08-05-2004, 04:03 PM
Originally posted by wKkaY
please do not post in my thread

With all due respect (which may not be much, wKkaY), it's not your thread. It's everyone's thread, and it's on the DirectAdmin forum.

Please do not bring to the DirectAdmin community the kind of arrogance the FreeBSD mailing lists are well known for.

If you insist on doing that, you'll find that those of us who can help you, won't.

You're certainly welcome to try changing the file permissions to see whether or not you break anything.

Please let us know what you find.

Edited 08/05/04 16:09 to add:
For what it's worth, /etc/httpd/conf/httpd.conf on all installations I've looked at are all owned root:root and are world readable.

Perhaps you want to try something different. Fine. Please let us know if it impacts the system or not, so we can decide whether or not we like it, and so that we can carry on an intelligent discussion with DA rather than just make unproved assertions.

Jeff

wKkaY
08-05-2004, 05:15 PM
fine, be pedantic if you wish. s/my/this/g.

anyway, i have tested /etc/exim.conf and /usr/local/directadmin/data/users/*/httpd.conf with 600 permissions and the following two still function:

1) starting/stopping exim/apache
2) making apache-related changes (to vhosts and such)

jmstacey
08-05-2004, 10:49 PM
Changing to 600 also works for me. As such there are two options.

1. Chmod all files manually
2. Wait and see if DA approves this and makes an update.

ClayRabbit
08-06-2004, 01:40 AM
The third option is:
Simply add the line
chmod 600 /usr/local/directadmin/data/users/$username/httpd.conf
to /usr/local/directadmin/scripts/custom/domain_create_post.sh
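An added example, not ClayRabbit's exact hook and not DirectAdmin's own code: a POSIX shell script that does the chmod 600 for a newly created account when sourced from domain_create_post.sh, and also offers an audit function that lists every per-user httpd.conf still readable by "other" (the one-time pass jmstacey calls option 1). It assumes the directory layout given in this thread and that DirectAdmin passes the account name to the hook in $username, as ClayRabbit's line relies on; DA_USERS is a variable introduced here so the functions can be pointed at a test directory.

```shell
#!/bin/sh
# Added example: restrict DirectAdmin per-user httpd.conf files to their owner
# and audit for any that are still world-readable.
# Assumptions: the layout from the thread ($DA_USERS/<user>/httpd.conf) and
# that DirectAdmin's custom hooks receive the account name in $username.
# DA_USERS is overridable so the functions can be exercised against a test tree.

DA_USERS="${DA_USERS:-/usr/local/directadmin/data/users}"

# harden_user_conf BASE USER
# Drop group/other access on BASE/USER/httpd.conf. Returns 1 if the file
# does not exist (e.g. a typo in the user name), so the caller can log it.
harden_user_conf() {
    conf="$1/$2/httpd.conf"
    if [ ! -f "$conf" ]; then
        echo "harden_user_conf: no such file: $conf" >&2
        return 1
    fi
    chmod 600 "$conf"
}

# find_world_readable BASE
# Print the path of every BASE/<user>/httpd.conf whose mode still has the
# other-read bit (octal 004) set; prints nothing when the tree is clean.
find_world_readable() {
    find "$1" -mindepth 2 -maxdepth 2 -type f -name httpd.conf -perm -004
}

# Hook usage: when DirectAdmin runs domain_create_post.sh, $username is set
# and the new account's file is restricted right after creation.
if [ -n "$username" ]; then
    harden_user_conf "$DA_USERS" "$username"
fi

# Audit usage: run by hand as "sh harden_httpd_conf.sh audit" to list files
# that still need fixing after the one-time chmod pass.
if [ "$1" = "audit" ] && [ -d "$DA_USERS" ]; then
    find_world_readable "$DA_USERS"
fi
```

Sourcing this file from domain_create_post.sh is enough for new accounts, since the hook branch fires whenever $username is set; existing accounts are covered by running it with the audit argument and fixing whatever it prints. The audit deliberately checks the mode bits rather than trusting ownership, which is the same thing nobaloney was puzzled by: the files being owned by directadmin says nothing about who else can read them.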

nobaloney
08-06-2004, 07:41 AM
I've done a bit of studying this morning.

The /etc/httpd/conf/httpd.conf file is owned by root.

The /usr/local/directadmin/data/users/*/httpd.conf files are owned by directadmin.

Yet apache's preforked daemons are running as apache.

I don't know how apache can be reading httpd.conf under the circumstances wKkaY and jmstacey describe.

So I've posted to some isp lists I belong to, to see what others are doing.

Jeff

skruf
08-06-2004, 08:29 AM
Hey,

This might help:

http://httpd.apache.org/docs/invoking.html

If I read it right, the main httpd actually runs as root and the child processes run at a lesser value...

David

wKkaY
08-06-2004, 12:04 PM
clayrabbit: thanks :) and sorry for being rude before as jlasman has pointed out.

skruf: yups, you've pointed out the right page!