user_dir : Be CAREFUL

Hello,

Since the 1.9 InterWorx release, users may access their website by using the IP and their account name

http://xxx.xxx.xxx.xxx/~account

We will name this method the user_dir method.

It’s ok, but if you do not modify the httpd.conf file it may cause a huge security breach.

Indeed, if you protect a folder with .htaccess and .htpasswd files, this protection will not work when users access your website by using the ‘user_dir’ method.

–> see my previous post: http://interworx.info/forums/showthread.php?t=514 and how we resolved this problem

In fact, when a user accesses the website using the user_dir method, Apache takes into account the options in <Directory /home/*/public_html> and not the definition of the VirtualHost.

Another problem with this solution is that, in fact, Apache takes the first VirtualHost definition found on this IP.

For example, I have edited my Apache domain.tld.conf file to add this line:
php_value include_path ".:/home/xxx/yyy/zzz"

Now if we look at a phpinfo we will see that we don’t have the right include path when accessing our website using the user_dir method, but we have the right one when accessing our website using the normal method (http://domain.tld).

Http://65.110.36.145/~hebergem/info.php
–> look at the include_path: it is wrong, in fact it is the default one

Http://hebegrement-siteweb.fr/info.php
–> The include_path is the right one.

If you look closely at the phpinfo with the user_dir method, there is something very bad.

Server Administrator webmaster@aides-zen.net
Hostname:Port aides-zen.net:0
DOCUMENT_ROOT /home/aideszen/aides-zen.net/html
SERVER_ADMIN webmaster@aides-zen.net
SCRIPT_FILENAME /home/hebergem/public_html/info.php

It takes as Server Administrator, Hostname, DOCUMENT_ROOT and SERVER_ADMIN the data of the first VirtualHost hosted on this IP. The script filename is OK.

I’m afraid. Does it mean that it takes all the VirtualHost configuration? YES

It also means that even if the user has the AllowOverride option set on, the php_value/php_flag .htaccess directives he creates won’t work well.

So be very careful when you give this access method to your users.

All comments on how to set up the user_dir correctly to have exactly the same options/rights as the VirtualHost are really welcome.

Pascal

It would be great to have the iworx team’s words :slight_smile:

Pascal,

I’d simply recommend against using the user_dir and use a temp domain based on a pointer domain instead. I’ll ponder the best way to solve this with iworx-cp.

Chris

One thing you can do is only allow the UserDir on specific accounts. This isn’t the most user-friendly way if you have to do this manually.

Maybe Iworx could do this with a cron job. It could be part of the --daily. It would check if an account has been created in the last 72 hours. If an account is still in the new period then it will still have the UserDir enabled. After 72 hours the cron job would remove this from the Apache config file, and since Apache is restarted anyway it will take effect right then.

This way you give the new accounts access for a limited time, but once they should be able to use the regular domain name there is no need for the UserDir.

Sorry Chris but I don’t understand what you mean :-p

You say to create a “temp domain” and create a pointer domain that points to this temp domain?

Er, ok, but I can’t figure out why and to do what?

lol

Could you please be more explicit :-p

Thanks

Pascal

Hi

This thread is old, but I reopen it, as it is still relevant.

There are some solutions to not have the first VirtualHost definition. See my post here: http://www.interworx.com/forums/showthread.php?t=1755

[QUOTE=IWorx-Chris;3289]Pascal,

I’d simply recommend against using the user_dir and use a temp domain based on a pointer domain instead. I’ll ponder the best way to solve this with iworx-cp.

Chris[/QUOTE]

I do not understand what Chris means, could somebody explain it?

[QUOTE=Justec;3291]One thing you can do is only allow the UserDir on specific accounts. This isn’t the most user-friendly way if you have to do this manually.

Maybe Iworx could do this with a cron job. It could be part of the --daily. It would check if an account has been created in the last 72 hours. If an account is still in the new period then it will still have the UserDir enabled. After 72 hours the cron job would remove this from the Apache config file, and since Apache is restarted anyway it will take effect right then.

This way you give the new accounts access for a limited time, but once they should be able to use the regular domain name there is no need for the UserDir.[/QUOTE]

In fact it is a really good idea.

Maybe InterWorx could allow setting the user_dir on or off per VirtualHost.
It could be a new page in NodeWorx that lists all SiteWorx accounts and gives for each of them some “virtualhost” settings like:
user_dir : on/off
safe_mode : on/off
open_basedir : define
etc…

It could have some default options like: user_dir on or off by default, open_basedir by default, etc…

And as Justec said, it might be great to allow, for example, having user_dir on by default for every new SiteWorx account for a certain amount of time, like 72h00!

What do you think about this ?

Pascal

Arfff, this option is needed.

These last days some bad guys used the user_dir option to use our server to perform some mail bombing!

142800 mails sent :\

How? Really easy. It’s true it is our fault, or rather the way we give access to an account.

A client pays for an account and a domain. Our home-made software automatically creates the account in NodeWorx and sends an email to the user telling him he can access his website now with http://100.100.1.1/~account

So before we register the domain name, the user can upload a script to the server and then run it from the web. That’s what they did!

They installed mail bombing software and sent a hundred thousand mails!
We quickly saw this and stopped everything (flushing the mail queue, etc.)

So the solution could be to have an option to set this off by default and open a user_dir only for one account. This way we could open the user_dir just on demand.

It is what we do now.

UserDir disabled
UserDir enabled account1 account2 etc

Hope it might help some of you before it happens on your server :wink:

Pascal
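Justec's time-limited UserDir idea and Pascal's deny-by-default `UserDir disabled` / `UserDir enabled ...` list, combined into one POSIX sh script as an added example (not code from the thread, from InterWorx or from the posters). It assumes the daily cron passes account:creation-epoch pairs, that the directory mtime under /home stands in for the real account creation time, and that the output path /etc/httpd/conf.d/userdir_window.conf is a hypothetical placeholder included from httpd.conf.

```shell
#!/bin/sh
# Added example, not code from the thread or from InterWorx.
# Deny-by-default UserDir: ~account access is enabled only for accounts still
# inside a grace window (72h00 in the thread), so an account whose domain is
# not yet live can use http://IP/~account and every other account cannot.

GRACE_SECONDS=$((72 * 3600))

# userdir_conf NOW account:created_epoch [account:created_epoch ...]
# Prints the Apache directives. Accounts are passed as pairs so the policy
# can be exercised without a real /home.
userdir_conf() {
    now="$1"
    shift
    enabled=""
    for pair in "$@"; do
        account="${pair%%:*}"
        created="${pair##*:}"
        if [ $((now - created)) -lt "$GRACE_SECONDS" ]; then
            enabled="$enabled $account"
        fi
    done
    # First line disables UserDir for every account; the second re-enables
    # only the listed ones (the same two directives Pascal sets by hand).
    printf 'UserDir disabled\n'
    if [ -n "$enabled" ]; then
        printf 'UserDir enabled%s\n' "$enabled"
    fi
}

# collect_accounts: account:epoch pairs from the home directories, using the
# directory mtime as a stand-in for the real creation time (assumption;
# GNU stat syntax).
collect_accounts() {
    for dir in /home/*/; do
        [ -d "$dir" ] || continue
        printf '%s:%s\n' "$(basename "$dir")" "$(stat -c %Y "$dir")"
    done
}

# Intended daily cron step (hypothetical conf path, included from httpd.conf):
#   userdir_conf "$(date +%s)" $(collect_accounts) \
#       > /etc/httpd/conf.d/userdir_window.conf && apachectl graceful
```

This only limits which accounts can be reached through the ~account path; as the first post shows, requests that do get through are still answered by the first VirtualHost on the IP, so it does not change which vhost's settings apply.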

Hi Interworx team :wink:

Do you think an option like this one would be integrated one day?

Just to know if we should try to develop a solution or if we stay with a manual solution and wait for an upcoming minor release?

Thanks

Pascal

It’s still an unresolved issue and creates a pretty serious security hole.