Author Topic: Serious file owning issues (CWP Users own installation files)  (Read 12684 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
Serious file owning issues (CWP Users own installation files)
« on: February 11, 2016, 06:03:16 AM »
Hello, all my users share the same "default" package.

Code: [Select]
*** Report for user quotas on device /dev/vzfs
Block grace time: 00:00; Inode grace time: 00:00
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
[...]
amira     --    111M   1000M   1000M           8070     0     0
vgs       --    134M   1000M   1000M          16303     0     0
srdent    --    137M   1000M   1000M          16492     0     0
[...]

I created the user amira first and uploaded over 40 MB
Then I created vgs, which atm should be empty.
Then I creaded srdent, which should be empty too atm.

How is this even possible :O

The only awkward things I did is
- edited the package after and "(Update quota for all users using this package, also disables inode limits !)"
- entered CWP users using the root pw

Edit: I am using CWP version: 0.9.8.11
« Last Edit: February 11, 2016, 07:37:57 AM by ripieces »

Offline
*
Re: Serious file owning issues (CWP Users own installation files)
« Reply #1 on: February 11, 2016, 06:43:30 AM »
I did a

find / --user srdent
and it owned the whole
/tmp/php-build/

and

find / --user vgs
and it owned thw whole
/usr/local/src/cwp/php-5.4.27/

and

find / --user amira
and it owned the whole
/tmp/apache-build/httpd-2.2.27
/usr/local/apache/man/man1/*
/usr/local/apache/man/man8/*
/usr/local/apache/cgi-bin/*
/usr/local/apache/error/*
/usr/local/apache/icons/*
/usr/local/cwpsrv/man/man1/*
/usr/local/cwpsrv/man/man8/*
/usr/local/cwpsrv/cgi-bin/*
/usr/local/cwpsrv/error/*
/usr/local/cwpsrv/icons/*
/usr/local/src/cwp/httpd-2.2.27/


example:
Code: [Select]
[root@xxx cwp]# pwd
/usr/local/src/cwp
[root@xxx cwp]# ls -la
total 24200
drwxr-xr-x  6 root  root      4096 Feb  8 19:34 .
drwxr-xr-x  4 root  root      4096 Feb  8 19:38 ..
drwxr-xr-x 28  1000  1000     4096 Feb  8 19:32 apr-1.5.1
-rw-r--r--  1 root  root   1020833 Apr 19  2014 apr-1.5.1.tar.gz
drwxr-xr-x 20  1000  1000     4096 Feb  8 19:33 apr-util-1.5.3
-rw-r--r--  1 root  root    874462 Nov 16  2013 apr-util-1.5.3.tar.gz
drwxr-xr-x 12 amira amira     4096 Feb  8 19:33 httpd-2.2.27
-rw-r--r--  1 root  root   7519677 Mar 18  2014 httpd-2.2.27.tar.gz
drwxr-xr-x 17 vgs   games     4096 Feb  8 19:37 php-5.4.27
-rw-r--r--  1 root  root  15333755 Apr  4  2014 php-5.4.27.tar.gz

« Last Edit: February 11, 2016, 07:26:56 AM by ripieces »

Offline
*
Re: Serious file owning issues (CWP Users own installation files)
« Reply #2 on: February 11, 2016, 07:33:21 AM »
I fixed the permissions and ownership manually and now the quotas make much more sense:
Code: [Select]
[root@xxx /]# repquota  -a -s
*** Report for user quotas on device /dev/vzfs
Block grace time: 00:00; Inode grace time: 00:00
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
...
amira     --   49536   1000M   1000M           1449     0     0
vgs       --      40   1000M   1000M              9     0     0
srdent    --      40   1000M   1000M              9     0     0
...
#119      --    8420       0       0            345     0     0
#507      --   19036       0       0             26     0     0
#1000     --       8       0       0              2     0     0

The user #1000 is from my VPS.

However I wonder where #119 and #507 come from, they own CWP installation files!

Not only is it wasting CWP user's quotas, but also
this whole file owning issue is a severe security issue in case of shell access for CWP users and needs to be addressed!

What will prevent it from happening again?
I guess nothing?

(Also it should be considered to change the default umask for the root user to 700 instead of 755, if possible.)
« Last Edit: February 11, 2016, 07:41:25 AM by ripieces »

Offline
*
Re: Serious file owning issues (CWP Users own installation files)
« Reply #3 on: February 17, 2016, 12:44:32 PM »
I just found this post:
http://forum.centos-webpanel.com/centos-configuration/how-to-setup-user-quotas/msg5765/#msg5765

And the user that posted his repquota there has these strange users too.

I am not sure, but maybe it's a problem with the way the tar.gz source files are untared? Meaning it restores the original user ID, instead of using the root or whatever user should be used!?

Offline
*
Re: Serious file owning issues (CWP Users own installation files)
« Reply #4 on: February 17, 2016, 11:11:52 PM »
this are default php/apache packages, but we will repack them with root ownership this week
AntiDDoS Protection (web + mail)
http://centos-webpanel.com/website-ddos-protection-proxy

Join our Development Team and get paid !
http://centos-webpanel.com/develope-modules-for-cwp


Services Monitoring & RBL Monitoring
http://centos-webpanel.com/services-monitor


Do you need Fast and FREE Support included for your CWP linux server?
http://centos-webpanel.com/noc-partner-list
Installation Instructions
http://centos-webpanel.com/installation-instructions
Get Fast Support Here
http://centos-webpanel.com/support-services

Offline
*
Re: Serious file owning issues (CWP Users own installation files)
« Reply #5 on: February 18, 2016, 12:15:07 PM »
Thank you very much for your reply

I am not sure of this will save you some time, but maybe you can just simply use the tar options when extracting instead of re-packaging them:

--no-same-owner
extract files as yourself (default for ordinary users)

--no-same-permissions
apply the user's umask when extracting permissions from the archive (default for ordinary users)

Source: http://linux.die.net/man/1/tar

Maybe that is sufficient already (accroding to the manual, these are default, except for root).

Offline
*
Re: Serious file owning issues (CWP Users own installation files)
« Reply #6 on: February 18, 2016, 11:24:35 PM »
fix is added in scripts
AntiDDoS Protection (web + mail)
http://centos-webpanel.com/website-ddos-protection-proxy

Join our Development Team and get paid !
http://centos-webpanel.com/develope-modules-for-cwp


Services Monitoring & RBL Monitoring
http://centos-webpanel.com/services-monitor


Do you need Fast and FREE Support included for your CWP linux server?
http://centos-webpanel.com/noc-partner-list
Installation Instructions
http://centos-webpanel.com/installation-instructions
Get Fast Support Here
http://centos-webpanel.com/support-services