Serious file owning issues (CWP Users own installation files)

Hello, all my users share the same "default" package.

Code: [Select]

*** Report for user quotas on device /dev/vzfs
Block grace time: 00:00; Inode grace time: 00:00
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
[...]
amira     --    111M   1000M   1000M           8070     0     0
vgs       --    134M   1000M   1000M          16303     0     0
srdent    --    137M   1000M   1000M          16492     0     0
[...]
I created the user amira first and uploaded over 40 MB
Then I created vgs, which atm should be empty.
Then I creaded srdent, which should be empty too atm.

How is this even possible :O

The only awkward things I did is
- edited the package after and "(Update quota for all users using this package, also disables inode limits !)"
- entered CWP users using the root pw

Edit: I am using CWP version: 0.9.8.11

I did a

find / --user srdent
and it owned the whole
/tmp/php-build/

and

find / --user vgs
and it owned thw whole
/usr/local/src/cwp/php-5.4.27/

and

find / --user amira
and it owned the whole
/tmp/apache-build/httpd-2.2.27
/usr/local/apache/man/man1/*
/usr/local/apache/man/man8/*
/usr/local/apache/cgi-bin/*
/usr/local/apache/error/*
/usr/local/apache/icons/*
/usr/local/cwpsrv/man/man1/*
/usr/local/cwpsrv/man/man8/*
/usr/local/cwpsrv/cgi-bin/*
/usr/local/cwpsrv/error/*
/usr/local/cwpsrv/icons/*
/usr/local/src/cwp/httpd-2.2.27/


example:

Code: [Select]

[root@xxx cwp]# pwd
/usr/local/src/cwp
[root@xxx cwp]# ls -la
total 24200
drwxr-xr-x  6 root  root      4096 Feb  8 19:34 .
drwxr-xr-x  4 root  root      4096 Feb  8 19:38 ..
drwxr-xr-x 28  1000  1000     4096 Feb  8 19:32 apr-1.5.1
-rw-r--r--  1 root  root   1020833 Apr 19  2014 apr-1.5.1.tar.gz
drwxr-xr-x 20  1000  1000     4096 Feb  8 19:33 apr-util-1.5.3
-rw-r--r--  1 root  root    874462 Nov 16  2013 apr-util-1.5.3.tar.gz
drwxr-xr-x 12 amira amira     4096 Feb  8 19:33 httpd-2.2.27
-rw-r--r--  1 root  root   7519677 Mar 18  2014 httpd-2.2.27.tar.gz
drwxr-xr-x 17 vgs   games     4096 Feb  8 19:37 php-5.4.27
-rw-r--r--  1 root  root  15333755 Apr  4  2014 php-5.4.27.tar.gz

I fixed the permissions and ownership manually and now the quotas make much more sense:

Code: [Select]

[root@xxx /]# repquota  -a -s
*** Report for user quotas on device /dev/vzfs
Block grace time: 00:00; Inode grace time: 00:00
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
...
amira     --   49536   1000M   1000M           1449     0     0
vgs       --      40   1000M   1000M              9     0     0
srdent    --      40   1000M   1000M              9     0     0
...
#119      --    8420       0       0            345     0     0
#507      --   19036       0       0             26     0     0
#1000     --       8       0       0              2     0     0
The user #1000 is from my VPS.

However I wonder where #119 and #507 come from, they own CWP installation files!

Not only is it wasting CWP user's quotas, but also
this whole file owning issue is a severe security issue in case of shell access for CWP users and needs to be addressed!

What will prevent it from happening again?
I guess nothing?

(Also it should be considered to change the default umask for the root user to 700 instead of 755, if possible.)

I just found this post:
http://forum.centos-webpanel.com/centos-configuration/how-to-setup-user-quotas/msg5765/#msg5765

And the user that posted his repquota there has these strange users too.

I am not sure, but maybe it's a problem with the way the tar.gz source files are untared? Meaning it restores the original user ID, instead of using the root or whatever user should be used!?

this are default php/apache packages, but we will repack them with root ownership this week

Thank you very much for your reply

I am not sure of this will save you some time, but maybe you can just simply use the tar options when extracting instead of re-packaging them:

--no-same-owner
extract files as yourself (default for ordinary users)

--no-same-permissions
apply the user's umask when extracting permissions from the archive (default for ordinary users)

Source: http://linux.die.net/man/1/tar

Maybe that is sufficient already (accroding to the manual, these are default, except for root).

fix is added in scripts