  #1  
Old 12-18-2010, 11:16 AM
NC-Designs NC-Designs is offline
Senior Member
 
Join Date: Aug 2010
Posts: 58
Access Denied Directories??

Hi, what exactly are access denied directories there for? I am sure with the previous version (4.0.17) they used to work, as customers could not get hold of files such as passwd.

Now I find that they can view these files (since updating to 4.0.18).

Any ideas or suggestions on this?

Kind Regards,
Chris
  #2  
Old 12-19-2010, 12:35 AM
webizen webizen is offline
LiteSpeed Staff
 
Join Date: Oct 2010
Posts: 2,337
An access denied directory is for protecting data inside (such as configurations, sensitive info or something in the middle of updating) from being accessed directly via HTTP (web access from end user). It is mainly for security reasons.

Are you saying files in a directory that used to be blocked in 4.0.17 become accessible once LSWS is upgraded to 4.0.18? If so, can you check if the context for the blocked directory has been changed (web console->Configuration->Virtual Host->Context->URI in question->accessible) after the upgrade?
  #3  
Old 12-19-2010, 03:42 AM
NC-Designs NC-Designs is offline
Senior Member
 
Join Date: Aug 2010
Posts: 58
Yeah, exactly that... In my access denied directories I have the following -
Code:
/
/var/*
/install/*
/sys/*
/selinux/*
/etc/*
/dev/*
$SERVER_ROOT/conf/*
$SERVER_ROOT/admin/conf/*
With version 4.0.17 I could not access files under /etc/ via web scripts (for example /etc/passwd) that LiteSpeed was serving. Now since upgrading I can.

I am running cPanel with this so have no virtual host entries on the Litespeed panel.

Thanks,
Chris.
  #4  
Old 12-19-2010, 09:50 PM
webizen webizen is offline
LiteSpeed Staff
 
Join Date: Oct 2010
Posts: 2,337
Please post here or via private message some sample Apache configuration and how your web script accesses one of the files. This is to help us reproduce the issue.
  #5  
Old 01-03-2011, 06:03 AM
NC-Designs NC-Designs is offline
Senior Member
 
Join Date: Aug 2010
Posts: 58
Hi, sorry for the delayed reply. I am not sure what you mean by how it accesses files?

It is LiteSpeed; it calls the configuration of the httpd.conf to get the virtualhost location. This file is located at /usr/local/apache/conf/httpd.conf

It then calls the file from the correct location. Below is an example of the Virtualhost entry with sensitive content removed.

Thanks.


Code:
<VirtualHost XX.XXX.XX.XX:80>
    ServerName testserver.config.com
    ServerAlias www.testserver.config.com
    DocumentRoot /home/filetest/public_html
    ServerAdmin webmaster@testserver.config.com
    UseCanonicalName Off
        Options -ExecCGI -Includes
        RemoveHandler cgi-script .cgi .pl .plx .ppl .perl
    CustomLog /usr/local/apache/domlogs/testserver.nchost.co.uk combined
    CustomLog /usr/local/apache/domlogs/testserver.nchost.co.uk-bytes_log "%{%s}t %I .\n%{%s}t %O ."
    ## User filetest # Needed for Cpanel::ApacheConf
    UserDir disabled
    UserDir enabled filetest
    <IfModule mod_suphp.c>
        suPHP_UserGroup filetest filetest
    </IfModule>
    <IfModule concurrent_php.c>
        php4_admin_value open_basedir "/home/filetest:/usr/lib/php:/usr/php4/lib/php:/usr/local/lib/php:/usr/local/php4/lib/php:/tmp"
        php5_admin_value open_basedir "/home/filetest:/usr/lib/php:/usr/local/lib/php:/tmp"
    </IfModule>
    <IfModule !concurrent_php.c>
        <IfModule mod_php4.c>
            php_admin_value open_basedir "/home/filetest:/usr/lib/php:/usr/php4/lib/php:/usr/local/lib/php:/usr/local/php4/lib/php:/tmp"
        </IfModule>
        <IfModule mod_php5.c>
            php_admin_value open_basedir "/home/filetest:/usr/lib/php:/usr/local/lib/php:/tmp"
        </IfModule>
        <IfModule sapi_apache2.c>
            php_admin_value open_basedir "/home/filetest:/usr/lib/php:/usr/php4/lib/php:/usr/local/lib/php:/usr/local/php4/lib/php:/tmp"
        </IfModule>
    </IfModule>
    <IfModule !mod_disable_suexec.c>
        SuexecUserGroup filetest filetest
    </IfModule>
    ScriptAlias /cgi-bin/ /home/filetest/public_html/cgi-bin/

    Include "/usr/local/apache/conf/userdata/*.conf"
    Include "/usr/local/apache/conf/userdata/*.owner-root"
    Include "/usr/local/apache/conf/userdata/std/*.conf"
    Include "/usr/local/apache/conf/userdata/std/*.owner-root"
    Include "/usr/local/apache/conf/userdata/std/2/*.conf"
    Include "/usr/local/apache/conf/userdata/std/2/*.owner-root"

</VirtualHost>
  #6  
Old 01-03-2011, 09:10 AM
mistwang mistwang is offline
LiteSpeed Staff
 
Join Date: May 2003
Location: New Jersey
Posts: 7,583
Quote:
Originally Posted by NC-Designs
With version 4.0.17 I could not access files under /etc/ via web scripts (for example /etc/passwd) that litespeed was serving. Now since upgrading I can.
LiteSpeed won't be able to control external web scripts. If you use PHP for the web script, it is likely the open_basedir configuration of PHP that prevents the script from accessing /etc/*. You can compare the phpinfo page between 4.0.18 and 4.0.17.
  #7  
Old 01-26-2011, 07:52 AM
sameer sameer is offline
New Member
 
Join Date: Jan 2011
Posts: 2
Actually 4.0.18 is ignoring open_basedir completely. We recently upgraded two of our servers to 4.0.18 but ended up downgrading to 4.0.17 to get open_basedir protection working.
  #8  
Old 01-26-2011, 12:32 PM
webizen webizen is offline
LiteSpeed Staff
 
Join Date: Oct 2010
Posts: 2,337
4.0.18 works fine with open_basedir. Post your config here for us to troubleshoot further if you want.
  #9  
Old 01-26-2011, 12:37 PM
sameer sameer is offline
New Member
 
Join Date: Jan 2011
Posts: 2
What configuration information is needed??

I am using cPanel's "PHP open_basedir Tweak". I have downgraded/upgraded several times, but open_basedir doesn't work with 4.0.18.
  #10  
Old 01-26-2011, 05:20 PM
webizen webizen is offline
LiteSpeed Staff
 
Join Date: Oct 2010
Posts: 2,337
You need to add "concurrent_php" to Ignored Apache modules in Admin Console -> Server -> General tab.
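Added example, not part of any post in the thread and not LiteSpeed's code: a small checker that shows which `open_basedir` lines in a cPanel vhost like the one in post #5 are reachable, depending on which modules the `<IfModule>` tests treat as present. The module sets passed in are assumptions for illustration; the thread does not state how LiteSpeed evaluates these blocks or which directive names it honours.

```python
import re

# Constructed sample: the IfModule nesting from the vhost posted above, trimmed.
SAMPLE_VHOST = """
<IfModule concurrent_php.c>
    php5_admin_value open_basedir "/home/filetest:/usr/lib/php:/usr/local/lib/php:/tmp"
</IfModule>
<IfModule !concurrent_php.c>
    <IfModule mod_php5.c>
        php_admin_value open_basedir "/home/filetest:/usr/lib/php:/usr/local/lib/php:/tmp"
    </IfModule>
</IfModule>
"""

OPEN = re.compile(r"<IfModule\s+(!?)([^>\s]+)\s*>", re.I)
CLOSE = re.compile(r"</IfModule\s*>", re.I)
BASEDIR = re.compile(r'(php\d?_admin_value)\s+open_basedir\s+"?([^"\s]+)"?', re.I)


def active_open_basedir(conf_text, loaded_modules):
    """Return [(directive, [paths])] for every open_basedir line whose enclosing
    <IfModule> tests all pass when `loaded_modules` are treated as present."""
    stack, found = [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        m = OPEN.match(line)
        if m:
            present = m.group(2) in loaded_modules
            stack.append(present != bool(m.group(1)))  # leading "!" inverts the test
            continue
        if CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        m = BASEDIR.match(line)
        if m and all(stack):
            found.append((m.group(1), m.group(2).split(":")))
    return found


if __name__ == "__main__":
    # Hypothetical module sets; which modules a given server reports is an assumption.
    for label, mods in [("concurrent_php.c seen", {"concurrent_php.c", "mod_php5.c"}),
                        ("concurrent_php.c ignored", {"mod_php5.c"}),
                        ("no PHP module seen", set())]:
        names = [d for d, _ in active_open_basedir(SAMPLE_VHOST, mods)]
        print(f"{label:26} -> {names or 'NO open_basedir directive reached'}")
```

Comparing the result against the `open_basedir` value shown on a phpinfo page for the same vhost confirms whether the directive that is reached is also the one PHP actually applied.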
All times are GMT -7.