Access Denied Directories??

Discussion in 'General' started by NC-Designs, Dec 18, 2010.

  1. NC-Designs

    NC-Designs New Member

Hi, what exactly are access denied directories there for? I am sure with the previous version (4.0.17) they used to work, as customers could not get hold of files such as passwd.

Now I find that they can view these files (since updating to 4.0.18).

    Any ideas or suggestions on this?

    Kind Regards,
    Chris
  2. webizen

    webizen New Member

An access denied directory is for protecting data inside it (such as configurations, sensitive info or something in the middle of updating) from being accessed directly via HTTP (web access from an end user). It is mainly for security reasons.

Are you saying files in a directory that used to be blocked in 4.0.17 became accessible once lsws was upgraded to 4.0.18? If so, can you check whether the context for the blocked directory has been changed (web console->Configuration->Virtual Host->Context->URI in question->accessible) after the upgrade?
  3. NC-Designs

    NC-Designs New Member

Yeah, exactly that. In my access denied directories I have the following:
    Code:
    /
    /var/*
    /install/*
    /sys/*
    /selinux/*
    /etc/*
    /dev/*
    $SERVER_ROOT/conf/*
    $SERVER_ROOT/admin/conf/*
With version 4.0.17 I could not access files under /etc/ via web scripts (for example /etc/passwd) that LiteSpeed was serving. Now, since upgrading, I can.

I am running cPanel with this, so I have no virtual host entries in the LiteSpeed panel.

    Thanks,
    Chris.
  4. webizen

    webizen New Member

Please post here or via private message some sample Apache configuration and how your web script accesses one of the files. This is to help us reproduce the issue.
  5. NC-Designs

    NC-Designs New Member

Hi, sorry for the delayed reply. I am not sure what you mean by how it accesses files?

It is LiteSpeed; it reads the httpd.conf configuration to get the virtual host location. This file is located at /usr/local/apache/conf/httpd.conf

It then serves the file from the correct location. Below is an example of the VirtualHost entry with sensitive content removed.

    Thanks.


    Code:
    <VirtualHost XX.XXX.XX.XX:80>
        ServerName testserver.config.com
        ServerAlias www.testserver.config.com
        DocumentRoot /home/filetest/public_html
        ServerAdmin webmaster@testserver.config.com
        UseCanonicalName Off
            Options -ExecCGI -Includes
            RemoveHandler cgi-script .cgi .pl .plx .ppl .perl
        CustomLog /usr/local/apache/domlogs/testserver.nchost.co.uk combined
        CustomLog /usr/local/apache/domlogs/testserver.nchost.co.uk-bytes_log "%{%s}t %I .\n%{%s}t %O ."
        ## User filetest # Needed for Cpanel::ApacheConf
        UserDir disabled
        UserDir enabled filetest
        <IfModule mod_suphp.c>
            suPHP_UserGroup filetest filetest
        </IfModule>
        <IfModule concurrent_php.c>
            php4_admin_value open_basedir "/home/filetest:/usr/lib/php:/usr/php4/lib/php:/usr/local/lib/php:/usr/local/php4/lib/php:/tmp"
            php5_admin_value open_basedir "/home/filetest:/usr/lib/php:/usr/local/lib/php:/tmp"
        </IfModule>
        <IfModule !concurrent_php.c>
            <IfModule mod_php4.c>
                php_admin_value open_basedir "/home/filetest:/usr/lib/php:/usr/php4/lib/php:/usr/local/lib/php:/usr/local/php4/lib/php:/tmp"
            </IfModule>
            <IfModule mod_php5.c>
                php_admin_value open_basedir "/home/filetest:/usr/lib/php:/usr/local/lib/php:/tmp"
            </IfModule>
            <IfModule sapi_apache2.c>
                php_admin_value open_basedir "/home/filetest:/usr/lib/php:/usr/php4/lib/php:/usr/local/lib/php:/usr/local/php4/lib/php:/tmp"
            </IfModule>
        </IfModule>
        <IfModule !mod_disable_suexec.c>
            SuexecUserGroup filetest filetest
        </IfModule>
        ScriptAlias /cgi-bin/ /home/filetest/public_html/cgi-bin/
    
        Include "/usr/local/apache/conf/userdata/*.conf"
        Include "/usr/local/apache/conf/userdata/*.owner-root"
        Include "/usr/local/apache/conf/userdata/std/*.conf"
        Include "/usr/local/apache/conf/userdata/std/*.owner-root"
        Include "/usr/local/apache/conf/userdata/std/2/*.conf"
        Include "/usr/local/apache/conf/userdata/std/2/*.owner-root"
    
    </VirtualHost>
  6. mistwang

    mistwang LiteSpeed Staff

LiteSpeed won't be able to control external web scripts. If you use PHP for the web script, it is likely the open_basedir configuration of PHP that prevents the script from accessing /etc/*. You can compare the phpinfo page between 4.0.18 and 4.0.17.
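To check the point made here, that it is PHP's open_basedir rather than the web server that keeps a script out of /etc, here is an added audit (not LiteSpeed's or cPanel's code) that parses cPanel-style VirtualHost blocks like the one posted above and reports each ServerName whose open_basedir is missing or admits a system directory. The config below is constructed for the demo.

```python
import re

# Constructed sample in the shape of the vhost posted above: the second vhost
# deliberately lacks open_basedir and the third deliberately allows /etc.
SAMPLE_CONF = """
<VirtualHost 10.0.0.1:80>
    ServerName testserver.config.com
    <IfModule mod_php5.c>
        php_admin_value open_basedir "/home/filetest:/usr/lib/php:/usr/local/lib/php:/tmp"
    </IfModule>
</VirtualHost>
<VirtualHost 10.0.0.1:80>
    ServerName nobasedir.example
</VirtualHost>
<VirtualHost 10.0.0.1:80>
    ServerName loose.example
    php_admin_value open_basedir "/home/loose:/etc:/tmp"
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S)
NAME_RE = re.compile(r"^\s*ServerName\s+(\S+)", re.M)
# Matches php_admin_value, php4_admin_value and php5_admin_value lines.
BASEDIR_RE = re.compile(r'^\s*php\d?_admin_value\s+open_basedir\s+"?([^"\n]+)"?', re.M)
# Directories from the thread's Access Denied Directories list that a PHP
# script should never be allowed to open.
SYSTEM_DIRS = ("/etc", "/var", "/dev", "/sys")


def audit_open_basedir(conf):
    """Return {server_name: [finding, ...]} for every vhost block in conf."""
    findings = {}
    for block in VHOST_RE.findall(conf):
        m = NAME_RE.search(block)
        name = m.group(1) if m else "<unnamed>"
        problems = []
        values = BASEDIR_RE.findall(block)
        if not values:
            problems.append("no open_basedir set: PHP may read any readable file")
        for value in values:
            for d in value.split(":"):  # open_basedir is a colon-separated list
                d = d.rstrip("/")
                if d == "" or d in SYSTEM_DIRS or any(d.startswith(s + "/") for s in SYSTEM_DIRS):
                    problems.append("open_basedir allows system path " + (d or "/"))
        findings[name] = problems
    return findings


if __name__ == "__main__":
    for host, problems in audit_open_basedir(SAMPLE_CONF).items():
        print(host, problems or "ok")
```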
  7. sameer

    sameer New Member

Actually 4.0.18 is ignoring open_basedir completely. I recently upgraded two of our servers to 4.0.18 but ended up downgrading to 4.0.17 to get open_basedir protection working.
  8. webizen

    webizen New Member

    4.0.18 works fine with open_basedir. Post your config here for us to troubleshoot further if you want.
  9. sameer

    sameer New Member

What configuration information is needed?

I am using cPanel's "PHP open_basedir Tweak". I have downgraded/upgraded several times but open_basedir doesn't work with 4.0.18.
  10. webizen

    webizen New Member

    You need to add "concurrent_php" to Ignored Apache modules in Admin Console -> Server -> General tab.
  11. NC-Designs

    NC-Designs New Member

    So is there a solution to this?

    Access denied directories used to work and should still work as it clearly states in the following text -

    Code:
    Specifies the directories that should be blocked from access.  Add directories that contain sensitive data to this list to prevent accidentally  exposing sensitive files to clients. Append a "*" to the path to include all sub-directories.  If both Follow Symbolic Link and Check Symbolic Link are enabled, symbolic  links will be checked against the denied directories.
So you are coming up with a crap excuse for support and saying that LiteSpeed won't be able to control external web scripts. LiteSpeed serves the content, hence LiteSpeed can simply block the content.

    Webizen was completely right in stating
Please, look into this seriously. Now I'm not stupid and I have paid a lot of money for this product... I know this feature used to work. And if it isn't to prevent external scripts from getting the data, what is it there for?
    Last edited: Feb 6, 2011
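To make the semantics quoted from the option's help text concrete (a trailing "*" covers the directory and all sub-directories, an entry without it matches that directory only, and with symbolic-link checking the resolved target is what gets tested), here is an added Python check that is not LiteSpeed's code and not from this thread; it uses the denied list posted above, with $SERVER_ROOT assumed to be /usr/local/lsws.

```python
import os
import posixpath
import shutil
import tempfile

# Constructed copy of the Access Denied Directories list posted in the thread;
# $SERVER_ROOT is expanded to an assumed install path.
SERVER_ROOT = "/usr/local/lsws"  # assumption, not stated in the thread
DENIED = [
    "/", "/var/*", "/install/*", "/sys/*", "/selinux/*", "/etc/*", "/dev/*",
    SERVER_ROOT + "/conf/*", SERVER_ROOT + "/admin/conf/*",
]


def is_denied(path, denied=DENIED, check_symlink=False):
    """True if the path falls under a denied entry.

    A trailing '*' makes an entry cover the directory and everything below it;
    an entry without '*' matches that directory itself only (so the bare '/'
    entry does not block /home/...). '..' segments are collapsed first, so a
    traversal like /home/x/../../etc/passwd is judged by its real location.
    With check_symlink=True the path is resolved through symlinks, as the
    "Check Symbolic Link" option does, so a link pointing into /etc is caught.
    """
    p = posixpath.normpath(path)
    if check_symlink:
        p = os.path.realpath(p)
    for entry in denied:
        if entry.endswith("/*"):
            base = entry[:-2] or "/"
            if p == base or p.startswith(base.rstrip("/") + "/"):
                return True
        elif posixpath.normpath(entry) == p:
            return True
    return False


def symlink_demo():
    """Make a temp dir with a link to /etc/passwd and return
    (result without symlink check, result with symlink check)."""
    work = tempfile.mkdtemp()
    try:
        link = os.path.join(work, "innocent.txt")
        os.symlink("/etc/passwd", link)  # the target need not exist
        return is_denied(link), is_denied(link, check_symlink=True)
    finally:
        shutil.rmtree(work)
```

Note that this models only what the server itself serves or resolves; as the staff replies in this thread say, a CGI or Perl script opening the file in its own process is outside this check.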
  12. NC-Designs

    NC-Designs New Member

    Come on please...
  13. webizen

    webizen New Member

    Have you tried this? You can verify if open_basedir is set with a phpinfo page.
  14. NC-Designs

    NC-Designs New Member

Open_basedir is set, yeah, but I don't want them to receive such a descriptive error. LiteSpeed's access denied directories did this perfectly when they were working.

Also, open_basedir only prevents PHP scripts from accessing these directories; what about Perl exploits that happily list out every single domain on the server?

    Regards,
    Chris.
  15. mistwang

    mistwang LiteSpeed Staff

Access denied directories never stop Perl or CGI scripts, no matter which version of LSWS you use. Feel free to verify that by switching back to an older version.
Those scripts run in their own process and talk to the Linux kernel directly. LiteSpeed has no way to interfere with that; no user-land application can do that.
  16. muiruri

    muiruri Member

In my case, I'm having trouble with several sites running on the Miva application. They do not load and give the following error:

    "403 Forbidden Access to this resource on the server is denied!"

When I check the error details on the LSWS console I get the following:

    [ERROR] [99.999.99.99:3667-0#APVH_domain.com] MIME type [application/x-httpd-miva] for suffix '.mv' does not allow serving as static file, access denied!

    How do I make this work?

We've temporarily switched back to Apache, because none of the sites running Miva will work.

I had seen a post somewhere that maybe I can use "Script Handler" to define it, or use the "External App" menu option in the LSWS console.

    If this is one of the places to use, which one would I use and what lines should I use? For example what would be the "handler type"?

We have LSWS 4.1.1.

    Apache works fine and does not have this error.

    Regards, Sam
    Last edited: Jul 6, 2011
  17. mistwang

    mistwang LiteSpeed Staff

Get the latest build of 4.1.2 by changing the version number in the download link.
It should be addressed.