
chroot httpd process

Discussion in 'Plesk Suggestions and Feedback' started by Igor Smitran, Jan 23, 2013.

  1. Igor Smitran

    Igor Smitran New Pleskian

    The httpd setup will not be secure until the developers set up a chrooted httpd process (per client).
    open_basedir is not safe enough. It is easily overridden and an attacker can easily gain access to the entire disk, including all other hosted sites.
    Also, open_basedir will not help when an attacker uses perl/cgi-bin by uploading a custom .htaccess file.

    I have already discussed this problem with Plesk support, about a year ago. I am asking you again, please, make the httpd process chrooted. If you need any help with this, feel free to contact me.

    When I was using an old plain hosting server I didn't have a web interface for clients, but my server was 10 times safer.

    Please, make this a feature request. I am willing to help you with this process...
     
  2. Igor Smitran

    Igor Smitran New Pleskian

    Does anyone here understand what I am talking about? Is this even going to be suggested to the developers to look at? Any comment would be appreciated...
     
  3. Faris Raouf

    Faris Raouf Silver Pleskian Plesk Guru

    I agree that when running php in mod_php mode things are not as secure as I would like.

    But doesn't running it in php_fcgi mode improve things very significantly?
     
  4. Igor Smitran

    Igor Smitran New Pleskian

    No, it doesn't. Not secure enough, anyway. Plesk developers decided to use open_basedir as a security precaution. That doesn't include perl scripts.
    Also, open_basedir is easily broken, giving an attacker access to the entire file system. The best possible way of securing apache is making it run in a chroot environment. This is something I already asked to be implemented almost a year ago, and nothing has changed till now :(
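As an added example (not from any post in this thread and not Plesk's own code), the following Python check takes the point made in posts 1 and 4 from the defender's side: it reads constructed Apache `<Directory>` fragments and reports the document roots where a customer-uploaded .htaccess could register a CGI handler, which is exactly the path open_basedir does not cover. It assumes mod_cgi is loaded and standard AllowOverride semantics; the vhost paths are made up.

```python
import re

def parse_directories(config_text):
    """Collect <Directory> blocks as dicts: path, lower-cased AllowOverride args, enabled Options."""
    blocks, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r'<Directory\s+"?([^">]+?)"?\s*>', line, re.I)
        if opened:
            current = {"path": opened.group(1), "override": set(), "options": set()}
        elif line.lower() == "</directory>" and current is not None:
            blocks.append(current)
            current = None
        elif current is not None:
            key, *args = line.split()
            if key.lower() == "allowoverride":
                current["override"] = {a.lower() for a in args}
            elif key.lower() == "options":  # "-Foo" disables; "+Foo" or "Foo" enables
                current["options"] = {a.lower().lstrip("+") for a in args if not a.startswith("-")}
    return blocks

def htaccess_can_enable_cgi(block):
    """True if a .htaccess under this tree can turn uploaded files into CGI scripts:
    it needs FileInfo (AddHandler/SetHandler) plus ExecCGI, which must be either already
    on in the server config or settable because AllowOverride also grants Options."""
    ov = block["override"]
    if not ov or "none" in ov:  # Apache 2.4 defaults to None; 2.2 defaulted to All
        return False
    if "all" in ov:
        return True
    can_set_execcgi = "options" in ov or any(
        o.startswith("options=") and "execcgi" in o[8:].split(",") for o in ov)
    return "fileinfo" in ov and (can_set_execcgi or "execcgi" in block["options"])

def audit(config_text):
    """Map each document root to whether a .htaccess there can enable CGI execution."""
    return {b["path"]: htaccess_can_enable_cgi(b) for b in parse_directories(config_text)}

# Constructed sample vhost fragments (made up for this example, not from a real server).
SAMPLE_CONFIG = """<Directory "/var/www/vhosts/example.com/httpdocs">
    Options FollowSymLinks ExecCGI
    AllowOverride FileInfo
</Directory>
<Directory "/var/www/vhosts/example.org/httpdocs">
    Options FollowSymLinks
    AllowOverride AuthConfig Indexes Limit
</Directory>"""
```

A root flagged True is one where restricting AllowOverride (for example to `AuthConfig Indexes Limit`) closes the .htaccess CGI route, independent of any PHP-level open_basedir setting.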
     
  5. Linulex

    Linulex Regular Pleskian

  6. Igor Smitran

    Igor Smitran New Pleskian

    Is there anyone in the Plesk development team able to answer my question??? Why is this question ignored? How many servers need to be compromised in order to implement this feature? I've offered my help; is there anything else I should do???
     
  7. Faris Raouf

    Faris Raouf Silver Pleskian Plesk Guru

    Could you possibly PM me with more specific details about your concerns? Maybe some examples, including some code, that would allow a compromise?

    The more you can tell me about your concerns, the more I will be able to help.

    My particular interest happens to be security, so this is something I want to know more about.

    The Plesk developers do frequent the forums from time to time and are very interested in problems reported by users. But specifics are needed, and I don't really want specifics of this nature posted in the forum.
     
  8. IgorG

    IgorG Forums Analyst Staff Member

    Now I only see lengthy statements. In order to send the problem to the developers, we need a complete and detailed description of the problem and detailed (step-by-step) instructions on how the problem can be reproduced. You can send me a private message with a detailed report. I will send it to the responsible persons.
     
  9. StéphanS

    StéphanS Regular Pleskian


    Any news on this?
     
  10. Igor Smitran

    Igor Smitran New Pleskian

    I've sent a PM to Faris. Waiting for his response.
     
  11. StéphanS

    StéphanS Regular Pleskian

    Submit this to http://plesk.uservoice.com/ please.
    This should be high on the priorities list for Plesk 11.5/12!
    I will be sure to vote for it.

    Imagine the competitive edge Plesk would have over cPanel, and imagine how many fewer security issues there would be.

    Win-win!
     
  12. Igor Smitran

    Igor Smitran New Pleskian

    I don't think Plesk developers want my help on this...
     
  13. StéphanS

    StéphanS Regular Pleskian

    Please add the concept to the list anyway ;)

    If enough people vote for it, Parallels will have to at least look into it.
     
  14. IgorG

    IgorG Forums Analyst Staff Member

    Exactly. The most voted requests have the highest priority.
     
  15. Igor Smitran

    Igor Smitran New Pleskian

    1. I have sent an exploit example to Faris.
    2. I have sent a howto for apache chroot to Faris.
    3. I have offered my help in implementing this feature to Plesk.

    We are talking about a serious security improvement of the Plesk interface and all I get is "Most voted requests have the highest priority". You gotta be kidding me, right? :)
    As far as I can see you will sell your product to everyone without any guilt. You don't like to think about the security of your product? Even when offered free help to make it more secure? I even decided to send you a PM with the exploit. Maybe it would be better to make it available to the public? How many votes would you expect? Or, even better, how many of your clients would decide to drop your product and buy something other than Plesk Panel? I sure will do the latter...

    Regards,
    Igor Smitran
     
  16. IgorG

    IgorG Forums Analyst Staff Member

    Have you sent the exploit with a description to someone from Parallels? I have not received it. Faris is not an employee of Parallels.
     
  17. Igor Smitran

    Igor Smitran New Pleskian

    @IgorG, you saw this post like everyone else. From this post it's easy to conclude that Faris is working with the Plesk developers. You didn't react to this...

    Ask Faris to forward my PM to you.

     
  18. Faris Raouf

    Faris Raouf Silver Pleskian Plesk Guru

    Sorry everybody -- I've been occupied with other matters and have not had a chance to do much else until now.

    I've just forwarded Igor S's message to Igor G.

    And no, I don't work for Parallels (???). Parallels staff have a Parallels Logo just under their name. No logo = not Parallels.
     
  19. IgorG

    IgorG Forums Analyst Staff Member

    Guys, I have forwarded the message from Igor Smitran to the responsible person, and I will update this thread with the results of the investigation as soon as I receive them.
     
  20. IgorG

    IgorG Forums Analyst Staff Member

    I have received the following comment:
     