
chroot httpd process

Igor Smitran

New Pleskian
The httpd setup will not be secure until the developers set up a chrooted httpd process (per client).
open_basedir is not safe enough. It is easily overridden and an attacker can easily get access to the entire disk, including all other hosted sites.
Also, open_basedir will not help when an attacker uses perl/cgi-bin by uploading a custom .htaccess file.

I already discussed this problem with Plesk support, about a year ago. I am asking you again, please, make the httpd process chrooted. If you need any help with this feel free to contact me.

When I was using an old plain hosting server I didn't have a web interface for clients, but my server was 10 times safer.

Please, make this a feature request. I am willing to help you with this process...
 
Does anyone here understand what I am talking about? Is this even going to be suggested to the developers to look at? Any comment would be appreciated...
 
I agree that when running PHP in mod_php mode things are not as secure as I would like.

But doesn't running it in php_fcgi mode improve things very significantly?
 
No, it doesn't. Not secure enough anyway. Plesk developers decided to use open_basedir as a security precaution. That doesn't cover perl scripts.
Also, open_basedir is easily broken, giving the attacker access to the entire file system. The best possible way of securing apache is making it run in a chroot environment. This is something that I already asked to be implemented almost a year ago and nothing has changed until now :(
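The point made in the posts above is that open_basedir only restricts PHP's own file functions; it says nothing about what Apache will do with an uploaded .htaccess. Whether such a file can turn on CGI execution is decided by the AllowOverride list of the enclosing Directory block. The following checker is an added example written for this thread (it is not code from the forum, from Plesk or from Apache); it models the three directives that matter here (AllowOverride, Options, AddHandler/SetHandler) using the override classes documented for Apache, and the vhost snippets and the .htaccess contents are constructed for illustration, including the hypothetical domain example.test and the Plesk-style path under /var/www/vhosts:

```python
"""Check which lines of an uploaded .htaccess Apache would honour, given the
AllowOverride list of the Directory block that contains it.

Added example, not code from the thread, Plesk or Apache.  Only the directives
listed in NEEDS are modelled; everything else is reported as "not modelled".
"""
import re

# Override class each directive needs (per the Apache AllowOverride docs).
NEEDS = {"addhandler": "FileInfo", "sethandler": "FileInfo", "options": "Options"}

# Constructed sample configs.  The weak one relies on open_basedir plus a
# permissive AllowOverride; the hardened one drops the Options and FileInfo
# override classes so .htaccess cannot re-enable CGI at all.
WEAK_VHOST = """
<VirtualHost *:80>
    ServerName example.test
    DocumentRoot /var/www/vhosts/example.test/httpdocs
    php_admin_value open_basedir "/var/www/vhosts/example.test:/tmp"
    <Directory /var/www/vhosts/example.test/httpdocs>
        AllowOverride All
        Options -ExecCGI
    </Directory>
</VirtualHost>
"""

HARDENED_VHOST = """
<VirtualHost *:80>
    ServerName example.test
    DocumentRoot /var/www/vhosts/example.test/httpdocs
    <Directory /var/www/vhosts/example.test/httpdocs>
        AllowOverride AuthConfig Indexes Limit
        Options -ExecCGI -Includes
    </Directory>
</VirtualHost>
"""

# Constructed .htaccess an attacker with upload rights would drop next to a .pl file.
UPLOADED_HTACCESS = """
Options +ExecCGI
AddHandler cgi-script .pl
"""


def parse_directories(config_text):
    """Map <Directory path> -> list of AllowOverride tokens (None if unset in the block)."""
    out = {}
    for m in re.finditer(r'<Directory\s+"?([^\s">]+)"?\s*>(.*?)</Directory>',
                         config_text, re.I | re.S):
        ao = re.search(r'^\s*AllowOverride\s+(.+?)\s*$', m.group(2), re.I | re.M)
        out[m.group(1)] = ao.group(1).split() if ao else None
    return out


def htaccess_line_allowed(tokens, line):
    """True/False if Apache would honour/reject this .htaccess line; None if not modelled."""
    words = line.split()
    if not words or words[0].lower() not in NEEDS:
        return None
    low = [t.lower() for t in tokens]
    if "all" in low:
        return True
    if "none" in low:
        return False
    if NEEDS[words[0].lower()] == "FileInfo":
        return "fileinfo" in low
    # Options: bare "Options" allows any option; "Options=a,b" allows only those.
    if "options" in low:
        return True
    wanted = {w.lstrip("+-").lower() for w in words[1:]}
    for t in low:
        if t.startswith("options="):
            return wanted <= set(t[len("options="):].split(","))
    return False


def cgi_risk(config_text, htaccess_text):
    """Per Directory block: which uploaded lines are honoured and which rejected.

    Any rejected line makes Apache answer 500 for the whole directory, so a
    non-empty "rejected" list means the .htaccess trick fails outright.
    """
    report = {}
    for path, tokens in parse_directories(config_text).items():
        if tokens is None:
            report[path] = "no AllowOverride in block: inherits server default"
            continue
        verdicts = [(l.strip(), htaccess_line_allowed(tokens, l))
                    for l in htaccess_text.splitlines()]
        report[path] = {"honoured": [l for l, v in verdicts if v is True],
                        "rejected": [l for l, v in verdicts if v is False]}
    return report


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_VHOST), ("hardened", HARDENED_VHOST)):
        print(name, cgi_risk(cfg, UPLOADED_HTACCESS))
```

With the weak block both uploaded lines are honoured, so a .pl file in httpdocs runs as the web server user with no open_basedir in the way; with the hardened block both are rejected and the directory returns 500 instead. Note that the checker ignores Apache's own defaults for a Directory block that sets no AllowOverride (All on 2.2, None on 2.4), so audit those blocks by hand.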
 
Is there anyone in the Plesk development team able to answer my question??? Why is this question ignored? How many servers need to be compromised in order to implement this feature? I've offered my help, is there anything else I should do???
 
Could you possibly PM me with more specific details about your concerns. Maybe some examples, including some code, that would allow a compromise?

The more you can tell me about your concerns, the more I will be able to help.

My particular interest happens to be security, so this is something I want to know more about.

The Plesk developers do frequent the forums from time to time and are very interested in problems reported by users. But specifics are needed and I don't really want specifics of this nature posted in the forum.
 
So far I only see lengthy statements. In order to send the problem to the developers, we need a complete and detailed description of the problem and detailed (step-by-step) instructions on how the problem can be reproduced. You can send me a private message with a detailed report. I will send it to the responsible persons.
 

Any news on this?
 
1. I have sent an exploit example to Faris.
2. I have sent a howto for an apache chroot to Faris.
3. I have offered my help in implementing this feature to Plesk.

We are talking about a serious security improvement of the Plesk interface and all I get is "Most voted requests have the highest priority". You gotta be kidding me, right? :)
As far as I can see you will sell your product to everyone without any guilt. You don't like to think about the security of your product? Even when offered free help to make it more secure? I even decided to send you a PM with the exploit. Maybe it would be better to make it available to the public? How many votes would you expect? Or, even better, how many of your clients would decide to drop your product and buy something other than Plesk Panel? I sure will do the latter...

Regards,
Igor Smitran
 
Have you sent the exploit with a description to someone from Parallels? I have not received it. Faris is not an employee of Parallels.
 
@IgorG, you saw this post like everyone else. From this post it's easy to conclude that Faris is working with the Plesk developers. You didn't react to this...

Ask Faris to forward my PM to you.

Could you possibly PM me with more specific details about your concerns. Maybe some examples, including some code, that would allow a compromise?

The more you can tell me about your concerns, the more I will be able to help.

My particular interest happens to be security, so this is something I want to know more about.

The Plesk developers do frequent the forums from time to time and are very interested in problems reported by users. But specifics are needed and I don't really want specifics of this nature posted in the forum.
 
Sorry everybody -- I've been occupied with other matters and have not had a chance to do much else until now.

I've just forwarded Igor S's message to Igor G.

And no, I don't work for Parallels (???). Parallels staff have a Parallels Logo just under their name. No logo = not Parallels.
 
Guys, I have forwarded message from Igor Smitran to responsible person, and I will update this thread with results of investigation as soon as I receive it.
 
I have received following comment:
Both chrooting Apache and restricting PHP are good for security, but could cause some compatibility issues in general. So it is risky to implement them by default, but maybe we should add some support or compatibility features for such configurations.
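If an administrator does enable a chroot for Apache themselves (mod_unixd's ChrootDir on 2.4, or a hand-built chroot as Igor proposed), the first thing to verify is that the worker processes actually ended up inside it. The script below is an added example for this thread, not code from Plesk, Apache or any poster: on Linux the kernel exposes each process's root directory as /proc/<pid>/root, so a worker whose root still resolves to / is not chrooted. It assumes Linux with /proc mounted and pgrep available; the daemon name httpd is an assumption (Debian-style installs call it apache2), and reading another user's /proc entry needs root.

```sh
#!/bin/sh
# Added example (not from the thread or from Plesk): check whether httpd
# workers run inside a chroot by resolving /proc/<pid>/root.
# Assumes Linux with /proc; run as root to inspect other users' processes.

# Print the resolved root directory of a pid, or "unknown" when /proc does
# not expose it (no /proc, no such pid, or insufficient privileges).
process_root() {
    pid=$1
    if [ -e "/proc/$pid/root" ]; then
        readlink "/proc/$pid/root" 2>/dev/null || echo "unknown"
    else
        echo "unknown"
    fi
}

# "yes" if the pid's root is not "/", "no" if it is "/", "unknown" otherwise.
is_chrooted() {
    case "$(process_root "$1")" in
        /)        echo no ;;
        unknown)  echo unknown ;;
        *)        echo yes ;;
    esac
}

# List every process named like the daemon (default "httpd") with its root.
# A worker reporting chrooted=no after ChrootDir was configured means the
# chroot did not take effect; with it, "/" inside the jail is the ChrootDir.
audit_workers() {
    name=${1:-httpd}
    for pid in $(pgrep -x "$name" 2>/dev/null); do
        printf '%s root=%s chrooted=%s\n' "$pid" "$(process_root "$pid")" "$(is_chrooted "$pid")"
    done
}

# Usage: sh check_chroot.sh [daemon-name]
[ "${1:-}" = "--run" ] && audit_workers "${2:-httpd}"
```

Run it as root with `sh check_chroot.sh --run httpd` (or `apache2`). Processes started under a chroot will show root= pointing at the jail directory; if every worker shows root=/ the compatibility caveat in the comment above has not yet cost you anything, but neither has the chroot gained you anything.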
 