List of files with bad permissions

Bug #995602 reported by Joseph Mills on 2012-05-06
260
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Zpanel cp X
Medium
Unassigned

Bug Description

There are a number of direcotry's and files that are managed with the permission of 777 this can not happen This is a Huge area that needs to be fixed. If you know alot about file permissions and or anything about correct permissions for vmail and other services please contact me asap thanks for your time

List of Directory that are no good in current implant of Zpanel on Servers

/etc/zpanel/
/var/zpanel/
/var/zpanel/vmail
/var/zpanel/logs/bind/bind.log
/etc/zpanel/configs/dovecot2/dovecot.conf
/etc/zpanel/configs/postfix/conf/dovecot-sql.conf
/etc/zpanel/configs/postfix/conf/dovecot-trash.conf
/etc/mysql/my.cnf
/etc/zpanel/configs/postfix/conf/mysql_virtual_alias_maps.cf
/etc/zpanel/configs/postfix/conf/mysql_virtual_mailbox_limit_maps.cf
/etc/zpanel/configs/postfix/conf/mysql_virtual_mailbox_maps.cf
/etc/zpanel/configs/postfix/conf/mysql_virtual_transport.cf

Other possible Security issues

ZPANEL ZSUDO:
====================================
# Must be owned by root with 4777 permissions, or zsudo will not work!
cc -o /etc/zpanel/panel/bin/zsudo /etc/zpanel/configs/bin/zsudo.c
sudo chown root /etc/zpanel/panel/bin/zsudo
chmod +s /etc/zpanel/panel/bin/zsudo

Over writing certian files like apache2.conf is not a good idea there needs to be a better implementation for this and all files that are being altered.

There is no ssl so anyone can see what you are typing when if you are prone too a man in the middle attack.

IMPORANT

All of this information was gathered by looking at the Community based installer scripts
So there is nothing that can be done besides make a better debian package

Joseph Mills (josephjamesmills) wrote :

Set up new framework to handle all the bad permissions.

visibility: private → public
Changed in zpanelcp:
status: Confirmed → Fix Committed
Changed in zpanelcp:
importance: Critical → Medium
Changed in zpanelcp:
status: Fix Committed → Fix Released
importance: Medium → Wishlist
importance: Wishlist → Undecided

How is it fixed ?

drwxrwxrwx 5 www-data www-data 4096 Nov 20 15:02 ./ # 777 ?!
drwxrwxrwx 3 www-data www-data 4096 Nov 20 14:37 ../ # 777 ?!
drwxrwxrwx 2 root root 4096 Nov 20 14:40 _cgi-bin/ # 777 ?!
drwxr-xr-x 9 ftpuser ftpgroup 4096 Nov 20 15:02 d7/
drwxrwxrwx 2 www-data www-data 4096 Nov 20 14:37 _errorpages/ # 777 ?!
-rwxrwxrwx 1 www-data www-data 26845 Nov 20 14:37 index.html*

what's the status of this issue now ?

Joseph Mills (josephjamesmills) wrote :

Well I had changed the permissions in the setup directory though I think one may like to read this

https://launchpad.net/zpanelcp/+announcement/10057

If one would like to take this project over feel free

Changed in zpanelcp:
status: Fix Released → New
importance: Undecided → Medium
Changed in zpanelcp:
status: New → Triaged
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers