DirectAdmin <= 1.33.6 Symlink Permission Bypass

Have you tested it, scsi? I don't believe it to be a real exploit, because links don't give you any permission the original file doesn't have. But I haven't tested it so I can't say for sure. Have you tested it?

Jeff
 
I believe I have duplicated it, caused by slight variations in the functionality of effective uid vs real uid values of processes. In any case, I've made the necessary changes to the code. However, these changes are far more strict so I'm releasing them in pre-release form for testing purposes, accessible via your Client Section.

The main thing that I will expect might break due to these changes is any file or directory created by a php process, which is chowned to apache and set to chmod 600 or 700. The backup process will not be able to read those files or directories, thus throwing errors and preventing those files from being added into the backups. Those directories and/or files will need to be chmod to 755 or 644 (whatever is appropriate) such that the DA user can read them, else they'll be omitted.

I encourage anyone who would like these changes, or who are willing to test them, to install the pre-release binaries.

John
 
When you do release them John, hopefully you can make changes to the permissions reset script. And of course remind us somehow that we have to run it ... or run it for us as part of the update?

Or are there other details I'm missing?

Jeff
 
The set_permissions.sh script? It doesn't touch User uploaded files, only DA created files.

In any case I think a basic "find" command could be run, to search out apache owned files under home and set directories to 755, files to 644. It might be out of the scope for the update to run it, but we can definitely include instructions on how admins can do it.

John
 
It might be out of the scope for the update to run it, but we can definitely include instructions on how admins can do it.
You've got my vote on that.

Jeff
 
how??


DirectAdmin Values
Compiled on CentOS 5.0 64-bit
Server Version 1.34.5
Current Available Version 1.345000

Last Updated Mon Jan 4 04:41:30 2010
 
Hello,

Grab the pre-release binaries from the Clients Section

Click on your license to view the info. Just below the info will be a link to install the pre-release binaries.

John
 
Hello,

This version is one step closer to being released.
I've again updated the pre-release binaries with a checking code that traverses all /home/user/domains directories to see if there are any files that are non-readable by that DA User. If there are any non-readable files, DA will notify all of the Admins with a message.

I encourage people to try out this code. As before, the pre-release binaries can be downloaded from the Clients Section.

To manually trigger the check, use this:
Code:
cd /usr/local/directadmin
echo "action=syscheck" >> data/task.queue
./dataskq d2000
However, this action is added to the task.queue via the update.sh for normal updates. The manual method will be handy to use if the admin is working through a list of files to get them all readable, to check on his progress.

I'm unsure if I'll be adding automation to changing the permissions or ownership on files, as it might be out of the scope of DirectAdmin's job. Reporting the permissions issues is a given, and all info is given to the Admin, but for the actual changing of permissions, a human touch might be safer. Discussion is welcome for the automation of resetting the non-readable file permissions.

I've updated the versions entry with more information:
http://www.directadmin.com/features.php?id=1052

John
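The syscheck described above, and the "find" clean-up John suggested earlier in the thread, as an added shell example (not DirectAdmin's own code): it lists entries under a home directory that the DA user cannot read because another account owns them with restrictive modes, and can normalise modes on files owned by the web server account. It assumes GNU or busybox find (a numeric uid is accepted by -user), checks only classic mode bits (ACLs are ignored), and takes the home directory, the DA user and the apache owner as parameters.

```shell
#!/bin/sh
# Added example, not part of DirectAdmin. Reports and optionally fixes files
# under a user's home that the DA user cannot read (e.g. apache-owned 600/700).

# List files/dirs under $1 that are NOT owned by $2 and lack world read
# (files need o+r, directories need o+rx to be traversed). Mode check only;
# POSIX ACLs are not considered. Paths with newlines are not handled.
list_unreadable() {
    home_dir="$1"
    da_user="$2"
    find "$home_dir" ! -user "$da_user" \
        \( \( -type d ! -perm -005 \) -o \( -type f ! -perm -004 \) \) \
        -print 2>/dev/null
}

# Number of such entries; useful for checking progress while fixing them.
count_unreadable() {
    list_unreadable "$1" "$2" | wc -l | tr -d ' '
}

# Normalise modes on entries owned by $2 (e.g. apache): dirs 755, files 644.
# Only changes anything when $3 is "apply"; otherwise it prints what it would do.
normalize_owned_modes() {
    home_dir="$1"
    owner="$2"
    mode="${3:-dry-run}"
    find "$home_dir" -user "$owner" -type d ! -perm -005 -print 2>/dev/null |
    while IFS= read -r d; do
        if [ "$mode" = "apply" ]; then chmod 755 "$d"; else echo "would chmod 755 $d"; fi
    done
    find "$home_dir" -user "$owner" -type f ! -perm -004 -print 2>/dev/null |
    while IFS= read -r f; do
        if [ "$mode" = "apply" ]; then chmod 644 "$f"; else echo "would chmod 644 $f"; fi
    done
}

# Usage (hypothetical account names):
#   list_unreadable /home/exampleuser exampleuser
#   normalize_owned_modes /home/exampleuser apache        # dry run
#   normalize_owned_modes /home/exampleuser apache apply  # change modes
```

Run the dry run first and review the list; cache or session files that a script deliberately keeps private may be better excluded from the backup (see the --ignore-failed-read option later in this thread) than made world-readable.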
 
Update not necessary

Details

You already have the most recent version of the program

but this still being:

DirectAdmin Values
Compiled on CentOS 5.0 64-bit
Server Version 1.34.5
Current Available Version 1.345000
Last Updated Mon Jan 4 04:41:30 2010
Update DirectAdmin


Can this be because I'm running the 64-bit version?
 
Please, can you tell me what I'm doing wrong?

Code:
cd /usr/local/directadmin
wget -O new.tar.gz http://files.directadmin.com/linkwithfile_64.tar.gz
tar xvzf new.tar.gz
./directadmin p
./scripts/update.sh
killall -9 directadmin
./directadmin d


But then when I go to Licensing/Update in the DA panel:

DirectAdmin Values
Compiled on CentOS 5.0 64-bit
Server Version 1.34.5
Current Available Version 1.345000
Last Updated Fri Feb 5 06:43:10 2010


Still the same. Or, having installed the tar, is this updated?


Thanks very much, dude.
 
Everything is okay, version number is still 1.345 for pre-releases.
 
The main thing that I will expect might break due to these changes is any file or directory created by a php process, which is chowned to apache and set to chmod 600 or 700. The backup process will not be able to read those files or directories, thus throwing errors and preventing those files from being added into the backups. Those directories and/or files will need to be chmod to 755 or 644 (whatever is appropriate) such that the DA user can read them, else they'll be omitted.

Is there a setting to make the backup script just ignore that kind of apache-owned file? There are lots of php scripts that won't allow me to change the filemask to 755 or 644 for newly created files (like cache files, for example). And even if some would, I wouldn't want to go and change all my clients' php scripts. So a workaround would be great!
 
Actually... now that you mention it, yes there is a way.
Edit your directadmin.conf, and add:
Code:
extra_backup_option=--ignore-failed-read
and restart DA. Double check that the value is set correctly:
Code:
cd /usr/local/directadmin
./directadmin c | grep extra_backup_option
Related: http://www.directadmin.com/features.php?id=792

John
 