List of files with bad permissions

Bug #995602 reported by Joseph Mills
This bug affects 2 people
Affects: Zpanel cp X
Status: Triaged
Importance: Medium
Assigned to: Unassigned
Milestone: (none)

Bug Description

There are a number of directories and files that are managed with permissions of 777. This cannot happen. This is a huge area that needs to be fixed. If you know a lot about file permissions and/or anything about correct permissions for vmail and other services, please contact me ASAP. Thanks for your time.

List of directories and files that are no good in the current implementation of Zpanel on servers

/etc/zpanel/
/var/zpanel/
/var/zpanel/vmail
/var/zpanel/logs/bind/bind.log
/etc/zpanel/configs/dovecot2/dovecot.conf
/etc/zpanel/configs/postfix/conf/dovecot-sql.conf
/etc/zpanel/configs/postfix/conf/dovecot-trash.conf
/etc/mysql/my.cnf
/etc/zpanel/configs/postfix/conf/mysql_virtual_alias_maps.cf
/etc/zpanel/configs/postfix/conf/mysql_virtual_mailbox_limit_maps.cf
/etc/zpanel/configs/postfix/conf/mysql_virtual_mailbox_maps.cf
/etc/zpanel/configs/postfix/conf/mysql_virtual_transport.cf

Other possible Security issues

ZPANEL ZSUDO:
====================================
# Must be owned by root with 4777 permissions, or zsudo will not work!
cc -o /etc/zpanel/panel/bin/zsudo /etc/zpanel/configs/bin/zsudo.c
sudo chown root /etc/zpanel/panel/bin/zsudo
chmod +s /etc/zpanel/panel/bin/zsudo

Overwriting certain files like apache2.conf is not a good idea. There needs to be a better implementation for this and for all files that are being altered.

There is no SSL, so anyone can see what you are typing if you are prone to a man-in-the-middle attack.

IMPORTANT

All of this information was gathered by looking at the community-based installer scripts,
so there is nothing that can be done besides making a better Debian package.
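
One way to audit a tree for the conditions listed in this report (world-writable files and directories, and setuid/setgid files that non-owners can write to), as an added example that is not part of the original report or the Zpanel code base. The function names, the script name and the sample tree are assumptions constructed for illustration.

```python
import os
import stat
import sys
import tempfile

def classify(mode):
    """Return permission findings for one st_mode value."""
    perms = stat.S_IMODE(mode)
    findings = []
    # World-writable is flagged unless it is a sticky directory (the /tmp pattern, 1777).
    if perms & stat.S_IWOTH and not (stat.S_ISDIR(mode) and perms & stat.S_ISVTX):
        findings.append("world-writable")
    # setuid/setgid regular files: worse when group or others can also write to them.
    if stat.S_ISREG(mode) and perms & (stat.S_ISUID | stat.S_ISGID):
        writable = perms & (stat.S_IWGRP | stat.S_IWOTH)
        findings.append("setid-and-writable-by-non-owner" if writable else "setid")
    return findings

def audit(root):
    """Walk root without following symlinks; return sorted (path, octal mode, findings)."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode bits are not meaningful
            found = classify(mode)
            if found:
                results.append((path, format(stat.S_IMODE(mode), "04o"), found))
    return sorted(results)

def demo():
    """Audit a constructed sample tree (names are illustrative, not a real install)."""
    sample = {"vmail/": 0o777, "spool/": 0o1777, "dovecot.conf": 0o777, "my.cnf": 0o640}
    with tempfile.TemporaryDirectory() as root:
        for name, mode in sample.items():
            path = os.path.join(root, name.rstrip("/"))
            if name.endswith("/"):
                os.mkdir(path)
            else:
                open(path, "w").close()
            os.chmod(path, mode)
        return [(os.path.relpath(p, root), m, f) for p, m, f in audit(root)]

if __name__ == "__main__":
    # Hypothetical usage: python audit_perms.py /etc/zpanel /var/zpanel (no arguments runs the demo)
    rows = [r for root in sys.argv[1:] for r in audit(root)] if sys.argv[1:] else demo()
    for path, mode, found in rows:
        print(mode, ",".join(found), path)
```

A binary built the way the ZSUDO comment above describes (root-owned, mode 4777) is reported with both findings, while the same binary at 4755 is reported only as `setid`.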

Joseph Mills (josephjamesmills) wrote :

Set up new framework to handle all the bad permissions.

visibility: private → public
Changed in zpanelcp:
status: Confirmed → Fix Committed
Changed in zpanelcp:
importance: Critical → Medium
Changed in zpanelcp:
status: Fix Committed → Fix Released
importance: Medium → Wishlist
importance: Wishlist → Undecided
Mohamed M. Hagag (mohamedhagag1981) wrote :

How is it fixed?

drwxrwxrwx 5 www-data www-data 4096 Nov 20 15:02 ./ # 777 ?!
drwxrwxrwx 3 www-data www-data 4096 Nov 20 14:37 ../ # 777 ?!
drwxrwxrwx 2 root root 4096 Nov 20 14:40 _cgi-bin/ # 777 ?!
drwxr-xr-x 9 ftpuser ftpgroup 4096 Nov 20 15:02 d7/
drwxrwxrwx 2 www-data www-data 4096 Nov 20 14:37 _errorpages/ # 777 ?!
-rwxrwxrwx 1 www-data www-data 26845 Nov 20 14:37 index.html*

What's the status of this issue now?

Joseph Mills (josephjamesmills) wrote :

Well, I had changed the permissions in the setup directory, though I think one may like to read this:

https://launchpad.net/zpanelcp/+announcement/10057

If one would like to take this project over, feel free.

Changed in zpanelcp:
status: Fix Released → New
importance: Undecided → Medium
Changed in zpanelcp:
status: New → Triaged
This report contains Public Security information  
Everyone can see this security related information.
