Sentora security questions
#1
Sentora security questions
Hi, I am considering using Sentora in production but I have 2 questions:

1. Why is Sentora using 777 everywhere!? For me as a sysadmin this is totally crazy (or is there something I don't know about?). I totally don't understand this; how can you release software that uses 777 everywhere!
Quote:
drwxrwxrwx. 13 root root 4096 04-28 21:03 configs
drwxrwxrwx. 2 root root 6 04-28 21:03 docs
drwxrwxrwx. 8 root root 4096 09-07 20:31 panel

2. Why is Sentora using just an "md5" hash for passwords without any salt? E.g. for the mailbox module?
Quote:
$password = '{PLAIN-MD5}' . md5($password);

The md5 hash is very weak.
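As an added example, not code from this thread or from the Sentora project, the following Python reproduces the quoted `'{PLAIN-MD5}' . md5($password)` scheme next to a salted, iterated alternative and shows the property the poster is objecting to: without a salt, every mailbox that uses the same password stores the same value, so one leaked table reveals shared and common passwords at a glance. The `{PBKDF2-SHA256}` label and the `$`-separated storage layout are assumptions invented for this example (they are not a Dovecot or Sentora format); the sample passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample passwords for the demonstration (not real credentials).
# Two "users" deliberately share the first one.
SAMPLE_PASSWORDS = ["correct horse", "correct horse", "Tr0ub4dor&3"]


def legacy_plain_md5(password: str) -> str:
    """Mirror the scheme quoted in the thread: '{PLAIN-MD5}' . md5($password).

    No salt and no work factor: the same password always yields the same
    stored string, and each guess costs one fast MD5 computation.
    """
    return "{PLAIN-MD5}" + hashlib.md5(password.encode("utf-8")).hexdigest()


def hardened_hash(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Salted PBKDF2-HMAC-SHA256 from the standard library.

    Storage layout (an assumption made for this example, not a real scheme):
        {PBKDF2-SHA256}$<iterations>$<salt hex>$<digest hex>
    A fresh 16-byte random salt is drawn per password when none is supplied.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{{PBKDF2-SHA256}}${iterations}${salt.hex()}${digest.hex()}"


def verify_hardened(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    scheme, iterations, salt_hex, _digest_hex = stored.split("$")
    if scheme != "{PBKDF2-SHA256}":
        return False
    recomputed = hardened_hash(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed, stored)


def hash_leaks_equality(hashfunc, passwords) -> bool:
    """True if two accounts with the same password get the same stored value.

    That is exactly what a reviewer of a leaked credential table looks for:
    duplicate rows mark shared passwords, and a common one can be recognised
    without any guessing at all.
    """
    hashes = [hashfunc(p) for p in passwords]
    return len(set(hashes)) < len(hashes)


if __name__ == "__main__":
    print("unsalted MD5 leaks equality:", hash_leaks_equality(legacy_plain_md5, SAMPLE_PASSWORDS))
    print("salted PBKDF2 leaks equality:", hash_leaks_equality(hardened_hash, SAMPLE_PASSWORDS))
    stored = hardened_hash("Tr0ub4dor&3")
    print("round-trip verify:", verify_hardened("Tr0ub4dor&3", stored))
```

The iteration count is what makes each guess expensive; the salt is what makes the duplicates disappear. Both are missing from the quoted one-liner, which is why "md5 is weak" here is about more than the digest algorithm itself.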
#2
RE: Sentora security questions
Good point over MD5. We may improve it.

Besides that, Sentora currently relies on jailing users using suhosin. So 777 doesn't allow you to go anywhere. It sounds crazy but works.

Despite that, we plan to migrate to a security model based more on per-user permissions rather than 777.

M B
#3
RE: Sentora security questions
I've been involved in server recoveries numerous times; even with suhosin, 777 is a full-stop issue and it has, unfortunately, completely eliminated consideration of Sentora as even a testing option.

I hope you can excise this foolhardy design decision/lazy configuration in the migration of the security model, but until then, I STRONGLY advise against using Sentora for any public-facing internet site at all.

I had such hope for Sentora, right up until I set up a reseller, a client, an FTP user, and logged in and saw a world-writable user file structure. Once I looked into it, I stumbled upon posts like this that don't seem to understand the all-encompassing horror of this configuration, suhosin or not. This is, in some ways, an effective botnet virtualization software: the individual accounts can be backdoored within the "jail" even if it isolates other accounts from cross-compromise.

This should be priority number 1 on your list of emergency action items.
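To make the "world-writable" point concrete, here is an added example in Python (not code from the thread or from Sentora) that audits a directory tree for entries whose mode grants write to "other", and then clears only that bit, leaving owner and group permissions untouched. The tree it builds is a constructed throwaway mimicking the names in the quoted listing (`configs`, `docs`, `panel`), not a real Sentora install, and the `index.php` placeholder inside it is invented for the demo.

```python
import os
import stat
import tempfile


def world_writable_entries(root):
    """Walk `root` and return sorted (relative path, octal mode string, is_dir)
    for every regular file or directory whose mode has the o+w bit set.

    Symlinks are skipped: their own mode is meaningless, and following them
    would let a link point the audit outside the tree.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                findings.append((os.path.relpath(full, root),
                                 oct(stat.S_IMODE(st.st_mode)),
                                 stat.S_ISDIR(st.st_mode)))
    return sorted(findings)


def remove_other_write(root):
    """Clear o+w on every finding with the smallest possible change:
    mode & ~S_IWOTH keeps every other bit (owner, group, setgid, sticky).
    Returns the relative paths that were changed."""
    fixed = []
    for rel, _mode, _is_dir in world_writable_entries(root):
        full = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(full).st_mode)
        os.chmod(full, mode & ~stat.S_IWOTH)
        fixed.append(rel)
    return fixed


def mode_of(root, rel):
    """Permission bits of root/rel as an int (e.g. 0o775), for checks."""
    return stat.S_IMODE(os.lstat(os.path.join(root, rel)).st_mode)


def build_sample_tree():
    """Constructed sample tree under a temp dir, shaped like the quoted
    listing: three 777 directories plus one 666 file and one 644 file.
    Nothing here is a real Sentora file."""
    root = tempfile.mkdtemp(prefix="perm-demo-")
    for d in ("configs", "docs", "panel"):
        path = os.path.join(root, d)
        os.mkdir(path)
        os.chmod(path, 0o777)          # chmod ignores umask, so 777 sticks
    script = os.path.join(root, "panel", "index.php")   # placeholder name
    with open(script, "w") as fh:
        fh.write("<?php // constructed placeholder, not Sentora code\n")
    os.chmod(script, 0o666)
    readme = os.path.join(root, "panel", "README")
    with open(readme, "w") as fh:
        fh.write("constructed placeholder\n")
    os.chmod(readme, 0o644)             # correctly restricted, must not be flagged
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for rel, mode, is_dir in world_writable_entries(demo_root):
        print(f"{'dir ' if is_dir else 'file'} {mode} {rel}")
    print("fixed:", remove_other_write(demo_root))
    print("remaining:", world_writable_entries(demo_root))
```

On a real panel host the audit half is the useful part: run `world_writable_entries` against the install path and the per-user web roots and treat any hit as a finding to explain. The fix half is deliberately conservative (it only drops the "other" write bit) because which owner and group each path should have is the per-user permission model the developers say they are moving to, and that cannot be inferred from the mode alone.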
#4
RE: Sentora security questions
First of all, Hello everyone, and thank you Sentora community for your hard work on this project.
I tested Sentora for over 1 week and I am going to be on the same page with dezmd. He is right about the configuration; it doesn't look good because the individual accounts can be easily backdoored and this is not good. The accounts can be compromised so easily even if you have security, firewalls etc... Still, I would love to see this as a priority and if we can help with something just ask us; I'm sure there are a lot of devs who know about this.

I know you have a lot of work, doing other stuff, but please let's improve security because it's very important.

Thank you, and sorry for my bad English.
#5
RE: Sentora security questions
Me.B, kandrews
-TGates - Project Council
#6
RE: Sentora security questions
You can DM me if you have more info?

Your point doesn't mean there is a flaw that would allow any direct attack, but in case you have a faulty script (with an exploit) in the website and allow a bot to enter, it would have too many permissions? Is my understanding right?

So you wish we lower permissions?
#7
RE: Sentora security questions
The fact that Sentora uses 777 for almost everything is in fact worrisome.
Anyway, it would hardly be a security issue unless you have another issue first; in that case it can escalate easily.

I've said it already, and I say it now again: using Linux accounts would be a much better way, especially now that Windows is not officially supported. Many of the issues of this panel come from the Windows legacy.