This forum uses cookies
This forum makes use of cookies to store your login information if you are registered, and your last visit if you are not. Cookies are small text documents stored on your computer; the cookies set by this forum can only be used on this website and pose no security risk. Cookies on this forum also track the specific topics you have read and when you last read them. Please confirm whether you accept or reject these cookies being set.

A cookie will be stored in your browser regardless of choice to prevent you being asked this question again. You will be able to change your cookie settings at any time using the link in the footer.

Sentora Secured (SFTP + suEXEC/RUID2 )
#1
[Not Solved] Sentora Secured (SFTP + suEXEC/RUID2 )
Greetings everyone,

I know there has been plenty concern over using secure permissions with Sentora. Over the past few months I've been working hard on an UNOFFICIAL (not supported by the Sentora team) plugin that will allow secure permissions within the web hosting panel. I've named the project Sentora Secured.

This program basically does two things: (1) Create Linux users (named after the Sentora user) to use for SFTP and ownership over their own hostdata information and (2) fix most of the insecure permissions of Sentora.

With Apache, the default setup is to use a general user and group (usually "apache", "nobody", or "www-data") for every file in a persons hostdata directory. This actually makes it so that anyone can edit and modify another user's files since they're all owned and ran by the same user. With Sentora Secured, all of a persons data is owned to themselves and run through Apache using suEXEC (or RUID2 if suEXEC is not available). As a side note, it's actually preferable to use RUID2 with Apache over suEXEC so you can have the benefits of PHP OpCode caching software.

This software is very much in an alpha stage. I do NOT recommend using this in a production environment. However, I would appreciate any testers willing to help find bugs or other issues. I'm always open to new feature requests, too. You can view and download the entire project and its source code here: [ https://github.com/ekultails/sentorasecured ].

Ideally, this is something that would be implemented in the official Sentora. Since this fork of zPanel no longer relies on a Windows port there's no reason not to transition to using real Linux users (instead of pseudo Sentora and FTP users) and implementing suEXEC/RUID2 protocols for Apache users. I understand this is on the "to-do list" but hope it will be integrated one day soon.

Thank you guys for your time and I hope to see you all around the forums!
Welcome to a new age of hosting.
GalacticWebspace.com
Reply
Thanks given by: Me.B , Cantalupo , iTpain
#2
[Not Solved] RE: Sentora Secured (SFTP + suEXEC/RUID2 )
intersting but suEXEC should be our focus on 1.1 with official support.

The way you added suEXEC if f******** So good! Really clever as you didn't even change path's.

The issue currently, you are resetting permission each time wich could be odd. If a user want to write protect a folder? You are limited here as sentora way of creating users/vhots. We should add another field in the DB that allow you to see pending domains/users waiting for creation & thus create only those users/domains. I think such modification would also allow us to creat a vhost-httpd PER user too & would allow later more plugins like this to be triggered once we create domains/delete.

M B
No support using PM (Auto adding to IGNORE list!), use the forum. 
How to ask
Freelance AWS Certified Architect & SysOps// DevOps

10$ free to start your VPS

Reply
Thanks given by: Cantalupo
#3
[Not Solved] RE: Sentora Secured (SFTP + suEXEC/RUID2 )
@Me.B

Thanks for your support! When the permissions fix runs every hour, the permissions inside their hostdata only get reset to their Linux user and group for ownership. Any special permissions for readable, writable, and executable rights for their site files are not changed and can be set to any value (even 777) that the Sentora user wants to use. This way if any files are created under Apache's main user/group it will be corrected to be owned by the right person.

There is certainly a lot to explore within Apache and Sentora setups by fully implementing suEXEC (or preferably RUID2). I look forward to seeing how the official project continues to grow!
Welcome to a new age of hosting.
GalacticWebspace.com
Reply
Thanks given by: Cantalupo
#4
[Not Solved] RE: Sentora Secured (SFTP + suEXEC/RUID2 )
I meant If we change user permission to lock directory permission ;-) from php writing it.
Reply
Thanks given by: Cantalupo
#5
[Not Solved] RE: Sentora Secured (SFTP + suEXEC/RUID2 )
I appreciate you bringing that up, I thought I had the script set up to change the /var/sentora/hostdata/USER/* and /var/sentora/hostdata/USER/public_html/DOMAIN_COM folder permissions but apparently not! This has been corrected and now ONLY the Sentora user has access to modify their own files there Smile

As for correcting other files inside a persons DOMAIN_COM/ folder, Sentora Secured won't be tweaking those. By default, newly created files in there should have secure permissions for folders (755) and files (644) with it being owned to the user and group of the Sentora username. People can have custom permissions in DOMAIN_COM/ for one reason or another so I'd hate to be the cause of breaking their site by changing those.
Welcome to a new age of hosting.
GalacticWebspace.com
Reply
Thanks given by: Cantalupo
#6
[Not Solved] RE: Sentora Secured (SFTP + suEXEC/RUID2 )
Support!
So will become more professional. Big Grin
Reply
Thanks given by:
#7
[Not Solved] RE: Sentora Secured (SFTP + suEXEC/RUID2 )
Awesome SFTP - much more reliable!

kandrews was planning on implementing this so I think you may have just saved him some work Wink
Before posting, update your profile with your OS, Sentora version and server type!

Reply
Thanks given by:
#8
[Not Solved] RE: Sentora Secured (SFTP + suEXEC/RUID2 )
Nice ! have already build a Dedicated Atom for this Smile but can we have a single install command ?
Easy for copy & paste installers like me Smile
Reply
Thanks given by:
#9
[Not Solved] RE: Sentora Secured (SFTP + suEXEC/RUID2 )
Hopefully some of my work does help out with the official Sentora project! It's written in Bash so it will likely need to be re-written in PHP like the rest of Sentora. I'm more of a Bash and Python guy rather than PHP :-)

For setting up suEXEC in Apache it's as easy as adding this line to each user's vhost entry:
#===========
SuexecUserGroup USER USER
#===========

And if you are using RUID2 instead of suEXEC ("apache" may need to be changed to the Apache user used on your operating system):
#===========
RMode config
RUidGid USER USER
RGroups apache
#===========

The "USER" entry should be replaced with the actual Linux user. The hardest part would be the transition to using real Linux users which really shouldn't be too hard either to implement in a future release of the Sentora panel.

As for a one-liner install script for Sentora Secured, I have updated the README file for the project to include one and will copy it here as well. Remember, this is still in early development and is recommended for testing servers only. Use at your own risk!

Sentora Secured installer:
wget https://github.com/ekultails/sentorasecu...master.zip; unzip master.zip; cd ./sentorasecured-master/; sh install.sh
Welcome to a new age of hosting.
GalacticWebspace.com
Reply
Thanks given by: iTpain


Possibly Related Threads...
Thread Author Replies Views Last Post
SFTP Authentication Failed, Need to retrieve password wormsunited 9 14 302 01-24-2019, 05:52 PM
Last Post: fearworks
Ftp On Sentora techs221 2 6 532 12-29-2016, 03:06 PM
Last Post: techs221
FTP accouunt setting problem of Sentora bbloldd 3 11 114 08-12-2015, 09:41 AM
Last Post: james415

Forum Jump:


Users browsing this thread: 1 Guest(s)