RE: Sentora security questions
11-18-2015, 02:51 AM
(This post was last modified: 11-18-2015, 02:52 AM by dezmd.)
I've been involved in server recoveries numerous times; even with suhosin, 777 is a full-stop issue, and it has, unfortunately, completely eliminated consideration of Sentora as even a testing option.
I hope you can excise this foolhardy design decision/lazy configuration in the migration of the security model, but until then, I STRONGLY advise against using Sentora for any public-facing internet site at all.
I had such hope for Sentora, right up until I set up a reseller, a client, and an FTP user, logged in, and saw a world-writable user file structure. Once I looked into it, I stumbled upon posts like this that don't seem to understand the all-encompassing horror of this configuration, suhosin or not. This is, in some ways, an effective botnet virtualization software; the individual accounts can be backdoored within the "jail" even if it isolates other accounts from cross-compromise.
This should be priority number 1 on your list of emergency action items.
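The post's complaint is about user file trees created with mode 777 (world-writable), which lets any local process, including a compromised neighbouring account or a web application running as a shared user, drop or modify files inside another account's directory. The following POSIX shell script is an added example, not code from the post's author or from the Sentora project: it audits a directory tree for world-writable entries (skipping sticky-bit directories such as a private tmp, and symlinks, whose mode bits are meaningless), counts them, and removes the world-write bit. The sample account tree it builds under mktemp is constructed for the demonstration; the paths and names (`public_html`, `uploads`, `config.ini`) are assumptions, not Sentora's actual layout.

```shell
#!/bin/sh
# Audit and remediation helpers for world-writable files in a hosting-account
# tree. Added example; assumes only POSIX find(1), chmod(1), wc(1), mktemp(1).

# Print every world-writable file or directory under $1, one per line, sorted.
# Excludes sticky-bit directories (mode 1xxx, where o+w is by design) and
# symlinks (their permission bits are not enforced).
find_world_writable() {
    find "$1" -perm -0002 ! \( -type d -perm -1000 \) ! -type l -print 2>/dev/null | sort
}

# Return the number of world-writable entries under $1 (as a plain integer).
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Remediate: clear the world-write bit on every offending entry under $1.
# Other bits are left alone, so 777 becomes 775 and 666 becomes 664; the
# owner and group can still write, only "everyone" loses write access.
fix_world_writable() {
    find "$1" -perm -0002 ! \( -type d -perm -1000 \) ! -type l -exec chmod o-w {} +
}

# Build a constructed sample account tree that mimics the misconfiguration the
# post describes (777 on the web root and its upload directory) and print its
# path. Not a real Sentora layout; the names are assumptions for the demo.
make_sample_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/public_html/uploads" "$base/private"
    printf '<?php echo "hi";' > "$base/public_html/index.php"
    printf 'db_password=placeholder' > "$base/private/config.ini"
    chmod 777 "$base/public_html" "$base/public_html/uploads"   # the 777 problem
    chmod 666 "$base/public_html/index.php"                     # world-writable script
    chmod 755 "$base/private"
    chmod 640 "$base/private/config.ini"                        # correctly restricted
    echo "$base"
}
```

Typical use on a live system is `find_world_writable /var/sentora/hostdata` (or whatever the panel's data root is) to get the list before deciding to run `fix_world_writable`; on the constructed tree the audit reports three entries (`public_html`, `public_html/uploads`, `public_html/index.php`) and none after remediation. Removing o+w does not by itself make the PHP/FTP ownership model safe, but it closes the specific "anyone on the box can write here" hole the post is about.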