[BlueOnyx:23047] Re: CushyCMS and ProFTPD
Ken Hohhof
khohhof at kwom.com
Tue Jul 30 19:10:31 -05 2019
Thanks.
Everything in the web directory is owned by siteadmin:site, including
subdirectories and their contents. Above the web directory in the site
home directory, it's different, not sure if this is a problem. The logs
directory owned by SITE22-logs:site19 seems strange.
I know the most common problem that web designers have with FTP and BlueOnyx
is that the web directory isn't / it's /web. But supposedly this CMS was
already configured and working for a couple years, so it should have been
configured right.
BTW, that php.d directory is empty.
drwxrwsr-x 8 nobody site19 4096 Sep 20 2017 .
drwxrwxr-x 3 root root 4096 Nov 17 2014 ..
drwxr-s--x 9 SITE22-logs site19 4096 Jan 27 2019 logs
drw-r-Sr-- 2 root site19 4096 Sep 20 2017 php.d
drwxrwsr-x 2 nobody site19 4096 Nov 17 2014 users
drwxr-sr-x 3 root site19 4096 Nov 17 2014 .users
drwxrwsr-x 7 nobody site19 4096 Oct 11 2016 web
drwxr-xr-x 2 apache site19 20480 Jul 30 04:59 webalizer
-----Original Message-----
From: Blueonyx <blueonyx-bounces at mail.blueonyx.it> On Behalf Of Michael
Stauber
Sent: Tuesday, July 30, 2019 6:31 PM
To: blueonyx at mail.blueonyx.it
Subject: [BlueOnyx:23046] Re: CushyCMS and ProFTPD
Hi Ken,
> I looked in var/log/messages and I see a bunch of lines like this, not
> sure what they mean or why they are occurring now and not previously.
> Customer would be using site admin credentials, wouldn't even know root
> login.
>
> Jul 30 14:31:06 blueonyx proftpd[5435]: 69.49.197.254 (198.74.49.153[198.74.49.153]) - ROOT PRIVS: unable to seteuid(): Operation not permitted
> Jul 30 14:31:06 blueonyx proftpd[5435]: 69.49.197.254
Yeah, ProFTPd doesn't allow user "root" and never has. A seteuid() call
happens when a program drops privileges to do something as a lesser user and
when it's done it tries to regain the same UID/GID as before via seteuid().
It's something I'm sort of sure ProFTPd doesn't allow without full
reauthentication, because from a security point of view it's *very* tricky
to get right. In the nooks and crannies of such code there is often room
for exploits, and that's why sensible people don't implement it - unless
they really *have* to. And then it's usually the best audited and most well
tested part of the code, because one false step and it can get exploited.
The last ProFTPd update only changed two things: mod_ban and mod_geoip got
activated by default. Other than that it's just ProFTPd 1.3.6-RC1 vs
ProFTPd-1.3.5.
Are the files in the webspace owned by that siteAdmin or by someone else?
This could be where the seteuid() call comes from. Say the files are owned
by nobody:siteX or apache:siteX and not by the siteAdmin:siteX.
--
With best regards
Michael Stauber
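As an added illustration of the two checks Michael suggests (this is not code from either poster, from BlueOnyx or from ProFTPD), the script below flags entries in a site's webspace that are not owned by the expected user:group and pulls the "ROOT PRIVS: unable to seteuid()" events out of a messages-style log so they can be lined up with an FTP session. The sample log text is constructed from the line quoted above, the field order in ProFTPD's syslog prefix (server address, then client host[addr]) is assumed, and the helper names are mine.

```python
import grp, os, pwd, re, tempfile
from typing import List, Tuple

# Constructed log excerpt in the format quoted in the thread (not a real capture).
SAMPLE_LOG = """Jul 30 14:31:06 blueonyx proftpd[5435]: 69.49.197.254 (198.74.49.153[198.74.49.153]) - ROOT PRIVS: unable to seteuid(): Operation not permitted
Jul 30 14:31:07 blueonyx proftpd[5435]: 69.49.197.254 (198.74.49.153[198.74.49.153]) - FTP session closed.
"""
# Assumed layout of ProFTPD's syslog prefix: server address, then client host[addr].
SETEUID_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ proftpd\[(?P<pid>\d+)\]: "
    r"\S+ \((?P<client>[^\[\s]+)\[[^\]]*\]\) - ROOT PRIVS: "
    r"unable to seteuid\(\): (?P<err>.*)$"
)

def seteuid_failures(log_text: str) -> List[Tuple[str, int, str, str]]:
    """Return (timestamp, pid, client, error) for every seteuid() failure line."""
    hits = []
    for line in log_text.splitlines():
        m = SETEUID_RE.match(line.strip())
        if m:
            hits.append((m["ts"], int(m["pid"]), m["client"], m["err"]))
    return hits

def audit_ownership(root: str, user, group) -> List[Tuple[str, int, int]]:
    """List entries under root (symlinks not followed) not owned by user:group.
    user/group may be names ('siteadmin', 'site19') or numeric ids."""
    want_uid = user if isinstance(user, int) else pwd.getpwnam(user).pw_uid
    want_gid = group if isinstance(group, int) else grp.getgrnam(group).gr_gid
    bad = []
    def check(path: str) -> None:
        st = os.lstat(path)
        if st.st_uid != want_uid or st.st_gid != want_gid:
            bad.append((path, st.st_uid, st.st_gid))

    check(root)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:  # each subdir is checked here, once
            check(os.path.join(dirpath, name))
    return bad

def owner_of(path: str) -> Tuple[int, int]:
    """uid:gid of one entry; handy as the 'expected' owner when checking the rest."""
    st = os.lstat(path)
    return st.st_uid, st.st_gid

def make_sample_webspace() -> str:
    """Constructed stand-in for a site home: tmp dir with web/cms/ and web/index.php."""
    root = tempfile.mkdtemp(prefix="site_")
    os.makedirs(os.path.join(root, "web", "cms"))
    open(os.path.join(root, "web", "index.php"), "w").close()
    return root
```

On a BlueOnyx box you would call `audit_ownership("/home/sites/<site>/web", "siteadmin", "site19")` with the real names; anything it returns is a candidate for the ownership mismatch Michael describes.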
_______________________________________________
Blueonyx mailing list
Blueonyx at mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx