duy13
1
Hi,
Is there a tutorial for doing that? As far as I can see, the system currently uses a single user for all websites: sslipse
[root@vddos public_html]# ls -lah
total 24K
drwxr-xr-x 3 sslipse sslipse 4.0K Mar 22 06:44 .
drwxr-xr-x 4 sslipse sslipse 4.0K Mar 22 04:13 ..
drwxr-xr-x 2 sslipse sslipse 4.0K Mar 22 04:13 .well-known
-rwxr--r-- 1 sslipse sslipse 725 Mar 22 04:14 index.html
-rw-r--r-- 1 sslipse sslipse 20 May 8 2014 info.php
-rw-r--r-- 1 sslipse sslipse 144 May 17 2016 who.php
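For example, website 1.com should run with the privileges of user1 and website 2.com with the privileges of user2.
This is to limit local attacks, i.e. to keep a problem in one site from reaching the files of the other sites on the same server.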
You are inside the public_html of a single website (all child domains under it use this user).
However, each website runs as its own user. To check, you need to run:
ls -la /home
duy13
3
- Add a USER: user1
- Add WEBSITE for user1: ssl9.ipserver.ml
- Check Permission /home:
[root@vddos ~]# ls -lah /home/
total 28K
drwxr-xr-x 7 root root 4.0K Mar 22 07:15 .
dr-xr-xr-x 20 root root 4.0K Mar 22 04:40 ..
drwx------ 2 cyberpanel cyberpanel 4.0K Mar 22 06:42 cyberpanel
drwxr-xr-x 4 sslipse sslipse 4.0K Mar 22 04:13 ssl.ipserver.ml
drwxr-xr-x 4 sslipse sslipse 4.0K Mar 22 04:53 ssl8.ipserver.ml
drwxr-xr-x 4 sslipse sslipse 4.0K Mar 22 07:15 ssl9.ipserver.ml
drwx------ 2 vmail vmail 4.0K Mar 22 04:02 vmail
- Check vHost Conf of WEBSITE ssl9.ipserver.ml:
# Virtual host configuration of ssl9.ipserver.ml as pasted in the thread
# (LiteSpeed plain-text format; the indentation was lost in the paste).
# The lines that decide which system account runs PHP for this site are the
# scripthandler and extprocessor sections below.
docRoot $VH_ROOT/public_html
vhDomain $VH_NAME
vhAliases www.$VH_NAME
adminEmails [email protected]
enableGzip 1
enableIpGeo 1
index {
useServer 0
indexFiles index.php, index.html
}
# Error and access logs are written under the vhost root, next to public_html.
errorlog $VH_ROOT/logs/$VH_NAME.error_log {
useServer 0
logLevel ERROR
rollingSize 10M
}
accesslog $VH_ROOT/logs/$VH_NAME.access_log {
useServer 0
logFormat "%v %h %l %u %t "%r" %>s %b"
logHeaders 5
rollingSize 10M
keepDays 10 compressArchive 1
}
# .php requests are handed to the external LSAPI processor named "sslipse".
scripthandler {
add lsapi:sslipse php
}
# extUser/extGroup name the account the lsphp workers run as. Here that is
# sslipse, the same account that owns ssl.ipserver.ml and ssl8.ipserver.ml in
# the /home listing, so PHP for this site is not separated from those sites.
# NOTE(review): the socket is also named after the user; presumably every vhost
# mapped to sslipse points at the same socket name -- confirm on the server.
extprocessor sslipse {
type lsapi
address UDS://tmp/lshttpd/sslipse.sock
maxConns 10
env LSAPI_CHILDREN=10
initTimeout 60
retryTimeout 0
persistConn 1
pcKeepAliveTimeout 1
respBuffer 0
autoStart 1
path /usr/local/lsws/lsphp72/bin/lsphp
extUser sslipse
extGroup sslipse
memSoftLimit 2047M
memHardLimit 2047M
procSoftLimit 400
procHardLimit 500
}
# File manager context: browsing and auto-indexing are enabled, but
# accessControl only allows 127.0.0.1/localhost and denies every other source.
context /.filemanager {
type NULL
location /usr/local/lsws/Example/html/FileManager
allowBrowse 1
autoIndex 1
accessControl {
allow 127.0.0.1, localhost
deny 0.0.0.0/0
}
addDefaultCharset off
}
# TLS key and certificate chain for this vhost.
# NOTE(review): sslProtocol looks like a bitmask of enabled protocol versions;
# 31 sets all five low bits, which presumably includes legacy versions --
# confirm against the LiteSpeed documentation and narrow it if so.
vhssl {
keyFile /usr/local/lsws/conf/vhosts/SSL-ssl9.ipserver.ml/privkey.pem
certFile /usr/local/lsws/conf/vhosts/SSL-ssl9.ipserver.ml/fullchain.pem
certChain 1
sslProtocol 31
}
- Check passwd
[root@vddos ~]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-bus-proxy:x:999:998:systemd Bus Proxy:/:/sbin/nologin
systemd-network:x:998:997:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
saslauth:x:997:76:Saslauthd user:/run/saslauthd:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
cyberpanel:x:1000:1000::/home/cyberpanel:/bin/bash
lsadm:x:996:995:lsadm:/:/sbin/nologin
mysql:x:995:994:MySQL server:/var/lib/mysql:/sbin/nologin
ftpuser:x:2001:2001:"pureftpd user":/bin/null:/bin/false
pdns:x:994:993:PowerDNS user:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin
dovenull:x:993:992:Dovecot's unauthorized user:/usr/libexec/dovecot:/sbin/nologin
vmail:x:5000:5000::/home/vmail:/bin/bash
sslipse:x:5001:5001::/home/ssl.ipserver.ml:/bin/bash
vddos:x:5002:5002::/vddos:/sbin/nologin
It seems that no matter how many users or domains I add, they all end up under the user sslipse.
I understand your point. The problem is that the PHPSuExec user is derived from the domain name.
ssl.ipserver.ml
ssl8.ipserver.ml
ssl9.ipserver.ml
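Your domain names here are identical except for the number, and numbers are excluded when the user name is generated, which is why you get the same user every time. As a result, these sites share one system user and are not isolated from each other.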
Try with something like:
duy13.ipserver.ml
duy13
5
Everything worked, thank you!
But it seems that CyberPanel users will run into the same problem with numbered subdomains, for example in plans such as a CDN server for static files:
cdn1.cloud.uk
cdn2.cloud.uk
s100.zvideos.cn
s200.zvideos.cn
s300.zvideos.cn
…
[root@vddos ~]# ls -lah /home/
total 44K
drwxr-xr-x 11 root root 4.0K Mar 22 07:41 .
dr-xr-xr-x 20 root root 4.0K Mar 22 04:40 ..
drwxr-xr-x 4 cdnclou cdnclou 4.0K Mar 22 07:40 cdn1.cloud.uk
drwxr-xr-x 4 cdnclou cdnclou 4.0K Mar 22 07:41 cdn2.cloud.uk
drwx------ 2 cyberpanel cyberpanel 4.0K Mar 22 07:34 cyberpanel
drwx------ 2 vmail vmail 4.0K Mar 22 04:02 vmail
drwxr-xr-x 4 voduyco voduyco 4.0K Mar 22 07:31 voduy.com
We will add some random characters to the PHPSuExec user name, which should rectify this.