After creating new virtual server, login with SFTP and user can go up directories all the way to the root. Is this normal?

This is after a fresh install.

For example I created a site, beta.example.com, and the user beta logged in can browse all the way to / and see my /backups folders and files.

Also another strange behavior is, in Website Options, after restoring a few Joomla sites from backups the PHP script execution mode must be Apache mod_php (run as Apache's user). If it is put to the default value of FCGId (run as virtual server owner) then the error, "Database Error: Unable to connect to the database:The MySQL adapter "mysql" is not available" appears for each site that I restored. This does not affect sites that I manually created and used Install Scripts to create the sites.

The problem with Apache set as the PHP Execution mode is that any operation performed with Joomla will set the permissions on the directories and files as apache rather than the virtual server owner as it should be.

Please help. I'm kinda puzzled as to why this is happening out-of-the-box.

Status: Closed (fixed)

Comments

SFTP being able to access any directory on the system is normal, as only FTP can be restricted to a particular directory. However, they won't be able to access the home directories of other domains, due to file permissions .. so there isn't really any risk from allowing SFTP users to navigate the filesystem.

Regarding the PHP issue, this is sort-of expected as the domain's etc/php5/php.ini file won't contain the extension=mysql.so line needed to enable MySQL support. This gets added when you install a script, but if the install is done in mod_php mode it is only added to /etc/php.ini .

You can either add this line manually, or just now switch PHP execution mode after installing scripts..

Thanks for this.

So each primary user of a Virtual Server can login with SFTP and can go to the root of the drive and download the backups which are located in /backups.

This backup folder contains the backups of system wide settings as well as other sites. Where can I backup the entire system and individual virtual servers to a location where only root will have access and no other users?

===

Regarding the PHP issue, this is sort-of expected as the domain's etc/php5/php.ini file won't contain the extension=mysql.so line needed to enable MySQL support. This gets added when you install a script, but if the install is done in mod_php mode it is only added to /etc/php.ini .

This is also very important if someone is restoring a backup of a Virtual Server but only selects to restore a few of the contents of the backup such as the MySQL database and home directory contents, which is my case.

One of my sites where PHP/MySQL seem to work fine is located in /home/beta/. I checked both php.ini files and found no sign of mysql.so, screenshots attached. What is happening there?

Regarding the backups, the best solution would be to put them in a directory like /backup that is mode 700, and so readable only by root.

Regarding the PHP config, does adding the extension=mysql.so line to the etc/php5/php.ini file solve the problem? You may need to restart Apache afterwards..
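
A check for the backup advice above (a directory that is mode 700 and readable only by root), as an added example that is not part of the original thread. The function name `audit_backup_dir` and its optional owner-UID argument are hypothetical, and GNU coreutils `stat` (Linux) is assumed:

```shell
#!/bin/sh
# Added example: verify that a backup directory is owned by root and grants
# nothing to group or others. Assumes GNU coreutils stat (Linux).

# audit_backup_dir DIR [OWNER_UID]
# Returns 0 when DIR is a real directory owned by OWNER_UID (default 0, root)
# with no group/other permission bits; prints each finding, returns 1 otherwise.
audit_backup_dir() {
    dir=$1
    want_uid=${2:-0}
    rc=0

    # A symlink could point somewhere with different permissions, so reject it.
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "FAIL: $dir is not a real directory"
        return 1
    fi

    mode=$(stat -c '%a' "$dir")      # octal mode, e.g. 700 or 755
    uid=$(stat -c '%u' "$dir")       # numeric owner
    mode=$(printf '%03d' "$mode")    # pad short modes such as "0" or "70"

    # The last two octal digits are the group and other permissions.
    case "$mode" in
        *00) ;;
        *)   echo "FAIL: $dir is mode $mode; fix with: chmod 700 $dir"
             rc=1 ;;
    esac

    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $dir is owned by uid $uid, expected $want_uid"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $dir is mode $mode, owner uid $uid"
    return "$rc"
}

# Run as: sh audit.sh /backup
if [ "$#" -gt 0 ]; then
    audit_backup_dir "$@"
fi
```
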

Well, the strange thing about that site is that the MySQL is working without any mysql.so in any of the php.ini config files. This is why it's puzzling...

Also, regarding the SSH access, would it be possible to set a type of restriction where if users are not root or part of root they cannot get out of their home directory. I see issues with clients being able to see which sites might be hosted on the same server as accounts may contain company name or domain name details. This info which otherwise would be completely private is now exposed due to the ability to go outside of the home/ftp directory.

I certainly feel sensitive to have other clients snoop around the server to see how many virtual servers exist. Also certain client typically private information is now exposed which is a privacy concern. With Resellers, would clients be able to count how many sites the reseller is hosting? I have not setup that functionality yet but I'm curious.

Is this because of how SSH works? I'm not an expert of Linux and don't want to pretend to be one either.

Just trying to really understand the system and the philosophy behind it.

Yes, this is a limitation on the way SSH works. The SSH server doesn't have any built-in way to limit users to a directory like you can do with an FTP server, as a user logging in via SSH needs access to all the system files in /etc and /bin in order to run commands.

If this bothers you, the best solution is to deny your domain owners SSH access by giving them a shell that doesn't allow logins, like /sbin/nologin. They can then use FTP, but can be restricted to their home directories.

Of course, smart users could still write a PHP or CGI script to list files outside the home, as they are not restricted.

As for resellers, being able to list files outside the home directory wouldn't allow anyone to see how many or which domains a reseller manages.

Thanks for the clarification with SSH. I will try FTP. I must say that I find such a limitation a disappointing discovery. With SFTP the channel is encrypted but the user has easier access to view the file system, whereas FTP is not encrypted but the file system is somewhat less accessible. It's quite the tradeoff but in both cases perhaps because I don't know enough about Linux yet... but IMO users shouldn't be able to traverse the file system of the server since they really never have this genuine need if all they are paying for is a $10/month shared web hosting account.

It almost seems like that in order to be able to have true privacy and peace of mind that nobody is snooping around the file system would require an entirely separate instance of VirtualMin.

Back to my issue with mysql not being found when I switch to FCGId (run as virtual server owner) from Apache mod_php (run as Apache's user). What I did is I copied both php.ini files from a working VirtualServer that has Joomla on it and now the error about Mysql has disappeared. However I noticed an option "PHP 5 Configuration" in VirtualMin is missing from the GUI. Please see attached screenshots.

I think we have to append to this issue that, "PHP 5 Configuration" also not available after restoring server from Backup created by VirtualMin, even after copying new php.ini files in /etc/. Since this is how I find myself with one set of sites that do display PHP5 Configuration and another set of sites (created on the new install) that are functioning as expected.

Thanks for the clarification with SSH. I will try FTP. I must say that I find such a limitation a disappointing discovery. With SFTP the channel is encrypted but the user has easier access to view the file system, whereas FTP is not encrypted but the file system is somewhat less accessible. It's quite the tradeoff but in both cases perhaps because I don't know enough about Linux yet... but IMO users shouldn't be able to traverse the file system of the server since they really never have this genuine need if all they are paying for is a $10/month shared web hosting account.

Yes, the way the SSH protocol is implemented sadly makes this kind of restriction impossible, sorry. Another alternative is to suggest users use the File Manager feature of Virtualmin, which is both secure and restricted.

Back to my issue with mysql not being found when I switch to FCGId (run as virtual server owner) from Apache mod_php (run as Apache's user). What I did is I copied both php.ini files from a working VirtualServer that has Joomla on it and now the error about Mysql has disappeared. However I noticed an option "PHP 5 Configuration" in VirtualMin is missing from the GUI. Please see attached screenshots.

The PHP5 Configuration link only appears if you have the domain setup to run PHP scripts via FCGId, as only in that mode does the domain have its own php.ini file, separate from the one in /etc.

Hi Jamie,

It seems that I resolved the issue with your help.

What I have done is copied the php.ini files to a site that was affected and I went into webmin and chose Refresh Modules. After the refresh was completed the PHP 5 Configuration option was available under the Services tab in VirtualMin. I could then change to the FCGId and the site wasn't complaining about mysql.so.

So thanks for your help once again.

This thread is private and I was wondering if we can have this resolution/troubleshooting added to a KB, especially since this error "Database Error: Unable to connect to the database:The MySQL adapter "mysql" is not available" is such a common error that site owners can get with scripts that use MySQL.

Cheers, Martin

Great, glad you got that working!

I could make this thread public if you like .. unless you feel it contains some private information about your system?

Okay, sure.

Share the knowledge.

-M

Automatically closed -- issue fixed for 2 weeks with no activity.