Disable users from browsing other users' files / folders

#1 Thu, 08/09/2018 - 19:46
navotera

I simulated injecting wso.php into my virtual server, and it seems that wso can browse all folders / files, even ones that are not owned by the user.

Is there any feature that restricts a user so that he/she can only browse / manage the folders he/she owns?

What do you suggest to increase the security of my VPS, which hosts many virtual servers?

Thanks a ton.

Fri, 08/10/2018 - 08:24
unborn

Hi,

Yes, wso is a great script :) Well, first of all make sure you cannot inject that script inside your CMS, meaning take care when you are coding the themes or plugins or the CMS itself, or changing it, be it WP or bad Joomla or anything else. Secondly, use proper permissions for each user out there, be it a sys user or root or just a normal user. Also keep the backups and logs, at least 20 days back in time, so you can restore and have a look at how "the one" got in and via what. I would also suggest you change the settings in your ssh for root login: just use ssh keys, not the password. You should be fine. If you were able to inject wso via some website hosted by you, take it down and have a look at the problem, like why and how it's possible, make corrections to your code and then put it online again. You should be fine.

Also, perhaps you should deploy some script which would send you a Google Hangouts or FB chat notification or XMPP notification when anyone logs into the server, be it root or a normal user or another admin, with IP and time etc. It's very simple to implement this and it's real time, so you would know when something goes wrong.

"is there any feature that restrict that user only can browse / manage the folder that he/she owned. ?" - use Linux permissions and from time to time scan it for those shell scripts - you can search GitHub for those ;)

WSO is a great script and of course it's much more capable than just browsing: it can deal with DBs and edit files, upload scripts and tons more.

Configuring/troubleshooting Debian servers is always great fun
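
The permission check suggested in the reply above, as an added example that is not part of the original thread: it lists per-user directories that other local accounts can still enter or read, lists world-writable paths, and removes "other" access from one directory. The function names are hypothetical, and the `/home` base path in the usage comment is an assumption about where the virtual servers' home directories live.

```shell
#!/bin/sh
# Added example: audit per-user directories for access granted to "other".
# Usage (base path is an assumption, adjust to your layout):
#   sh audit_homes.sh /home

# List directories directly under $1 that any other local user can
# read, write or enter (any of the o+r, o+w, o+x bits is set).
list_open_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print | sort
}

# List world-writable files and directories anywhere under $1.
# Symlinks are skipped because their own mode bits are not meaningful.
list_world_writable() {
    find "$1" -mindepth 1 ! -type l -perm -002 -print | sort
}

# Remove all "other" access from one directory (that directory only,
# not its contents).
# Caveat: if the web server reads the site as a different user that is
# not in the directory's group, this also cuts off the web server, so
# check the group ownership before applying it.
lock_home() {
    chmod o-rwx -- "$1"
}

# Print both reports for the base directory $1.
report() {
    echo "== directories under $1 accessible to other users =="
    list_open_homes "$1"
    echo "== world-writable paths under $1 =="
    list_world_writable "$1"
}

# Only run the report when a base directory is passed on the command line.
if [ "$#" -gt 0 ]; then
    report "$1"
fi
```

Run it as root so that `find` can descend into every user's directory; a directory that still shows up after `lock_home` has had its mode changed back by something else.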

Tue, 08/14/2018 - 20:22
navotera

Good advice... I wonder if Virtualmin has a feature to solve injected scripts such as wso or other backdoor scripts... thanks bro

Fri, 08/17/2018 - 08:58 (Reply to #3)
unborn

Not really.. eh, Virtualmin has nothing to do with your or other scripts, it's just a server-side script to serve, that is all.. but it is very robust and safe, I would say, same as Linux itself. There is nothing like an 'antivirus' regarding this, just knowledge.
