Nginx high security risk !!!

    • Nginx high security risk !!!

      Just realized that installing the nginx plugin and allowing access to the websites (on it) from the internet is a very high security risk!
      If a hacker somewhere with their hacking practices uploads any malicious script, then they can browse, list, modify, etc. all r or rw files/directories in OMV.
      They can do this e.g. by running a php file with scandir().
      Recently applied a temporary solution with acl, banning the www-data user and group from all shares, and disabled scandir and file_uploads in php.ini, but this isn't the best solution.
      Still, all directories with r or rw rights can be accessed/modified through a simple php script.

      Played with different security practices such as enabling PHP-FPM's chroot variable, open_basedir, etc. but without success.

      If someone knows the solution please let me know.
      Thank you.
    • I'm not sure what the security risk is. All web servers with php can do this if they aren't running in chroot/jail. I still don't understand how this is a *high* security risk. It also depends on what user you choose to run the php-fpm pool as. If that user has very little privileges, then they can't do much damage even if they were somehow able to upload a script.
      omv 4.1.12 arrakis | 64 bit | 4.15 proxmox kernel | omvextrasorg 4.1.11
      omv-extras.org plugins source code and issue tracker - github

      Please read this before posting a question and this and this for docker questions.
      Please don't PM for support... Too many PMs!
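      The point made above (an unprivileged pool user limits what an uploaded script can reach) can be expressed in the PHP-FPM pool configuration itself. The following is an added example written for this thread, not configuration shipped by OMV or the nginx plugin; the pool name `site`, the user `site-www`, the document root `/srv/www/site` and the socket path are assumptions, so adjust them to the actual layout. The first pool shows the weak setting, the second the hardened one.

```ini
; --- Weak: the pool shares www-data with everything else on the box and has
; no filesystem restriction. Any PHP file that gets uploaded can scandir()
; and read/write every path that www-data (or "other") can reach.
[site-weak]
user = www-data
group = www-data
listen = /run/php/php-fpm-site-weak.sock
pm = ondemand
pm.max_children = 5

; --- Hardened: one dedicated, unprivileged system user per site, a chroot
; around the document root, open_basedir as a second fence, and the
; functions that help an attacker enumerate or execute disabled.
; (Create the user first, e.g. with a non-login shell and no group
; membership that grants access to the OMV shares; assumed name: site-www.)
[site]
user = site-www
group = site-www

; The socket is owned by the web server user so nginx can connect, but the
; PHP processes themselves do not run as www-data.
listen = /run/php/php-fpm-site.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660

pm = ondemand
pm.max_children = 5
pm.process_idle_timeout = 10s

; Jail the workers to the site directory. Inside the jail the document root
; is "/", so nginx must pass SCRIPT_FILENAME relative to the chroot
; (fastcgi_param SCRIPT_FILENAME /$fastcgi_script_name; in the server block).
; Anything PHP needs at runtime (sessions, tmp, sockets for DB access) has
; to exist inside /srv/www/site; that is the usual reason "chroot did not
; work" when first enabled.
chroot = /srv/www/site
chdir = /

; Belt and braces: even if chroot is removed later, PHP refuses to open
; files outside these paths. /tmp here is the jail's own /tmp.
php_admin_value[open_basedir] = /:/tmp
php_admin_value[upload_tmp_dir] = /tmp
php_admin_value[session.save_path] = /tmp

; Remove the shell-out and enumeration helpers an uploaded script relies on.
; scandir/opendir are still needed by many applications; disabling them is
; optional and only useful if the deployed pages do not use them.
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec,dl
php_admin_flag[allow_url_fopen] = off
php_admin_flag[allow_url_include] = off
php_admin_flag[expose_php] = off
```

      Two checks worth doing after reloading php-fpm: `ps -o user,cmd -C php-fpm7.3` (or whichever binary version is installed) should list the pool workers under `site-www`, not `www-data`; and a throwaway `<?php var_dump(scandir('/'));` placed in the document root should return only the contents of `/srv/www/site`, with `/etc` or the OMV share root no longer visible. Remove the test file afterwards. Note that the ACL approach from the first post (denying www-data on the shares) only helps while the pool actually runs as www-data; once the pool has its own user, the shares simply must not grant that user read or write bits.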
    • aicon wrote:

      it seems that no one came out with a working solution.
      That's because you really don't need nginx in a jail if you put the right pages on the server and the pool as an unprivileged user.

      aicon wrote:

      I'm interested in how to setup php to run in chroot/jail.
      Look for an nginx/php docker if you are that worried about it.