Nginx high security risk !!!


    • Just realized that installing the nginx plugin and allowing access to the websites (on it) from the internet is a very high security risk!
      If a hacker somewhere with their hacking practices uploads any malicious script, they can then browse, list, modify, etc. all r or rw files and directories in OMV.
      Can do this e.g. by running a php file with scandir().
      Recently applied a temporary solution with ACLs banning the www-data customer and group from all shares and disabled scandir and file_uploads in php.ini, but this isn't the best solution.
      Still, all directories with r or rw rights can be accessed/modified through a simple php script.

      Played with different security practices such as enabling PHP-FPM's chroot variable, open_basedir, etc. but without success.

      If someone knows the solution please let me know.
      Thank you.
    • Just curious, why would anyone want access to the webgui when not home? I can understand things like deluge/transmission or plex, but the webgui not :(
      Intel G4400 - Asrock H170M Pro4S - Syba SI-PEX40064 Marvell 88SE9125 - 8GB ram - Corsair VS350W - 2X6TB Seagate Ironwolf - 4x2TB WD Enterprise
      OMV 4.1.17 - Kernel 4.18 backport 3 - omvextrasorg 4.1.2
    • I'm not sure what the security risk is. All web servers with php can do this if they aren't running in chroot/jail. I still don't understand how this is a *high* security risk. It also depends on what user you choose to run the php-fpm pool as. If that user has very little privileges, then they can't do much damage even if they were somehow able to upload a script.
      omv 4.1.17 arrakis | 64 bit | 4.15 proxmox kernel | omvextrasorg 4.1.13
      omv-extras.org plugins source code and issue tracker - github

      Please read this before posting a question and this and this for docker questions.
      Please don't PM for support... Too many PMs!
    • aicon wrote:

      it seems that no one came out with a working solution.
      That's because you really don't need nginx in a jail if you put the right pages on the server and the pool as an unprivileged user.

      aicon wrote:

      I'm interested in how to set up php to run in chroot/jail.
      Look for an nginx/php docker if you are that worried about it.
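
The replies above recommend running the PHP-FPM pool as an unprivileged user, and the first post mentions open_basedir, chroot and disabled functions. The pool file below is an added example showing those settings together; it is not from the thread or from the OMV nginx plugin. The pool name, the `site-php` account and all paths are hypothetical.

```ini
; Constructed example: pool name, account "site-php" and all paths are hypothetical.

; --- Weak: pool shares the web server account ---------------------------
; [www]
; user  = www-data
; group = www-data
; No open_basedir: PHP file functions such as scandir() reach every path
; that www-data can read or write, including shares.

; --- Hardened: one dedicated account per site ---------------------------
[site]
; Account created only for this pool. It owns nothing outside the docroot
; and is not a member of any group that has access to the shares.
user  = site-php
group = site-php

; nginx (running as www-data) only needs access to the socket, e.g.
; fastcgi_pass unix:/run/php/site.sock;
listen       = /run/php/site.sock
listen.owner = www-data
listen.group = www-data
listen.mode  = 0660

pm              = ondemand
pm.max_children = 5

; php_admin_* settings cannot be overridden from scripts with ini_set().
; open_basedir limits PHP's own file functions to the listed prefixes.
php_admin_value[open_basedir] = /var/www/site/:/var/www/site-tmp/
php_admin_value[sys_temp_dir] = /var/www/site-tmp/

; open_basedir does not apply to external programs started from PHP,
; so the process-spawning functions are disabled as well.
; In a pool file this list is appended to disable_functions from php.ini.
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen
php_admin_flag[file_uploads] = off

; Optional jail. With chroot set, every path above and the SCRIPT_FILENAME
; that nginx passes must be given relative to the new root.
; chroot = /var/www/site
```

The file permissions of the pool account remain the actual boundary: open_basedir and disable_functions only narrow what PHP code can do inside it.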