Nginx high security risk !!!

  • Just realized that installing the nginx plugin and allowing access to the websites (on it) from the internet is a very high security risk!
    If a hacker somewhere with their hacking practices uploads any malicious script, then they can browse, list, modify, etc. all r or rw files and directories in OMV.
    They can do this e.g. by running a php file with scandir().
    Recently applied a temporary solution with acl banning the www-data customer and group from all shares and disabled scandir and file_uploads in php.ini, but this isn't the best solution.
    Still all directories with r or rw rights can be accessed/modified through a simple php script.


    Played with different security practices such as enabling PHP-FPM's chroot variable, open_basedir, etc. but without success.


    If someone knows the solution please let me know.
    Thank you.

  • And I don't know much about security.
    But isn't it normal to block uploading scripts?
    How can you upload a malicious script?
    What process?

    OMV3 on Proxmox
    Intel E3-1245 v5 | 32GB ECC RAM | 4x3TB RAID10 HDD
    omv-zfs | omv-nginx | omv-letsencrypt | omv-openvpn
    Click link for more details

  • Just curious, why would anyone want access to the webgui when not home? I can understand things like deluge/transmission or plex, but the webgui not :(

    Intel G4400 - Asrock H170M Pro4S - 8GB ram - Be Quiet Pure Power 11 400 CM - Nanoxia Deep Silence 4 - 6TB Seagate Ironwolf - RAIDZ1 3x10TB WD - OMV 5 - Proxmox Kernel

    • Official post

    I'm not sure what the security risk is. All web servers with php can do this if they aren't running in chroot/jail. I still don't understand how this is a *high* security risk. It also depends on what user you choose to run the php-fpm pool as. If that user has very little privileges, then they can't do much damage even if they were somehow able to upload a script.

    omv 7.0.4-2 sandworm | 64 bit | 6.5 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.10 | compose 7.1.2 | k8s 7.0-6 | cputemp 7.0 | mergerfs 7.0.3


    omv-extras.org plugins source code and issue tracker - github


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

    • Official post

    it seems that no one came out with a working solution.

    That's because you really don't need nginx in a jail if you put the right pages on the server and the pool as an unprivileged user.


    I'm interested in how to setup php to run in chroot/jail.

    Look for an nginx/php docker if you are that worried about it.

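The two replies above both come down to the same mitigation: run the PHP-FPM pool as an unprivileged account that owns none of the share data, and confine what its scripts can touch. The pool configuration below is an added example, not something posted in this thread or shipped by the OMV nginx plugin; the pool name `site`, the account `php-site`, the paths under `/srv/www/site` and `/var/lib/php/site`, and the socket path are all assumed values to be adapted to the actual install. Every directive shown is a standard PHP-FPM pool or php.ini setting.

```ini
; Hypothetical pool file, e.g. /etc/php/<version>/fpm/pool.d/site.conf
[site]
; Run the workers as a dedicated account that is not www-data and has no
; read or write rights on any OMV shared folder. A script that gets
; uploaded then only has this account's view of the filesystem.
user = php-site
group = php-site

; nginx (running as www-data) connects through the socket, so the socket
; is owned by www-data while the PHP processes are not.
listen = /run/php/php-fpm-site.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660

pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 3

; Only execute files that really end in .php; a renamed upload served
; through the pool is refused instead of run.
security.limit_extensions = .php

; Restrict every file operation (fopen, scandir, include, ...) to the
; document root plus a private scratch directory. php_admin_value cannot
; be overridden by ini_set() from a script.
php_admin_value[open_basedir] = /srv/www/site:/var/lib/php/site
php_admin_value[upload_tmp_dir] = /var/lib/php/site/upload
php_admin_value[session.save_path] = /var/lib/php/site/session

; Remove the functions an uploaded script relies on to run commands or
; walk the filesystem. Trim this list if the hosted site legitimately
; needs one of them.
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec,scandir,glob,opendir,readdir

; The thread's workaround of disabling uploads, applied per pool instead
; of globally in php.ini, together with remote include protections.
php_admin_flag[file_uploads] = off
php_admin_flag[allow_url_fopen] = off
php_admin_flag[allow_url_include] = off
php_admin_flag[expose_php] = off
```

After reloading PHP-FPM, a quick check is to run `sudo -u php-site ls /srv/dev-disk-by-label-*/` (path assumed) and confirm it is denied, and to confirm a test page calling `scandir('/')` fails with an open_basedir warning rather than a directory listing. The `chroot` pool directive the first poster tried is a stronger confinement, but it only works when the PHP runtime's own dependencies (DNS resolver config, locale data, any extensions' shared libraries) are copied into the chroot tree, which is why the reply above points at a container instead.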
