Nginx high security risk !!!

  • Just realized that installing the nginx plugin and allowing access to the websites (on it) from the internet is a very high security risk!
    If a hacker somewhere with their hacking practices uploads any malicious script, they can then browse, list, modify, etc. all r or rw files and directories in OMV.
    They can do this e.g. by running a PHP file with scandir().
    Recently applied a temporary solution with ACL, banning the www-data customer and group from all shares, and disabled scandir and file_uploads in php.ini, but this isn't the best solution.
    Still, all directories with r or rw rights can be accessed/modified through a simple PHP script.


    Played with different security practices such as enabling PHP-FPM's chroot variable, open_basedir, etc., but without success.


    If someone knows the solution please let me know.
    Thank you.

  • And I don't know much about security.
    But isn't it normal to block uploading scripts?
    How can you upload a malicious script?
    What process?

    OMV3 on Proxmox
    Intel E3-1245 v5 | 32GB ECC RAM | 4x3TB RAID10 HDD
    omv-zfs | omv-nginx | omv-letsencrypt | omv-openvpn

  • Just curious, why would anyone want access to the webgui when not home? I can understand things like deluge/transmission or plex, but the webgui not :(

    Intel G4400 - Asrock H170M Pro4S - 8GB ram - Be Quiet Pure Power 11 400 CM - Nanoxia Deep Silence 4 - 6TB Seagate Ironwolf - RAIDZ1 3x10TB WD - OMV 5 - Proxmox Kernel

  • I'm not sure what the security risk is. All web servers with php can do this if they aren't running in chroot/jail. I still don't understand how this is a *high* security risk. It also depends on what user you choose to run the php-fpm pool as. If that user has very little privileges, then they can't do much damage even if they were somehow able to upload a script.

    omv 5.6.18 usul | 64 bit | 5.11 proxmox kernel | omvextrasorg 5.6.3 | kvm plugin 5.1.7
    omv-extras.org plugins source code and issue tracker - github


    Please read this before posting a question.
    Please don't PM for support... Too many PMs!

  • Thanks guys, but it seems that no one came out with a working solution.
    I'm interested in how to set up PHP to run in chroot/jail.
    Thx

  • it seems that no one came out with a working solution.

    That's because you really don't need nginx in a jail if you put the right pages on the server and run the pool as an unprivileged user.


    I'm interested in how to set up PHP to run in chroot/jail.

    Look for an nginx/php docker if you are that worried about it.

    omv 5.6.18 usul | 64 bit | 5.11 proxmox kernel | omvextrasorg 5.6.3 | kvm plugin 5.1.7
    omv-extras.org plugins source code and issue tracker - github


    Please read this before posting a question.
    Please don't PM for support... Too many PMs!
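
Added example, not part of the thread and not any poster's configuration: a Python check over PHP-FPM pool files for the three controls the thread discusses (the pool's user, chroot and open_basedir), run against a weak and a hardened pool. The pool names, accounts, paths and both sample files are constructed assumptions.

```python
# Constructed sample pool files; names, accounts and paths are assumptions.
WEAK_POOL = """\
[www]
; shared web account that also holds rights on the data shares
user = www-data
group = www-data
listen = /run/php/www.sock
"""

HARDENED_POOL = """\
[site1]
; dedicated account with no ACL entries on the shares
user = site1
group = site1
listen = /run/php/site1.sock
; workers of this pool see the directory below as /
chroot = /srv/www/site1
chdir = /
; paths are interpreted inside the chroot
php_admin_value[open_basedir] = /htdocs:/tmp
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen
php_admin_flag[file_uploads] = off
"""

def parse_pool(text):
    """Return {directive: value} for one pool file; ';' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings

def audit_pool(text, shared_accounts=("root", "www-data")):
    """List the hardening gaps found in one pool definition."""
    s = parse_pool(text)
    findings = []
    user = s.get("user", "")
    if not user or user in shared_accounts:
        findings.append("user: pool runs as a shared or privileged account")
    if not s.get("chroot"):
        findings.append("chroot: not set, scripts can walk the whole filesystem")
    if not s.get("php_admin_value[open_basedir]"):
        findings.append("open_basedir: not set with php_admin_value")
    return findings

if __name__ == "__main__":
    for name, pool in (("weak", WEAK_POOL), ("hardened", HARDENED_POOL)):
        print(name, audit_pool(pool) or "no findings")
```

With chroot set, nginx has to pass SCRIPT_FILENAME as the path inside the chroot, and anything the scripts need (DNS resolution, timezone data, database sockets) must be reachable from inside it.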
