harizalan, posted 23 hours ago:
Good day! I have detected a few – closely linked – security issues on the Johnny server. First question: where could I contact the developers privately? Of course, it is possible that only I am concerned about insignificant problems, but, for example, being able to bypass the storage limit does not seem to be good. Thank you!
Unknown025, posted 22 hours ago:
Users that bypass the storage limit face a Plesk suspension. That said, if you have genuine security problems to bring up, a root administrator might reach out directly.
harizalan (author), posted 20 hours ago:
I have genuine security problems... For bypassing the storage limit, the problem itself is that Plesk does not "see" anything outside the home directory. Thus, I was able to create a rather huge file in /tmp (by running a Bash-based CGI script), which is continuously accessible between two restarts, and Plesk has still shown that my account has the same amount of disk space remaining. Methinks it is an issue. And there are a few other problems as well...
wolstech, posted 18 hours ago:
Yeah, /tmp is shared by everyone. It's just how Plesk servers work (I know some other products put a user's /tmp inside the home folder, which IMO would make more sense, but it is what it is). You shouldn't be able to save things anywhere besides /tmp and ~ though, and there are certain commands, files, and folders that can trigger a permanent ban if an account is seen messing with them. In fact, people tend to fill up /tmp accidentally quite a bit with broken Node apps (Passenger logs get saved there, and when people do things like write bad apps, or delete their Node app without turning Node off, Passenger sits there slowly filling /tmp with logs until the server breaks). You'll get suspended for filling /tmp, and monitoring to automatically handle /tmp filling up is a project currently on our radar, since it's a common issue. We had an outage on Morty due to a full /tmp the other day. As for the space limit not changing in Plesk, consumed disk space is only recalculated a few times a day, so you can technically exceed the limit up front, but it will automatically suspend you when the next recalc happens.
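The /tmp monitoring wolstech describes as being on the radar, sketched as an added example (my own script, not Plesk's or the host's tooling): it reports when the filesystem holding /tmp crosses a usage threshold and attributes the space to owning accounts, so an operator can act before the recalculation or the outage. It assumes GNU find (for -printf) and a POSIX df.

```shell
#!/bin/sh
# tmp_watch.sh: warn when a shared scratch directory (e.g. /tmp) is nearly
# full and show which accounts own the bytes. Added example; the threshold,
# directory and top-N count are assumptions, not host policy.

# usage_percent DIR -> prints the used percentage of the filesystem holding DIR
usage_percent() {
    # -P forces the single-line POSIX format; capacity is column 5 ("42%")
    df -P "$1" | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# bytes_by_owner DIR -> prints "<bytes> <owner>" lines, largest owner first
bytes_by_owner() {
    # -xdev stays on one filesystem so a bind-mounted /tmp is not double counted;
    # GNU find's %s is the file size in bytes and %u the owner's user name
    find "$1" -xdev -type f -printf '%s %u\n' 2>/dev/null |
        awk '{ sum[$2] += $1 } END { for (u in sum) print sum[u], u }' |
        sort -rn
}

# check_tmp DIR THRESHOLD_PERCENT -> returns 0 if below threshold, 1 if at/above,
# printing the top five owners in the latter case so the operator knows whom
# to contact (or, per the hosting rules above, whom to suspend)
check_tmp() {
    dir=$1
    threshold=$2
    pct=$(usage_percent "$dir")
    if [ "$pct" -ge "$threshold" ]; then
        echo "WARNING: $dir filesystem at ${pct}% (threshold ${threshold}%)"
        echo "Largest owners (bytes user):"
        bytes_by_owner "$dir" | head -n 5
        return 1
    fi
    echo "OK: $dir filesystem at ${pct}%"
    return 0
}

# Run from cron, e.g. every 10 minutes: ./tmp_watch.sh /tmp 90
if [ "$#" -eq 2 ]; then
    check_tmp "$1" "$2"
fi
```

Because the checks are ordinary df/find calls, the same script can be pointed at any other shared scratch location the host allows writes to.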
harizalan (author), posted 1 hour ago:
Okay, thank you for your reply. Another question: is it intentional that well-nigh all directories outside /home are list-accessible by anyone? It is at least quirky that (although I could not access the files themselves, fortunately) the contents of /boot can be freely listed, thus revealing the kernel version and literally every former patch. Not a security issue itself, but can be used for preparing an attack. Methinks /boot and /proc directories should be completely denied (including listing files) for anyone excluding root.