beta.blog

Ubuntu: Make your files immutable which even root can’t delete

Posted on Jul. 25, 2010, under Linux (Ubuntu)

Ok, so here’s another nice trick I came across in the past, as I had several FTP accounts for different purposes. However, during my tests I discovered a serious security leak: PHP scripts were able to read all my files. Therefore I created a .htaccess file which should force a download for each requested file, PHP scripts in particular, in order to prevent their execution.

Everything seemed to work fine. However, after some more tests I found that the FTP users were able to delete my .htaccess file for some reason. It took me some time to find an explanation for this issue, and the reason was that the FTP users were automatically also the owners of those .htaccess files and had sufficient privileges to remove them as well.

After searching for further ways to avoid that, I found a sweet solution for this matter. The following command will make files immutable/undeletable, so even the system’s root user can’t remove them:

chattr +i /opt/gtasa-dedicated/.htaccess

After executing this command, my FTP users were
a) unable to execute any form of scripts in this directory
b) unable to unblock themselves from their restrictions
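
Added example, not part of the original post: root can clear the flag again with chattr -i, so it is worth setting it and then checking regularly that protected files still carry it. The function names are made up for illustration; the check parses lsattr output, which is a flags field followed by the path.

```shell
#!/bin/sh
# lsattr prints one line per file: "<flags> <path>", for example
#   ----i---------e------- /opt/gtasa-dedicated/.htaccess

# is_immutable_line LINE: succeed if the flags field contains lowercase 'i'.
# Uppercase 'I' is a different attribute (indexed directory), and the path
# itself may contain an 'i', so only the first field is inspected.
is_immutable_line() {
    flags=${1%% *}
    case "$flags" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# missing_immutable: read lsattr output on stdin, print every path that
# lacks the flag, and return 1 if there was at least one.
missing_immutable() {
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if ! is_immutable_line "$line"; then
            printf '%s\n' "${line#* }"
            rc=1
        fi
    done
    return "$rc"
}

# protect_file PATH: set the flag (needs root and a filesystem that supports
# attributes), then confirm with lsattr that it is really in place.
protect_file() {
    chattr +i "$1" || return 1
    is_immutable_line "$(lsattr -d "$1")"
}

# Typical use from a root cron job (path taken from the post):
#   lsattr -d /opt/gtasa-dedicated/.htaccess | missing_immutable \
#       || echo "immutable flag missing" >&2
```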
