Preventing Manipulation with Logs Directory Permissions

(H-Sphere 2.5 Patch 8 and up)

 

Starting with H-Sphere 2.5 Patch 8, a new security scheme has been implemented. It prevents untrusted users from manipulating the logs directory and prohibits users other than httpd from entering the user directory. An example of the permissions and groups associated with the directories in the new security scheme is as follows:

where:
xrwx--T - permissions with a sticky bit that prevents users from making any changes to the logs directory
httpd - owner of the directory (should not coincide with the user name)
4096 - size in bytes

Use the logslock utility to set or remove the immutable flag on the ~userhome/logs directory:

logslock -h
Usage: /hsphere/shared/bin/logslock [ -p directory ] [ -u directory ] [-s] [-a]
p : set sticky bit on home directory
u : unset sticky bit from home directory
a : unset sticky bit from home directories of H-Sphere users
s : set sticky bit on home directories of H-Sphere users

Note: the permission settings described above for the user home directory may cause users to be denied access via ssh if public key authentication is used. To avoid the problem, you can disable strict sshd mode by editing the sshd_config file (/etc/ssh/sshd_config on Linux) and restarting the sshd daemon.
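Before relaxing sshd for the whole server, it helps to see which condition triggers the denial. The following is an added example, not part of H-Sphere or logslock: it approximates the ownership and write-permission test that OpenSSH applies to a home directory, ~/.ssh and authorized_keys. It assumes that "strict sshd mode" refers to the StrictModes directive in sshd_config; the function names and the sample mode 1770 are constructed for illustration.

```python
import os
import stat
import tempfile


def strictmodes_findings(home, uid):
    """Return reasons a StrictModes-style check would refuse public-key login.

    Approximation of the OpenSSH rule: the home directory, ~/.ssh and
    ~/.ssh/authorized_keys must be owned by the user or root and must not
    be writable by group or others.
    """
    findings = []
    for rel in ("", ".ssh", os.path.join(".ssh", "authorized_keys")):
        path = os.path.join(home, rel) if rel else home
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue  # a missing path is not a permission finding
        if st.st_uid not in (0, uid):
            findings.append(f"{path}: owned by uid {st.st_uid}, not {uid} or root")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(
                f"{path}: group/other writable ({stat.filemode(st.st_mode)})")
    return findings


def demo():
    """Check a constructed home directory before and after a group-writable
    sticky mode (sample value 1770, an assumption) is applied to it."""
    with tempfile.TemporaryDirectory() as home:
        ssh_dir = os.path.join(home, ".ssh")
        os.mkdir(ssh_dir)
        os.chmod(ssh_dir, 0o700)
        keys = os.path.join(ssh_dir, "authorized_keys")
        with open(keys, "w") as fh:
            fh.write("ssh-ed25519 AAAA... constructed@example\n")  # placeholder key
        os.chmod(keys, 0o600)
        os.chmod(home, 0o700)
        before = strictmodes_findings(home, os.getuid())
        os.chmod(home, 0o1770)  # group-writable with sticky bit
        after = strictmodes_findings(home, os.getuid())
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result or "no findings")
```

Running strictmodes_findings against real home directories shows which accounts use public keys and would be affected, which informs whether disabling the strict check server-wide is an acceptable trade-off.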



© Copyright. PSOFT. All Rights Reserved.