Permission denied

This is the dedicated forum for RemoteCP4: the web based dedicated server control script.

Moderators: hal|Sascha, TM-Patrol

penguisher
pedestrian
Posts: 12
Joined: 15 Oct 2009 15:11
Owned TM-games: TMNF

Permission denied

Post by penguisher » 15 Oct 2009 15:17

Hello everyone,

I tried to set up a Trackmania Nations Forever server and I tried to control it using remoteCP.
When I log in for the first time, I should change my admin password. I can log in successfully, but when I try to change the password I get an error: [2009-10-15T17:06:59+02:00] [PHP Warning] DOMDocument::save(./xml/admins.xml) [domdocument.save]: failed to open stream: Permission denied on line 201 in file /var/www/remoteCP_4-0-3-2/includes/core/rcp_session.class.php

Every time I want to make a change (if it is my password or my servername etc.) I do get an error with Permission denied.

Can someone please help me? I run an Ubuntu 9.04 server with an Apache webserver and the Trackmania nations forever dedicated server. My version of remoteCP is 4-0-3-2.

schmidi
smooth traffic navigator
Posts: 196
Joined: 15 Jul 2008 22:25
Owned TM-games: tmo, tms, tmuf

Re: Permission denied

Post by schmidi » 15 Oct 2009 17:03

Wrong file permissions for server.xml, admins.xml and groups.xml.
Make sure your webserver is allowed to alter these files.

nocturne
solid chaser
Posts: 1390
Joined: 08 Jun 2007 18:48
Owned TM-games: all

Re: Permission denied

Post by nocturne » 15 Oct 2009 17:18

Just need to chmod 771 all your xml config files..

Just be sure never to give read rights out to the 'everyone' group, as unless your server supports the .htaccess method, a simple google search can unveil your server settings along with the dozens of others who have improperly protected their rcp settings.

penguisher
pedestrian
Posts: 12
Joined: 15 Oct 2009 15:11
Owned TM-games: TMNF

Re: Permission denied

Post by penguisher » 15 Oct 2009 17:40

Ok thank you very much, problem solved, also thanks for the security tip. I think that should be added to the manual of remoteCP because they tell you to chmod 777 the whole cache and XML directory.

nocturne
solid chaser
Posts: 1390
Joined: 08 Jun 2007 18:48
Owned TM-games: all

Re: Permission denied

Post by nocturne » 16 Oct 2009 03:11

I've mentioned it before in the RemoteCP subforum, only after a user in the Deepsilver forum (German equivalent of here) bragged extensively about how he exploited that very weakness to compromise several servers. Sascha certainly knows, it's up to him/her to change the documentation.

Normally the .htaccess file keeps those files safe from prying eyes, but unfortunately not all hosts support its use. Unfortunately, practically any script you try to run, whether it's a server rpc script such as RCP, an image gallery, or a forum, simply states in its instructions to use CHMOD 777 on all the appropriate files -- without any consideration of the potential security risks.

For what it's worth, there's an easy test to check RCP's security... just try to access the /xml/admins.xml file from your browser. If you can access it, you need to remove the read rights.
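
An added example, not part of the thread or of RemoteCP: a shell audit of the two things discussed above, the "other" permission bits on the XML config files and whether /xml/admins.xml is served over HTTP by your own install. The function names and the command-line arguments are assumptions; the file names are the ones listed in the thread.

```shell
#!/bin/sh
# Added example (not RemoteCP code). File names are taken from the thread;
# function names and arguments are assumptions made for this sketch.
RCP_XML_FILES="server.xml admins.xml groups.xml"

# Report XML config files whose "other" bits allow read or write.
# Returns 0 when none are exposed, 1 when at least one was flagged.
audit_rcp_xml() {
    dir=$1
    status=0
    for name in $RCP_XML_FILES; do
        f="$dir/$name"
        if [ ! -f "$f" ]; then
            echo "MISSING        $f"   # e.g. the xml path was moved
            continue
        fi
        # -perm -004 matches when the world-read bit is set
        if [ -n "$(find "$f" -perm -004)" ]; then
            echo "WORLD-READABLE $f"
            status=1
        fi
        # -perm -002 matches when the world-write bit is set (chmod 777)
        if [ -n "$(find "$f" -perm -002)" ]; then
            echo "WORLD-WRITABLE $f"
            status=1
        fi
    done
    return $status
}

# Same test as opening /xml/admins.xml in a browser, scripted with curl.
# $1 is the base URL of your own install. Returns 0 when the file is served.
rcp_xml_served() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1/xml/admins.xml")
    [ "$code" = "200" ]
}

# Usage: sh rcp_audit.sh <xml-dir> [<base-url>]
if [ "$#" -ge 1 ]; then
    rc=0
    audit_rcp_xml "$1" || rc=1
    if [ -n "${2:-}" ] && rcp_xml_served "$2"; then
        echo "HTTP-EXPOSED   $2/xml/admins.xml"
        rc=1
    fi
    exit $rc
fi
```

A file can pass the mode check and still be served when the web server user owns it, so the HTTP check is the one that decides whether the settings are reachable from outside.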

hal|Sascha
Pit Crew
Posts: 671
Joined: 12 Aug 2005 16:22
Owned TM-games: TMU, TMN, TMS, TMO
Location: Germany Munich

Re: Permission denied

Post by hal|Sascha » 16 Oct 2009 11:32

I changed the official docs here: http://www.tmbase.de/V6/docs/install4/
There is also an "important information" part that tells you about the security issue with *.xml files.

If you really want to secure your RCP install, you should also have a look into the file /includes/core.class.php
There is a code line like this

Code:

self::$instance->storeSetting('xmlpath', './xml/');
There you're able to change the xml path. Should also increase security a little bit :)