Permission denied

Posted: 15 Oct 2009 15:17
by penguisher
Hello everyone,

I tried to set up a Trackmania Nations Forever server and I tried to control it using remoteCP.
When I log in for the first time, I should change my admin password. I can log in successfully, but when I try to change the password I get an error: [2009-10-15T17:06:59+02:00] [PHP Warning] DOMDocument::save(./xml/admins.xml) [domdocument.save]: failed to open stream: Permission denied on line 201 in file /var/www/remoteCP_4-0-3-2/includes/core/rcp_session.class.php

Every time I want to make a change (if it is my password or my servername etc.) I do get an error with Permission denied.

Can someone please help me? I run an Ubuntu 9.04 server with an Apache webserver and the Trackmania nations forever dedicated server. My version of remoteCP is 4-0-3-2.

Re: Permission denied

Posted: 15 Oct 2009 17:03
by schmidi
wrong file-permissions for server.xml, admins.xml and groups.xml
make sure your webserver is allowed to alter these files

Re: Permission denied

Posted: 15 Oct 2009 17:18
by nocturne
Just need to chmod 771 all your xml config files..

Just be sure never to give read rights out to the 'everyone' group, as unless your server supports the .htaccess method, a simple google search can unveil your server settings along with the dozens of others who have improperly protected their rcp settings.

Re: Permission denied

Posted: 15 Oct 2009 17:40
by penguisher
Ok thank you very much, problem solved, also thanks for the security tip. I think that should be added to the manual of remoteCP because they tell you to chmod 777 the whole cache and XML directory.

Re: Permission denied

Posted: 16 Oct 2009 03:11
by nocturne
I've mentioned it before in the RemoteCP subforum, only after a user in the Deepsilver forum (German equivalent of here) bragged extensively about how he exploited that very weakness to compromise several servers. Sascha certainly knows, it's up to him/her to change the documentation.

Normally the .htaccess file keeps those files safe from prying eyes, but unfortunately not all hosts support its use. Unfortunately, practically any script you try to run; whether it's a server rpc script such as RCP, an image gallery, or a forum; simply states in its instructions to use CHMOD 777 on all the appropriate files -- without any consideration of the potential security risks.

For what it's worth, there's an easy test to check RCP's security... just try to access the /xml/admins.xml file from your browser. If you can access it, you need to remove the read rights.

Re: Permission denied

Posted: 16 Oct 2009 11:32
by hal|Sascha
I changed the official docs here: http://www.tmbase.de/V6/docs/install4/
There is also an "important information" part that tells you about the security issue with *.xml files.

If you really want to secure your RCP install, you should also have a look into the file /includes/core.class.php
There is a code line like this:

self::$instance->storeSetting('xmlpath', './xml/');

There you're able to change the xml path. Should also increase security a little bit :)
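
A local check to go with the permission advice in this thread, as an added example that is not part of any post or of remoteCP itself: it reports when server.xml, admins.xml or groups.xml, or the directory holding them, grants read or write rights to "other". The function names are made up for this example, and the XML directory is passed in as an argument rather than assumed.

```shell
#!/bin/sh
# Added example (not remoteCP code): audit the XML config files named in the
# thread for rights granted to "other" (everyone). Read-only; changes nothing.

# Print the three "other" permission characters (e.g. "--x") of a path.
other_bits() {
    mode=$(ls -ld -- "$1" | cut -c1-10)   # e.g. -rwxrwx--x
    printf '%s\n' "${mode#???????}"       # drop file type, owner and group bits
}

# audit_rcp_xml DIR
# Prints one line per finding; the return status is the number of findings.
audit_rcp_xml() {
    dir=$1
    findings=0

    if [ ! -d "$dir" ]; then
        echo "NOT A DIRECTORY $dir"
        return 1
    fi

    # A world-writable directory lets any local user replace the files in it.
    case $(other_bits "$dir") in
        ?w?) echo "WORLD-WRITABLE dir $dir"; findings=$((findings + 1)) ;;
    esac

    for name in server.xml admins.xml groups.xml; do
        f=$dir/$name
        if [ ! -e "$f" ]; then
            echo "SKIP $f (not present)"   # informational, not counted
            continue
        fi
        bits=$(other_bits "$f")
        case $bits in
            r??) echo "WORLD-READABLE $f ($bits)"; findings=$((findings + 1)) ;;
        esac
        case $bits in
            ?w?) echo "WORLD-WRITABLE $f ($bits)"; findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}
```

Source the file and call `audit_rcp_xml` with the path of your remoteCP xml directory; a return status of 0 means none of the checked paths is readable or writable by "other". This only covers filesystem rights, so the browser test described above is still worth doing.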