  1. #1
    Member
    Join Date
    Nov 2010
    Posts
    17

    Security concerns with FTP for user accounts.

    I have a dedicated WHM/cPanel server. When I create an account using WHM for someone and give them access to their own cPanel and FTP account, they can still navigate the server directories and glean information.

    I even noticed the /tmp directory with (777) permissions as well as the /script directory as 777. Can they delete or alter that?

    An attacker can figure out certain things about the system. E.g., the mail folder shows all the accounts on the system.
    Otherwise where's the security here? Even the 2nd drive is visible and they can see the directories (although can't navigate inside them).

    Is there a way to block cPanel users from navigating outside of their /home/{user} folder?


    Thanks.

  2. #2
    cPanel Staff cPanelTristan
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    6,305
    cPanel/Enkompass Access Level

    Root Administrator

    Re: Security concerns with FTP for user accounts.

    How could they navigate directories outside of their own precisely without jailed shell or shell access? For /tmp, it has 1777 permissions, which only allows them to add files and folders for their own username due to the 1 permission (1 is the sticky bit).

    The /scripts directory is owned by root:root and symlinked to /usr/local/cpanel/scripts location:

    Code:
    root@host [~]# ls -ld /scripts
    lrwxrwxrwx 1 root root 25 Jun 18 21:38 /scripts -> /usr/local/cpanel/scripts/
    Code:
    root@host [/usr/local/cpanel]# ls -ld scripts
    drwxr-xr-x 4 root root 32768 Jun 23 15:24 scripts/
    Code:
    root@host [/usr/local/cpanel]# stat scripts
      File: `scripts'
      Size: 32768     	Blocks: 64         IO Block: 4096   directory
    Device: 4ah/74d	Inode: 130813730   Links: 4
    Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
    Access: 2011-06-30 05:37:01.000000000 -0700
    Modify: 2011-06-23 15:24:48.000000000 -0700
    Change: 2011-06-23 15:24:48.000000000 -0700
    I'm a bit confused where 777 comes into play here. A symlink doesn't have actual file permissions; the file permissions are those of the /usr/local/cpanel/scripts directory, which is 755.

    Please provide an example of how a user without shell access has actual access to navigate these directories.

    Thanks!
    -- Tristan, Forums Technical Analyst, cPanel Tech Support
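
The two permission readings in post #2 (the sticky bit on a 1777 /tmp, and a symlink's lrwxrwxrwx versus its 755 target) as an added shell example; it is not part of the original thread and not cPanel's code. It assumes GNU coreutils `stat`, and the function names and the temporary directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU coreutils `stat`, as on a
# Linux cPanel host. All paths below are constructed in a temp directory.

# audit_path PATH -> "<kind> <effective-mode> <verdict>"
# The mode is read through symlinks (stat -L), because access checks use the
# target's permissions, not the link's own lrwxrwxrwx.
audit_path() {
    ap_path=$1
    ap_kind=path
    [ -e "$ap_path" ] || { echo "missing"; return 1; }
    [ -L "$ap_path" ] && ap_kind=symlink
    ap_mode=$(stat -L -c '%a' -- "$ap_path") || return 1
    ap_other=${ap_mode#"${ap_mode%?}"}      # last octal digit = "other" class
    case $ap_other in
        2|3|6|7)                             # write bit set for everyone
            if [ -d "$ap_path" ] && [ -k "$ap_path" ]; then
                echo "$ap_kind $ap_mode world-writable-sticky"
            else
                echo "$ap_kind $ap_mode world-writable-unprotected"
            fi ;;
        *)  echo "$ap_kind $ap_mode not-world-writable" ;;
    esac
}

# build_sample_tree -> prints the path of a constructed directory tree that
# mirrors the thread: a 1777 tmp, a 0755 scripts dir behind a symlink, and a
# plain 0777 directory for contrast.
build_sample_tree() {
    bt_root=$(mktemp -d) || return 1
    mkdir "$bt_root/tmp" "$bt_root/real_scripts" "$bt_root/open"
    chmod 1777 "$bt_root/tmp"
    chmod 0755 "$bt_root/real_scripts"
    chmod 0777 "$bt_root/open"
    ln -s "$bt_root/real_scripts" "$bt_root/scripts"
    echo "$bt_root"
}

sample=$(build_sample_tree)
for name in tmp scripts open; do
    printf '%-8s %s\n' "$name" "$(audit_path "$sample/$name")"
done
rm -rf "$sample"
```

Only the `world-writable-unprotected` verdict marks a directory where one account could remove or rename another account's files.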


  3. #3
    Member
    Join Date
    Nov 2010
    Posts
    17

    Re: Security concerns with FTP for user accounts.

    Ok, I jailed the user in WHM. Didn't know it could be done there. Only basic directories show. Seems to be what I want.

    Thanks
