
Thread: Fix access to other users files from Apache - FollowSymLinks vs. SymLinksIfOwnerMatch

  1. #16
    Registered Member cPanel Partner NOC Badge
    Join Date
    Oct 2011
    Posts
    43
    cPanel Access Level

    Root Administrator

    Default Re: Fix access to other users files from Apache - FollowSymLinks vs. SymLin

    Quote Originally Posted by CoolMike View Post
    Hi

    Sorry for opening such an old posting, but I have exactly the same problem and I guess nearly everybody here has the same problem. Hackers can create symlinks to config files of other users and get MySQL login details like this. Did someone find a solution for this security problem without losing the functionality of Joomla and other CMS systems?
    Install this - http://forums.cpanel.net/f185/how-prevent-creating-symbolic-links-non-root-users-202242-p4.html#post996441

  2. #17
    Registered Member brianoz's Avatar
    Join Date
    Mar 2004
    Location
    Melbourne, Australia
    Posts
    1,155
    cPanel Access Level

    Root Administrator

    Default Re: Fix access to other users files from Apache - FollowSymLinks vs. SymLin

    The link posted above is the solution. It forces all FollowSymLinks settings to be SymLinksIfOwnerMatch. The patch is to EasyApache so that the setting change is compiled into Apache and can't be overridden from .htaccess.

    As someone else says in that thread, this is becoming really widespread; cPanel, hope you don't mind me saying that it's time you took notice and came up with a decent solution.
    White Dog Green Frog - web hosting and web development since 2002
    Blogs: SMB web use cPanel/WHM scripts

  3. #18
    cPanel Staff cPanelTristan's Avatar
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    7,611
    cPanel Access Level

    Root Administrator

    Default Re: Fix access to other users files from Apache - FollowSymLinks vs. SymLin

    Hello brianoz,

    Please post a feature request if you feel that this is something that needs to be revised or added. You can use Feature Requests for cPanel/WHM to post your own feature request.

    Thanks!
    -- Tristan, Technical Analyst III, Forums Specialist, cPanel Tech Support


  4. #19
    Registered Member rs-freddo's Avatar
    Join Date
    May 2003
    Location
    Australia
    Posts
    857
    cPanel Access Level

    Root Administrator

    Default Re: Fix access to other users files from Apache - FollowSymLinks vs. SymLin

    Have to bump this, on a server with suphp this should not be happening. Now I have to go change mysql passwords for a bunch of accounts.
    Michael

  5. #20
    Registered Member
    Join Date
    May 2006
    Location
    Johannesburg, South Africa
    Posts
    988
    cPanel Access Level

    Root Administrator

    Default Re: Fix access to other users files from Apache - FollowSymLinks vs. SymLin

    Quote Originally Posted by rs-freddo View Post
    Have to bump this, on a server with suphp this should not be happening. Now I have to go change mysql passwords for a bunch of accounts.
    Why do you need to change the MySQL passwords?

  6. #21
    Registered Member rs-freddo's Avatar
    Join Date
    May 2003
    Location
    Australia
    Posts
    857
    cPanel Access Level

    Root Administrator

    Default Re: Fix access to other users files from Apache - FollowSymLinks vs. SymLin

    Quote Originally Posted by SoftDux View Post
    Why do you need to change the MySQL passwords?
    Because a hacker broke into one account and read the mysql passwords for other accounts from their config files.
    Michael
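
An added example, not part of any post in this thread and not code from cPanel or from the linked patch: a Python audit an administrator could run over one account's document root to list symlinks whose owner differs from the owner of the target, which is the comparison SymLinksIfOwnerMatch makes. The names `audit_symlinks`, `Finding` and the injectable `target_uid` parameter are assumptions introduced here.

```python
import os
import stat
from typing import Callable, List, NamedTuple, Optional


class Finding(NamedTuple):
    link: str                  # path of the symlink
    target: str                # fully resolved target path
    link_uid: int              # owner of the symlink itself
    target_uid: Optional[int]  # owner of the target, None if it cannot be stat'ed


def _target_uid(path: str) -> Optional[int]:
    """Owner of whatever the link finally resolves to (follows symlinks)."""
    try:
        return os.stat(path).st_uid
    except OSError:
        return None  # dangling, looping or unreadable target


def audit_symlinks(docroot: str,
                   target_uid: Callable[[str], Optional[int]] = _target_uid
                   ) -> List[Finding]:
    """Return symlinks under docroot whose owner differs from the target's owner.

    `target_uid` is injectable (an assumption of this example) so the logic
    can be exercised without root privileges.
    """
    findings = []
    # followlinks=False: never descend through a link into another user's tree.
    for dirpath, dirnames, filenames in os.walk(docroot, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat describes the link, not its target
            except OSError:
                continue  # entry vanished while scanning
            if not stat.S_ISLNK(st.st_mode):
                continue
            owner = target_uid(path)
            if owner != st.st_uid:  # mismatch, or target could not be verified
                findings.append(
                    Finding(path, os.path.realpath(path), st.st_uid, owner))
    return findings


if __name__ == "__main__":
    import sys
    for f in audit_symlinks(sys.argv[1]):  # e.g. one account's document root
        print(f"{f.link} -> {f.target} (link uid {f.link_uid}, target uid {f.target_uid})")
```

Links whose target cannot be stat'ed are reported with a target uid of `None`, since their ownership cannot be confirmed.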
