Chmod 000 c compilers

**iago** · 03-11-2003 04:23 PM

A user at WHT (Admin0) suggested to chmod 000 the c compilers on a cpanel server (chmod 000 *cc*) so, in the event that script kiddie upload an exploit to the tmp directory he would not be able to compile it.

Then just chmod back to 700 when i need to compile something. I dont give away shell access to my clients, and the ones that have this kind of access dont requiere to compile programs.

I know i have to chmod to 700 when running scripts like buildapache that need the compilers, but, what about the autoupdates features.

Does this autoupdate needs the compiler in some way? or does it installs just binaries or rpms?

If the autoupdate feature requires access to the compiler i was thinking to do the following: turn the update options to manual and chmod 000 the compiler, and chmod back to 700 to run the update option.

Hope a cpanel support tech or an experienced user could shed some light on this.

Regards

**Radio_Head** · 05-15-2003 02:28 PM

It seems that cpanel does not use gcc or other c compilers .
It uses a cpanel gcc compiler on /root . And if the hacker uses the
gcc compiler usued by cpanel ?

**buckarootimb** · 05-16-2003 10:02 AM

Originally posted by Radio_Head
It seems that cpanel does not use gcc or other c compilers .
It uses a cpanel gcc compiler on /root . And if the hacker uses the
gcc compiler usued by cpanel ?

Hi, Radio_Head,

I've seen other of your posts, and you seemed to know your way around town.

But what you say here conflicts with my experience.

I have had several situations where I turned off compilers for an extended time. During that time, cpanel can update most packages just fine, because most packages are rpms which do not recquire compilation.

However, there are some packages which do require compilation. For example some of the perl stuff. On those days I get the usual cpanel nightly email and I can see the attempt to compile and I can see that it failed.

So, in that case, the next day I turned on the compilers and ran the cpanel update command and everything updated just fine. Then turned off the compilers again, and next night cpanel made no further attempt to update that package because it was already updated.

(The cpanel update command is either upcp or cpup, something like that. It's listed right at the beginning of the cpanel nightly email, but I don't have one handy to look it up.)

Anyway, Radio_Head, I don't think this seems much like cpanel is using its own compilers. If so, why would nightly compilation break when *my* compiler is deactivated?

Much or all cpanel compilation (using my compilers) does seem to take place IN the root directory, but I've not seen any compilers in there. (Of course, maybe I don't know where or how to look!)

Of course, I am still very interested to know why you believe that cpanel has its own compilers. So I would be thankful if you could tell me what led you to say they had their own compiler in /root?

**Radio_Head** · 05-16-2003 10:24 AM

Originally posted by buckarootimb
Hi, Radio_Head,

I've seen other of your posts, and you seemed to know your way around town.

But what you say here conflicts with my experience.

I have had several situations where I turned off compilers for an extended time. During that time, cpanel can update most packages just fine, because most packages are rpms which do not recquire compilation.

However, there are some packages which do require compilation. For example some of the perl stuff. On those days I get the usual cpanel nightly email and I can see the attempt to compile and I can see that it failed.

So, in that case, the next day I turned on the compilers and ran the cpanel update command and everything updated just fine. Then turned off the compilers again, and next night cpanel made no further attempt to update that package because it was already updated.

(The cpanel update command is either upcp or cpup, something like that. It's listed right at the beginning of the cpanel nightly email, but I don't have one handy to look it up.)

Anyway, Radio_Head, I don't think this seems much like cpanel is using its own compilers. If so, why would nightly compilation break when *my* compiler is deactivated?

Much or all cpanel compilation (using my compilers) does seem to take place IN the root directory, but I've not seen any compilers in there. (Of course, maybe I don't know where or how to look!)

Of course, I am still very interested to know why you believe that cpanel has its own compilers. So I would be thankful if you could tell me what led you to say they had their own compiler in /root?

you are right . I was confused from this script

scripts/checkccompiler

Code:

system("gcc /root/cpanel-gcc-test.c -o /root/cpanel-gcc-test 2>/dev/null");
unlink("/root/cpanel-gcc-test.c");
$compilerworks = `/root/cpanel-gcc-test 2>/dev/null`;
if ($compilerworks !~ /C Compiler Works/i) {
#       print "The C Compiler is Broken\n";
        system("/scripts/fixheaders");
#       print "The C Compiler has been Repaired!\n";
}
unlink("/root/cpanel-gcc-test");

At first , I was thinking that cpanel-gcc-test was a Cpanel c compiler
but I was wrong , it only a c file to test if gcc works .
So , cpanel needs gcc on /usr/bin .

Doing only MANUAL cpanel updates and executing
#chmod 700 /usr/bin/*cc* before updating
and #chmod 000 /usr/bin/*cc* after the update I think
it's a good way to sleep better ...

I disable also
#chmod 000 /usr/bin/*++* (c++ compilers)

About red hat updates...
Do you think that the installation redhat rpm packages needs c compiler activated (I suppose yes) ?

**Radio_Head** · 05-16-2003 11:11 AM

suppose the hacker is able to execute

/scripts/fixheaders

it re-enable the compilers .... or am I wrong .?

**buckarootimb** · 05-17-2003 11:35 AM

Hi, Radio_Head,

You got me there. I don't know. But I'd guess that a minute and a half on your server with a simple experiment would reveal the answer!

If you are checking to see, also su to some ordinary user, and see if the script can be run by an ordinary user.

Because if the guy is root, of course he can enable the compilers any way he wants, no?

**FWC** · 05-17-2003 01:17 PM

Originally posted by Radio_Head
suppose the hacker is able to execute

/scripts/fixheaders

it re-enable the compilers .... or am I wrong .?

/scripts/fixheaders is set by default to 700. The hacker can't run it unless he already has root. And if he does...

**iago** · 05-17-2003 04:32 PM

if you want further information on this topic just visit:

http://admin0.net

regards

**shaun** · 05-17-2003 10:41 PM

Dont 000 your compilers... use 700 if your going to chmod them....

**sexy_guy** · 05-18-2003 12:30 AM

Actually is that really correct? Im running phpsuexec. I found all /usr/bin/*cc* chmod to 755 before i did chmod 000 on them!

**sexy_guy** · 05-18-2003 12:30 AM

Originally posted by shaun
Dont 000 your compilers... use 700 if your going to chmod them....

Why is that?

**shaun** · 05-18-2003 01:32 AM

cuz anybody who can run it with 700 perms can chmod 700 it just as easily... if sombody can run it as 700 you have bigger problems...

LinkBack

Thread Tools