Security of accounts on cpanel servers.

**numberonehost** · 05-28-2006 06:02 PM

If a cpanel server is running PHP as a module in Apache I will be able to read/edit other peoples files if (assuming that apache runs with user nobody):
I upload a CGI/PHP script so that it is owned by user nobody. PHP will then be restricted by safe_mode or open_basedir, but CGI will not be restricted by anything. If another account on the same server has files owned by user nobody, I will have full access to these using CGI (and might have access with PHP depending on safe_mode/open_basedir).

Are my assumtions correct? I'm writing a master thesis so I would really appreciate if anyone could reply

**cooldude7273** · 05-28-2006 07:57 PM

Off topic, but I am the Number1Host

**dgbaker** · 05-28-2006 07:59 PM

Originally Posted by cooldude7273

Off topic, but I am the Number1Host

Why did you not register it?

**cooldude7273** · 05-28-2006 08:03 PM

Originally Posted by dgbaker

Why did you not register it?

I don't think I was Number1Host when I signed up here, not a big deal to me though.

**numberonehost** · 05-28-2006 08:07 PM

Well I registered in Apr 2003 with that nick (and domain) so I think I was before you

Though we have changed name since then.

But on topic, someone here able to answer?

**pilot51198** · 05-28-2006 08:15 PM

Originally Posted by numberonehost

If a cpanel server is running PHP as a module in Apache I will be able to read/edit other peoples files if (assuming that apache runs with user nobody):
I upload a CGI/PHP script so that it is owned by user nobody. PHP will then be restricted by safe_mode or open_basedir, but CGI will not be restricted by anything. If another account on the same server has files owned by user nobody, I will have full access to these using CGI (and might have access with PHP depending on safe_mode/open_basedir).

Are my assumtions correct? I'm writing a master thesis so I would really appreciate if anyone could reply

I think you're correct. Of course this is basing upon simular ways I do this. Although not too sure about every single detail with 'safe_mode/open_basedir' . Since I prefer to let my clients edit their own files and their sites, I find myself just leaving things alone.

Originally Posted by cooldude7273

Off topic, but I am the Number1Host

Lol, I thought I was the World's Number 1 hosting Company. Well, I'm at least one of the best in support.... oh well, btw nice site you have there numberonehost!

**cooldude7273** · 05-28-2006 08:19 PM

Nonono, you see, I am the Number1Host

See?

**numberonehost** · 05-29-2006 11:43 AM

btw nice site you have there numberonehost!

Thanks

BTW I got forbidden on your pages?

So this is basically possible:
If a file "file" in
/home/userA/public_html/file
is owned by nobody and a directory "dir" in
/home/userB/public_html/dir
is owned by nobody (and all the subdirs and files), then userA would have access to everything within directory dir of userB?

**cooldude7273** · 05-29-2006 11:51 AM

As long as you have open_basedir enabled, you won't have a problem.

**chirpy** · 05-29-2006 12:18 PM

That's not true. If you have open_basedir enabled it makes it a tiny bit more tricky, but it's trivial to bypass.

**cooldude7273** · 05-29-2006 01:31 PM

^^ What he said. Chirpy > cooldude

**numberonehost** · 05-29-2006 02:36 PM

So to sum up my assumtion is correct?

Thank you all for your answers so far

LinkBack

Thread Tools