Security problem
Hello,
I'm playing with security of my test box (centos 4.4, cpanel release). I just found one security problem... jail shell users can see content of /var/spool/mail and see list of usernames on server.
Maybe guys from cPanel already fix this issue, but I didn't found any solution yet. I don't know how should chmod work in this case, could system use mail's normal or not?
Thanks for advice.
Last edited by 1ONE; 04-20-2007 at 03:16 AM.
This would be a fine example of why I don't recommend any kind of shell access for users
and would avoid giving any SSH access to users, jailshell or otherwise.
Totally agree. I make it very clear from the start, no shell period. U no like, go bye bye..
Could some one explain, is there anything that could be done in shell that is impossible to do with perl/php?
/var/spool/mail is prefectly readable with a simple PHP script...
Maybe ... maybe not .... It depends on your PHP configuration.Originally Posted by maysoft
PHP has openbasedir, disable_functions, and/or safe mode protections
which could be mixed and matched as needed to block such activity.
In other words, PHP can be configured explicitly as to what a script
is and is not permitted to do on your server.
Directly in an SSH shell, such limitations are far more difficult to implement
I agree with you, but on other hand, users have they're needs and if you want to keep up with your competitors, then you need to offer shell as well.
But, does anyone have fix for this issue? cPanel guys?!? Anyone?
Shell
I've been in business for a while now, and I've NEVER given shell out, jail or otherwise. It's just too dangerous.
You need to ask your client(s) exactly why they need any type of shell. I've never found anybody with a hosting account that has come up with an answer good enough for me to break my rule yet.
That's a cop out! I directly own or otherwise have a top level executive role of
76 hosting companies and many of those names you would recognize ...
I additionally have more than 600 other host clients that are resellers, vds, or
dedicated clients operating their hosting business under our network brands ...
NONE OF US ALLOW ANY KIND OF SHELL ACCESS WHATSOEVER!
Those newbie hosts out there who do allow shell usually don't last very long.
The few of those same hosts who survive are almost always the very ones who
wised up and changed their policy regarding shell access.
And in the extremely rare instance that they might actually find a legitimate need,You need to ask your client(s) exactly why they need any type of shell. I've never found anybody with a hosting account that has come up with an answer good enough for me to break my rule yet.
it is usually to set something up that would be better if an administrator of the server
did on their behalf. And given that, the client still doesn't need any shell access!
Last edited by Spiral; 04-23-2007 at 11:15 PM.
cpanel doesn't use /var/spool/mail so you could just chmod it 0700
We offer shell to people we know well. Well means that we know them personally or we know someone who knows them personally. They also have to have a good reason for shell access. This adds up to about 1 in 100 clients overall for us.
We don't advertise that we offer shell access. I wouldn't offer it if I wasn't an experienced Unix admin, you'd be crazy to offer it otherwise.
Well if you secure your server properly, I think it is safe to give shell to your users if they got reasonable explanation. Mostly users need they're shell to untar some file or something similar. wget, lynx, and other stuff I forbid them to use (there is nice lil' tool called LES - http://www.rfxnetworks.com/les.php)
@cpanelnick - can I chmod 700 /var/spool , because I see some folders there which I think users should not see.
Thanks’ for advice !
LinkBack URL
About LinkBacks
Reply With Quote