#1 (permalink)  
Old 09-07-2005, 09:48 AM
Registered User
 
Join Date: Nov 2003
Location: India
Posts: 153
amal
A small suggestion to cpanel regarding nobody permissions.. :)

Hi,

It would be nice to prevent the user nobody from having access to some powerful binaries like perl. I have done this on one of my servers and the only thing that didn't work was the cpanel and whm redirect.. that is domain.com/whm and domain.com/cpanel URLs...

Now, my question is "Is there any way to make the domain.com/whm redirect work without giving execute permissions for user - nobody on perl binary?"

Thanks in Advance..

#####

Regards,
Amal.
  #2 (permalink)  
Old 09-07-2005, 12:58 PM
Moderator
 
Join Date: Jun 2002
Location: Go on, have a guess
Posts: 13,495
chirpy
Not really possible because there are people who disable SUEXEC and then all perl scripts are run as nobody. The real problem is the crappy php security model (or extreme lack of it) which I've never been able to fathom considering the whole point of php is as a language for web sites. Ah well.
__________________
Jonathan Michaelson
cPanel Forum Moderator

Need your cPanel servers secured and tuned?
cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
http://www.configserver.com
  #3 (permalink)  
Old 09-07-2005, 02:21 PM
Registered User
 
Join Date: Nov 2003
Location: India
Posts: 153
amal

Quote:
Originally Posted by chirpy
Not really possible because there are people who disable SUEXEC and then all perl scripts are run as nobody.
But, if there is an option for only those users who use suexec, it would have been very nice, considering the wide range of security exploits by allowing nobody to have execute permissions on powerful binaries - especially perl...

The people who do not want suexec can continue that way..

What I'm trying to suggest is to bring in an option like - "switch to secure mode" where nobody has got restricted access..

I really appreciate your thoughts on it...

Quote:
Originally Posted by chirpy
The real problem is the crappy php security model (or extreme lack of it) which I've never been able to fathom considering the whole point of php is as a language for web sites. Ah well.
And yeah, I agree with that..
  #4 (permalink)  
Old 09-07-2005, 03:13 PM
Registered User
 
Join Date: Dec 2003
Posts: 4
shameer
I think this would be easier in the near future when SELinux becomes popular. It provides the administrator with a lot of flexibility once mastered.
I think we now have two options.

1) Replace the binary with dummy scripts which check for the user ( may terribly affect performance )
2) Put users in a system group which can execute these binaries and remove permission for others.

Both of these methods can cause more headache than the current situation. But these are the ones I can think of now.
Anyway what I do is

install mod_security
remove permissions for usual downloading tools ( like wget lynx )

and I find these two steps help me to fight against nobody getting shell

Cheers
Shameer
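
An added example, not part of any post in this thread: a POSIX shell sketch of option 2 above that reports which of the tools named in the posts (perl, wget, lynx, curl) are still executable by "others" and provides a helper to restrict one to a group. The function names and the group name `trusted` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): audit and apply "group-only execute".
# Tool names are the ones the posts mention; the group is a placeholder.

# Succeeds if "others" hold the execute bit on $1 (symlinks are followed).
world_exec() {
    [ -n "$(find -L "$1" -prune -perm -0001 2>/dev/null)" ]
}

# Print the path of each named tool on PATH that "others" can still execute.
audit_tools() {
    for name in "$@"; do
        path=$(command -v "$name" 2>/dev/null) || continue
        case $path in /*) ;; *) continue ;; esac   # skip builtins and aliases
        if world_exec "$path"; then
            printf '%s\n' "$path"
        fi
    done
    return 0
}

# Give $1 to group $2 and drop every permission for "others" (mode 0750).
# The account that runs web scripts (nobody here) must not be in that group.
restrict_to_group() {
    chgrp "$2" "$1" && chmod 0750 "$1"
}

# Report only; nothing is changed unless restrict_to_group is called, e.g.
#   restrict_to_group /usr/bin/wget trusted    # "trusted" is hypothetical
audit_tools perl wget lynx curl
```

Package updates can put the original file mode back, so the audit is worth re-running after each update. Post #5 in this thread reports that with perl restricted this way the domain/cpanel and domain/whm redirects stop working while ports 2082 and 2086 still do.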
  #5 (permalink)  
Old 09-07-2005, 03:23 PM
Registered User
 
Join Date: Nov 2003
Location: India
Posts: 153
amal
Quote:
Originally Posted by shameer
2) Put users in a system group which can execute these binaries and remove permission for others.

Both of these methods can cause more headache than current situation. But these are the ones I can think of now.
Anyway what I do is
I have already tried that; it's very nice, except for the http://domain/cpanel and http://domain/whm. These links will work only if nobody has got execute permissions to the perl binary. But the domain:2082 and domain:2086 links will work without any problem... I think it becomes a problem only when the redirect.cgi is used by cpanel..

If there is something that cpanel can do about it, it would be really, really great

Quote:
Originally Posted by shameer

remove permissions for usual downloading tools ( like wget lynx )
Some of the users even use curl to download scripts to the server.

Thanks for your reply, Shameer
  #6 (permalink)  
Old 09-07-2005, 03:42 PM
Registered User
 
Join Date: Dec 2003
Posts: 4
shameer
Then we need to play with ld ( linker/loader )
File open system calls are first passed through this library. We should be able to identify and filter such attacks

http://lists.nas.nasa.gov/archives/e.../msg00027.html

I am currently doing a project which deals with modification of ld. I will give you more information once I have completed that. In the meantime, if you are confident with C and Linux you should be able to implement a filter yourself.
Best of Luck



Cheers,
Shameer
Bobcares