A small suggestion to cpanel regarding nobody permissions.. :)

amal

Well-Known Member
Nov 22, 2003
155
0
166
India
cPanel Access Level
Root Administrator
Hi,

It would be nice to prevent the user nobody from having access to some powerful binaries like perl. I have done this on one of my servers, and the only thing that didn't work was the cpanel and whm redirect.. that is, the domain.com/whm and domain.com/cpanel URLs...

Now, my question is "Is there any way to make the domain.com/whm redirect work without giving execute permissions for user - nobody on the perl binary?"

Thanks in Advance.. :)


Regards,
Amal.
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
13,437
33
473
Go on, have a guess
Not really possible because there are people who disable SUEXEC and then all perl scripts are run as nobody. The real problem is the crappy php security model (or extreme lack of it) which I've never been able to fathom considering the whole point of php is as a language for web sites. Ah well.
 

amal

chirpy said:
Not really possible because there are people who disable SUEXEC and then all perl scripts are run as nobody.
But, if there is an option for only those users who use suexec, it would have been very nice, considering the wide range of security exploits by allowing nobody to have execute permissions on powerful binaries - especially perl. .. :)

The people who do not want suexec can continue that way..

What I'm trying to suggest is to bring in an option like - "switch to secure mode" where nobody has got restricted access..

I really appreciate your thoughts on it... :)

chirpy said:
The real problem is the crappy php security model (or extreme lack of it) which I've never been able to fathom considering the whole point of php is as a language for web sites. Ah well.
And yeah, I agree with that.. :)
 

shameer

Registered
Dec 1, 2003
4
0
151
I think this would be easier in the near future when SE Linux becomes popular. It provides the administrator with a lot of flexibility once mastered :p
I think we now have two options.

1) Replace the binary with dummy scripts which check for the user (may terribly affect performance)
2) Put users in a system group which can execute these binaries and remove permission for others.

Both of these methods can cause more headache than current situation. But these are the ones I can think of now.
Anyway what I do is

install mod_security
remove permissions for usual downloading tools ( like wget lynx )

and I find these two steps help me to fight against nobody getting shell

Cheers
Shameer
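
An added example, not part of any post in this thread: a shell audit for the group-based option above, reporting whether a binary is executable by everyone (and so by nobody), by its group only, or not at all. The group name scriptusers and the function names are hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example. TRUSTED_GROUP is a hypothetical group holding the accounts
# that may still run the restricted binaries; nobody must not be a member.
TRUSTED_GROUP="${TRUSTED_GROUP:-scriptusers}"

# Print "open" (world-executable, so nobody can run it), "group-only",
# "closed" or "missing" for one path. Symlinks are followed (-L) because
# perl and friends are often installed as links.
exec_exposure() {
    f=$1
    [ -e "$f" ] || { echo "missing"; return 0; }
    mode="00$(stat -L -c '%a' "$f")"      # pad so both digits always exist
    other=${mode#"${mode%?}"}             # last octal digit: "other" bits
    rest=${mode%?}
    group=${rest#"${rest%?}"}             # second-to-last digit: group bits
    case "$other" in
        1|3|5|7) echo "open"; return 0 ;;
    esac
    case "$group" in
        1|3|5|7) echo "group-only" ;;
        *)       echo "closed" ;;
    esac
}

# Apply the restriction: owner and TRUSTED_GROUP may execute, others may not.
restrict_binary() {
    chgrp "$TRUSTED_GROUP" "$1" && chmod 750 "$1"
}

# Read-only report for the tools named in the thread.
audit_binaries() {
    for b in "$@"; do
        p=$(command -v "$b" 2>/dev/null) || { echo "$b: not installed"; continue; }
        echo "$b ($p): $(exec_exposure "$p")"
    done
}

audit_binaries perl wget lynx curl
```

Run as shipped, the script only reports; restrict_binary changes nothing until it is called on a path. As noted earlier in the thread, with suEXEC disabled perl scripts run as nobody, so restricting perl this way stops them from running.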
 

amal

shameer said:
2) Put users in a system group which can execute these binaries and remove permission for others.

Both of these methods can cause more headache than current situation. But these are the ones I can think of now.
Anyway what I do is
I have already tried that; it's very nice, except for http://domain/cpanel and http://domain/whm. These links will work only if nobody has got execute permissions on the perl binary. But the domain:2082 and domain:2086 links will work without any problem... I think it becomes a problem only when the redirect.cgi is used by cpanel.. :(

If there is something that cpanel can do about it, it would be really, really great :)

shameer said:
remove permissions for usual downloading tools ( like wget lynx )
Some of the users even use curl to download scripts to the server. :(

Thanks for your reply, Shameer
 

shameer

Then we need to play with ld (linker/loader).
File open system calls are first passed through this library. We should be able to identify and filter such attacks.

http://lists.nas.nasa.gov/archives/ext/linux-security-audit/2000/01/msg00027.html

I am currently doing a project which deals with modification of ld. I will give you more information once I have completed that. In the meantime, if you are confident with C and Linux you should be able to implement a filter yourself.
Best of luck



Cheers,
Shameer
Bobcares