
A small suggestion to cpanel regarding nobody permissions.. :)

Discussion in 'General Discussion' started by amal, Sep 7, 2005.

  1. amal

    Hi,

    It would be nice to prevent the user nobody from having access to some powerful binaries like perl. I have done this on one of my servers and the only thing that didn't work was the cpanel and whm redirect.. that is, the domain.com/whm and domain.com/cpanel URLs...

    Now, my question is "Is there any way to make the domain.com/whm redirect work without giving execute permissions for user nobody on the perl binary?"

    Thanks in Advance.. :)

    #####

    Regards,
    Amal.
     
  2. chirpy

    Not really possible because there are people who disable SUEXEC and then all perl scripts are run as nobody. The real problem is the crappy php security model (or extreme lack of it) which I've never been able to fathom considering the whole point of php is as a language for web sites. Ah well.
     
  3. amal

    But, if there is an option for only those users who use suexec, it would have been very nice, considering the wide range of security exploits made possible by allowing nobody to have execute permissions on powerful binaries - especially perl... :)

    The people who do not want suexec can continue that way..

    What I'm trying to suggest is to bring in an option like - "switch to secure mode" where nobody has got restricted access..

    I really appreciate your thoughts on it... :)

    And yeah, I agree with that.. :)
     
  4. shameer

    I think this would be easier in the near future when SELinux becomes popular. It provides the administrator with a lot of flexibility once mastered :p
    I think we now have two options.

    1) Replace the binary with dummy scripts which check for the user (may terribly affect performance)
    2) Put users in a system group which can execute these binaries and remove permission for others.

    Both of these methods can cause more headache than the current situation. But these are the ones I can think of now.
    Anyway, what I do is

    install mod_security
    remove permissions for usual downloading tools (like wget, lynx)

    and I find these two steps help me to fight against nobody getting a shell

    Cheers
    Shameer
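
An added illustration of option 2 in the post above (a group that may execute the binaries, with permission removed for others); it is not code from the thread or from cPanel, and the group name and binary paths passed in are assumptions:

```shell
#!/bin/sh
# Added example, not from the thread. GROUP and the paths passed in are
# assumptions; nothing is changed unless restrict_binary is called.

# world_exec FILE: succeeds if "other" holds the execute bit. User nobody is
# normally neither owner nor group member of a system binary, so this is the
# bit that lets it run the file. -L resolves symlinked binaries first.
world_exec() {
    [ -n "$(find -L "$1" -prune -perm -001 2>/dev/null)" ]
}

# audit_binaries FILE...: print one status line per path.
audit_binaries() {
    for bin in "$@"; do
        if [ ! -e "$bin" ]; then
            echo "missing     $bin"
        elif world_exec "$bin"; then
            echo "world-exec  $bin"
        else
            echo "restricted  $bin"
        fi
    done
}

# restrict_binary GROUP FILE: give the file to GROUP, let that group run it,
# and remove every permission for "other". Owner rwx bits are left as they are.
restrict_binary() {
    chgrp "$1" "$2" && chmod g+rx,o-rwx "$2"
}

# Run as: sh audit.sh /usr/bin/perl /usr/bin/wget /usr/bin/lynx /usr/bin/curl
if [ "$#" -gt 0 ]; then
    audit_binaries "$@"
fi
```

As amal reports in this thread, the domain.com/cpanel and domain.com/whm redirects stop working once nobody cannot execute perl, so run the audit before and after restricting anything.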
     
  5. amal

    I have already tried that; it's very nice, except for the http://domain/cpanel and http://domain/whm. These links will work only if nobody has got execute permissions to the perl binary. But the domain:2082 and domain:2086 links will work without any problem... I think it becomes a problem only when the redirect.cgi is used by cpanel.. :(

    If there is something that cpanel can do about it, it would be really, really great :)

    Some of the users even use curl to download scripts to the server. :(

    Thanks for your reply, Shameer
     
  6. shameer

    Then we need to play with ld (linker/loader).
    File open system calls are first passed through this library. We should be able to identify and filter such attacks

    http://lists.nas.nasa.gov/archives/ext/linux-security-audit/2000/01/msg00027.html

    I am currently doing a project which deals with modification of ld. I will give you more information once I have completed that. In the meantime, if you are confident with C and Linux you should be able to implement a filter yourself.
    Best of Luck



    Cheers,
    Shameer
    Bobcares
     