A user can access all account :(

[masood]

[quote:301102d68e][i:301102d68e]Originally posted by (SH)Saeed[/i:301102d68e]

[quote:301102d68e][i:301102d68e]Originally posted by masood[/i:301102d68e]

Even if you just provide FTP account, all user files are open to read by anyone with an FTP account :p

that means all db passwords as well in php files :p[/quote:301102d68e]

That's not true. If you set a users FTP root directory to /home/user then they can not read /home or any other directory outside of /home/user.[/quote:301102d68e]

Give me an FTP account on your server and I'll show you how You don't need &FTP& to exploit this. There are many other ways :p

Unless someone uses the solution I have suggested, you CAN NOT PROTECT any files in user directories.

:-((((

 

[moronhead]

[quote:832de732e2][i:832de732e2]Originally posted by masood[/i:832de732e2]

SOLUTION:

for (a) php-cgiwrap
for (b) zend_optimizer or cpanel directories to be read only by &cpanel& user.
[/quote:832de732e2]
php-cgiwrap seems to be needing php.cgi and I'm not sure if cpanel servers install this.

 

[masood]

I'm just trying to install php-cgiwrap but no luck yet :p

php.cgi is pretty easy to install. but php-cgiwrap :-((((((

 

[moronhead]

[quote:46bcf41394][i:46bcf41394]Originally posted by masood[/i:46bcf41394]

php.cgi is pretty easy to install[/quote:46bcf41394]
How did you manage that?

I'd advise everyone to enable safe_mode in their php.ini. Otherwise any user can easily read your server's config files and even the /etc/password file without too much difficulty. You can then disable safe_mode for a virtual host if needed.

 

[masood]

[quote:f52f9e0d9d][i:f52f9e0d9d]Originally posted by moronhead[/i:f52f9e0d9d]

[quote:f52f9e0d9d][i:f52f9e0d9d]Originally posted by masood[/i:f52f9e0d9d]

php.cgi is pretty easy to install[/quote:f52f9e0d9d]
How did you manage that?

[/quote:f52f9e0d9d]

1) download tar.gz from php.net
2) tar zxvf ...tar.gz
3) cd php...
4) ./configure --with-config-file-path=whereever_you_want --with-mysql --prefix=the_dir_where_you_want_to_install
5) make install

 

[SHSaeed]

[quote:8f3049228c][i:8f3049228c]Originally posted by moronhead[/i:8f3049228c]

I'd advise everyone to enable safe_mode in their php.ini. Otherwise any user can easily read your server's config files and even the /etc/password file without too much difficulty. You can then disable safe_mode for a virtual host if needed. [/quote:8f3049228c]

safe_mode disables some PHP functions and causes a lot of headache. Instead, I've modified /scripts/wwwacct to add an open_basedir to all new accounts upon creation. This way you lock the user in their own homedir without taking away PHP functions or having any problems what so ever.

 

[moronhead]

& 4) ./configure --with-config-file-path=whereever_you_want --with-mysql -- prefix=the_dir_where_you_want_to_install
& 5) make install

Ah, so php needs a second install as a cgi in addition to the DSO module then. And you didn't have have to do &make& before &make install&?

 

[moronhead]

[quote:1790c54618][i:1790c54618]Originally posted by (SH)Saeed[/i:1790c54618]

[quote:1790c54618][i:1790c54618]Originally posted by moronhead[/i:1790c54618]

I'd advise everyone to enable safe_mode in their php.ini. Otherwise any user can easily read your server's config files and even the /etc/password file without too much difficulty. You can then disable safe_mode for a virtual host if needed. [/quote:1790c54618]

safe_mode disables some PHP functions and causes a lot of headache. Instead, I've modified /scripts/wwwacct to add an open_basedir to all new accounts upon creation. This way you lock the user in their own homedir without taking away PHP functions or having any problems what so ever.[/quote:1790c54618]
No problems with safe_mode = OFF so far. Most of the disabled functions are the ones that open the server to misuse. The open_basedir solution is a good one too if you really want safe_mode disabled server-wide.

 

[Curt]

[quote:cd21e340f8][i:cd21e340f8]Originally posted by moronhead[/i:cd21e340f8]

[quote:cd21e340f8][i:cd21e340f8]Originally posted by masood[/i:cd21e340f8]

php.cgi is pretty easy to install[/quote:cd21e340f8]
How did you manage that?

I'd advise everyone to enable safe_mode in their php.ini. Otherwise any user can easily read your server's config files and even the /etc/password file without too much difficulty. You can then disable safe_mode for a virtual host if needed. [/quote:cd21e340f8]

Norman,
How do you go about disabling safemode for a individual account?

Thanks!

 

[furquan]

[i:185ce8cede]Originally posted by (SH)Saeed[/i:185ce8cede]

[quote:185ce8cede][i:185ce8cede]Originally posted by moronhead[/i:185ce8cede]
safe_mode disables some PHP functions and causes a lot of headache. Instead, I've modified /scripts/wwwacct to add an open_basedir to all new accounts upon creation. This way you lock the user in their own homedir without taking away PHP functions or having any problems what so ever.[/quote:185ce8cede]

Saeed could u explain this in detai as to how u have done this ?

regards/-

 

[mnt]

evil php.cgi

0. ftp to user

1. put evil_php (compiled --with-config-file-path=/home/user) to /cgi-bin

2. put php.ini (with safe mode = off) to /home/user

3. put .htaccess to /home/user/www (with Action evil_php /cgi-bin/evil_php and AddHandler evil_php .xxx)

4. put php_read_others_passwd.xxx to /home/user/www

5. http://userdomain/php_read_others_passwd.xxx

and enjoy

Can you run apache with &chmod o-rwx& for all users ?

 

[Radio_Head]

[quote:c337563e95][i:c337563e95]Originally posted by mnt[/i:c337563e95]

0. ftp to user

1. put evil_php (compiled --with-config-file-path=/home/user) to /cgi-bin

2. put php.ini (with safe mode = off) to /home/user

3. put .htaccess to /home/user/www (with Action evil_php /cgi-bin/evil_php and AddHandler evil_php .xxx)

4. put php_read_others_passwd.xxx to /home/user/www

5. http://userdomain/php_read_others_passwd.xxx

and enjoy

Can you run apache with &chmod o-rwx& for all users ?

[/quote:c337563e95]

I received only an Internal server error , can you explain better point 1) ?

 

[Juanra]

[quote:cd37d395b5][i:cd37d395b5]Originally posted by masood[/i:cd37d395b5]
On shared hosting listing /home is no concern for me, but

a) reading files of other users (like config.php with db passwords)
b) reading php code in /usr/local/cpanel/base/frontend/my_super_cool_php_theme

IS A NIGHTMARE for me!!!
[/quote:cd37d395b5]

Aie, yes...!

[quote:cd37d395b5]
The solution is available, but looks like unfortunately Cpanel does not use it!! (Except suExec for cgi scripts)

SOLUTION:

for (a) php-cgiwrap
for (b) zend_optimizer or cpanel directories to be read only by &cpanel& user.
[/quote:cd37d395b5]

What about Apache 2.0 perchild MPM? That's what we really need. Is this ready for us?

http://httpd.apache.org/docs-2.0/mod/perchild.html

 

[mnt]

to tech support cpanel

Answer what you think about this?

0. ftp to user

1. put evil_php (compiled --with-config-file-path=/home/user) to /cgi-bin

2. put php.ini (with safe mode = off) to /home/user

3. put .htaccess to /home/user/www (with Action evil_php /cgi-bin/evil_php and AddHandler evil_php .xxx)

4. put php_read_others_passwd.xxx to /home/user/www

5. http://userdomain/php_read_others_passwd.xxx

and enjoy

it's work on ALL cpanel servers!
Any person knowing ftp - username&pswd can get access to the information on other users

How it to repair?
Whether there are methods of blocking Action and AddHandler directives in .htaccess?

 

[Juanra]

[quote:6894347b80][i:6894347b80]Originally posted by mnt[/i:6894347b80]
Any person knowing ftp - username&pswd can get access to the information on other users

How it to repair?[/quote:6894347b80]

For starters, disabling cgi-bin altogether.

 

[Chern Ann]

[quote:9fc14cb0cc][i:9fc14cb0cc]Originally posted by (SH)Saeed[/i:9fc14cb0cc]
safe_mode disables some PHP functions and causes a lot of headache. Instead, I've modified /scripts/wwwacct to add an open_basedir to all new accounts upon creation. This way you lock the user in their own homedir without taking away PHP functions or having any problems what so ever.[/quote:9fc14cb0cc]

The problem with open_basedir is that it doesn't prevent the use of include. eg.
[code:1:9fc14cb0cc]
&?
include &/home/otheruser/public_html/config.inc.php&;
echo $dbpassword;
echo $dbuser;
etc etc
?&
[/code:1:9fc14cb0cc]
If you happen to know the other user has a standard installation of say, phpbb, postnuke, phpnuke, then it'd be pretty easy to get the database passwords out.

I'd personally globally turn safemode on, set open_basedir via the wwwacct script, then go in and turn safemode off for users where there's a medium trust level.

What would be good for a shared environment would be if php allowed the include/require function to be restrictable with a open_basedir like statement, but I understand this is no longer viewed as necessary when the Apache virtual host UID support rolls out.

@mnt, how many &advanced& users need or have written a custom cgi-executable? I agree that just turning off user-defined cgi completely and only allowing trusted users access.

 

[Juanra]

[quote:e5be8e708c][i:e5be8e708c]Originally posted by Chern Ann[/i:e5be8e708c]
I'd personally globally turn safemode on, set open_basedir via the wwwacct script, then go in and turn safemode off for users where there's a medium trust level.[/quote:e5be8e708c]

The problem with that is that you can't do the same thing with subdomains, or is there a way?

 

[dgbaker]

As I had stated in another post.

This is what we did and have found no problems so far. Users cannot view or execute another users directories.

NOTE: do only the directories not the quota files.
in /home
chgrp nobody *
chmod 750 *

This allows the owner full access, the webserver to read and excute and denies anyone else not even doing ls /home/username/public_html will work. They get &Permission denied&

 

[parhelic]

of course it would be nice if Cpanel would eliminate some of these security nightmares and just chroot jail every user automatically :p

 

[netarus]

Is there a way to 'chroot' people when they SSH in? This would eliminate the problem discussed in this thread. There is no reason for them to navigate outside of their home directory anyhow.