The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

advanced security

Discussion in 'Security' started by khorinis, Dec 26, 2010.

  1. khorinis

    khorinis Well-Known Member

    Joined:
    Aug 15, 2010
    Messages:
    65
    Likes Received:
    0
    Trophy Points:
    6
    Hello,
    i got 2 ideas for improve the security of cpanel:

    1) Don't let any account run under user 'root' (why should be this able? I have never saw any suggestion for it)
    2) second one will be addet after i got the idea again (i forgot it currently)
     
  2. cPanelJared

    cPanelJared Technical Analyst
    Staff Member

    Joined:
    Feb 25, 2010
    Messages:
    1,842
    Likes Received:
    18
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Can you please elaborate on what you mean by "Don't let any account run under user 'root'?" When a user logs into cPanel, functions run as the cPanel account user, not as root. I am not exactly sure what you are requesting.
     
  3. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Are you referring to if you login using the user's username and your root (or reseller) password, that their cPanel runs reseller override mode? This behavior can be customized in Tweak Settings: "Accounts that can access a cPanel user account."

    Generally speaking, a root password should not be so weak that another user manages to choose it as their password, or guess it.
     
  4. khorinis

    khorinis Well-Known Member

    Joined:
    Aug 15, 2010
    Messages:
    65
    Likes Received:
    0
    Trophy Points:
    6
    Hello,
    cPanelJared: I read that the scripts of the user (not his cpanel functions) will run as root. For example his website (php scripts on ftp). I'm not sure if that's still so.

    Is it able that it give a feature for make a backup with a selfdefined/random password in cpanel? If someone download the backup he don't know the password and would need to crack it anyway if possible.
     
  5. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    On contemporary installations of cPanel&WHM, we install SuPHP and SuExec by default. If you are using an older installation (>1 year), you can just use EasyApache to install SuPHP and SuExec. This forces user scripts to always run as the user. Otherwise, you are running the script as user nobody (not root). The issue with running as user nobody is that any script can rewrite another user's scripts, since they all run as the same user. SuPHP and SuExec instead force scripts to run as the actual system/cPanel user and thus this is no longer possible thanks to the enforcement of Operating System permissions. SuPHP and SuExec is recommended practice for commercial shared hosting servers running cPanel&WHM.

    In cPanel&WHM, cPanel user passwords are never encrypted, they are hashed. Hashing means something can be compared to see if it is correct, but it is infeasible to reverse that hash to reveal the password that hash represents. This means there is no practical way to retrieve a password, but we do backup the password hash inside the backup file so the same password can be used on a new cPanel server. Remember, the act of restoring a cPanel account also creates that cPanel account using the password hash, so the user can maintain the same password they always had.

    If you could mention why a backup file would need to be "cracked" I may be able to address your concern through existing functionality of our software.
     
  6. khorinis

    khorinis Well-Known Member

    Joined:
    Aug 15, 2010
    Messages:
    65
    Likes Received:
    0
    Trophy Points:
    6
    It makes sense if you let the backup get sent to a remote server and someone got there unauthorized access. Then he can't do anything with the backup, except of delete it.
     
    #6 khorinis, Dec 28, 2010
    Last edited: Dec 28, 2010
  7. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Okay, let's explore this scenario:

    You make a backup because you want to move to a new hosting provider

    The new hosting provider can setup a shell account so you can have your backup SCP'd from your current cPanel account to your new hosting provider. The transmission is encrypted (since SCP is done within SSH) so data cannot be intercepted easily. Since this is being transferred as a system user (SSH cannot be done as a virtual user in cPanel&WHM environments at this time), operating system permissions are enforced meaning only that the (likely temporary) shell user and root have access to that file.

    If the root user becomes compromised, there's bigger issues to be dealing with than just backups.


    Is there a specific item you desire for us to implement?

    I don't mind an intellectual discussion about the security capabilities of our software, I just think such a discussion is more appropriate for our cPanel & WHM Security forum rather than a feature request thread.
     
  8. twhiting9275

    twhiting9275 Well-Known Member

    Joined:
    Sep 26, 2002
    Messages:
    538
    Likes Received:
    15
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Twitter:
    Absolutely.

    I'm not sure where this discussion is headed myself, as cPanel doesn't "let users run programs as root". Backups are run as root, but that's for security. That's not really a cPanel issue though.

    Too many people insist that cPanel is responsible for "administration of servers" and "security", when that's not the case. Sure, cPanel does make the job easier, but security and administration is always something that should be taken care of manually.
     
  9. khorinis

    khorinis Well-Known Member

    Joined:
    Aug 15, 2010
    Messages:
    65
    Likes Received:
    0
    Trophy Points:
    6
    I'm not talking about transfer the datas to a new hoster. There are some people which provide backup space and this you can define in cpanel (if i'm logged in cpanel - not WHM) the backup space as a remote server with login details. You won't own the server and if it's getting compromised your files are safe because of the password and you don't have to worry. Sorry for chose the wrong forum categorie.
     
Loading...

Share This Page