Chmod 000 c compilers

It seems that cpanel does not use gcc or other c compilers .
It uses a cpanel gcc compiler on /root . And if the hacker uses the
gcc compiler usued by cpanel ?

 

Hi, Radio_Head,

I've seen other of your posts, and you seemed to know your way around town.

But what you say here conflicts with my experience.

I have had several situations where I turned off compilers for an extended time. During that time, cpanel can update most packages just fine, because most packages are rpms which do not recquire compilation.

However, there are some packages which do require compilation. For example some of the perl stuff. On those days I get the usual cpanel nightly email and I can see the attempt to compile and I can see that it failed.

So, in that case, the next day I turned on the compilers and ran the cpanel update command and everything updated just fine. Then turned off the compilers again, and next night cpanel made no further attempt to update that package because it was already updated.

(The cpanel update command is either upcp or cpup, something like that. It's listed right at the beginning of the cpanel nightly email, but I don't have one handy to look it up.)

Anyway, Radio_Head, I don't think this seems much like cpanel is using its own compilers. If so, why would nightly compilation break when *my* compiler is deactivated?

Much or all cpanel compilation (using my compilers) does seem to take place IN the root directory, but I've not seen any compilers in there. (Of course, maybe I don't know where or how to look!)

Of course, I am still very interested to know why you believe that cpanel has its own compilers. So I would be thankful if you could tell me what led you to say they had their own compiler in /root?

 

you are right . I was confused from this script

scripts/checkccompiler

Code:

system("gcc /root/cpanel-gcc-test.c -o /root/cpanel-gcc-test 2>/dev/null");
unlink("/root/cpanel-gcc-test.c");
$compilerworks = `/root/cpanel-gcc-test 2>/dev/null`;
if ($compilerworks !~ /C Compiler Works/i) {
#       print "The C Compiler is Broken\n";
        system("/scripts/fixheaders");
#       print "The C Compiler has been Repaired!\n";
}
unlink("/root/cpanel-gcc-test");

At first , I was thinking that cpanel-gcc-test was a Cpanel c compiler
but I was wrong , it only a c file to test if gcc works .
So , cpanel needs gcc on /usr/bin .

Doing only MANUAL cpanel updates and executing
#chmod 700 /usr/bin/*cc* before updating
and #chmod 000 /usr/bin/*cc* after the update I think
it's a good way to sleep better ...

I disable also
#chmod 000 /usr/bin/*++* (c++ compilers)

About red hat updates...
Do you think that the installation redhat rpm packages needs c compiler activated (I suppose yes) ?

 

suppose the hacker is able to execute

/scripts/fixheaders

it re-enable the compilers .... or am I wrong .?

 

Hi, Radio_Head,

You got me there. I don't know. But I'd guess that a minute and a half on your server with a simple experiment would reveal the answer!

If you are checking to see, also su to some ordinary user, and see if the script can be run by an ordinary user.

Because if the guy is root, of course he can enable the compilers any way he wants, no?

 

/scripts/fixheaders is set by default to 700. The hacker can't run it unless he already has root. And if he does...

 

Dont 000 your compilers... use 700 if your going to chmod them....

 

Actually is that really correct? Im running phpsuexec. I found all /usr/bin/*cc* chmod to 755 before i did chmod 000 on them!

 

Why is that?

 

cuz anybody who can run it with 700 perms can chmod 700 it just as easily... if sombody can run it as 700 you have bigger problems...