The Community Forums

Interact with an entire community of cPanel & WHM users!

Chmod 000 c compilers

Discussion in 'General Discussion' started by iago, Mar 11, 2003.

Thread Status:
Not open for further replies.
  1. iago

    iago Member

    Joined:
    Aug 26, 2002
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    A user at WHT (Admin0) suggested to chmod 000 the c compilers on a cpanel server (chmod 000 *cc*) so that, in the event that a script kiddie uploads an exploit to the tmp directory, he would not be able to compile it.

    Then just chmod back to 700 when I need to compile something. I don't give away shell access to my clients, and the ones that have this kind of access don't require to compile programs.

    I know I have to chmod to 700 when running scripts like buildapache that need the compilers, but what about the autoupdate features?

    Does this autoupdate need the compiler in some way? Or does it install just binaries or rpms?

    If the autoupdate feature requires access to the compiler, I was thinking to do the following: turn the update options to manual and chmod 000 the compiler, and chmod back to 700 to run the update option.

    Hope a cpanel support tech or an experienced user could shed some light on this.

    Regards
     
  2. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    It seems that cpanel does not use gcc or other c compilers.
    It uses a cpanel gcc compiler on /root. And if the hacker uses the
    gcc compiler used by cpanel? :eek:
     
  3. buckarootimb

    buckarootimb Registered

    Joined:
    May 16, 2003
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Hi, Radio_Head,

    I've seen others of your posts, and you seemed to know your way around town.

    But what you say here conflicts with my experience.

    I have had several situations where I turned off compilers for an extended time. During that time, cpanel can update most packages just fine, because most packages are rpms which do not require compilation.

    However, there are some packages which do require compilation. For example some of the perl stuff. On those days I get the usual cpanel nightly email and I can see the attempt to compile and I can see that it failed.

    So, in that case, the next day I turned on the compilers and ran the cpanel update command and everything updated just fine. Then turned off the compilers again, and next night cpanel made no further attempt to update that package because it was already updated.

    (The cpanel update command is either upcp or cpup, something like that. It's listed right at the beginning of the cpanel nightly email, but I don't have one handy to look it up.)

    Anyway, Radio_Head, I don't think this seems much like cpanel is using its own compilers. If so, why would nightly compilation break when *my* compiler is deactivated?

    Much or all cpanel compilation (using my compilers) does seem to take place IN the root directory, but I've not seen any compilers in there. (Of course, maybe I don't know where or how to look!)

    Of course, I am still very interested to know why you believe that cpanel has its own compilers. So I would be thankful if you could tell me what led you to say they had their own compiler in /root?
     
  4. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38

    You are right. I was confused by this script

    scripts/checkccompiler


    Code:
    system("gcc /root/cpanel-gcc-test.c -o /root/cpanel-gcc-test 2>/dev/null");
    unlink("/root/cpanel-gcc-test.c");
    $compilerworks = `/root/cpanel-gcc-test 2>/dev/null`;
    if ($compilerworks !~ /C Compiler Works/i) {
    #       print "The C Compiler is Broken\n";
            system("/scripts/fixheaders");
    #       print "The C Compiler has been Repaired!\n";
    }
    unlink("/root/cpanel-gcc-test");
    
    At first, I was thinking that cpanel-gcc-test was a Cpanel c compiler
    but I was wrong, it is only a c file to test if gcc works.
    So, cpanel needs gcc on /usr/bin.

    Doing only MANUAL cpanel updates and executing
    # chmod 700 /usr/bin/*cc* before updating
    and # chmod 000 /usr/bin/*cc* after the update, I think
    it's a good way to sleep better ...

    I also disable
    # chmod 000 /usr/bin/*++* (c++ compilers)

    About red hat updates...
    Do you think that the installation of redhat rpm packages needs the c compiler activated (I suppose yes)?
     
  5. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    Suppose the hacker is able to execute

    /scripts/fixheaders

    it re-enables the compilers ... or am I wrong?
     
  6. buckarootimb

    buckarootimb Registered

    Joined:
    May 16, 2003
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Hi, Radio_Head,

    You got me there. I don't know. But I'd guess that a minute and a half on your server with a simple experiment would reveal the answer!

    If you are checking to see, also su to some ordinary user, and see if the script can be run by an ordinary user.

    Because if the guy is root, of course he can enable the compilers any way he wants, no?
     
  7. FWC

    FWC Well-Known Member

    Joined:
    May 13, 2002
    Messages:
    354
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Ontario, Canada
    /scripts/fixheaders is set by default to 700. The hacker can't run it unless he already has root. And if he does... :(
     
  8. iago

    iago Member

    Joined:
    Aug 26, 2002
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    if you want further information on this topic just visit:

    http://admin0.net

    regards
     
  9. shaun

    shaun Well-Known Member

    Joined:
    Nov 9, 2001
    Messages:
    698
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    San Clemente, Ca
    Don't 000 your compilers... use 700 if you're going to chmod them....
     
  10. sexy_guy

    sexy_guy Well-Known Member

    Joined:
    Mar 19, 2003
    Messages:
    848
    Likes Received:
    0
    Trophy Points:
    16
    Actually, is that really correct? I'm running phpsuexec. I found all /usr/bin/*cc* chmod to 755 before I did chmod 000 on them!
     
  11. sexy_guy

    sexy_guy Well-Known Member

    Joined:
    Mar 19, 2003
    Messages:
    848
    Likes Received:
    0
    Trophy Points:
    16
    Why is that?
     
  12. shaun

    shaun Well-Known Member

    Joined:
    Nov 9, 2001
    Messages:
    698
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    San Clemente, Ca
    cuz anybody who can run it with 700 perms can chmod 700 it just as easily... if somebody can run it as 700 you have bigger problems...
     
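An audit of the permission scheme discussed in this thread, as an added example that is not part of any poster's message or of cPanel's scripts. The function names and the sample file names (including `acctool`, a constructed non-compiler name) are assumptions made for illustration; the globs are the ones quoted in the posts.

```shell
#!/bin/sh
# Added example: audit and lock files matching the thread's globs
# (*cc* and *++*) in a directory such as /usr/bin.

# Print matching regular files that group or other may execute.
list_exposed() {
    find "$1" -maxdepth 1 -type f \( -name '*cc*' -o -name '*++*' \) \
        \( -perm -010 -o -perm -001 \) -print | sort
}

# Set matches to 700: the owner (root) can still run them for updates;
# at 000 even root cannot execute the file until a mode bit is restored.
lock_compilers() {
    find "$1" -maxdepth 1 -type f \( -name '*cc*' -o -name '*++*' \) \
        -exec chmod 700 {} +
}

# Return 0 when nothing matching is executable by non-owners, else 1.
audit() {
    exposed=$(list_exposed "$1")
    if [ -n "$exposed" ]; then
        printf 'executable by non-owner:\n%s\n' "$exposed"
        return 1
    fi
    return 0
}

# Build a constructed sample directory and print its path.
# "acctool" is not a compiler; it shows how broadly *cc* matches.
make_sample() {
    d=$(mktemp -d)
    for f in gcc g++ acctool ls; do
        printf '#!/bin/sh\n' > "$d/$f"
        chmod 755 "$d/$f"
    done
    printf '%s\n' "$d"
}

# Usage: sh audit.sh /usr/bin   (reports only, changes nothing)
if [ "$#" -gt 0 ]; then
    audit "$1"
fi
```

Review the `list_exposed` output before calling `lock_compilers` on a real directory, since the `*cc*` glob also catches unrelated programs whose names contain "cc".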