The Community Forums

Directory Permissions

Discussion in 'General Discussion' started by Brad, Jan 12, 2002.

  1. Brad

    Brad Well-Known Member

    Just curious what directory and file permission settings /usr/local/apache/domlogs/domain.com should have? Right now anyone can look at anyone else's logs, I don't like it. I haven't changed it for fear of breaking something in cPanel.

    The directory settings
    drwxr-xr-x 2 root root 8192 Jan 12 01:43 domlogs/

    All logs are currently:
    -rw-r--r-- 1 root root domain.com
     
  2. feanor

    feanor Well-Known Member

    Hmmmmmmmmmmmmm....
    rw-r-r
    Seems to be the standard for domlog permissions on any cPanel box I have ever touched- and Linux machines that don't have cPanel.

    If you want to delve into security here, you can of course deny remote shell access.. :)
    Or.... change permissions to your liking on a particular domain and then perform the ritual of seeing "what you blew up" in cPanel/Apache, if anything.

    Such as, can apache still write everything possible to the file / is http bandwidth tracking still working / is http bandwidth quota affected / are things busted in the http reports within the WHM..... does webalizer or analog break....

    With situations like that you basically have to venture out and beat the hell out of a dummy account to see what occurs-
    *unless* someone of a higher power/understanding can shed some technical light on this.

    ;)
     
  3. moronhead

    moronhead Well-Known Member

    Feanor,

    I noticed that your company gives SSH access to users. Can you give us an idea how you are handling security? ;)

    Quote: "If you want to delve into security here, you can of course deny remote shell access.."
     
  4. bdraco

    bdraco Guest

    domlogs

    Can anyone give a reason why someone would even care enough to want to access another site's domlogs, or why this would ever be a problem?
     
  5. Brad

    Brad Well-Known Member

    Privacy!

    All sites should have a privacy policy but I'll bet most or never address the fact that all server log files are viewable by others when they are, do you?

    Yes. One of the requirements of responsible net citizenship is respecting the privacy of others. Just as you don't forward or post private email without the author's consent, in general you shouldn't use or post Web usage statistics that can be attributed to an individual or business.

    If you are a government site, you may be required by law to protect the privacy of your readers. For example, U.S. Federal agencies are not allowed to collect or publish many types of data about their clients. Yes, most of you are not hosting government sites but you may be hosting local government which many times follows the big brother's rules and regulations and this information being viewable could open up a can of worms at a later date.

    Although not the problem of cPanel but of other software developers' programming techniques, passwords are often sent as clear text in the URL when accessing CGI and PHP scripts. Often times a URL requested (including the values of any variables from a form submitted using the GET method) is visible. The programmers of these scripts claim the server is not secure if people can see other people's logs and throw the blame on the server administrators. The server administrators blame the script makers, thus the problem exists.

    Many times the passwords are sent by accident and are recorded in the logs, where access could be attained.

    It's just another avenue of privacy that should be addressed but is still lagging behind. It's a blueprint of operations for the domain or business that is exposed to the public that I'm sure they don't want visible to be used in any way you can imagine.

    Basically it comes down to our responsibility to provide a level of privacy to our users that they would expect to have. I don't think the current system does a job to be proud of. Hopefully, this and other areas of concern will be secured in the near future.

    Brad



    Originally posted by bdraco:
    "Can anyone give a reason why someone would even care enough to want to access another site's domlogs, or why this would ever be a problem?"
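
The exposure described in the post above (secrets submitted with GET ending up in the request field of a world-readable domlog) can be found and scrubbed mechanically. This is an added example, not part of the original thread; the parameter names in SENSITIVE and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Parameter names treated as secrets (an assumption; extend for your own scripts).
SENSITIVE = {"password", "passwd", "pass", "pwd", "token", "secret"}

# Request field of an Apache "combined" log line: "METHOD URL PROTOCOL".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')

def scrub_line(line):
    """Return (scrubbed_line, leaked_param_names) for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, []
    parts = urlsplit(m.group("url"))
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = [k for k, v in pairs if k.lower() in SENSITIVE and v]
    if not leaked:
        return line, []
    clean = [(k, "REDACTED" if k.lower() in SENSITIVE else v) for k, v in pairs]
    url = parts._replace(query=urlencode(clean)).geturl()
    return line[:m.start("url")] + url + line[m.end("url"):], leaked

def audit(lines):
    """Return [(line_number, leaked_names, scrubbed_line)] for lines with secrets."""
    findings = []
    for number, line in enumerate(lines, 1):
        scrubbed, leaked = scrub_line(line)
        if leaked:
            findings.append((number, leaked, scrubbed))
    return findings

# Constructed sample lines in combined format (not taken from a real server).
SAMPLE = [
    '192.0.2.10 - - [14/Jan/2002:07:28:26 -0600] "GET /cgi-bin/login.cgi?user=bob&password=hunter2 HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.11 - - [14/Jan/2002:07:29:01 -0600] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
    '192.0.2.12 - - [14/Jan/2002:07:30:12 -0600] "POST /members.php?pwd=s3cret&page=2 HTTP/1.0" 302 0 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for number, leaked, scrubbed in audit(SAMPLE):
        print(f"line {number}: {', '.join(leaked)} in query string")
        print("  " + scrubbed)
```

Only the request field is inspected; a Referer field can carry the same query string and would need the same treatment.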
     
  6. Annette

    Annette Well-Known Member
    PartnerNOC

    If the concern is so great that one particular site's domlogs should never, under any circumstance, be viewable by anyone other than the owner, ever - then the site is unsuitable for shared hosting in this environment and probably in any other as well, since there is absolutely no way you can guarantee them that such access will never happen.

    While I'm all in favor of privacy - more so than most, in fact - there are ways around this if you choose to pursue them. For starters, you could start writing the logfiles to the user's own space. Or, you could turn one (or more) into root-only access and see if anything breaks, as suggested above. You could also restrict shell access to the server (turn off telnet, do not enable SSH by default for any account). And so on. The way things are set up right now is pretty common in a shared environment, Alabanza notwithstanding. That doesn't mean they can't be changed by you even if the dev team doesn't feel it necessary to change them for you.
     
  7. bdraco

    bdraco Guest

    Making the dir root readable only will break webalizer/analog.

    The problem with putting the log files in the user's dir is the user could delete the log dir.

    CustomLog /home/web/logs/web.cpanel.net combined

    /home/web/logs doesn't exist.. so
    [Mon Jan 14 07:28:26 2002] [error] (2)No such file or directory: could not open transfer log file /home/web/logs/web.cpanel.net.
    Apache dies ..

    If anybody has an idea on how to make this more practical, I'd love to hear it.
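
The failure in the last post (a CustomLog target whose directory has been removed, so Apache cannot open the log) can be caught before a restart. This is an added example, not part of the original thread and not cPanel's code; check_customlogs and its trusted_uid parameter are hypothetical names, and the config fragment in the demo is constructed from the directive quoted above.

```python
import os
import re
import stat

# Absolute CustomLog targets only; piped logs ("|prog") and paths relative to
# ServerRoot are skipped by this pattern, as are commented-out directives.
CUSTOMLOG_RE = re.compile(r'^\s*CustomLog\s+"?(?P<path>/[^\s"]+)', re.I | re.M)

def check_customlogs(conf_text, trusted_uid=0):
    """Return [(log_path, problem)] for CustomLog targets that can stop Apache.

    trusted_uid is the only account that should control the log directory
    (root by default; a parameter so the check can be exercised unprivileged).
    """
    problems = []
    for m in CUSTOMLOG_RE.finditer(conf_text):
        path = m.group("path")
        parent = os.path.dirname(path)
        if not os.path.isdir(parent):
            # The case from the thread: the log file cannot be opened.
            problems.append((path, "missing directory"))
            continue
        st = os.stat(parent)
        if st.st_uid != trusted_uid:
            # A directory under a user's control can be emptied or removed later.
            problems.append((path, "directory owned by untrusted uid"))
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append((path, "directory writable by group/other"))
    return problems

if __name__ == "__main__":
    # Constructed config fragment using the directive quoted in the thread.
    conf = "CustomLog /home/web/logs/web.cpanel.net combined\n"
    for path, problem in check_customlogs(conf):
        print(f"{path}: {problem}")
```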
     