The Community Forums

Interact with an entire community of cPanel & WHM users!

File Manager - deny certain files from being uploaded

Discussion in 'General Discussion' started by georgeb, May 23, 2010.

  1. georgeb

    georgeb Well-Known Member

    Joined:
    May 23, 2010
    Messages:
    48
    Likes Received:
    1
    Trophy Points:
    8
    Location:
    Montreal, QC, Canada
    cPanel Access Level:
    Root Administrator
    I don't know if this is the right place to post (sorry if I am wrong).
    Is there any way to stop .htaccess from being uploaded via the cPanel File Manager?
    I really want this for the security of my server.


    Regards,
    George B.
     
  2. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    Say what? :rolleyes:

    Care to elaborate? :D
     
  3. georgeb

    georgeb Well-Known Member

    So this is my problem. I am running suPHP and suEXEC. I have some restrictions in php.ini (all my users are using a global php.ini, and some users a php.ini with no restrictions). I can control what .htaccess is uploaded via pure-ftpd with pure-uploadscript and a bash script (made by me) that searches for the string "suPHP_configpath" (because with this a user can change his php.ini) and removes the file if it exists. I have no control over the cPanel File Manager, and I find this a very insecure thing for my server. In the meantime I am running another script to detect PHP shell scripts. So is there any way to disable dot files from being uploaded via File Manager?

    Sorry for my bad English.

    Regards,
    George B.
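The pure-uploadscript hook described in the post above, written out as an added example (this is not George's script, nor code from pure-ftpd or cPanel). pure-ftpd invokes the upload script with the path of the just-uploaded file as the first argument and exports the uploading account's name as UPLOAD_USER; the log path is an assumption. Unlike a plain string search, it ignores commented-out lines, matches directive names case-insensitively the way Apache does, and only ever touches a file literally named .htaccess. As noted later in the thread, a script running under the account can still recreate the file after upload, so this is a detection layer on one upload path, not a complete control.

```shell
#!/bin/sh
# Added example: pure-uploadscript hook that removes an uploaded .htaccess
# containing suPHP override directives. Assumed: LOG path; UPLOAD_USER is
# the variable pure-ftpd exports for the uploading account.
LOG=${LOG:-/var/log/htaccess-upload-check.log}

# Print only the non-comment lines of a file (.htaccess comments start with '#').
strip_comments() {
    grep -v '^[[:space:]]*#' "$1"
}

# Return 0 (true) when FILE sets a directive tenants must not control.
# suPHP_ConfigPath is the one discussed in the thread: it points suPHP at a
# user-supplied php.ini. php_value/php_flag are included so the same check
# also covers the overrides that matter under DSO (mod_php).
htaccess_has_override() {
    strip_comments "$1" | grep -Eiq '^[[:space:]]*(suPHP_ConfigPath|php_(value|flag))[[:space:]]'
}

# Hook entry point. Returns 0 when the upload is kept, 1 when an offending
# .htaccess was removed (the removal is logged with the account name).
check_upload() {
    file=$1
    case $(basename "$file") in
        .htaccess) ;;
        *) return 0 ;;                      # not an .htaccess: nothing to check
    esac
    if htaccess_has_override "$file"; then
        printf '%s user=%s removed %s\n' "$(date '+%F %T')" \
            "${UPLOAD_USER:-unknown}" "$file" >> "$LOG"
        rm -f "$file"
        return 1
    fi
    return 0
}

# When pure-ftpd calls the script, the uploaded file's path is $1.
if [ $# -gt 0 ]; then
    check_upload "$1"
fi
```

Install it with the pure-uploadscript option pointing at this file; when run by hand it takes the path to check as its only argument.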
     
  4. Spiral

    Spiral BANNED

    Why not just simply disable user-parsed PHP.INI files in PHP and limit SuPHP_ConfigPath to httpd.conf access only, and be done with it?

    It seems a lot more complicated to set up elaborate upload monitoring systems, which is pointless anyway, since you could write a simple PHP or CGI script to create the files even if you limited uploads everywhere, and no disable_functions you set is going to prevent that from being possible.
     
  5. georgeb

    georgeb Well-Known Member

    Can you tell me how to do it? Won't my httpd.conf be modified when Apache updates?

    I don't want a global php.ini for my whole server. I have some special accounts on this server for the creation of user accounts. How will I enable other php.ini files for those accounts?

    Thank you
     
  6. georgeb

    georgeb Well-Known Member

    If a user is planting suPHP_Configpath in his .htaccess and a php.ini in his directory, yes. But I am controlling this with some bash scripts that search for this directive. So in fact, on my server, no.
     
    #6 georgeb, May 29, 2010
    Last edited: May 29, 2010
  7. Spiral

    Spiral BANNED

    No, not if you properly ran the distiller script after updates ---

    Your changes will remain the same even through updates

    Also, if you modify the Apache template files or set up a "vhost.local", then your changes can be automatically deployed to all sites at once, and to future sites at the next httpd.conf rebuild.

    Who said anything about having a global "php.ini" file? :rolleyes:

    On the hosting provider clients I work with, I typically disable users from being able to set any .htaccess directives or SuPHP overrides and disable parsing of any custom PHP.INI files in their own account folders, but at the same time set up automatically generated custom PHP.INI files for every hosting account under /usr/local/phpconf that are accessible and editable by server administrators only, on an account-by-account basis.
     
  8. georgeb

    georgeb Well-Known Member

    What do you mean with "/usr/local/phpconf"? Maybe php.conf... Is there a possibility to disable executing any php.ini file on the server and at the same time use a different php.ini for special accounts? I don't want to disable any .htaccess file. Before, when I ran PHP without suPHP, there was better control, and I think suPHP is not very secure...

    Thank you for your response.

    George B.
     
  9. Spiral

    Spiral BANNED

    Good! You are beginning to realize the not so subtle point I was making :D

    I knew from your first post that you did not actually realize that you could completely turn off the user's access to custom settings under SuPHP while still allowing yourself the ability to make custom modifications on an account-by-account basis.

    Well the good news is that yes you can have your cake and eat it too! :p

    The options for restricting user-level PHP.INI and SuPHP_Config are not set by default during compile, so you have to manually recompile with the correct settings, and that will take care of that. Then the modification I mentioned, allowing each account to operate on its own administrator-restricted PHP.INI outside the user's web space, is a very simple mod that only takes a couple of seconds to set up.

    You don't need to disable or delete users' .htaccess files, as they can still use those; it's just that any SuPHP_Config command would cause an error 500, since it's an invalid command to them, as would "php_" commands of course, and uploading PHP.INI files would be meaningless, as they aren't read when you have PHP set up the way I described.

    I agree on the security comment, in that the way SuPHP is deployed by default, it indeed has a larger security hole than the cross-site scripting it otherwise fixes coming from DSO. Namely, under DSO users have a limited number of PHP settings they can override using .htaccess, but under SuPHP there is no limit to the settings they can override: by default they can reset anything within the PHP.INI file, and their PHP.INI supersedes the system PHP.INI.

    Surprisingly, a lot of people don't know that. :rolleyes:
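The per-account layout Spiral describes in his last two posts, written out as an added example (this is not his setup script, nor anything shipped by cPanel or suPHP). It creates an administrator-owned php.ini for each account under /usr/local/phpconf, the directory named in the thread, and prints the Apache fragment that pins suPHP_ConfigPath to it from the server configuration (for example through a vhost.local include). Two mechanisms make the tenant's own files irrelevant: suPHP passes the configured path to php-cgi as PHPRC, which PHP consults before the script's own directory, so a php.ini uploaded into public_html is never read; and mod_suphp only permits suPHP_ConfigPath in .htaccess under the Options override class, so leaving Options out of AllowOverride turns a user's own suPHP_ConfigPath line into the 500 error mentioned above. PHPCONF_ROOT, HOME_ROOT, the settings in the two templates and the "unrestricted" profile for trusted accounts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: administrator-managed per-account php.ini files plus the
# matching Apache fragment. Paths and template settings are assumptions.
PHPCONF_ROOT=${PHPCONF_ROOT:-/usr/local/phpconf}
HOME_ROOT=${HOME_ROOT:-/home}

# Restricted profile for ordinary hosting accounts.
restricted_ini() {
    user=$1
    cat <<EOF
; generated for account $user - administrator-managed, not editable by the tenant
open_basedir = $HOME_ROOT/$user:/tmp
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
allow_url_fopen = Off
allow_url_include = Off
expose_php = Off
EOF
}

# Relaxed profile for the few trusted accounts the thread mentions.
unrestricted_ini() {
    user=$1
    cat <<EOF
; generated for account $user - trusted profile, no function restrictions
open_basedir = $HOME_ROOT/$user:/tmp
allow_url_include = Off
expose_php = Off
EOF
}

# write_account_ini USER [restricted|unrestricted]
# Creates $PHPCONF_ROOT/USER/php.ini and prints its path. Directory 0755 and
# file 0644: suPHP runs php-cgi as the account user, which must be able to
# read the file, while only the owner (root, when run as root) may write it.
write_account_ini() {
    user=$1
    profile=${2:-restricted}
    dir="$PHPCONF_ROOT/$user"
    mkdir -p "$dir"
    case $profile in
        unrestricted) unrestricted_ini "$user" > "$dir/php.ini" ;;
        *)            restricted_ini "$user" > "$dir/php.ini" ;;
    esac
    chmod 0755 "$dir"
    chmod 0644 "$dir/php.ini"
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$dir" "$dir/php.ini"
    fi
    printf '%s\n' "$dir/php.ini"
}

# vhost_fragment USER
# Prints the <Directory> block for the account's vhost. AllowOverride omits
# Options on purpose: that is the override class suPHP_ConfigPath needs in
# .htaccess, so tenants cannot redirect suPHP to a php.ini of their own.
vhost_fragment() {
    user=$1
    cat <<EOF
<Directory "$HOME_ROOT/$user/public_html">
    suPHP_ConfigPath $PHPCONF_ROOT/$user
    AllowOverride AuthConfig FileInfo Indexes Limit
</Directory>
EOF
}

# Usage (as root):
#   write_account_ini alice
#   write_account_ini builder unrestricted
#   vhost_fragment alice >> /path/to/vhost/include   # assumed include location
```

Run write_account_ini once per account (for example from a loop over the account list) and add the printed fragment to each vhost; after an httpd.conf rebuild the pinned path survives because it lives in the server configuration rather than in the account's web space.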
     
  10. georgeb

    georgeb Well-Known Member

    Can you please help me to do it?
    I tried a lot of things like premain_conf, user dir conf, etc but no solution.
    I am very worried about this hole.

    Regards,
    George B.
     
  11. Spiral

    Spiral BANNED

    No problem! I'm shooting you over my chat info. ;)
     