find/ln permissions for better security

Discussion in 'Security' started by myBox, Jun 6, 2010.

  1. myBox

    myBox Active Member

    Due to hacking attempts I am getting, I thought of restricting access to the find and ln binaries.

    I have cPanel with suPHP, and most of the hacks I see are people creating symbolic links to other people's directories and then directly connecting to MySQL using the other users' credentials.

    Even if I block the use of the symlink function in PHP, they get around it by making one in a Perl script. I already have -ExecCGI, but they get around it by adding an AddHandler cgi-script directive to .htaccess.

    So my question: will there be a problem if I set find and ln to chmod 700?

    What other possible way can I stop them from creating symbolic links, or from running CGI scripts outside the cgi-bin directory?

    Thanks
     
  2. ne0shell

    ne0shell Well-Known Member

    The first thing you should do is terminate any clients who do such things.

    Have you tried setting the "PHP open_basedir Tweak" in cPanel's security settings?

    You can also install mod_security.

    Restricting access to find and link should not create any issues for a static host but you will need to monitor your logs to see if any applications / cPanel have issues.

    To solve the Perl script hack:

    Edit the httpd config:

    nano /usr/local/apache/conf/httpd.conf

    and search for

    <Directory />

    (if not matched, search for "/"). You will see this:

    <Directory />
    Options
    </Directory>

    Change it to:

    <Directory />
    Options -ExecCGI
    </Directory>

    Then edit access.conf:

    nano /usr/local/apache/conf/access.conf

    and put in this code:

    <Directory />
    Options -ExecCGI
    </Directory>

    Then restart Apache:

    /etc/init.d/httpd restart


    Remove the ability for end users to create htaccess files: http://httpd.apache.org/docs/2.2/mod/core.html#allowoverride

    Lastly, edit permissions on /home and remove read ability from everyone except owner.
     
    #2 ne0shell, Jun 7, 2010
    Last edited: Jun 7, 2010
  3. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Well, editing the httpd.conf has a bit more to it than just editing and saving these days.
    cPanel - Apache & PHP Customization

    Also, you can edit your Directory options via:

    WHM >> Service Configuration >> Apache Configuration >> Global Configuration
     
  4. ne0shell

    ne0shell Well-Known Member

    Yeah, and actually, thanks to Drupal and Joomla and other "iffy" PHP applications, you can't disable symlinks entirely or remove .htaccess from user web roots.

    A better option is to edit the default apache.conf (using the new process the previous poster linked to) and under the Options directive add SymLinksIfOwnerMatch.

    This will enable symlinks only if they are in the same folder structure owned by the same user who owns the htaccess file - which should prevent the symlink hack from exposing other users' files.

    If you're enabling SSH access for end users, don't. If it's really needed for your business then install Xen or another VPS kernel and use VPS for end users in place of shared hosting. SSH and shared hosting is asking for trouble.
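
An added example, not part of the thread and not any poster's or cPanel's code: a Python audit an administrator could run over each account's home directory to find the two things discussed above, symlinks that reach outside the account (or to a file owned by another user) and .htaccess lines that turn CGI or FollowSymLinks back on. The function names and finding labels are hypothetical.

```python
import os
import re
import sys

# .htaccess directives the thread describes: a CGI handler added per directory,
# or Options enabling ExecCGI / FollowSymLinks ("-ExecCGI" etc. do not match).
RISKY_HTACCESS = re.compile(
    r"^\s*(AddHandler\s+cgi-script\b|Options\b.*\s\+?(ExecCGI|FollowSymLinks)\b)",
    re.IGNORECASE,
)

def check_symlink(home, path):
    """Flag a symlink that leaves the account's home or crosses file owners."""
    target = os.path.realpath(path)
    if target != home and not target.startswith(home + os.sep):
        return [("symlink-outside-home", path, target)]
    try:
        # The comparison SymLinksIfOwnerMatch makes: link owner vs. target owner.
        if os.lstat(path).st_uid != os.stat(path).st_uid:
            return [("symlink-owner-mismatch", path, target)]
    except OSError:
        pass  # dangling link: nothing can be read through it
    return []

def check_htaccess(path):
    """Return one finding per .htaccess line that re-enables CGI or symlinks."""
    hits = []
    with open(path, errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if RISKY_HTACCESS.match(line):
                hits.append(("htaccess-override", path, f"{lineno}: {line.strip()}"))
    return hits

def audit_account(home):
    """Walk one home directory (hypothetical layout: /home/<user>) without following links."""
    home = os.path.realpath(home)
    findings = []
    for root, dirs, files in os.walk(home, followlinks=False):
        for name in dirs + files:
            path = os.path.join(root, name)
            if os.path.islink(path):
                findings.extend(check_symlink(home, path))
            elif name == ".htaccess":
                findings.extend(check_htaccess(path))
    return sorted(findings)

if __name__ == "__main__":
    for account_home in sys.argv[1:]:  # e.g. every directory under /home
        for finding in audit_account(account_home):
            print(*finding, sep="\t")
```

This is a point-in-time scan, so it complements the Apache settings discussed in the thread rather than replacing them; run it as root so it can read every account's files.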
     