Hardening shell_exec, system, exec and similar shell functions?

ITGabs

Well-Known Member
Jul 30, 2013
81
0
6
cPanel Access Level
Root Administrator
Hi,

There is a way to lock the user in a directory in a similar way than open_basedir (php.ini) do

Actually I can read all the files from the server that have the "xx4" attribute, I did some experiments that works with mod_fcgid actually I am uisng this script to test or revert changes.

Code:
#!/bin/sh
#with $1 = user $2=user nobody fcgid!
if [ $1 == "--help" ]
then
echo This will set the default www permisions based in a cpanel user account
echo For a extended Security with FCGID add nobody as a second parameter
exit
fi


if [ "$2" == "nobody" ]
then
        chown $1:nobody /home/$1/www/ -R
        find /home/$1/www/ -type f -exec chmod 641 {} \;
        find /home/$1/www/ -type d -exec chmod 750 {} \;
fi

if [ "$2" == "" ]
then
        chown $1:$1 /home/$1/www/ -R
        find /home/$1/www/ -type f -exec chmod 644 {} \;
        find /home/$1/www/ -type d -exec chmod 755 {} \;
fi
chown $1:nobody /home/$1/www/
In this way I am changing the group from the [user] to [nobody] so apache have access and all the rest of the things ftp,ssh etc but the public access is completely blocked, but this works only in mod_fcgid, I tested with suPHP and doesn't work, another thing is that I am not sure how safe this will be from the group nobody or from apache.

chown [user]:nobody /home/[user]/www/ -R
find /home/[user]/www/ -type f -exec chmod 640 {} \;
find /home/[user]/www/ -type d -exec chmod 750 {} \;


The big problem of doing this is that all the new files uplaoded by ftp or created by php will have the default settings I guess I need to setup wrappers to do that because running a cron that detect file changes is not exactly a solution.

-Cheers
 
Last edited:

ITGabs

Well-Known Member
Jul 30, 2013
81
0
6
cPanel Access Level
Root Administrator
Thanks sehh, are you the developer of this patch or mod?

very clever and very strange that this is not included in the php core.
 

sehh

Well-Known Member
Feb 11, 2006
579
5
168
Europe
I only made the cPanel/WHM module, I am not the developer of the php patch.

I always wondered the same thing, this is a must-have security enhancement! I've seen it work with devastating results, the uploaded backdoor script couldn't execute any commands it wanted to scan the system. Unfortunately, the patch hasn't been accepted to mainline php, that is why I made the module, now it automatically installs on all my servers.
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
4,607
76
308
cPanel Access Level
Root Administrator
Please be advised that doing a recursive chown, as root, in the user's home directory is an unsafe operation. It can allow a malicious user to take ownership of any file on the same file system as his home directory.

Simple example, assuming /etc is on the same partition:

As User:

$ ln /etc/shadow ~/www/my_meeting_notes.txt

As root:
#chown -R user:user /home/user/www

User now owns /etc/shadow.
 

sehh

Well-Known Member
Feb 11, 2006
579
5
168
Europe
That is correct. That is why it is better to use "find" first. By default, it does NOT follow symbolic links (-P parameter), thus it will never follow the link to /etc/shadow as your example above.

#find -P -print0 /home/user/www | xargs -0 chown user:user

"find" parameters:
-P = do not follow symbolic links
-print0 = print the full file name on the standard output, followed by a null character.

"xargs" parameters:
-0 = Input items are terminated by a null character instead of by whitespace, and the quotes and backslash are not special


The strange -print0 and -0 combination of parameters in "find" and "xargs" are there to help with files and paths that have special characters in them and/or spaces!

Or just sudo as the user and run the command with the users permissions/ownership.

How is that for a comprehensive answer? :D
 
Last edited:

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
4,607
76
308
cPanel Access Level
Root Administrator
That is correct. That is why it is better to use "find" first. By default, it does NOT follow symbolic links (-P parameter), thus it will never follow the link to /etc/shadow as your example above.

#find -P -print0 /home/user/www | xargs -0 chown user:user

"find" parameters:
-P = do not follow symbolic links
-print0 = print the full file name on the standard output, followed by a null character.

"xargs" parameters:
-0 = Input items are terminated by a null character instead of by whitespace, and the quotes and backslash are not sp cial


The strange -print0 and -0 combination of parameters in "find" and "xargs" are there to help with files and paths that have special characters in them and/or spaces!

Or just sudo as the user and run the command with the users permissions/ownership.

How is that for a comprehensive answer? :D
I didn't create a symbolic link. I created a hard link. They are very different things.
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
4,607
76
308
cPanel Access Level
Root Administrator
Oh, indeed, I didn't notice, sorry for that :(
no problem. symlinks get so much attention that everyone forgets about hard links. :)

Filtering out things not owned by the user is a general safety step, but doesn't necessarily accomplish your goal.