Hardening shell_exec, system, exec and similar shell functions?

ITGabs

Well-Known Member
Jul 30, 2013
cPanel Access Level
Root Administrator
Hi,

Is there a way to lock the user into a directory, similar to what open_basedir (php.ini) does?

Actually I can read all the files from the server that have the "xx4" attribute. I did some experiments that work with mod_fcgid; actually I am using this script to test or revert changes.

Code:
#!/bin/sh
# Usage: $0 <cpanel-user> [nobody]
#   $1 = cPanel account name
#   $2 = "nobody" to use the tighter FCGID layout (group nobody, files 641, dirs 750)
if [ "$#" -eq 0 ] || [ "$1" = "--help" ]
then
        echo "Usage: $0 <user> [nobody]"
        echo "This will set the default www permissions based on a cPanel user account."
        echo "For extended security with FCGID add nobody as a second parameter."
        exit 1
fi

# FCGID layout: owner user, group nobody so Apache (group nobody) can read
if [ "$2" = "nobody" ]
then
        chown -R "$1:nobody" "/home/$1/www/"
        find "/home/$1/www/" -type f -exec chmod 641 {} +
        find "/home/$1/www/" -type d -exec chmod 750 {} +
fi

# Default layout: owner and group both the user, world-readable
if [ -z "$2" ]
then
        chown -R "$1:$1" "/home/$1/www/"
        find "/home/$1/www/" -type f -exec chmod 644 {} +
        find "/home/$1/www/" -type d -exec chmod 755 {} +
fi

# The top-level directory always gets group nobody so Apache can traverse it
chown "$1:nobody" "/home/$1/www/"
In this way I am changing the group from [user] to [nobody], so Apache has access and so do all the rest of the things (FTP, SSH, etc.), but public access is completely blocked. However, this works only with mod_fcgid; I tested with suPHP and it doesn't work. Another thing is that I am not sure how safe this will be from the group nobody or from Apache.

chown [user]:nobody /home/[user]/www/ -R
find /home/[user]/www/ -type f -exec chmod 640 {} \;
find /home/[user]/www/ -type d -exec chmod 750 {} \;


The big problem of doing this is that all the new files uploaded by FTP or created by PHP will have the default settings. I guess I need to set up wrappers to do that, because running a cron that detects file changes is not exactly a solution.

-Cheers

ITGabs

Thanks sehh, are you the developer of this patch or mod?

Very clever, and very strange that this is not included in the PHP core.

sehh

Well-Known Member
Feb 11, 2006
Europe
I only made the cPanel/WHM module, I am not the developer of the php patch.

I always wondered the same thing; this is a must-have security enhancement! I've seen it work with devastating results: the uploaded backdoor script couldn't execute any of the commands it wanted to scan the system with. Unfortunately, the patch hasn't been accepted into mainline PHP, which is why I made the module. Now it automatically installs on all my servers.

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
cPanel Access Level
Root Administrator
Please be advised that doing a recursive chown, as root, in the user's home directory is an unsafe operation. It can allow a malicious user to take ownership of any file on the same file system as his home directory.

Simple example, assuming /etc is on the same partition:

As User:

$ ln /etc/shadow ~/www/my_meeting_notes.txt

As root:
#chown -R user:user /home/user/www

User now owns /etc/shadow.

sehh

Well-Known Member
Feb 11, 2006
579
6
168
Europe
That is correct. That is why it is better to use "find" first. By default, it does NOT follow symbolic links (-P parameter), thus it will never follow the link to /etc/shadow as in your example above.

# find -P /home/user/www -print0 | xargs -0 chown user:user

"find" parameters:
-P = do not follow symbolic links
-print0 = print the full file name on the standard output, followed by a null character.

"xargs" parameters:
-0 = input items are terminated by a null character instead of by whitespace, and the quotes and backslash are not special


The strange -print0 and -0 combination of parameters in "find" and "xargs" is there to help with files and paths that have special characters and/or spaces in them!

Or just sudo as the user and run the command with the user's permissions/ownership.

How is that for a comprehensive answer? :D

cPanelKenneth

I didn't create a symbolic link. I created a hard link. They are very different things.

cPanelKenneth

Oh, indeed, I didn't notice, sorry for that :(
No problem. Symlinks get so much attention that everyone forgets about hard links. :)

Filtering out things not owned by the user is a general safety step, but doesn't necessarily accomplish your goal.
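The hard-link hazard Kenneth describes, the recursive chown/chmod from the opening script, and the `find -P ... | xargs -0` mitigation from sehh, tied together as an added example that is not part of the thread. It builds a constructed fixture in a temp directory (a mode-600 "system" file outside a fake web root, hard-linked into it the way `ln /etc/shadow ~/www/my_meeting_notes.txt` does), then runs the naive `find -type f -exec chmod` from the script and a filtered variant against the web root. It uses chmod rather than chown so it runs unprivileged; a `chown -R` as root goes wrong in exactly the same way, because both calls act on the inode that the two names share. Directory names, the account name taken from `id -un`, and the file contents are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: a recursive chmod/chown over a
# user-writable tree also hits any file outside the tree that the user has
# hard-linked into it. find -P does not help (that only concerns symlinks);
# restricting find to single-link files the account owns does.
# Runs unprivileged using chmod; chown -R as root fails the same way.

# Constructed fixture: a mode-600 "system" file outside the web root and a
# hard link to it planted inside the web root. Prints the fixture directory.
build_fixture() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc" "$d/home/user/www"
    printf 'root:hashed-secret\n' > "$d/etc/shadow"
    chmod 600 "$d/etc/shadow"
    printf 'hello\n' > "$d/home/user/www/index.html"
    # ln without -s: a hard link, so "do not follow symlinks" is no defence
    ln "$d/etc/shadow" "$d/home/user/www/my_meeting_notes.txt" || return 1
    printf '%s\n' "$d"
}

# Octal mode of a file; GNU stat and BSD stat take different flags.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Naive normalisation as in the opening script: every regular file below the
# web root, hard links included, becomes 644.
naive_fix_perms() {
    find "$1" -type f -exec chmod 644 {} +
}

# Filtered normalisation: stay on one filesystem (-xdev), act only on regular
# files that have exactly one name (-links 1), and only on entries already
# owned by the account (-user). "-exec ... {} +" is the POSIX way to get the
# same special-character safety as "-print0 | xargs -0".
safe_fix_perms() {
    find "$1" -xdev -type f -links 1 -user "$2" -exec chmod 644 {} +
    find "$1" -xdev -type d -user "$2" -exec chmod 755 {} +
}

# Each outcome function builds a fresh fixture, runs one variant against the
# web root, and prints the resulting mode of the file OUTSIDE the web root.
naive_outcome() {
    d=$(build_fixture) || return 1
    naive_fix_perms "$d/home/user/www"
    mode_of "$d/etc/shadow"   # 644: the planted hard link exposed the secret
    rm -rf "$d"
}

safe_outcome() {
    d=$(build_fixture) || return 1
    safe_fix_perms "$d/home/user/www" "$(id -un)"
    mode_of "$d/etc/shadow"   # 600: the two-link file was skipped by -links 1
    rm -rf "$d"
}

echo "mode of etc/shadow after naive recursive chmod:  $(naive_outcome)"
echo "mode of etc/shadow after filtered chmod:         $(safe_outcome)"
```

In the fixture both files belong to the same unprivileged user, so it is the `-links 1` test, not `-user`, that keeps the outside file untouched; against a real `/etc/shadow` link, `-user` would also skip it because the inode is owned by root. Both filters have a cost that matches Kenneth's closing remark: `-links 1` also skips the user's own legitimately hard-linked files, and `-user` skips files that PHP running as nobody created, which are exactly the ones the opening post wanted to normalise. Running the `find` as the account itself (sehh's `sudo` suggestion) avoids the privilege problem entirely. On Linux kernels with `fs.protected_hardlinks=1` an unprivileged user cannot create the hard link to a file he cannot read and write in the first place, but a root-run recursive chown should still not rely on that setting being present.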