
Hardening shell_exec, system, exec and similar shell functions?

Discussion in 'Security' started by ITGabs, Oct 13, 2013.

  1. ITGabs

    ITGabs Well-Known Member

    Joined:
    Jul 30, 2013
    Messages:
    81
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Hi,

    There is a way to lock the user in a directory in a similar way to how open_basedir (php.ini) does.

    Actually I can read all the files from the server that have the "xx4" attribute. I did some experiments that work with mod_fcgid; actually I am using this script to test or revert changes.

    Code:
    #!/bin/sh
    # $1 = cPanel user, $2 = "nobody" to apply the fcgid layout
    if [ "$1" = "--help" ]
    then
        echo "This will set the default www permissions based in a cpanel user account"
        echo "For a extended Security with FCGID add nobody as a second parameter"
        exit
    fi

    # fcgid layout: group nobody, no access for "other" on directories
    if [ "$2" = "nobody" ]
    then
            chown -R "$1":nobody "/home/$1/www/"
            find "/home/$1/www/" -type f -exec chmod 641 {} \;
            find "/home/$1/www/" -type d -exec chmod 750 {} \;
    fi

    # default layout: owned by the user, world-readable
    if [ "$2" = "" ]
    then
            chown -R "$1":"$1" "/home/$1/www/"
            find "/home/$1/www/" -type f -exec chmod 644 {} \;
            find "/home/$1/www/" -type d -exec chmod 755 {} \;
    fi
    # the top-level www directory always keeps group nobody
    chown "$1":nobody "/home/$1/www/"
    In this way I am changing the group from [user] to [nobody] so Apache has access, along with all the rest of the things (FTP, SSH, etc.), but the public access is completely blocked. This works only in mod_fcgid; I tested with suPHP and it doesn't work. Another thing is that I am not sure how safe this will be from the group nobody or from Apache.

    chown [user]:nobody /home/[user]/www/ -R
    find /home/[user]/www/ -type f -exec chmod 640 {} \;
    find /home/[user]/www/ -type d -exec chmod 750 {} \;


    The big problem with doing this is that all the new files uploaded by FTP or created by PHP will have the default settings. I guess I need to set up wrappers to do that, because running a cron job that detects file changes is not exactly a solution.

    -Cheers
     
    #1 ITGabs, Oct 13, 2013
    Last edited: Oct 14, 2013
  2. sehh

    sehh Well-Known Member

    Joined:
    Feb 11, 2006
    Messages:
    579
    Likes Received:
    5
    Trophy Points:
    18
    Location:
    Europe
  3. ITGabs

    Thanks sehh, are you the developer of this patch or mod?

    Very clever, and very strange that this is not included in the PHP core.
     
  4. sehh

    I only made the cPanel/WHM module, I am not the developer of the php patch.

    I always wondered the same thing; this is a must-have security enhancement! I've seen it work with devastating results: the uploaded backdoor script couldn't execute any of the commands it wanted to run to scan the system. Unfortunately, the patch hasn't been accepted into mainline PHP, which is why I made the module; now it automatically installs on all my servers.
     
  5. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,458
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    Please be advised that doing a recursive chown, as root, in the user's home directory is an unsafe operation. It can allow a malicious user to take ownership of any file on the same file system as his home directory.

    Simple example, assuming /etc is on the same partition:

    As User:

    $ ln /etc/shadow ~/www/my_meeting_notes.txt

    As root:
    # chown -R user:user /home/user/www

    User now owns /etc/shadow.
     
  6. sehh

    That is correct. That is why it is better to use "find" first. By default, it does NOT follow symbolic links (-P parameter), thus it will never follow the link to /etc/shadow as in your example above.

    # find -P /home/user/www -print0 | xargs -0 chown user:user

    "find" parameters:
    -P = do not follow symbolic links
    -print0 = print the full file name on the standard output, followed by a null character.

    "xargs" parameters:
    -0 = Input items are terminated by a null character instead of by whitespace, and the quotes and backslash are not special


    The strange -print0 and -0 combination of parameters in "find" and "xargs" is there to help with files and paths that have special characters and/or spaces in them!

    Or just sudo as the user and run the command with the user's permissions/ownership.

    How is that for a comprehensive answer? :D
     
    #6 sehh, Oct 15, 2013
    Last edited: Oct 15, 2013
  7. cPanelKenneth

    I didn't create a symbolic link. I created a hard link. They are very different things.
     
  8. sehh

    Oh, indeed, I didn't notice, sorry for that :(
     
  9. cPanelKenneth

    No problem. Symlinks get so much attention that everyone forgets about hard links. :)

    Filtering out things not owned by the user is a general safety step, but doesn't necessarily accomplish your goal.
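
Added example (not part of any post in this thread): a pre-check for the hard-link case raised in posts 5 and 7, assuming a POSIX shell with GNU or BSD find. The function names and the temp-dir tree are constructed for illustration; the script lists multiply linked files and emits only entries already owned by the account that are directories or singly linked regular files.

```shell
#!/bin/sh
# Added example, not from the thread. All paths are constructed in a temp dir.

# audit_links DIR: regular files under DIR whose inode has more than one name.
# Such a file may also be reachable at a path outside DIR.
audit_links() {
    find -P "$1" -xdev -type f -links +1 -print
}

# safe_targets DIR OWNER: NUL-separated entries that are already owned by
# OWNER and are either directories or singly linked regular files.
# Symlinks and multiply linked files are left out for manual review.
safe_targets() {
    find -P "$1" -xdev -user "$2" \
        \( -type d -o \( -type f -links 1 \) \) -print0
}

# make_demo_tree: build a constructed tree and print its root.
#   www/index.php   ordinary file
#   www/notes.txt   hard link to outside/secret
#   www/shortcut    symlink to outside/secret
make_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/www" "$root/outside"
    echo '<?php' > "$root/www/index.php"
    echo 'secret' > "$root/outside/secret"
    ln "$root/outside/secret" "$root/www/notes.txt"
    ln -s "$root/outside/secret" "$root/www/shortcut"
    printf '%s\n' "$root"
}

demo=$(make_demo_tree)
echo "Multiply linked files (review before any root-run chown):"
audit_links "$demo/www"
echo "Entries that could be passed to: xargs -0 chown -h OWNER:GROUP"
safe_targets "$demo/www" "$(id -u)" | tr '\0' '\n'
rm -rf "$demo"
```

The listing is a point-in-time check: a user with write access to the tree can add a link between the audit and the chown, so it does not replace running the change with the user's own privileges as suggested in post 6.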
     