The Community Forums

How to disallow normal user read named.conf file?

Discussion in 'Security' started by garconcn, Jun 11, 2012.

  1. garconcn

    garconcn Well-Known Member

    Joined:
    Oct 29, 2009
    Messages:
    98
    Likes Received:
    1
    Trophy Points:
    8
    A hacker ran a PHP script on a user account and could list all the domains and users on the same server. I have no evidence showing they can get the password, but it's not good to reveal the user ID.

    The script is simple: it gets the domain names from the /etc/named.conf file, then gets the users from /etc/valiases/. I tested with a normal user, but it does not have permission to read the files under /etc/valiases/. How can this PHP script read it?

    Thanks for any help.

    Code:
     ls -lah /etc/valiases/
    /bin/ls: /etc/valiases/: Permission denied
    
    Hack code snippet:

    Code:
    $d0mains = @file("/etc/named.conf");
    $user = posix_getpwuid(@fileowner("/etc/valiases/".$domains[1][0]));
     
  2. ChrisFirth

    ChrisFirth Active Member
    PartnerNOC

    Joined:
    Apr 10, 2008
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    DataCenter Provider
    The snippet pasted doesn't read the contents of the file itself. Because it has the list of domains from /etc/named.conf, it then knows what files are going to be there. The userid that owns the file is converted using the posix_getpwuid function. This way the user is matched up with the domain as opposed to just looking at the /etc/passwd file (where you can guess the domain that matches the user most of the time anyway). You can test this yourself by doing 'stat /etc/valiases/domain' as a non privileged user which will give you the username/userid etc.

    Not sure if any other users need access to named.conf, but if you chmod it 640 so that only root can read/write and named can read, it should be OK in theory.
     
  3. garconcn

    garconcn Well-Known Member

    Joined:
    Oct 29, 2009
    Messages:
    98
    Likes Received:
    1
    Trophy Points:
    8
    You are right. I can get the username and userid as a non-privileged user. The default named.conf permission is 644; I'm not sure of any impact after changing it to 640. I will test this later.

    I also tried turning on safe mode, and the hacker script then showed "CANT READ named.conf" immediately. I guess this can stop tools like c99 and Madspot shell? I am hesitant to turn on safe mode because I see many open source scripts need safe mode off, and PHP does not support it in version 5.3.0.
     
  4. mahinder

    mahinder Well-Known Member

    Joined:
    Jun 12, 2003
    Messages:
    68
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    matrix
    Put this line in php.ini and hackers will not have access to named.conf through PHP. However, they will still be able to read it through other ways, which I don't want to describe here.

    open_basedir = /home/:/usr/lib/php:/usr/local/lib/php:/tmp

    You may also control users' php.ini to make sure hackers are not able to override this setting.
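    As an added example (not code from this thread), a small POSIX shell audit for the two hardening points raised in the replies above: named.conf must not be world-readable (mode 640 rather than the 644 default), and php.ini must set an open_basedir whose prefixes do not still cover /etc. The demo runs on constructed temp files; file paths in a real run (/etc/named.conf, the server's php.ini) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit the two mitigations discussed.
# (1) named.conf should carry no read bit for "other" (e.g. 640, root:named).
# (2) php.ini should set open_basedir so PHP cannot open() files under /etc.

# Return 0 when $1 has no "other" read bit (e.g. 640); 1 when it does
# (e.g. 644) or when the file is missing.
not_world_readable() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    other=$(( mode % 10 ))          # last octal digit = "other" permissions
    [ $(( other & 4 )) -eq 0 ]      # bit 4 = read
}

# Return 0 when the php.ini given as $1 sets a non-empty open_basedir and
# none of its ':'-separated prefixes is "/" or starts with /etc.
open_basedir_blocks_etc() {
    value=$(sed -n 's/^[[:space:]]*open_basedir[[:space:]]*=[[:space:]]*//p' "$1" \
            | tail -n 1 | tr -d '"')
    [ -n "$value" ] || return 1     # unset or empty: no restriction at all
    for prefix in $(printf '%s' "$value" | tr ':' ' '); do
        case "$prefix" in
            /|/etc|/etc/*) return 1 ;;
        esac
    done
    return 0
}

# Demo on constructed files (constructed sample, not real server config).
demo() {
    tmp=$(mktemp -d)
    printf 'zone "example.test" { type master; };\n' > "$tmp/named.conf"
    chmod 644 "$tmp/named.conf"      # the default the thread mentions
    if not_world_readable "$tmp/named.conf"; then
        echo "named.conf: OK"
    else
        echo "named.conf: world-readable, chmod 640 recommended"
    fi
    chmod 640 "$tmp/named.conf"
    not_world_readable "$tmp/named.conf" && echo "named.conf: OK after chmod 640"
    printf 'open_basedir = /home/:/usr/lib/php:/usr/local/lib/php:/tmp\n' > "$tmp/php.ini"
    open_basedir_blocks_etc "$tmp/php.ini" && echo "open_basedir: OK"
    rm -rf "$tmp"
}
demo
```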
     
  5. garconcn

    garconcn Well-Known Member

    Joined:
    Oct 29, 2009
    Messages:
    98
    Likes Received:
    1
    Trophy Points:
    8
    Yes, this works. I had found this solution in the forum. Thanks.
     
  6. hostnex

    hostnex Well-Known Member

    Joined:
    May 2, 2008
    Messages:
    77
    Likes Received:
    1
    Trophy Points:
    8
    Location:
    Islamabad, Pakistan
    cPanel Access Level:
    Root Administrator
    open_basedir does not work in the case of suPHP, so how do you do it on servers where suPHP is enabled?
     
  7. borgia

    borgia Member

    Joined:
    Jun 27, 2012
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I can confirm that "open_basedir" in php.ini is working, so they have no access (on my servers suPHP is enabled).

    Regards,
    George B.
     