How to disallow a normal user from reading the named.conf file?

garconcn

Well-Known Member
Oct 29, 2009
A hacker ran a PHP script on a user account and can list all the domains and users on the same server. I have no evidence showing they can get the passwords, but it's not good to reveal the user IDs.

The script is simple: it gets the domain names from the /etc/named.conf file, then gets the users from /etc/valiases/. I tested as a normal user, but it does not have permission to read the files under /etc/valiases/. How can this PHP script read them?

Thanks for any help.

Code:
ls -lah /etc/valiases/
/bin/ls: /etc/valiases/: Permission denied

Hack code snippet:

Code:
$d0mains = @file("/etc/named.conf");
$user = posix_getpwuid(@fileowner("/etc/valiases/".$domains[1][0]));
 

ChrisFirth

Active Member
PartnerNOC
Apr 10, 2008
cPanel Access Level
DataCenter Provider
The snippet pasted doesn't read the contents of the file itself. Because it has the list of domains from /etc/named.conf, it then knows what files are going to be there. The userid that owns the file is converted using the posix_getpwuid function. This way the user is matched up with the domain as opposed to just looking at the /etc/passwd file (where you can guess the domain that matches the user most of the time anyway). You can test this yourself by doing 'stat /etc/valiases/domain' as a non privileged user which will give you the username/userid etc.

Not sure if any other users need access to named.conf, but if you chmod it 640 so that only root can read/write and named can read it, it should be ok in theory.
 
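The leak ChrisFirth describes, reproduced in a scratch directory so it can be seen without touching the real /etc/valiases, followed by the chmod 640 step applied to a scratch copy of named.conf. This is an added example, not code from the thread or from cPanel; it assumes a Linux host with GNU or busybox coreutils (stat -c), and the mode 0311 on the scratch directory and the zone lines in the scratch named.conf are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original thread: rebuild the situation
# ChrisFirth describes in a scratch directory so the leak can be seen without
# touching /etc/valiases, then apply the chmod 640 he suggests to a scratch
# copy of named.conf. Assumes Linux with stat -c (GNU or busybox coreutils).
set -u

# Stand-in for /etc/valiases: one file per domain, directory searchable (x) but
# not listable (r). 0311 leaves only w+x for the owner so that even the creator
# cannot list it when run unprivileged; root bypasses these mode bits entirely.
make_demo_valiases() {
    dir=$(mktemp -d)
    touch "$dir/example.com" "$dir/example.net"
    chmod 0640 "$dir/example.com" "$dir/example.net"
    chmod 0311 "$dir"
    printf '%s\n' "$dir"
}

# Pull zone names out of a named.conf; the file names under /etc/valiases are
# the zone names, which is all the PHP script needs to know.
zones_from_conf() {
    sed -n 's/^[[:space:]]*zone[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# stat() by exact name needs only x on the directory, not r: this is what
# fileowner()/posix_getpwuid() does in the script. Printed numerically so it
# also works where the uid has no passwd entry.
owner_uid_of() {
    stat -c '%u' "$1"
}

# Hardening from the post: 640, so only the owner writes and only the owning
# group reads. On a real server the group must be named for BIND to keep
# working (check with: stat -c '%U:%G' /etc/named.conf).
harden_conf() {
    chmod 0640 "$1"
    stat -c '%a' "$1"
}

demo() {
    dir=$(make_demo_valiases)
    conf=$(mktemp)
    # Constructed named.conf fragment for the demo.
    cat > "$conf" <<'EOF'
zone "example.com" { type master; file "/var/named/example.com.db"; };
zone "example.net" { type master; file "/var/named/example.net.db"; };
EOF
    echo "ls on the directory (Permission denied unless run as root):"
    ls "$dir" 2>&1 || true
    echo "stat by name still works, so the owner of each domain is exposed:"
    for z in $(zones_from_conf "$conf"); do
        printf '%s -> uid %s\n' "$z" "$(owner_uid_of "$dir/$z")"
    done
    echo "named.conf mode after hardening: $(harden_conf "$conf")"
    chmod 0700 "$dir"
    rm -rf "$dir" "$conf"
}

demo
```

Run it as an unprivileged user to see the ls failure next to the successful stat; as root both succeed, because root is not subject to the mode bits. The point of the 640 on named.conf is that the domain list is the only thing the script needs, so hiding it removes the file names the stat calls depend on.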

garconcn

Well-Known Member
Oct 29, 2009
You are right. I can get the username and userid as a non-privileged user. The default named.conf permission is 644; I'm not sure whether changing it to 640 has any impact. I will test this later.

I also tried turning on safe mode, and then the hacker script shows "CANT READ named.conf" immediately. I guess this can stop tools like the c99 and Madspot shells? I am hesitant to turn on safe mode because I see many open source scripts need safe mode off, and PHP does not support it in version 5.3.0.
 

mahinder

Well-Known Member
Jun 12, 2003
matrix
Put this line in php.ini and hackers will not have access to named.conf through PHP. However, they will still be able to read it through other ways which I don't want to describe here.

open_basedir = /home/:/usr/lib/php:/usr/local/lib/php:/tmp

You may also want to control users' php.ini files to make sure hackers are not able to override this setting.
 
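A small audit for the two things mahinder's post asks for: that the global php.ini carries an open_basedir line that keeps /etc out of reach, and that no account-level ini file sets its own open_basedir. This is an added example, not from the thread or from cPanel; it takes the ini path and the home root as arguments and runs against constructed files, so the real locations (/usr/local/lib/php.ini and /home on a cPanel box) are an assumption about the host, as is the inclusion of .user.ini, which only newer PHP CGI/FastCGI SAPIs read.

```shell
#!/bin/sh
# Added example, not from the original thread or from cPanel: audit a global
# php.ini for the open_basedir line mahinder suggests, and find per-account
# ini files that set their own open_basedir, which is the override he warns
# about. Paths are arguments so it runs against constructed files; the real
# locations (/usr/local/lib/php.ini, /home) are an assumption about the host.
set -u

# Effective open_basedir from one ini file: last uncommented assignment wins,
# as in PHP's own ini parser; prints nothing when the directive is absent.
open_basedir_of() {
    sed -n 's/^[[:space:]]*open_basedir[[:space:]]*=[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' "$1" | tail -n 1
}

# The directive only helps if it is set and none of its entries is / or /etc,
# since either would put /etc/named.conf back inside the allowed tree.
open_basedir_ok() {
    v=$(open_basedir_of "$1")
    [ -n "$v" ] || return 1
    old_ifs=$IFS
    IFS=:
    for p in $v; do
        case "$p" in
            /|/etc|/etc/) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# Account-controlled ini files under a home root that set open_basedir at all.
# Any hit is worth a look: a CGI-style SAPI such as suPHP reads a php.ini from
# the script's own directory, so an account can widen the global value there.
# .user.ini is an assumption: only newer CGI/FastCGI SAPIs read it.
find_user_overrides() {
    find "$1" \( -name php.ini -o -name .user.ini \) -type f 2>/dev/null |
    while read -r f; do
        v=$(open_basedir_of "$f")
        if [ -n "$v" ]; then
            printf '%s=%s\n' "$f" "$v"
        fi
    done
}

# Demo on constructed files (not a live server).
demo() {
    t=$(mktemp -d)
    printf 'open_basedir = /home/:/usr/lib/php:/usr/local/lib/php:/tmp\n' > "$t/php.ini"
    mkdir -p "$t/home/bob/public_html"
    printf '; widened by the account owner\nopen_basedir = /\n' > "$t/home/bob/public_html/php.ini"
    if open_basedir_ok "$t/php.ini"; then
        echo "global php.ini: open_basedir = $(open_basedir_of "$t/php.ini") (ok)"
    else
        echo "global php.ini: open_basedir missing or too wide"
    fi
    echo "per-account overrides under $t/home:"
    find_user_overrides "$t/home"
    rm -rf "$t"
}

demo
```

On a real server the call would be `open_basedir_ok /usr/local/lib/php.ini` and `find_user_overrides /home`; a listed file is not necessarily malicious, but each one is a place where the global restriction does not apply, which is the gap the post's last sentence is about.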

garconcn

Well-Known Member
Oct 29, 2009
Yes, this works. I had found this solution in the forum. Thanks.
 

hostnex

Well-Known Member
May 2, 2008
Islamabad, Pakistan
cPanel Access Level
Root Administrator
open_basedir does not work in the case of suPHP, so how do you do it on servers where suPHP is enabled?