httpd.conf How to prevent user to view it?

[AlexAT]

httpd.conf has 644 by default.
This means that any user can view this file from any (php, cgi) script.

Anybody knows how to make it unaccessible for users?

 

[chirpy]

AFAIK, you can't because the user accounts needs access to it when running under suexec.

 

[AlexAT]

unfortunately, she can.

and only because 644.

 

[AlexAT]

Try to run the following cgi, guys, on your cPanel server and get httpd.conf into your browser even if you have suexec installed:
*********************
open(MYINPUTFILE, "</usr/local/apache/conf/httpd.conf");
my(@lines) = <MYINPUTFILE>;
my($line);
foreach $line (@lines)
{
print "$line";
}
close(MYINPUTFILE);
*********************

640 will stop this but it'll broke the cPanel.
How can I prevent this?

 

[SarcNBit]

and get httpd.conf into your browser even if you have suexec installed:

I think you misunderstood chirpy's reply.

 

[chirpy]

Maybe I wan't clear I don't think you can change the permissions because apache needs access to your users files, so conversely your users can access the apache configuration file. It's just one of those things in a virtual hosting environment. There's all sorts of things your users can view on your server that you might not like, but there's little you can do about it, short of using a VPS.

 

[casey]

So mod_security can't be invoked here to block access?

 

[dgbaker]

mod_security should help yes.

Try the following setting.

# WEB-ATTACKS conf/httpd.conf attempt
SecFilter "conf/httpd\.conf" log,deny

 

[casey]

Hmm. I tried that, but it still allowed it. I would have thought that would work...

 

[SupermanInNY]

/public_html/cgi-bin => vi my.cgi

#!/bin/sh
open(MYINPUTFILE, "</usr/local/apache/conf/httpd.conf");
my(@lines) = <MYINPUTFILE>;
my($line);
foreach $line (@lines)
{
print "$line";
}
close(MYINPUTFILE);


I tried to run this, but I get Internal Server Error.
Am I 'safe' or did I mistyped the file?

I gave it chown of the user
I gave it chmod 755 and then tried 777
both give me Internal Server Error.
Should I be a happy puppy?

-Alon.

 

[SarcNBit]

Did you try it with a perl shebang?

 

[dgbaker]

Change the code to this and it will work.

#!/usr/bin/perl -w
print "content-type: text/html\n\n";
open(MYINPUTFILE, "/usr/local/apache/conf/httpd.conf");
my(@lines) = <MYINPUTFILE>;
my($line);
foreach $line (@lines)
{
print "$line<br>";
}
close(MYINPUTFILE);

Basically added the content-type

 

[SupermanInNY]

Change the code to this and it will work.

#!/usr/bin/perl -w
print "content-type: text/html\n\n";
open(MYINPUTFILE, "/usr/local/apache/conf/httpd.conf");
my(@lines) = <MYINPUTFILE>;
my($line);
foreach $line (@lines)
{
print "$line<br>";
}
close(MYINPUTFILE);

Basically added the content-type

I'm happy to repeat again: This is not working on my server.
I have techi here who added all sorts of tweaks from the kernel to the directory structure and it seems like he did a good job

I am running Suexec Enabled.

-Alon.

 

[chirpy]

Sadly, mod_security is very easily bypassed.

The script as quoted is missing the < in the open command which defaults to read/write otherwise, so you may not be protected. Give this one a whirl and post the die message if it does:

#!/usr/bin/perl
use CGI::Carp qw(fatalsToBrowser);
print "content-type: text/html\n\n";
open (IN, "</usr/local/apache/conf/httpd.conf") or die "Enable to open httpd.conf: $!";
@lines = <IN>;
close (IN);
foreach $line (@lines) {print "$line<br>"}

 

[AlexAT]

2 chirpy:
Yes, now it is clear for me.
Sorry for inconvenience.

I'm happy to repeat again: This is not working on my server.
I have techi here who added all sorts of tweaks from the kernel to the directory structure and it seems like he did a good job

I am running Suexec Enabled.

-Alon.

Very good.
Please provide his credentials for contact if it is possible.

 

[SupermanInNY]

Sadly, mod_security is very easily bypassed.

The script as quoted is missing the < in the open command which defaults to read/write otherwise, so you may not be protected. Give this one a whirl and post the die message if it does:

#!/usr/bin/perl
use CGI::Carp qw(fatalsToBrowser);
print "content-type: text/html\n\n";
open (IN, "</usr/local/apache/conf/httpd.conf") or die "Enable to open httpd.conf: $!";
@lines = <IN>;
close (IN);
foreach $line (@lines) {print "$line<br>"}

MUMMMYYYY... Yaaaeeekksss... Holly Toledo..
Friday the 13th wasn't so scarry as this little script!

Ok,.. somebody find a solution for this please!
Bad CGI,.. Bad...

What logic would work to prevent it ever?
Apache must have access to this file.
The file location is always known to everyone with phpinfo(), so how do you train Apache not to disclose its internal affairs?
Is there a 3rd party mod_security_enhancement_thingy that can take care of this?
Some super suexec mod that can be compiled in and save us all?

-Alon.

 

[chirpy]

Like I said, there's little you're going to be able to do about it. I can give you much scarier examples than being able to read httpd if you want. It's something you have to accept in a shared hosting environment.

 

[AlexAT]

I can give you much scarier examples than being able to read httpd if you want.

I want.
Could you please give them to me?

 

[chirpy]

OK. This isn't for the faint-hearted and if you don't like it I would suggest complaining to cPanel and don't shoot the messenger

#!/usr/bin/perl
use CGI::Carp qw(fatalsToBrowser);

print "content-type: text/html\n\n";
opendir (DIR, "/var/cpanel/users") or die $!;
while ($user = readdir (DIR)) {
	if ($user =~ /^\./) {next}
	open (FILE, "/var/cpanel/users/$user") or die $!;
	my @data = <FILE>;
	close (FILE);
	chomp @data;
	print "<p>cPanel Account: <b>$user</b>...<br><blockquote>\n";
	foreach my $line (@data) {print "$line<br>\n"}
	print "</blockquote>\n";
}
closedir (DIR);

Btw, that took me approximately 2 minutes to write, so it's not rocket science.

 

[AlexAT]

You can only said: /var/cpanel/users/*user*

Not very nice place though.


And this is not virtual hosting problem but definitely cPanel problem.