The Community Forums

Interact with an entire community of cPanel & WHM users!

httpd.conf: How to prevent users from viewing it?

Discussion in 'General Discussion' started by AlexAT, Sep 21, 2004.

  1. AlexAT

    httpd.conf has 644 by default.
    This means that any user can view this file from any (php, cgi) script.

    Does anybody know how to make it inaccessible to users?
     
  2. chirpy

    AFAIK, you can't because the user accounts need access to it when running under suexec.
     
  3. AlexAT

    Unfortunately, she can.

    And only because of 644.
     
  4. AlexAT

    Try to run the following cgi, guys, on your cPanel server and get httpd.conf into your browser even if you have suexec installed:
    *********************
    open(MYINPUTFILE, "</usr/local/apache/conf/httpd.conf");
    my(@lines) = <MYINPUTFILE>;
    my($line);
    foreach $line (@lines)
    {
    print "$line";
    }
    close(MYINPUTFILE);
    *********************

    640 will stop this but it'll break cPanel.
    How can I prevent this?
     
  5. SarcNBit

    I think you misunderstood chirpy's reply. ;)
     
  6. chirpy

    Maybe I wasn't clear :) I don't think you can change the permissions because apache needs access to your users' files, so conversely your users can access the apache configuration file. It's just one of those things in a virtual hosting environment. There's all sorts of things your users can view on your server that you might not like, but there's little you can do about it, short of using a VPS.
     
  7. casey

    So mod_security can't be invoked here to block access?
     
  8. dgbaker

    mod_security should help, yes.

    Try the following setting.

    # WEB-ATTACKS conf/httpd.conf attempt
    SecFilter "conf/httpd\.conf" log,deny
     
  9. casey

    Hmm. I tried that, but it still allowed it. I would have thought that would work...
     
  10. SupermanInNY

    /public_html/cgi-bin => vi my.cgi

    #!/bin/sh
    open(MYINPUTFILE, "</usr/local/apache/conf/httpd.conf");
    my(@lines) = <MYINPUTFILE>;
    my($line);
    foreach $line (@lines)
    {
    print "$line";
    }
    close(MYINPUTFILE);


    I tried to run this, but I get Internal Server Error.
    Am I 'safe' or did I mistype the file?

    I gave it chown of the user
    I gave it chmod 755 and then tried 777
    both give me Internal Server Error.
    Should I be a happy puppy?

    -Alon.
     
  11. SarcNBit

    Did you try it with a perl shebang?
     
  12. dgbaker

    Change the code to this and it will work.

    Code:
    #!/usr/bin/perl -w
    print "content-type: text/html\n\n";
    open(MYINPUTFILE, "/usr/local/apache/conf/httpd.conf");
    my(@lines) = <MYINPUTFILE>;
    my($line);
    foreach $line (@lines)
    {
    print "$line<br>";
    }
    close(MYINPUTFILE);
     
    Basically added the content-type
     
  13. SupermanInNY


    I'm happy to repeat again: This is not working on my server.
    I have a techie here who added all sorts of tweaks from the kernel to the directory structure and it seems like he did a good job :)

    I am running Suexec Enabled.

    -Alon.
     
  14. chirpy

    Sadly, mod_security is very easily bypassed.

    The script as quoted is missing the < in the open command which defaults to read/write otherwise, so you may not be protected. Give this one a whirl and post the die message if it does:
    Code:
    #!/usr/bin/perl
    use CGI::Carp qw(fatalsToBrowser);
    print "content-type: text/html\n\n";
    open (IN, "</usr/local/apache/conf/httpd.conf") or die "Unable to open httpd.conf: $!";
    @lines = <IN>;
    close (IN);
    foreach $line (@lines) {print "$line<br>"}
     
     
  15. AlexAT

    To chirpy:
    Yes, now it is clear to me.
    Sorry for the inconvenience.


    Very good.
    Please provide his credentials for contact if it is possible.
     
  16. SupermanInNY


    MUMMMYYYY... Yaaaeeekksss... Holy Toledo..
    Friday the 13th wasn't as scary as this little script!

    Ok,.. somebody find a solution for this please!
    Bad CGI,.. Bad...

    What logic would work to prevent it ever?
    Apache must have access to this file.
    The file location is always known to everyone with phpinfo(), so how do you train Apache not to disclose its internal affairs?
    Is there a 3rd party mod_security_enhancement_thingy that can take care of this?
    Some super suexec mod that can be compiled in and save us all?

    -Alon.
     
  17. chirpy

    Like I said, there's little you're going to be able to do about it. I can give you much scarier examples than being able to read httpd if you want. It's something you have to accept in a shared hosting environment.
     
  18. AlexAT

    I want.
    Could you please give them to me?
     
  19. chirpy

    OK. This isn't for the faint-hearted and if you don't like it I would suggest complaining to cPanel and don't shoot the messenger ;)
    Code:
    #!/usr/bin/perl
    use CGI::Carp qw(fatalsToBrowser);
    
    print "content-type: text/html\n\n";
    opendir (DIR, "/var/cpanel/users") or die $!;
    while ($user = readdir (DIR)) {
    	if ($user =~ /^\./) {next}
    	open (FILE, "/var/cpanel/users/$user") or die $!;
    	my @data = <FILE>;
    	close (FILE);
    	chomp @data;
    	print "<p>cPanel Account: <b>$user</b>...<br><blockquote>\n";
    	foreach my $line (@data) {print "$line<br>\n"}
    	print "</blockquote>\n";
    }
    closedir (DIR);
    Btw, that took me approximately 2 minutes to write, so it's not rocket science.
     
    #19 chirpy, Sep 23, 2004
    Last edited: Sep 23, 2004
  20. AlexAT

    You could have only said: /var/cpanel/users/*user* :)

    Not very nice place though.


    And this is not a virtual hosting problem but definitely a cPanel problem.
     
    #20 AlexAT, Sep 23, 2004
    Last edited: Sep 23, 2004
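
An audit for the exposure discussed in this thread, as an added example that is not part of any post and is not cPanel's code: it reports files that have the others-read bit set and are reachable through parent directories searchable by others, which is the condition that lets a customer's script read httpd.conf or the files under /var/cpanel/users. The function names and the `AUDIT_TOP` variable are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): list files that any local account,
# and therefore any customer's CGI or PHP script, is able to read.
# Usage: sh audit.sh /usr/local/apache/conf/httpd.conf /var/cpanel/users
# AUDIT_TOP is a name made up for this example: parent directories above it
# are not checked (default: check all the way up to /).

# First field of `ls -ld`, e.g. "-rw-r--r--" for mode 644.
mode_string() { ls -ld "$1" 2>/dev/null | cut -c1-10; }

# True if "others" hold the search (x) bit on DIR and on each parent up to
# AUDIT_TOP. Without it, a 644 file inside DIR is still out of reach.
others_can_traverse() {
    d=$1
    top=${AUDIT_TOP:-/}
    while :; do
        case $(mode_string "$d" | cut -c10) in
            x|t) ;;              # t = sticky bit set together with o+x
            *) return 1 ;;
        esac
        case $d in "$top"|/|.) return 0 ;; esac
        d=$(dirname "$d")
    done
}

# True if FILE is a regular file with o+r and a traversable path to it.
others_can_read() {
    [ -f "$1" ] || return 1
    [ "$(mode_string "$1" | cut -c8)" = "r" ] || return 1
    others_can_traverse "$(dirname "$1")"
}

# Print "<mode> <path>" for every exposed file; for a directory argument,
# check the files directly inside it (as with /var/cpanel/users/<user>).
audit() {
    for target in "$@"; do
        if [ -d "$target" ]; then
            for f in "$target"/*; do
                others_can_read "$f" && echo "$(mode_string "$f") $f"
            done
        else
            others_can_read "$target" && echo "$(mode_string "$target") $target"
        fi
    done
    return 0
}

audit "$@"
```

Run it as root with absolute paths so that every file and parent directory can be inspected. It only reports mode bits; whether a reported file can be tightened without breaking the software that reads it still has to be tested, as the 640 experiment in the thread shows.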