httpd.conf How to prevent user to view it?

AFAIK, you can't because the user accounts needs access to it when running under suexec.

 

I think you misunderstood chirpy's reply.

 

Maybe I wan't clear I don't think you can change the permissions because apache needs access to your users files, so conversely your users can access the apache configuration file. It's just one of those things in a virtual hosting environment. There's all sorts of things your users can view on your server that you might not like, but there's little you can do about it, short of using a VPS.

 

So mod_security can't be invoked here to block access?

 

mod_security should help yes.

Try the following setting.

# WEB-ATTACKS conf/httpd.conf attempt
SecFilter "conf/httpd\.conf" log,deny

 

Hmm. I tried that, but it still allowed it. I would have thought that would work...

 

/public_html/cgi-bin => vi my.cgi

#!/bin/sh
open(MYINPUTFILE, "</usr/local/apache/conf/httpd.conf");
my(@lines) = <MYINPUTFILE>;
my($line);
foreach $line (@lines)
{
print "$line";
}
close(MYINPUTFILE);


I tried to run this, but I get Internal Server Error.
Am I 'safe' or did I mistyped the file?

I gave it chown of the user
I gave it chmod 755 and then tried 777
both give me Internal Server Error.
Should I be a happy puppy?

-Alon.

 

Did you try it with a perl shebang?

 

Change the code to this and it will work.

Code:

#!/usr/bin/perl -w
print "content-type: text/html\n\n";
open(MYINPUTFILE, "/usr/local/apache/conf/httpd.conf");
my(@lines) = <MYINPUTFILE>;
my($line);
foreach $line (@lines)
{
print "$line<br>";
}
close(MYINPUTFILE);
 

Basically added the content-type

 

I'm happy to repeat again: This is not working on my server.
I have techi here who added all sorts of tweaks from the kernel to the directory structure and it seems like he did a good job

I am running Suexec Enabled.

-Alon.

 

Sadly, mod_security is very easily bypassed.

The script as quoted is missing the < in the open command which defaults to read/write otherwise, so you may not be protected. Give this one a whirl and post the die message if it does:

Code:

#!/usr/bin/perl
use CGI::Carp qw(fatalsToBrowser);
print "content-type: text/html\n\n";
open (IN, "</usr/local/apache/conf/httpd.conf") or die "Enable to open httpd.conf: $!";
@lines = <IN>;
close (IN);
foreach $line (@lines) {print "$line<br>"}
 

 

MUMMMYYYY... Yaaaeeekksss... Holly Toledo..
Friday the 13th wasn't so scarry as this little script!

Ok,.. somebody find a solution for this please!
Bad CGI,.. Bad...

What logic would work to prevent it ever?
Apache must have access to this file.
The file location is always known to everyone with phpinfo(), so how do you train Apache not to disclose its internal affairs?
Is there a 3rd party mod_security_enhancement_thingy that can take care of this?
Some super suexec mod that can be compiled in and save us all?

-Alon.

 

Like I said, there's little you're going to be able to do about it. I can give you much scarier examples than being able to read httpd if you want. It's something you have to accept in a shared hosting environment.

 

OK. This isn't for the faint-hearted and if you don't like it I would suggest complaining to cPanel and don't shoot the messenger

Code:

#!/usr/bin/perl
use CGI::Carp qw(fatalsToBrowser);

print "content-type: text/html\n\n";
opendir (DIR, "/var/cpanel/users") or die $!;
while ($user = readdir (DIR)) {
	if ($user =~ /^\./) {next}
	open (FILE, "/var/cpanel/users/$user") or die $!;
	my @data = <FILE>;
	close (FILE);
	chomp @data;
	print "<p>cPanel Account: <b>$user</b>...<br><blockquote>\n";
	foreach my $line (@data) {print "$line<br>\n"}
	print "</blockquote>\n";
}
closedir (DIR);

Btw, that took me approximately 2 minutes to write, so it's not rocket science.