httpd.conf: How to prevent users from viewing it?

AlexAT

Well-Known Member
PartnerNOC
May 23, 2003
202
0
166
Ukraine
cPanel Access Level
Root Administrator
httpd.conf has 644 by default.
This means that any user can view this file from any (PHP, CGI) script.

Does anybody know how to make it inaccessible to users?
 

AlexAT

Well-Known Member
PartnerNOC
May 23, 2003
202
0
166
Ukraine
cPanel Access Level
Root Administrator
Try running the following CGI, guys, on your cPanel server, and you'll get httpd.conf in your browser even if you have suexec installed:
*********************
#!/usr/bin/perl
# Runs as the account user under suexec, yet still reads the 644 file.
print "Content-type: text/plain\n\n";
open(MYINPUTFILE, "</usr/local/apache/conf/httpd.conf")
    or die "Cannot open httpd.conf: $!";
my(@lines) = <MYINPUTFILE>;
my($line);
foreach $line (@lines)
{
print "$line";
}
close(MYINPUTFILE);
*********************

640 will stop this, but it'll break cPanel.
How can I prevent this?
 

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,437
33
473
Go on, have a guess
Maybe I wasn't clear :) I don't think you can change the permissions because Apache needs access to your users' files, so, conversely, your users can access the Apache configuration file. It's just one of those things in a virtual hosting environment. There are all sorts of things your users can view on your server that you might not like, but there's little you can do about it, short of using a VPS.
 

casey

Well-Known Member
Jan 17, 2003
2,288
0
191
Hmm. I tried that, but it still allowed it. I would have thought that would work...
 

SupermanInNY

Well-Known Member
Jul 19, 2003
255
0
166
/public_html/cgi-bin => vi my.cgi

#!/bin/sh
open(MYINPUTFILE, "</usr/local/apache/conf/httpd.conf");
my(@lines) = <MYINPUTFILE>;
my($line);
foreach $line (@lines)
{
print "$line";
}
close(MYINPUTFILE);


I tried to run this, but I get an Internal Server Error.
Am I 'safe' or did I mistype the file?

I chowned it to the user.
I chmodded it to 755 and then tried 777.
Both give me an Internal Server Error.
Should I be a happy puppy?

-Alon.
 

dgbaker

Well-Known Member
PartnerNOC
Sep 20, 2002
2,531
10
343
Toronto, Ontario Canada
cPanel Access Level
DataCenter Provider
Change the code to this and it will work.

Code:
#!/usr/bin/perl -w
print "content-type: text/html\n\n";
open(MYINPUTFILE, "/usr/local/apache/conf/httpd.conf");
my(@lines) = <MYINPUTFILE>;
my($line);
foreach $line (@lines)
{
print "$line<br>";
}
close(MYINPUTFILE);
Basically added the content-type
 

SupermanInNY

Well-Known Member
Jul 19, 2003
255
0
166
dgbaker said:
Change the code to this and it will work.

Code:
#!/usr/bin/perl -w
print "content-type: text/html\n\n";
open(MYINPUTFILE, "/usr/local/apache/conf/httpd.conf");
my(@lines) = <MYINPUTFILE>;
my($line);
foreach $line (@lines)
{
print "$line<br>";
}
close(MYINPUTFILE);
Basically added the content-type

I'm happy to repeat again: this is not working on my server.
I have a techie here who added all sorts of tweaks from the kernel to the directory structure, and it seems like he did a good job :)

I am running with suexec enabled.

-Alon.
 

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,437
33
473
Go on, have a guess
Sadly, mod_security is very easily bypassed.

The script as quoted is missing the < in the open command, which defaults to read/write otherwise, so you may not be protected. Give this one a whirl and post the die message if it does:
Code:
#!/usr/bin/perl
use CGI::Carp qw(fatalsToBrowser);
print "content-type: text/html\n\n";
open (IN, "</usr/local/apache/conf/httpd.conf") or die "Unable to open httpd.conf: $!";
@lines = <IN>;
close (IN);
foreach $line (@lines) {print "$line<br>"}
 

AlexAT

Well-Known Member
PartnerNOC
May 23, 2003
202
0
166
Ukraine
cPanel Access Level
Root Administrator
To chirpy:
Yes, now it is clear to me.
Sorry for the inconvenience.


SupermanInNY said:
I'm happy to repeat again: this is not working on my server.
I have a techie here who added all sorts of tweaks from the kernel to the directory structure, and it seems like he did a good job :)

I am running with suexec enabled.

-Alon.
Very good.
Please provide his contact details if possible.
 

SupermanInNY

Well-Known Member
Jul 19, 2003
255
0
166
chirpy said:
Sadly, mod_security is very easily bypassed.

The script as quoted is missing the < in the open command, which defaults to read/write otherwise, so you may not be protected. Give this one a whirl and post the die message if it does:
Code:
#!/usr/bin/perl
use CGI::Carp qw(fatalsToBrowser);
print "content-type: text/html\n\n";
open (IN, "</usr/local/apache/conf/httpd.conf") or die "Unable to open httpd.conf: $!";
@lines = <IN>;
close (IN);
foreach $line (@lines) {print "$line<br>"}

MUMMMYYYY... Yaaaeeekksss... Holy Toledo..
Friday the 13th wasn't as scary as this little script!

Ok,.. somebody find a solution for this please!
Bad CGI,.. Bad...

What logic would work to prevent it ever?
Apache must have access to this file.
The file location is always known to everyone with phpinfo(), so how do you train Apache not to disclose its internal affairs?
Is there a 3rd party mod_security_enhancement_thingy that can take care of this?
Some super suexec mod that can be compiled in and save us all?

-Alon.
 

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,437
33
473
Go on, have a guess
Like I said, there's little you're going to be able to do about it. I can give you much scarier examples than being able to read httpd if you want. It's something you have to accept in a shared hosting environment.
 

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,437
33
473
Go on, have a guess
OK. This isn't for the faint-hearted and if you don't like it I would suggest complaining to cPanel and don't shoot the messenger ;)
Code:
#!/usr/bin/perl
use CGI::Carp qw(fatalsToBrowser);

print "content-type: text/html\n\n";
opendir (DIR, "/var/cpanel/users") or die $!;
while ($user = readdir (DIR)) {
	if ($user =~ /^\./) {next}
	open (FILE, "/var/cpanel/users/$user") or die $!;
	my @data = <FILE>;
	close (FILE);
	chomp @data;
	print "<p>cPanel Account: <b>$user</b>...<br><blockquote>\n";
	foreach my $line (@data) {print "$line<br>\n"}
	print "</blockquote>\n";
}
closedir (DIR);
Btw, that took me approximately 2 minutes to write, so it's not rocket science.
 
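Both of the scripts in this thread, AlexAT's httpd.conf reader at the top and chirpy's /var/cpanel/users dump just above, work for the same reason: suexec changes which uid the CGI runs as, but a 644 file grants read to the "other" class, which is every uid. The following is an added example, not code from the thread or from cPanel; it models the kernel's owner/group/other check so you can see what 644 versus 640 means for a suexec'd user, and it audits a directory tree for world-readable regular files (a constructed temporary tree stands in for the real paths, which are assumptions about the server layout the posters describe):

```python
"""Added example (not from the thread): the mode-bit check behind the CGI
reads shown above, plus a small audit for world-readable config files."""
import os
import stat
import tempfile


def readable_by(mode, file_uid, file_gid, uid, gids):
    """Unix DAC read check: exactly one class applies, in this order:
    root bypass, owner, group, then other. 'gids' is the caller's set of
    group ids (primary plus supplementary)."""
    if uid == 0:                         # root bypasses DAC for reads
        return True
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)     # what a suexec'd user hits on 644


def audit_world_readable(root):
    """Return paths (relative to root) of regular files with the o+r bit set.
    Symlinks are not followed, so a link into a readable tree is not counted."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
                found.append(os.path.relpath(path, root))
    return sorted(found)


def demo():
    """Build a constructed tree mimicking the paths named in the thread
    (hypothetical content, real modes) and audit it."""
    tmp = tempfile.mkdtemp()
    layout = {
        "usr/local/apache/conf/httpd.conf": 0o644,  # the default the thread complains about
        "var/cpanel/users/alice": 0o644,            # readable by any account
        "var/cpanel/users/bob": 0o640,              # group only, not listed
    }
    for rel, mode in layout.items():
        path = os.path.join(tmp, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("# constructed sample file\n")
        os.chmod(path, mode)             # explicit mode, so umask is irrelevant
    return audit_world_readable(tmp)


if __name__ == "__main__":
    # uid 1001 is a hypothetical cPanel account; 99 is a common 'nobody' gid.
    print("644 root:root readable by uid 1001:",
          readable_by(0o644, 0, 0, 1001, {1001}))
    print("640 root:nobody readable by uid 1001:",
          readable_by(0o640, 0, 99, 1001, {1001}))
    print("640 root:nobody readable by nobody:",
          readable_by(0o640, 0, 99, 99, {99}))
    for rel in demo():
        print("world-readable:", rel)
```

Run it as any user; the audit needs no privileges because it only reads mode bits. Pointing `audit_world_readable` at the real `/usr/local/apache/conf` and `/var/cpanel/users` reports what an account's CGI could open, and the `readable_by` results show the trade-off the thread describes: dropping the "other" bit (640) is what stops the user's read, while the group bit is what keeps the web server's own uid able to read the file.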

AlexAT

Well-Known Member
PartnerNOC
May 23, 2003
202
0
166
Ukraine
cPanel Access Level
Root Administrator
You could have just said: /var/cpanel/users/*user* :)

Not a very nice place, though.


And this is not a virtual hosting problem but definitely a cPanel problem.
 