Interesting data cPanel users know about the server

[postcd]

The cPanel user can see alot of data
For example these are readable to the cPanel user on standard CentOS/Apache/WHM server:

/etc/named.conf + /etc/dovecot/sni.conf - hosted domains
/etc/shadow + /etc/trueuserowners - cpanel user list
/etc/fstab - filesystems, like ramdisks
/etc/localaliases - e-mail of the root/nobody user
/etc/cron.d/ - cronjobs contents if have more than 700 permission (ie 644)
/etc/my.cnf - mysql configuration file
/usr/local/apache/conf/modsec2.user.conf - mod security rules
/etc/sysconfig/network-scripts/ - ips used on the server
+ phpinfo() - many other details about apache, php, mysql

 

[cPanelMichael]

Hello,

This is answered on your previous thread:

Prevent cpanel user to list server root directories and write into /tmp

You can also find more information on the jailed environment at:

VirtFS - Jailed Shell - Documentation - cPanel Documentation

Thank you.

 

[postcd]

the files i mentioned can be read without SSH access enabled on that particular cpanel.
it can be read thru a php script while following php functions are disabled on that particular cpanel: disable_functions: show_source, system, passthru, shell_exec, popen, proc_open, allow_url_fopen

i assume virtfs can't change this.

 

[cPanelMichael]

it can be read thru a php script

Information on how to prevent this is documented at:

PHP Security Concepts - cPanel Knowledge Base - cPanel Documentation

In particular, the following option is useful:

PHP open_basedir Tweak - Documentation - cPanel Documentation

Thank you.

 

[postcd]

Thank you i went thru the pages you linked and applied all the things.

RE: PHP open_basedir Tweak - Documentation - cPanel Documentation

In Home >> Security Center >> PHP open_basedir Tweak i have option "Enable php open_basedir Protection." ticked, but at Yours linked page is mentioned "If you configure PHP to run as a CGI, suPHP, or FastCGI process, you must manually specify the open_basedir directive in the appropriate php.ini file.", and i am using suPHP and i think im happy with it. So i would need to setup some script that would append open_basedit for each cpanel to the global php.ini, only solution?
i mean like:

[PATH=/home/newcpanel/pubic_html]
open_basedir = /home/newcpanel/pubic_html

?

RE: PHP Security Concepts - cPanel Knowledge Base - cPanel Documentation

The php script tells me: Disable Functions : show_source, system, passthru, shell_exec, popen, proc_open, proc_close, curl_exec, curl_multi_exec, allow_url_fopen, allow_url_include, symlink, link, unlink, copy, mkdir, rmdir, file, readfile, filegetcontents, dl, mail

yet all files i mentioned in first post are readable for a cpanel user and also following commands can be executed by cpanel user from within php script: netstat, ps aux, last, w, vmstat, /proc/version

Please any ideas what can be done to prevent some of these sensitive data be revealed?
CentOS 6.x, Apache, suPHP, EasyApache 3

 

[cPanelMichael]

Hello,
https://forums.cpanel.net/workarounds-optimization/448482-suphp-open_basedir-together-improved-security-post1810252.html
You may find the following thread helpful if you'd like to use suPHP:

suPHP and open_basedir together, for improved security.

That said, have you considered using DSO with Mod_Ruid2?

Thank you.