The Community Forums


"nobody" ownership and security problems

Discussion in 'Security' started by BigLebowski, Jan 4, 2008.

  1. BigLebowski

    BigLebowski Well-Known Member

    hi there

    I have never used SuExec/PHPSuExec. Therefore I have a large number of sites with areas owned by "nobody". This happens when customers install applications like Joomla. This appears to result in a range of problems as follows:

    1. Cpanel, FTP password compromise

    Anyone running a shell as nobody can with impunity graze passwords from ini files owned by nobody. It is a technical doddle to graze files in an account not belonging to you and I gather that "open basedir" restrictions can be circumvented with ease. The ini files in question must be set readable by nobody for the web application to work. Since passwords in these files tend to use the Cpanel password there is a corresponding total account compromise. This typically results in iframe and virus insertions, "You've been hacked" messages, phishing sites, bulk email sending etc. In any event, if the password in the ini file is not the same as the Cpanel password, there is usually some sort of problem with hackers modifying data specific to the application.

    2. Exploitation of areas writeable by "nobody"

    Again, anyone running a shell as nobody can with impunity write to any area writeable by nobody. This results in bulk emailers, phishing sites, redirectors via .htaccess to mysterious Russian websites, the uploading of more shells, the corruption of applications, bots and general mayhem.

    3. Time spent changing ownerships and/or deleting objects owned by "nobody"

    I have to regularly spend time and therefore money deleting items owned by "nobody" in customers' accounts. The user cannot delete them because he has no permission. The application that created them is unable to delete this stuff and the customer wants it removed.

    Does anyone strongly recommend using SuExec/PHPSuExec for new server setups (including CPanel) because of the problems above? In terms of existing server setups, has anyone successfully managed to switch on SuExec/PHPSuExec on a server with many existing accounts with "nobody" objects and what was involved please?

    Thanks
    Dude
     
  2. troxalias

    troxalias Well-Known Member

    I would strongly suggest Suexec and SuPHP (as phpsuexec is not supported on the easyapache3 script). I use it on all my servers and I cannot imagine the nightmare of not having it enabled! As for the migration process regarding permissions, I have not done it but a simple shell script should be enough for the job.
     
  3. ramprage

    ramprage Well-Known Member

    Welcome to the forums. You've come across one of the most common security issues for web servers and summed it up in a nutshell quite nicely.

    The only real way to lock down each user's account is by installing phpsuexec or suphp. This basically forces PHP to run under the user who owns the files and doesn't allow access to files owned by another user. This is strongly recommended on a shared hosting environment with multiple client accounts. If the server was a handful of your own personal sites it's not as much of a big deal, but still a good idea.

    If you're not already using phpsuexec or suphp you can migrate over to it from an existing plain nobody setup with some changes and a good server admin. Usually I can get everything working the way it was after the migration with some tinkering.

    After phpsuexec or suphp has been setup there are some other security measures that should be added.

    1) Mod_security - a web firewall or web filter that scans POST/GET requests for malicious requests like /etc/passwd or known script holes. This is a must have but only works as well as the ruleset that it uses. The default cPanel ruleset that installs is completely useless and will not protect you so you will need your own.

    2) suhosin - another type of web filter and PHP lockdown addon that gives greater security fixing known PHP holes and other common mistakes in real time. Again this is great but you need to modify the default configuration so it doesn't break scripts on your server.

    3) Upload Guardian - tooting my own horn a bit, but this is a wonderful File Upload Scanner. In real time, it scans PHP and FTP file uploads for web shell scripts or malicious files that are used to exploit a customer's account or the server. It also does scheduled full server scans and has email and file logging as well as a quarantine.

    4) Of course a few PHP.ini changes will go a long way as well; disabling certain functions and DL can go a long way.


    Do all that and you'll be in very good shape and should see clearly now the rain is gone :D

    Let me know if you need some help with any of these.
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Dude... Nice. :)

    This is the perfect thread. A most excellent first post, clear and precise, looking for advice from his peers and getting the perfect answer clearly and precisely to it, quick and easy. Well done.

    Of course this has been asked and answered many times on this forum, but this thread was worth commenting on, imho. :p

    /spam

    You can of course chown a user's directory easily enough so they can delete their own files for the moment, but upgrading to SuPHP and apache2 is the best suggestion that could be made. I have not tried upload guardian yet but did give suhosin a try. My lack of experience with it left me with less hair on my head.

    Search the forums for this topic and you'll come to see what's best. Threads like this one you may not find though. ;)
     
  6. -jdk-

    -jdk- Well-Known Member

    It doesn't look like suPHP has been updated in more than a year and a half.
     
  7. carock

    carock Well-Known Member

    Hey Mr. cPanel staff... Isn't there a way you guys could put a "Magic Button" to reset all file ownership under the user's home directory within the cPanel interface?

    This would at least empower the user or web developer to change their file perms to something they can edit without the server administrator's help.

    chown -R $user:$user /home/$user/*

    Or something to that effect. I get so many requests for this it's stupid. Many web applications create files and cause them to be uneditable by the site owner.

    I'll submit a Bugzilla feature request if this hasn't been done before unless it's a stupid idea :)

    Thanks,
    Chuck
     
  8. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    If you are using SuExec or SuPHP (or phpSuExec for those of you on older versions of cPanel), the files created by web apps will already have proper file ownership.

    However, here is a link to the existing feature request for what you mentioned:

    http://bugzilla.cpanel.net/show_bug.cgi?id=3326
     
  10. carock

    carock Well-Known Member

    Thanks, I voted for the bugzilla bug.

    There were some reasons we didn't use phpsuExec. I believe one of them was the ability to use the php flags in users' .htaccess files. You can't do that with phpsuExec enabled.

    Many of our customers have old or crappy applications that still require register_globals on or some other custom php values. I believe there was at least one other reason we couldn't enable that too, but I can't remember at this time.

    Either way, if anyone needs that magic button feature, log into Bugzilla and vote for it.

    Thanks,
    Chuck
     
  11. cPanelNick

    cPanelNick Administrator
    Staff Member

    As root you can fix everyone's by running:

    /scripts/chownpublichtmls
     
  12. sparek-3

    sparek-3 Well-Known Member

    See if the correctnobodyopen.pl script I have at http://www.spareknet.org/scripts will do what you want.

    It goes through and changes all of the files that are owned by nobody to the owner of the home directory. It also changes all open directories (directories with 777 permissions) down to 755.
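    As an added example (not code from this thread, and not correctnobodyopen.pl or /scripts/chownpublichtmls), here is a dry-run version of what carock's chown, cPanelNick's script and sparek-3's script all do: list the nobody-owned entries that should go back to the home directory's owner and the 0777 directories that should drop to 0755, and apply the plan only when asked. The function names, the uid argument and the decision to skip symlinks are my own assumptions.

```python
#!/usr/bin/env python3
"""Dry-run audit of a cPanel account's home directory: which entries are owned
by the web server user ("nobody") and which directories are world-writable.

Constructed example; assumptions: the account owner is taken from the home
directory's own owner, the web server uid is passed in by the caller, and
symlinks are never followed or re-owned (a link pointing outside the home
would otherwise let a recursive chown reach another account's files)."""
import os
import stat
from typing import List, Tuple

Action = Tuple[str, str, str]  # (kind, path, detail): kind is 'chown' or 'chmod'


def plan_fixes(home: str, web_uid: int) -> List[Action]:
    """Return the chown/chmod actions needed under `home` without applying them."""
    home_st = os.lstat(home)
    owner_uid, owner_gid = home_st.st_uid, home_st.st_gid
    actions: List[Action] = []
    for dirpath, dirnames, filenames in os.walk(home, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: inspect the link itself, not its target
            if stat.S_ISLNK(st.st_mode):
                continue  # leave symlinks alone: re-owning one is pointless, following one is risky
            if st.st_uid == web_uid:
                actions.append(("chown", path, f"{owner_uid}:{owner_gid}"))
            # a 0777 directory lets any local process, the web server included, drop files
            if stat.S_ISDIR(st.st_mode) and (st.st_mode & 0o777) == 0o777:
                actions.append(("chmod", path, "0755"))
    return actions


def apply_fixes(actions: List[Action]) -> None:
    """Carry out a plan from plan_fixes(); chown needs root, so review the plan first."""
    for kind, path, detail in actions:
        if kind == "chown":
            uid, gid = (int(x) for x in detail.split(":"))
            os.lchown(path, uid, gid)
        else:
            os.chmod(path, int(detail, 8))


if __name__ == "__main__":
    import sys
    # usage: python3 fix_nobody.py /home/<user> <web_uid>   (prints the plan only)
    for act in plan_fixes(sys.argv[1], int(sys.argv[2])):
        print(*act)
```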
     
  13. ramprage

    ramprage Well-Known Member

    suhosin does need extra values put into php.ini so it doesn't break things like your forums and other scripts since it has variable limitations and such. With the right config it will be transparent.

    Give me a shout about Upload Guardian, I'd be happy to offer a discount
     
  14. dexus

    dexus Well-Known Member

    This script will not change .php files' attributes... Is there any good reason for that...?

    Will maybe cPanel change .php files' attributes when installing suPHP with EasyApache?
     
  15. fenixer

    fenixer Well-Known Member

    Could someone offer here those Suhosin configuration values for php.ini, so it might be almost transparent?

    Thanks.
     
  16. darren.nolan

    darren.nolan Well-Known Member

    http://www.hardened-php.net/suhosin/configuration.html

    Also - taken from http://www.webhostgear.com/416.html
    Code:
    Advanced Suhosin Configuration

    Configuring Suhosin – example suhosin configuration

    You can manually configure options for Suhosin in the php.ini for PHP. This is the most confusing part that most people get lost at.

    If you want advanced configuration to change the default settings from Suhosin you can edit the PHP.ini and add in these values below the extension=suhosin.so

    Note this part isn't required, only for your own liking.

    ;;;;;;;;;;;;;;;;;;;
    ; Module Settings ;
    ;;;;;;;;;;;;;;;;;;;
    [suhosin]
    ; Logging Configuration
    suhosin.log.syslog.facility = 9
    suhosin.log.use-x-forwarded-for = Off

    ; Executor Options
    suhosin.executor.max_depth = 0
    suhosin.executor.include.max_traversal = 4
    suhosin.executor.disable_emodifier = Off
    suhosin.executor.allow_symlink = Off

    ; Misc Options
    suhosin.simulation = Off

    ;
    suhosin.apc_bug_workaround = Off
    suhosin.sql.bailout_on_error = Off
    suhosin.multiheader = Off
    suhosin.mail.protect = 1
    suhosin.memory_limit = 20

    ; Transparent Encryption Options
    suhosin.session.encrypt = On
    suhosin.session.cryptua = On
    suhosin.session.cryptdocroot = On
    suhosin.session.cryptraddr = 0
    suhosin.cookie.encrypt = On
    suhosin.cookie.cryptua = On
    suhosin.cookie.cryptraddr = 0

    ; Filtering Options
    suhosin.filter.action = 406
    suhosin.cookie.max_array_depth = 100
    suhosin.cookie.max_array_index_length = 64
    suhosin.cookie.max_name_length = 64
    suhosin.cookie.max_totalname_length = 256
    suhosin.cookie.max_value_length = 10000
    suhosin.cookie.max_vars = 100
    suhosin.cookie.disallow_nul = On
    suhosin.get.max_array_depth = 50
    suhosin.get.max_array_index_length = 64
    suhosin.get.max_name_length = 64
    suhosin.get.max_totalname_length = 256
    suhosin.get.max_value_length = 512
    suhosin.get.max_vars = 100
    suhosin.get.disallow_nul = On
    suhosin.post.max_array_depth = 100
    suhosin.post.max_array_index_length = 64
    suhosin.post.max_totalname_length = 256
    suhosin.post.max_value_length = 65000
    suhosin.post.max_vars = 200
    suhosin.post.disallow_nul = On
    suhosin.request.max_array_depth = 100
    suhosin.request.max_array_index_length = 64
    suhosin.request.max_totalname_length = 256
    suhosin.request.max_value_length = 65000
    suhosin.request.max_vars = 200
    suhosin.request.max_varname_length = 64
    suhosin.request.disallow_nul = On
    suhosin.upload.max_uploads = 25
    suhosin.upload.disallow_elf = On
    suhosin.upload.disallow_binary = Off
    suhosin.upload.remove_binary = Off
    suhosin.session.max_id_length = 128
     
  17. equens

    equens Well-Known Member

    chownpublichtmls

    What will be the owner and group of /home/user/public_html/ if I use this script? nobody:user or user:user?
     
  18. darren.nolan

    darren.nolan Well-Known Member

    Looking through the script, appears to be username:username.

    You can confirm it though if you look through /scripts/safetybits.pl

    Which is the script that's called from chownpublichtmls - it does it for files/directories but not hard/soft links, I believe.
     
  19. inetbizo

    inetbizo Well-Known Member

    The terms of service

    ServerProgress TOS Terms of Service Agreement After reading the terms of service, it is quite clear that the legal language indemnifies their company should one of their employees totally hose up your server by accident. There is no civil procedure due to the arbitration clause allowing their company to choose the arbitrator. If you like Las Vegas and like to gamble, then hire them. But you have no recourse if they screw up.
     
  20. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Seems like a fairly standard TOS to me. And what do you have against Las Vegas? I love Las Vegas. And gambling. :p
     