Prevent cpanel user to list server root directories and write into /tmp

postcd

Well-Known Member
Oct 22, 2010
Hello,

How can a WHM server admin prevent cPanel users from seeing the contents of server directories (like /tmp, /etc, /var) and downloading the files? On a default CentOS/WHM install this is possible for files with, I assume, -***-r**** permissions, and any cPanel user can also upload his files into the server's /tmp folder.

PS: some way without the need to install CloudLinux or mod_ruid2

Thank you

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
/tmp has to be world-writable for Linux to function. It should always be chmod 1777 on a CentOS/Red Hat system.

/ and other directories also have to be world-readable for the server to function.

It pretty much requires modification of the kernel with things like cloudlinux to change this (so you can use jailed shells properly, etc.). Even chroot for shell access won't stop things like PHP shells etc from reading world readable files. I know it's not the answer you want, but that's just kinda how it is. It's nothing "new" to be honest, just linux working as intended.

postcd

Well-Known Member
Oct 22, 2010
Thanks, here is the opinion of another person regarding this:

644 <-- The last digit means you can read a file, which is to say, download it.

Writing to /tmp is completely normal for PHP scripts, but if a website is being used for malicious purposes they can just as easily browse a filesystem. You can even write a php script that does system("exec ls -la /etc"); to browse files.

Unfortunately there's not much that can be done to stop normal PHP functions, but there are some things you could try.

1.) Make sure your website software is up to date (PHP scripts are a common attack vector to be exploited)
2.) Use mod_security with OWASP rules to prevent generic SQL injection attacks (And others)

There are other options, like hardening php.ini via disable_functions, but some of those options will break PHP applications.

I tried OWASP but I had to disable numerous rules and still I was discovering that some content management system functions were not working properly, so I'm unsure how to use it so that it does not cause any trouble to hosted websites.

Now I'm looking for a way to make sure there are no sensitive files on the filesystem with read access for cPanel users. A cPanel-user-writable /tmp looks to me like quite a serious issue.
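The two checks this thread keeps circling back to (is /tmp and every other world-writable directory actually 1777 with the sticky bit, and which files under directories that hold secrets are readable by "others") can be scripted with plain `find`. The script below is an added example, not code from the thread or from cPanel; it builds a small constructed directory tree under mktemp so it runs offline, and the directory names, file names and modes in that tree are made up for the demonstration. On a real host you would point `audit_tree` at `/` and at the directories you know hold credentials (for example /root), because /etc as a whole is legitimately world-readable and would produce mostly noise.

```shell
#!/bin/sh
# Added example (not from the thread). Two filesystem audits a hosting admin
# would run periodically, plus a constructed tree to exercise them.

# (a) Directories writable by "others" that lack the sticky bit (01000).
#     /tmp must be 1777; any other hit is a place one account can delete
#     or replace another account's files.
audit_world_writable_no_sticky() {
    find "$1" -xdev -type d -perm -o+w ! -perm -1000 2>/dev/null | sort
}

# (b) Regular files readable by "others" under subpaths that should be private.
#     Usage: audit_world_readable_secrets ROOT sub/path [sub/path ...]
audit_world_readable_secrets() {
    root="$1"; shift
    for sub in "$@"; do
        [ -d "$root/$sub" ] && find "$root/$sub" -xdev -type f -perm -o+r 2>/dev/null
    done | sort
}

# Combined report, printed for a human reader.
audit_tree() {
    root="$1"; shift
    echo "== world-writable directories without sticky bit under $root =="
    audit_world_writable_no_sticky "$root"
    echo "== world-readable files under private paths: $* =="
    audit_world_readable_secrets "$root" "$@"
}

# Constructed sample tree (hypothetical names and modes, not a real server).
# Modes are set explicitly so the result does not depend on the caller's umask.
make_constructed_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/tmp" "$t/var/spool/bad" "$t/etc/private" "$t/root"
    chmod 755 "$t/var" "$t/var/spool" "$t/etc" "$t/etc/private" "$t/root"
    chmod 1777 "$t/tmp"                          # correct: sticky bit set
    chmod 777 "$t/var/spool/bad"                 # finding: no sticky bit
    printf 'hosts\n'  > "$t/etc/hosts.sample";           chmod 644 "$t/etc/hosts.sample"
    printf 'dbpass\n' > "$t/etc/private/db.conf.sample"; chmod 644 "$t/etc/private/db.conf.sample"  # finding
    printf 'key\n'    > "$t/etc/private/key.sample";     chmod 600 "$t/etc/private/key.sample"
    printf 'creds\n'  > "$t/root/creds.sample";          chmod 644 "$t/root/creds.sample"            # finding
    echo "$t"
}

# Stand-alone usage: ./audit.sh ROOT sub/path ...   e.g.  ./audit.sh / root etc/private
if [ $# -gt 0 ]; then
    audit_tree "$@"
fi
```

Only mode bits are inspected, so the script is safe to run as root without reading file contents; interpreting a hit still needs a human, since some world-readable files under a "private" path may be intentional, and the fix for a true finding is `chmod o-r` (or `chmod 1777` for a shared directory), not deleting the file.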

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Yes, this is standard due to the nature of how the filesystem works on Linux. Note that while you may be able to view some directories outside of /home, all account-specific data should be restricted.

Thank you.