Hi there,
When you do an Apache update in cPanel you get this option called "Prevent Users from reading other webroots".
Which got me thinking that the httpd process actually runs under the same user (a user called "nobody"):
Code:
# finger nobody
Login: nobody Name: Nobody
Directory: / Shell: /sbin/nologin
Never logged in.
No mail.
No Plan.
So that's all the httpd processes for all your multi-domain users under the same user.
So, everyone's PHP scripts are being executed by the same user access. Hence one user could write a script to read another user's directory files, at least in the public_html directory. E.g.
Code:
<?php
readfile('/home/neighbour/public_html/wp-config.php');
?>
In some cases, say they can read database access passwords and access the db for credit card info (say xcart dbs):
Code:
<?php
readfile('/home/neighbour/public_html/shop/config.php');
?>
This happens even after I rebuilt Apache in cPanel with the "Prevent Users from reading other webroots" option.
Can someone please shed some light on how this can be prevented?
Cheers,
MediaWrap's newbie admin
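An added example, not part of the original post: a shell audit that lists config files under a hosting root which any other local account, including a shared web server user, can read through the "other" permission bits. The function names and the file-name list (taken from the post's two examples) are assumptions, and access granted through group ownership is not checked.

```sh
#!/bin/sh
# Added example (not from the original post): list config files under a
# hosting root that any other local account can read via "other" bits.
# Assumptions: the names wp-config.php/config.php (taken from the post's
# examples) are the files of interest; group-based access is NOT checked.

# True if PATH has every permission bit of octal MASK set.
has_mode() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# True if every directory from FILE's parent up to ROOT is other-searchable.
reachable_by_other() {
    root=$1
    dir=$(dirname "$2")
    while :; do
        has_mode "$dir" 001 || return 1
        [ "$dir" = "$root" ] && return 0
        case $dir in
            /|.) return 1 ;;   # walked past ROOT without matching it
        esac
        dir=$(dirname "$dir")
    done
}

# Print each exposed config file under ROOT, one per line, sorted.
exposed_configs() {
    r=${1%/}
    [ -n "$r" ] || r=/
    find "$r" -type f \( -name wp-config.php -o -name config.php \) \
        -perm -004 2>/dev/null | sort |
    while IFS= read -r f; do
        if reachable_by_other "$r" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Script usage: sh audit.sh /home
if [ "$#" -gt 0 ]; then
    exposed_configs "$1"
fi
```

A file is reported only when it has the other-read bit set and every directory between it and the root has the other-search bit set, so a 0600 config file or a 0750 public_html drops out of the list.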