
Security: directory and file permissions

Discussion in 'Security' started by Pda0, Jul 9, 2003.

  1. Pda0 (Well-Known Member)
    I've researched around, and finally I have seen that these commands are good for searching for insecure files/dirs:

    find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ldu '{}' \;
    find / -type d \( -perm -4000 -o -perm -2000 \) -exec ls -ldu '{}' \;
    find / -type d -perm -0777 -exec ls -ldu '{}' \;
    find /home -type f -perm -0777 -exec ls -ldu '{}' \;

    1] The first two look for setuid files and directories (the latest access time will show instead of the creation time, which comes in handy). On a standard cpanel6 install there is not much to see (there shouldn't be, anyway), unless there's a writable dir/file.

    I thought it would be nice to build a script that checks suid/sgid files/dirs _with_ write permissions, but I would like to know if I'm following the right theory before coding it (any opinions?).

    2] The third command looks for world-writable directories. On a standard cpanel6 install I got A LOT of them! Is this really bad, other than possibly letting a user scatter files through the server?

    3] The fourth and last command looks for world-writable executable files in the standard account directory of cpanel6. This is bad, as a user can easily hijack other users' accounts this way if the file is a .php, .pl, etc. executable file. In plain cpanel6 I think there are no files like this (I'm unsure).

    What about building a script that looks for these world-writable files in each user's web directory, mailing a warning?

    ......

    Well, that's about it. I'm dying for opinions :)

    .pd

  2. Pda0 (Well-Known Member)
    Anyone?

  3. SteveD3 (Member)
    I think it's a good idea; however, I'm not a script writer.

    my $0.02


    -Steve

  4. rbmatt (Well-Known Member)
    It would be fairly simple... would you just want it to run via cron?

    A simple bash script like...

    # command substitution: no space after the =, or the shell sets CHECK1 empty and runs the find output as a command
    CHECK1=$(find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ldu '{}' \;)

    CHECK2=$(find / -type d \( -perm -4000 -o -perm -2000 \) -exec ls -ldu '{}' \;)

    etc., then splice them together and mail it.

  5. Pda0 (Well-Known Member)
    Actually, I was hoping for comments to the questions I stated :D

    1] Suid/sgid files without write permissions are OK?
    2] Are world-writable directories OK?
    3] World-writable PHP files can lead to account hijacks, right? (Assuming phpsuexec is enabled.)

    Thanks ;)

    .pd

  6. howard (Well-Known Member)
    Not entirely sure about 1), so I will just answer 2) and 3).

    2) World-writable directories are in general a bad idea (unless they have the sticky bit set) and are often exploited to hide cracker tools in.

    3) Yes; they can also be used in website defacements.

    find / -nouser -or -nogroup can also be useful in identifying files which don't have a user or group assigned to them (this will be especially obvious on a busy cPanel system; as previously noted elsewhere, cPanel doesn't tidy up that well after an account deletion).
    #6 howard, Jul 13, 2003
    Last edited: Jul 13, 2003
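A script along the lines posts 1, 4 and 6 ask for, as an added example rather than code from the thread, from cPanel, or from the faf tool mentioned later. It runs the four checks over one filesystem and prints one line per finding, and it changes two things a practitioner would want from the original commands: it matches `-perm -0002` (any mode with the other-write bit set, such as 666, 646 or 4777) rather than `-perm -0777`, which only matches modes that have all nine rwx bits set, and it reports a set-uid/set-gid file only when it is also group- or world-writable, which is the combination post 1 asks about. World-writable directories with the sticky bit set (mode 1777, as on /tmp) are excluded, following post 6. The demo tree, the account name alice and the AUDIT_ROOT variable are constructed for this example; only POSIX find primaries are used, so it runs under dash or bash on Linux.

```shell
#!/bin/sh
# perm-audit.sh: added example, not cPanel's code or the faf tool.
# Usage: AUDIT_ROOT=/ sh perm-audit.sh   -> scan a real tree (as root, e.g. from cron)
#        sh perm-audit.sh                -> scan a constructed demo tree
# Each check prints matching paths, one per line. -xdev keeps find on one
# filesystem (skips /proc, NFS mounts, ...); 2>/dev/null hides permission errors.

# set-uid or set-gid files/dirs that are group- or world-writable: whoever can
# write the file can replace what runs with the elevated id.
setid_writable() {
    find "$1" -xdev \( -perm -4000 -o -perm -2000 \) \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null
}

# world-writable directories without the sticky bit. With the sticky bit (1777)
# users can create files but not delete or rename each other's.
ww_dirs_nosticky() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null
}

# world-writable regular files. -perm -0002 matches any mode with the
# other-write bit (666, 646, 4777, ...), not only 777.
ww_files() {
    find "$1" -xdev -type f -perm -0002 -print 2>/dev/null
}

# files whose uid or gid no longer maps to an account (leftovers of deleted accounts).
unowned() {
    find "$1" -xdev \( -nouser -o -nogroup \) -print 2>/dev/null
}

count_lines() { wc -l | tr -d ' '; }

# report ROOT: tag each finding with its check name and show ls -ldu (access
# time, as in the thread's commands).
report() {
    for check in setid_writable ww_dirs_nosticky ww_files unowned; do
        "$check" "$1" | while IFS= read -r path; do
            printf '%-16s ' "$check"
            ls -ldu "$path"
        done
    done
}

# Constructed demo tree (assumption: we own the files, so chmod works without root).
make_demo_tree() {
    t=$(mktemp -d) || exit 1
    mkdir -p "$t/home/alice/public_html/uploads" "$t/tmp" "$t/bin"
    chmod 777 "$t/home/alice/public_html/uploads"     # world-writable, no sticky bit: flagged
    chmod 1777 "$t/tmp"                               # world-writable with sticky bit: not flagged
    : > "$t/home/alice/public_html/upload.php"
    chmod 777 "$t/home/alice/public_html/upload.php"  # world-writable script: flagged
    : > "$t/bin/su"
    chmod 4755 "$t/bin/su"                            # set-uid but not writable: not flagged
    : > "$t/bin/bad"
    chmod 4777 "$t/bin/bad"                           # set-uid and world-writable: flagged twice
    echo "$t"
}

AUDIT_ROOT=${AUDIT_ROOT:-$(make_demo_tree)}
report "$AUDIT_ROOT"
```

From cron, run it as root and mail the output: `AUDIT_ROOT=/ sh perm-audit.sh | mail -s "permission audit" root`. Because of `-xdev` it covers one filesystem per run, so call it once per local mount; the unowned check only shows something on a box that has had accounts removed.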
  7. Pda0 (Well-Known Member)
    The bad part is that in cPanel there are ZILLIONS of [2]!!

    :(

    .pd

  8. rbmatt (Well-Known Member)
    Just about every gallery script or upload manager has these... I wish things were just more secure!

  9. Pda0 (Well-Known Member)
    No... world-writable permissions aren't needed when using phpsuexec.

    As the HTTP process is forked with the user's uid/gid, only group or user write permissions allow the script to write.

    .pd

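The permission decision behind post 9, worked as an added example that is not from the thread or from phpsuexec: a POSIX shell function that emulates the discretionary access check a PHP script hits when it opens a file for writing, run under two execution models, mod_php as the shared web user nobody and phpsuexec as the account owner. The accounts (nobody uid/gid 99, bob uid/gid 1001) and the uploads directory are constructed. The point it shows is that only one permission class is ever consulted: the owner bits if the uid matches, otherwise the group bits if any of the process's gids match, otherwise the other bits. That is why a script running as nobody needs o+w (the 777 of post 8) on a directory owned by the account, why u+w, already present in 755, is enough under phpsuexec, and why the owner class wins even when it is the most restrictive one.

```shell
#!/bin/sh
# Added example (not cPanel's or phpsuexec's code): emulate the POSIX DAC write check.
# uids/gids below are constructed for the demo.

# perm_class PROC_UID PROC_GIDS FILE_UID FILE_GID
#   PROC_GIDS is a comma-separated list (primary plus supplementary groups).
#   Prints which single class applies: owner, group or other.
perm_class() {
    puid=$1 pgids=$2 fuid=$3 fgid=$4
    [ "$puid" -eq "$fuid" ] && { echo owner; return; }
    oldifs=$IFS; IFS=,
    for g in $pgids; do
        [ "$g" -eq "$fgid" ] && { IFS=$oldifs; echo group; return; }
    done
    IFS=$oldifs
    echo other
}

# can_write PROC_UID PROC_GIDS FILE_UID FILE_GID MODE
#   MODE is the octal permission string, e.g. 755 or 4777. Exit 0 = writable.
#   Classes are not OR-ed together: the selected class alone decides.
can_write() {
    m=$((0$5))                                   # leading 0 makes the shell parse octal
    [ "$1" -eq 0 ] && return 0                   # root is not subject to mode bits
    case $(perm_class "$1" "$2" "$3" "$4") in
        owner) bit=$(( (m >> 7) & 1 )) ;;
        group) bit=$(( (m >> 4) & 1 )) ;;
        other) bit=$(( (m >> 1) & 1 )) ;;
    esac
    [ "$bit" -eq 1 ]
}

# needed_bit PROC_UID PROC_GIDS FILE_UID FILE_GID
#   The chmod symbolic bit that would have to be set for this process to write.
needed_bit() {
    case $(perm_class "$@") in
        owner) echo u+w ;;
        group) echo g+w ;;
        other) echo o+w ;;
    esac
}

# Demo: bob (1001/1001) owns public_html/uploads; the shared web user is nobody (99/99).
demo() {
    for model in "mod_php nobody 99 99" "phpsuexec bob 1001 1001"; do
        set -- $model
        printf '%s running as %s:\n' "$1" "$2"
        for mode in 755 775 777; do
            if can_write "$3" "$4" 1001 1001 "$mode"; then r=writable; else r=not-writable; fi
            printf '  uploads/ mode %s -> %s (class needs %s)\n' "$mode" "$r" "$(needed_bit "$3" "$4" 1001 1001)"
        done
    done
    # Edge case: the owner class wins even when it is the most restrictive one.
    if can_write 1001 1001 1001 1001 077; then
        echo "mode 077: bob can write"
    else
        echo "mode 077: bob cannot write, although 'other' could"
    fi
}
demo
```

Running as nobody, 755 and 775 come out not-writable and only 777 works, which is exactly the permission the gallery and upload scripts in post 8 ask for; as bob under phpsuexec every mode is writable. Adding nobody to bob's group (pass `99,1001` as the gid list) makes 775 sufficient, which is the usual compromise on shared hosts without suexec.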
  10. rbmatt (Well-Known Member)
    Yeah, but we don't run phpsuexec. I guess it's too developmental. And I don't think it works with the latest PHP version.

  11. mmkassem (Well-Known Member, Egypt)
    It works with it now.

    Anyway, the cPanel 7.2.0 update makes a lot of files world-writable. :( :(

    I reported that but I did not get any reply.

  12. Pda0 (Well-Known Member)
    What do you mean developmental? :) Have you actually tried it? ;)

    .pd

  13. mmkassem (Well-Known Member, Egypt)
    Try this program:
    http://www.r-fx.net/faf.php

    It will report to you all the unowned files, the world-writable ones (not only 777; there are many forms of world-writable) and more...

  14. Pda0 (Well-Known Member)
    Looks nice.

    I'll check it out. Thanks.

    .pd
