
[Security] Disabling compilers, is it a good idea?

Discussion in 'Security' started by Radio_Head, Apr 24, 2003.

  1. Radio_Head

    Hello,

    Usually when a hacker obtains a way to enter the server, they usually compile a .c file, or try to install something.

    I often read on this forum that an idea to reduce risk
    could be to change permissions on C compilers.

    Do you think it's a good idea?
     
  2. Sash

    Would also like to hear people's opinions.

    Mike
     
  3. jamesbond

    I have done a chmod 000 on the compilers, no problems so far.
    Of course I have to do chmod 700 if I want to run buildapache for example. But it causes no problems with rpm updates etc.

    If you don't have clients on the server that need to compile their own programs then I don't think it is a problem chmodding the compilers to 000 or 700.

    When it comes to security I think it's good to make it as difficult as possible for the 'hackers' to take over your server.
    Especially the 'script kiddies' will move on to the next server if they can't get in immediately.

    One other thing is mounting /tmp and /home as nosuid.
    Many people do this and say it increases security. I'm sure there are others who can explain how it works exactly :)

    I didn't do this yet for my cPanel server, also because I have software RAID on this server, and I've read nosuid partitions can cause problems with software RAID.
     
  4. Radio_Head

    Thank you for the suggestions.
    Can you indicate exactly which compiler files you have changed permissions on?
     
  5. jamesbond

    The compilers are located in /usr/bin/, they usually have 'cc' in the name (bcc, gcc, kgcc, perlcc)

    ls -l /usr/bin/ | grep cc
     
  6. Radio_Head

    I have these ...

    bcc
    yacc
    gcc
    gcc
    gcc3
    redhat-linux-gcc
    perlcc
    yacc

    OK thanks, I will try it.
     
  7. Dattatec

    Disabling scripts exec in shell?

    Is it not more secure to disable the option of running binaries in the shell? But if a user compiles an exploit on their own PC and uploads it via FTP, can they execute the exploit or not? How can this problem be stopped?
     
  8. Radio_Head

    Re: Disabling scripts exec in shell?

    How to disable options to run binaries in the shell?
     
  9. compunet2

    What exactly does 'nosuid' do? Thanks.
     
  10. bman

    Simple answer is to disable chmod so the hacker can't chmod his binary file.
     
  11. ricoche

    What would be the recommended way to do this? Wouldn't this then be disabled for you too? Would this affect users?

    This is an interesting possibility that I haven't heard before.

    Thanks.
     
    #11 ricoche, Jan 2, 2004
    Last edited: Jan 2, 2004
  12. bman

    It's been long since I did this, but you can chmod 700 chmod
    and keep a copy in the root dir.
     
  13. compunet2

    I was going to change /home to 'nosuid,nodev,noatime', however I guess that's not going to work too well, as I assume it will prevent users from chmodding their CGI scripts. What about nodev? Anything negative about having that?
     
  14. dysk

    Hi-
    Just to clarify what nosuid does, it does not disable the use of chmod, just a specific feature that is enabled with chmod.

    Suid is a feature that allows programs to be run as a user other than themselves.

    Good examples are sudo, ping, and passwd. They need root in order to work, but are designed so that normal users can run them.

    When a program is set with an suid bit (chmod +s file, I believe) then the program is executed with the permissions of its owner, even if it was run by someone else. So if you run passwd with your normal login, that program will run as root (it needs to in order to modify /etc/shadow).

    As you might guess, nosuid causes the suid bit not to work on the partition nosuid is enabled on. The reasoning for having nosuid in /home is that programs needing suid are generally administrative in nature, and there is no reason that there should be an suid file in a user's home directory.

    In /tmp I recommend going one step further and setting noexec, which means that no programs can be executed from /tmp (watch out for the mysql socket in /tmp though, I've heard reports of problems with using a socket in a noexec partition, haven't gotten around to testing it myself.).

    Hope this helps.

    Regards,
    Erek Dyskant
    Unix Consultant
     
    #14 dysk, Jan 2, 2004
    Last edited: Jan 2, 2004
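
An added example, not part of dysk's post or the thread: a shell check that reads a mount table in /proc/mounts format and reports which of the options discussed above (nosuid on /tmp and /home, noexec on /tmp) are missing. The function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Input uses /proc/mounts columns:
#   device mountpoint fstype options dump pass

# Constructed sample table: /tmp is its own mount, /home is not.
sample_table() {
cat <<'EOF'
/dev/md0 / ext3 rw 0 0
/dev/md2 /tmp ext3 rw,nosuid 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
EOF
}

# missing_opts TABLE MOUNTPOINT OPT...
# Prints each required option MOUNTPOINT lacks, or "not-mounted" when it has
# no entry of its own and therefore inherits the parent filesystem's options.
missing_opts() {
    table=$1; mp=$2; shift 2
    awk -v mp="$mp" -v want="$*" '
        $2 == mp { found = 1; opts = $4 }   # a later entry overrides an earlier one
        END {
            if (!found) { print "not-mounted"; exit }
            n = split(opts, have, ","); m = split(want, need, " ")
            for (i = 1; i <= m; i++) {
                ok = 0
                for (j = 1; j <= n; j++) if (have[j] == need[i]) ok = 1
                if (!ok) print need[i]
            }
        }' "$table"
}

# audit_mounts TABLE
# Checks the settings recommended in the thread; returns 1 on any finding.
audit_mounts() {
    tbl=$1; rc=0
    for spec in "/tmp nosuid noexec" "/home nosuid"; do
        point=${spec%% *}; required=${spec#* }
        for miss in $(missing_opts "$tbl" "$point" $required); do
            printf '%s: %s\n' "$point" "$miss"; rc=1
        done
    done
    return $rc
}

# Demo on the constructed table; on a live host run: audit_mounts /proc/mounts
demo=$(mktemp) && sample_table > "$demo"
audit_mounts "$demo" || echo "hardening gaps found"
rm -f "$demo"
```
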
  15. dysk

    Compilers

    Hi All,
    I have heard mixed reviews about disabling compilers. It may stop a script kiddie, but it will not hurt an experienced or even moderately skilled hacker. All you have to do to circumvent it is to compile the binary on a different box and copy it over, or copy your own compiler binary to your home dir.
    That being said, it isn't a lot of trouble to disable, and it's good policy not to give any more privileges than a user needs to do their job.
    Instead of chmod 700ing them, I'd recommend chmod 750 and then create a compiler group for all your administrative users who may need to compile programs. That way you don't have to run all your makes as root.
    Happy New Year!

    Regards,
    Erek Dyskant
    Unix Consultant
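
An added example, not from the thread's authors: the group-based restriction dysk describes (mode 750 plus a dedicated group), with a check for compiler binaries that every user can still execute. The function names are hypothetical, the name match is jamesbond's 'cc' heuristic, and the group is assumed to exist already.

```shell
#!/bin/sh
# Added example (not from the thread): restrict compilers to one group.

# world_exec_compilers DIR
# Regular files in DIR whose name contains "cc" (the thread's heuristic, which
# also catches tools such as yacc) and that any user may execute.
# Symlinks are skipped: chmod would act on the link target, and the target is
# listed in its own right when it lives in DIR.
world_exec_compilers() {
    find "$1" -maxdepth 1 -type f -name '*cc*' -perm -0001 | sort
}

# restrict_compilers DIR GROUP
# Hands every match to GROUP and sets mode 750, printing what it changed.
# Returns non-zero if any file could not be changed.
restrict_compilers() {
    world_exec_compilers "$1" | (
        fail=0
        while IFS= read -r f; do
            if chgrp "$2" "$f" && chmod 750 "$f"; then
                printf 'restricted %s\n' "$f"
            else
                fail=1
            fi
        done
        exit "$fail"
    )
}

# Typical use as root, with "compiler" as an assumed, pre-created group:
#   world_exec_compilers /usr/bin          # review the list first
#   restrict_compilers /usr/bin compiler
```

Members of the group keep the ability to build as themselves, and a later package update may reset the modes, so rerun the check after updates.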
     
  16. rs-freddo

    In this day and age I'd be surprised if people still bother to compile on the target box. If I was a hacker I would be uploading compiled software.

    BTW compiled software is easily run on a noexec and nosuid /tmp. Just run as
    "/lib/ld-linux.so.2 /tmp/program".
     
    #16 rs-freddo, Jan 2, 2004
    Last edited: Jan 2, 2004
  17. compunet2

    ok... and what would happen if I chmod "/lib/ld-linux.so.2" to 700? Would that stop it or cause more problems?
     
  18. rs-freddo

    Don't know. I do know that someone with /tmp set "noexec" and "nosuid" and with compilers disabled and with wget disabled - did get hacked via /tmp. I think this just gives the admin a false sense of security rather than being useful. I would like to be proved wrong...
     
  19. bman

    For a few years now I never gave shell access to any of my users and thank god I never got hacked.
    I also keep updating my system.
    Also it helps that I have a small number of clients which I install stuff for personally to be sure none can play around,
    and I have one great site which gets 100,000 visitors per day so I know for sure I get attacked on a daily basis, but as long as everything is locked up I am safe.
    I also think that luck plays a good role here but then again I think I've been doing a good job.
    It may also help that I run Slackware and have been using it for like 9 years :)
    But now with a new system on Red Hat Ent and cPanel I am so worried about getting hacked.
     
  20. rs-freddo

    Seems like a lot of people getting hacked on cPanel lately. I would like to see cPanel introduce a proper chrooted system like Ensim does, instead of this half-half jailshell. It's really the only area that cPanel falls down.
     