The Community Forums


SECURITY HOLE = Disabling Feature Manager (BETA)

Discussion in 'Security' started by garak, Feb 1, 2004.

  1. garak

    garak Active Member

    Is it possible to disable Feature Manager (BETA) for reseller accounts?

    If this feature is enabled, the reseller can create packages with Crontab, which is a serious security hole (for example: if a customer creates a cron job with the following command: ls /var/named > result.txt, this customer will find all the resellers and customers on this machine! By the way, through cron jobs it is possible to run any serious command successfully!)
     
  2. garak

    garak Active Member


    So, try creating a cron job in cPanel, as a customer of a reseller, and put in the command "ls /var/named > /home/customerdir/result.txt"

    You will get all the zone names inside /var/named, and all the zones are owned by the users root or named.

    Before posting this message, I tried it myself, and I am sure about what I'm talking about (unfortunately) :(
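The listing described above works because /var/named is traversable by "other", so any code that runs under a customer's UID (cron job, CGI, PHP, or a shell) can enumerate the zone files. The script below is an added example, not code from the thread or from cPanel: it checks whether a directory is listable by every local user and tightens it to owner and group only. It assumes the name server runs as a dedicated user/group (commonly named) that owns or is in the group of the directory, so removing "other" access does not break it; the scratch directory and zone file names are constructed for the demo, and whether a control panel later resets the mode is not something this script checks.

```shell
#!/bin/sh
# Added example: detect and close the world-listable directory problem
# discussed in the thread (ls /var/named from an unprivileged cron job).
# Not cPanel's code. Assumes the daemon that needs the directory runs as
# a user/group that retains access after "other" permissions are removed.

# Return 0 if DIR grants read and execute to "other" (any local user can
# list it), 1 otherwise. Parses the mode string from ls -ld so it works
# on both GNU and BSD userlands.
dir_world_listable() {
    dir=$1
    mode=$(ls -ld "$dir" | cut -c1-10)
    other=$(printf '%s' "$mode" | cut -c8-10)
    case $other in
        r?[xt]) return 0 ;;   # r-x, rwx, r-t, rwt: listable by everyone
        *)      return 1 ;;
    esac
}

# Strip read/write/execute for "other" so only the owner and group can
# traverse DIR. Prints the resulting mode string.
restrict_dir() {
    dir=$1
    chmod o-rwx "$dir"
    ls -ld "$dir" | cut -c1-10
}

# Demo with a scratch directory standing in for /var/named (constructed
# data: the zone file names are invented for the example).
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/named"
    touch "$tmp/named/example.com.db" "$tmp/named/reseller-client.net.db"
    chmod 755 "$tmp/named"      # typical default: world-listable

    if dir_world_listable "$tmp/named"; then
        echo "exposed: any cron, CGI or shell user can run: ls $tmp/named"
        ls "$tmp/named"
    fi

    restrict_dir "$tmp/named" >/dev/null

    if dir_world_listable "$tmp/named"; then
        echo "still exposed"
    else
        echo "listing is now limited to the owner and group"
    fi
    rm -rf "$tmp"
}

# Run the demo only when executed directly, not when sourced for tests.
case $0 in
    *sh) ;;
    *) demo ;;
esac
```

Run it against the real directory with `dir_world_listable /var/named` before and after `restrict_dir /var/named`; if the name server loses access, the ownership or group of the directory (not the "other" bits) is what needs fixing.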
     
  3. rpmws

    rpmws Well-Known Member

    You don't need a cron job to do that. What's Feature Manager got to do with that anyway? Anyone can create a cron job if they have SSH. If they have SSH they don't even need cron.
     
  4. garak

    garak Active Member

    Surely. :)

    But I don't give anyone SSH access.
    But now, with cron's 'possibilities', I'm really worried...

    I don't know how to block crontab in the resellers' cPanel without completely removing the "create packages" ability...

    And removing the "create packages" ability could be big trouble for my resellers..... :(
     
  5. rpmws

    rpmws Well-Known Member

    Do you block CGI and PHP scripts? Very simple 3-4 line scripts can simply print to the httpd output all kinds of stuff you should be worried about then.

    It's a shared box. You have to watch your users.
     
  6. rpmws

    rpmws Well-Known Member

    And while you are at it, block all POP access and turn off Exim. Firewall all ports except port 80. On all users' sites put .htaccess password protection. When they need people to see their sites they can give out passwords on a first come, first served temporary basis.

    If you do all this, you may be able to keep that server hacker-free for over 60 days.
     
  7. dgbaker

    dgbaker Well-Known Member
    And if all else fails, unplug server.

    Welcome to the world of hosting.
     
  8. FWC

    FWC Well-Known Member

    I'm not sure who started the rumor that being a web host was easy. :D
     