The Community Forums


Security issues and others

Discussion in 'Security' started by SupermanInNY, Jul 22, 2003.

  1. SupermanInNY

    SupermanInNY Well-Known Member

    Joined:
    Jul 19, 2003
    Messages:
    255
    Likes Received:
    0
    Trophy Points:
    16
    Hi All,

    I'm in the process of purchasing my own server and of course a Control Panel.
    Now there are several of them out there: cPanel, Ensim, Plesk etc. Just by looking at these 3 as the leading brands, what would you recommend I should go with? I saw a GUI of cPanel which I liked (with the icons) as compared with Ensim's.
    However, Ensim Pro is supposed to have tight security where you can't probe other sites' directories.
    So the comparison of advantages/disadvantages can be long, but I'm still searching for the 'ultimate' one.
    Any thoughts on why to pick one vs. the other?

    Thanks,

    -Alon.

    cPanel.net Support Ticket Number:
     
  2. Richard Ward

    Richard Ward Member

    Joined:
    Jul 10, 2003
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    I moved almost all my network from Ensim to cPanel. Love it. No problems to speak of. Worth every dime of the highly expensive costs for a cPanel license.

  3. SupermanInNY

    SupermanInNY Well-Known Member

    Joined:
    Jul 19, 2003
    Messages:
    255
    Likes Received:
    0
    Trophy Points:
    16
    What about the security issues?
    Using a telnet session, can you 'visit' neighbouring sites?
    In Ensim 3.1.1 it is very easy to do. In Ensim Pro, the issue has been resolved and presumably (I haven't tested it yet) the groups schema has been revised to prevent the Apache server from giving out the info about your neighbours.
    If you don't know what I'm talking about, I'll give a cgi script that, when invoked in Ensim, makes a lot of people very nervous, and it is not malicious code. It is a simple 'ls' telnet command.

    -Alon.

  4. Richard Ward

    Richard Ward Member

    Joined:
    Jul 10, 2003
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    Telnet is a very insecure clear text medium. I wouldn't be caught dead running telnet. As for 'ls' it's not a telnet command, it's a UNIX command and all it does is list files. :) No harm there.

  5. stratagem

    stratagem Member

    Joined:
    Jul 10, 2003
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    Search the forums for 'jail shell' / 'jailshell' to get a feel for cPanel's in-house solution.

  6. SupermanInNY

    SupermanInNY Well-Known Member

    Joined:
    Jul 19, 2003
    Messages:
    255
    Likes Received:
    0
    Trophy Points:
    16
    Well... I'm not happy with what the search produced. Check this answer and the time of the post!
    This is already implemented with Ensim. This is very critical, especially for shared virtual hosting.

    -Alon.


    bdraco
    Administrator

    Registered: Feb 2003
    Location:
    Posts: 327
    Jail shell has not yet been fully integrated with the rest of cPanel/WHM. When it is out of its test phase it will be (including the option in packages/setup time).


    05-22-2003 11:07 PM

  7. tAzMaNiAc

    tAzMaNiAc Well-Known Member

    Joined:
    Feb 16, 2003
    Messages:
    559
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Sachse, TX
    Yeah, a long way ago. It's become better by now. Assumptions don't make it, you know?

  8. SupermanInNY

    SupermanInNY Well-Known Member

    Joined:
    Jul 19, 2003
    Messages:
    255
    Likes Received:
    0
    Trophy Points:
    16
    What assumptions are you talking about?

    Oh.. for Richard Ward:

    Telnet is a very insecure clear text medium. I wouldn't be caught dead running telnet. As for 'ls' it's not a telnet command, it's a UNIX command and all it does is list files. No harm there.

    I'm sorry, but my friend, you obviously don't understand the implication of using a shell (Telnet was just an example... use SSH2 for the same result).

    With a simple ls command, I can do a walkthrough of the sites near me. So viewing files isn't a big deal... of course not, especially viewing those files... that look like:

    config.php

    That happen to hold values like... database name, database user name, and database password, all in plain text.

    You are obviously thinking you can only view the list of files... well... I'll let you in on a little secret.
    You can also issue a vi command that will run from the server and it will display the content of the files. You just need to know the syntax... and HELLO WORLD... show me the neighbours. I'll find my way there.

    So what's the harm of accessing your website and deleting all the user accounts from the database (bye bye nuke-php accounts)... and what is the harm of going shopping with your customers' credit card numbers (all verified with addresses... even through a secure server, just to pile the list in my 'un-harming' hands and my 'so innocent' ls command).

    I see no harm there. Heck... can you give me your credit card number now? Don't be difficult. After all, it is harmless.

  9. Tim Greer

    Tim Greer Well-Known Member

    Joined:
    Aug 11, 2002
    Messages:
    62
    Likes Received:
    0
    Trophy Points:
    6
    I believe cPanel has an option to deny users from reading other users' directories. I've not tried it, but I imagine that it's just running PHP as CGI and not as the web server module *(it wouldn't work otherwise)* and uses SuEXEC for CGI scripts. Thus, all CGI and PHP scripts (which are actually CGI scripts now) will run as the user's own user/group, instead of the global web server user.

    Now, since that's the case, you can set it so only the user themselves and the web server can access the user's /home/useraccount directory and anything beyond. Since any scripts running through the web server are not running as the web server user itself anymore, due to SuEXEC on CGI and PHP running as CGI, you prevent anyone else from accessing the other users' directories.

    This is a newer feature in cPanel, and it's pretty basic and simple--many of us have been doing this for years without issue. You just have to decide if it's worth running PHP as CGI, instead of as a web server module. From there, it's very simple and now cPanel does this simple task for you. Of course, this is only one of several shared server issues, but you now have a choice to use it or not.
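The risk Alon describes earlier in the thread (a shell user on a shared host reading a neighbour's config.php because home directories are world-accessible) and the fix Tim Greer outlines above (run CGI/PHP under SuEXEC as the account owner, then let only the owner and the web server into /home/useraccount) can be checked and applied with a small audit script. The script below is an added example, not code from the thread or from cPanel/Ensim. It assumes the web server's group is called `nobody` (a placeholder; substitute your server's account), treats `config.php` as the sensitive file name taken from the thread, and is only a valid fix once scripts run as the account owner via SuEXEC, since otherwise the web server user itself would still need to read those files.

```shell
#!/bin/sh
# Added example (not from the thread or from cPanel): audit and harden home
# directories on a shared host so one account's shell cannot browse another's.
# Assumptions: the web server's group is "nobody" (placeholder), and PHP/CGI
# already run as the account owner via SuEXEC, so credential-bearing files
# need only be readable by their owner.

SENSITIVE_NAMES="config.php"   # file names treated as secret-bearing; extend as needed

# List each account directory directly under $1 whose mode grants anything to
# "other" (columns 8-10 of `ls -ld`). Portable: no GNU-only find predicates.
find_world_accessible_dirs() {
    root="$1"
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        d="${d%/}"
        other=$(ls -ld "$d" | cut -c8-10)
        case "$other" in
            ---) ;;            # nothing for "other": already locked down
            *)   echo "$d" ;;
        esac
    done
}

# List sensitive files under $1 that any local user could read (o+r bit set).
find_world_readable_configs() {
    root="$1"
    for name in $SENSITIVE_NAMES; do
        find "$root" -type f -name "$name" -perm -o+r 2>/dev/null
    done
}

# Restrict one account directory: owner rwx, web-server group r-x (so Apache
# can still traverse to the DocumentRoot for static files), nothing for others.
# $2 is optional; when empty the group is left unchanged.
harden_home_dir() {
    dir="$1"
    webgroup="$2"
    chmod 750 "$dir" || return 1
    if [ -n "$webgroup" ]; then
        chgrp "$webgroup" "$dir" || return 1
    fi
    return 0
}

# Make a credential-bearing file readable by its owner only. Safe under SuEXEC,
# because the PHP/CGI process that needs it runs as that owner.
lock_private_file() {
    chmod 600 "$1"
}

# Usage: sh audit_home.sh /home [webgroup] [fix]
#   without "fix": report only; with "fix": apply the restrictions.
# (Paths are word-split here, so this assumes account names without spaces.)
if [ "$#" -ge 1 ]; then
    root="$1"
    webgroup="${2:-nobody}"
    mode="${3:-report}"
    for d in $(find_world_accessible_dirs "$root"); do
        echo "world-accessible account directory: $d"
        [ "$mode" = "fix" ] && harden_home_dir "$d" "$webgroup"
    done
    for f in $(find_world_readable_configs "$root"); do
        echo "world-readable config file: $f"
        [ "$mode" = "fix" ] && lock_private_file "$f"
    done
fi
```

Run it in report mode first (`sh audit_home.sh /home nobody`) to see which accounts a neighbouring shell user could wander into; only switch to `fix` after confirming that PHP and CGI really execute as the account owner, otherwise a 600 config.php breaks the site instead of protecting it.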
     