
security issues due to enabling normal shell access for cpanel user in VPS

Discussion in 'Security' started by actived, Apr 2, 2012.

  1. actived

    actived Well-Known Member

    Joined:
    Mar 30, 2012
    Messages:
    51
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Website Owner
    Hi,
    If a cPanel user john1, who has his account in /home/john1, is given shell access (as john1, not root access), what would the primary security issues be? Any how-tos or articles for the same?

    Anything important other than standard Linux permissions issues to be remembered?

    We have a VPS account with root access too, but running scripts as john1 is safer than logging in as root.
    I just want to confirm that there are no glaring security issues I overlooked.

    Also, how does one allow scripts running as john1 to access Apache and MySQL error logs?
    I suspect adding john1 to the root group is a bad idea.

    TIA,
    Dave
     
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Re: security issues due to enabling normal shell access for cpanel user in

    The Apache error logs can be read by a shell user, even if that user isn't root, at /usr/local/apache/logs/error_log, because the file has 644 permissions. MySQL logs are owned by the mysql:mysql user and group and cannot be read by any user other than MySQL and root, because they have 660 file permissions.

    I would recommend the user having jailed shell access unless it is really required to allow a non-jailed shell environment. A user with normal shell access could be a higher security risk than one with jailed shell access.
     
  3. actived

    [solved] Re: security issues due to enabling normal shell access

    Thanks for the clarification.

    So,
    1. Jailed shell access
    2. No chance of using PHP scripts to directly display httpd access, error / suPHP / MySQL logs in the browser.

    The problem is that sometimes shell access is shaky, and sometimes technical users who are not system admins (e.g. PHP/MySQL developers who aren't familiar with bash) have to refer to logs, so giving root access is risky. Hence the browser log display solution is attractive.

    3. My workaround now would be to run a shell script under cron (as root if possible?) to copy the logs to another secure location and then process from there - viewed in https only and viewed in a restricted part of the site.

    Thanks again.
    Dave
     
    #3 actived, Apr 3, 2012
    Last edited: Apr 3, 2012
  4. cPanelTristan


    Hi Dave,

    I would say copying the logs periodically to provide to those users would definitely be preferable as you've suggested.

    Thanks!
     
  5. actived


    I stumbled upon the excellent cPanel module LogView (LogView - cPanel add-on), which removes the need to log in to SSH just for seeing logs.
    It's easy to install, free and works like a charm!
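
The cron workaround from post 3, sketched as an added example that is not part of the original thread or of any cPanel tooling: a root-run shell function that exports the tail of a protected log with group-read permission for the shell user. The destination /var/log-export/john1 (kept outside the user's home so the user cannot rename or replace it), the group name and the MySQL log path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Meant to be called from root's crontab.
# Assumed names: /var/log-export/john1 (root-owned, mode 750, group john1) and
# the MySQL log path placeholder in the usage lines at the bottom.

# export_log SRC DEST_DIR GROUP [LINES]
# Copies the last LINES lines of SRC to DEST_DIR/<basename SRC>, mode 640,
# group GROUP, so the reader never needs root or membership of a system group.
export_log() {
    el_src=$1; el_dir=$2; el_group=$3; el_lines=${4:-500}

    # Source must be an ordinary file, not a symlink or device.
    if [ ! -f "$el_src" ] || [ -L "$el_src" ]; then
        echo "export_log: $el_src is not a regular file" >&2; return 1
    fi
    # Destination must be a real directory. A symlink here could send a
    # root-run write somewhere else on the filesystem.
    if [ ! -d "$el_dir" ] || [ -L "$el_dir" ]; then
        echo "export_log: $el_dir is not a real directory" >&2; return 1
    fi
    # Refuse a destination that group or others can write to: the reader
    # could pre-create the target name as a symlink.
    if [ -n "$(find "$el_dir" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "export_log: $el_dir is group/world-writable" >&2; return 1
    fi

    # Write to a private temp file (mktemp creates it mode 600), set the
    # final group and mode, then rename into place so readers never see a
    # half-written or wrongly-permissioned file.
    el_tmp=$(mktemp "$el_dir/.export.XXXXXX") || return 1
    if tail -n "$el_lines" "$el_src" > "$el_tmp" &&
       chgrp "$el_group" "$el_tmp" && chmod 640 "$el_tmp"; then
        mv -f "$el_tmp" "$el_dir/$(basename "$el_src")"
    else
        rm -f "$el_tmp"; return 1
    fi
}

# Usage from a root cron job (paths are placeholders):
#   export_log /usr/local/apache/logs/error_log /var/log-export/john1 john1
#   export_log /path/to/mysql-error.log         /var/log-export/john1 john1
```

Exporting only the tail keeps the copy small and limits how much of other accounts' log history on a shared server ends up readable by john1.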
     