The Community Forums


Security of accounts on cpanel servers.

Discussion in 'Security' started by numberonehost, May 28, 2006.

  1. numberonehost

    numberonehost Active Member

    Joined:
    Apr 29, 2003
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Norway
    If a cpanel server is running PHP as a module in Apache, I will be able to read/edit other people's files if (assuming that Apache runs with user nobody):
    I upload a CGI/PHP script so that it is owned by user nobody. PHP will then be restricted by safe_mode or open_basedir, but CGI will not be restricted by anything. If another account on the same server has files owned by user nobody, I will have full access to these using CGI (and might have access with PHP depending on safe_mode/open_basedir).

    Are my assumptions correct? I'm writing a master's thesis, so I would really appreciate it if anyone could reply :)
     
  2. cooldude7273

    cooldude7273 Well-Known Member

    Joined:
    Jan 11, 2004
    Messages:
    363
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Roswell, GA
    Off topic, but I am the Number1Host :rolleyes:

    :cool:
     
  3. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    Why did you not register it? ;)
     
  4. cooldude7273

    cooldude7273 Well-Known Member

    I don't think I was Number1Host when I signed up here, not a big deal to me though. :cool:
     
  5. numberonehost

    numberonehost Active Member

    Well I registered in Apr 2003 with that nick (and domain) so I think I was before you :D Though we have changed name since then.

    But on topic, someone here able to answer?
     
  6. pilot51198

    pilot51198 Member

    Joined:
    May 26, 2006
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    I think you're correct. Of course, this is based upon similar ways I do this. Although I'm not too sure about every single detail with 'safe_mode/open_basedir'. Since I prefer to let my clients edit their own files and their sites, I find myself just leaving things alone.

    Lol, I thought I was the World's Number 1 hosting Company. Well, I'm at least one of the best in support.... oh well, btw nice site you have there numberonehost!
     
  7. cooldude7273

    cooldude7273 Well-Known Member

  8. numberonehost

    numberonehost Active Member

    Thanks :) BTW I got forbidden on your pages?

    So this is basically possible:
    If a file "file" in
    /home/userA/public_html/file
    is owned by nobody and a directory "dir" in
    /home/userB/public_html/dir
    is owned by nobody (and all the subdirs and files), then userA would have access to everything within directory dir of userB?
     
  9. cooldude7273

    cooldude7273 Well-Known Member

    As long as you have open_basedir enabled, you won't have a problem. :cool:
     
  10. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    That's not true. If you have open_basedir enabled it makes it a tiny bit more tricky, but it's trivial to bypass.
     
  11. cooldude7273

    cooldude7273 Well-Known Member

    ^^ What he said. Chirpy > cooldude
     
  12. numberonehost

    numberonehost Active Member

    So to sum up, my assumption is correct?

    Thank you all for your answers so far :)
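
Added example, not posted by anyone in this thread: an audit a server administrator can run to list the entries under each account's public_html that the thread's scenario exposes, that is, anything owned by the web server user (nobody here) or world-writable. The function names and the constructed sample tree are assumptions made for illustration; the /home/<account>/public_html layout follows the paths given in the thread.

```python
import os
import stat
import sys
import tempfile

def exposure(st_uid, st_mode, web_uid):
    """Why an entry is reachable by every script that runs as web_uid."""
    reasons = []
    if st_uid == web_uid:
        reasons.append("owned-by-web-user")  # every account's scripts run as this uid
    if st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons

def audit(home_root, web_uid, docroot="public_html"):
    """Return (account, path, reasons) for exposed entries under each docroot."""
    findings = []
    for account in sorted(os.listdir(home_root)):
        top = os.path.join(home_root, account, docroot)
        if not os.path.isdir(top):
            continue
        for dirpath, _dirs, files in os.walk(top):  # symlinked dirs are not followed
            for path in [dirpath] + [os.path.join(dirpath, f) for f in sorted(files)]:
                st = os.lstat(path)
                if stat.S_ISLNK(st.st_mode):
                    continue  # a link's own mode bits say nothing about its target
                reasons = exposure(st.st_uid, st.st_mode, web_uid)
                if reasons:
                    findings.append((account, os.path.relpath(path, home_root), reasons))
    return findings

def build_sample_tree(root):
    """Constructed layout mirroring the thread: userA's file and userB's dir."""
    os.makedirs(os.path.join(root, "userA", "public_html"))
    os.makedirs(os.path.join(root, "userB", "public_html", "dir"))
    for rel, mode in (("userA/public_html/file", 0o644),
                      ("userB/public_html/dir/upload.txt", 0o666)):
        path = os.path.join(root, rel)
        open(path, "w").close()
        os.chmod(path, mode)
    for dirpath, _dirs, _files in os.walk(root):
        os.chmod(dirpath, 0o755)

if __name__ == "__main__":
    if len(sys.argv) == 3:  # real use, as root: <script> /home nobody
        import pwd
        results = audit(sys.argv[1], pwd.getpwnam(sys.argv[2]).pw_uid)
    else:  # demo: treat our own uid as the web server user
        tmp = tempfile.mkdtemp()
        build_sample_tree(tmp)
        results = audit(tmp, os.getuid())
    for account, path, reasons in results:
        print(account, path, ",".join(reasons))
```

Entries reported as owned-by-web-user are the ones the question is about: the kernel sees every mod_php or unwrapped CGI request as the same uid, so ownership by that uid gives no separation between accounts.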
     