
Security problem

Discussion in 'Security' started by 1ONE, Apr 19, 2007.

  1. 1ONE

    1ONE Member

    Hello,

    I'm playing with the security of my test box (CentOS 4.4, cPanel release). I just found one security problem... jail shell users can see the contents of /var/spool/mail and see a list of usernames on the server.

    Maybe the guys from cPanel already fixed this issue, but I haven't found any solution yet. I don't know how chmod should work in this case; could the system use mail normally or not?

    Thanks for advice.
     
    #1 1ONE, Apr 19, 2007
    Last edited: Apr 20, 2007
  2. Spiral

    Spiral BANNED

    This would be a fine example of why I don't recommend any kind of shell access for users
    and would avoid giving any SSH access to users, jailshell or otherwise.
     
  3. jayh38

    jayh38 Well-Known Member

    Totally agree. I make it very clear from the start, no shell period. U no like, go bye bye..
     
  4. maysoft

    maysoft Well-Known Member

    Could someone explain, is there anything that could be done in shell that is impossible to do with perl/php?

    /var/spool/mail is perfectly readable with a simple PHP script...
     
  5. Spiral

    Spiral BANNED

    Maybe ... maybe not .... It depends on your PHP configuration.

    PHP has open_basedir, disable_functions, and/or safe mode protections
    which could be mixed and matched as needed to block such activity.

    In other words, PHP can be configured explicitly as to what a script
    is and is not permitted to do on your server.

    Directly in an SSH shell, such limitations are far more difficult to implement.
     
  6. 1ONE

    1ONE Member

    I agree with you, but on the other hand, users have their needs and if you want to keep up with your competitors, then you need to offer shell as well.

    But, does anyone have a fix for this issue? cPanel guys?!? Anyone?
     
  7. niccell

    niccell Well-Known Member

    Shell

    I've been in business for a while now, and I've NEVER given shell out, jail or otherwise. It's just too dangerous.

    You need to ask your client(s) exactly why they need any type of shell. I've never found anybody with a hosting account that has come up with an answer good enough for me to break my rule yet.
     
  8. Spiral

    Spiral BANNED

    That's a cop out! I directly own or otherwise have a top level executive role of
    76 hosting companies and many of those names you would recognize ...

    I additionally have more than 600 other host clients that are resellers, vds, or
    dedicated clients operating their hosting business under our network brands ...

    NONE OF US ALLOW ANY KIND OF SHELL ACCESS WHATSOEVER!

    Those newbie hosts out there who do allow shell usually don't last very long.

    The few of those same hosts who survive are almost always the very ones who
    wised up and changed their policy regarding shell access.

    And in the extremely rare instance that they might actually find a legitimate need,
    it is usually to set something up that would be better if an administrator of the server
    did on their behalf. And given that, the client still doesn't need any shell access!
     
    #8 Spiral, Apr 23, 2007
    Last edited: Apr 23, 2007
  9. cPanelNick

    cPanelNick Administrator
    Staff Member

    cPanel doesn't use /var/spool/mail, so you could just chmod it 0700.
     
  10. brianoz

    brianoz Well-Known Member

    We offer shell to people we know well. Well means that we know them personally or we know someone who knows them personally. They also have to have a good reason for shell access. This adds up to about 1 in 100 clients overall for us.

    We don't advertise that we offer shell access. I wouldn't offer it if I wasn't an experienced Unix admin, you'd be crazy to offer it otherwise.
     
  11. 1ONE

    1ONE Member

    Well, if you secure your server properly, I think it is safe to give shell to your users if they have a reasonable explanation. Mostly users need their shell to untar some file or something similar. wget, lynx, and other stuff I forbid them to use (there is a nice lil' tool called LES - http://www.rfxnetworks.com/les.php)

    @cpanelnick - can I chmod 700 /var/spool, because I see some folders there which I think users should not see.

    Thanks for the advice!
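
An added example, not part of the original thread: a read-only audit that reports, for a spool directory and each of its subdirectories, whether accounts outside the owner and group can list its entries (the exposure described for /var/spool/mail) or only traverse it. The function names are hypothetical and GNU `stat` (as on CentOS) is assumed.

```shell
#!/bin/sh
# Added example: classify directories by their "other" permission bits.
# Read-only; it never changes a mode. Usage: sh audit_spool.sh /var/spool

# other_perms DIR -> prints the "other" permission digit (0-7) of DIR.
other_perms() {
    mode=$(stat -c '%a' "$1") || return 2      # GNU stat: e.g. 755 or 1777
    echo "${mode#"${mode%?}"}"                 # keep only the last digit
}

# classify DIR -> listable | traverse-only | closed
#   listable      other has r: file names (e.g. mailbox names) are visible
#   traverse-only other has x but not r: known paths work, listing does not
#   closed        other has neither, as after "chmod 0700"
classify() {
    o=$(other_perms "$1") || return 2
    if [ $(( o & 4 )) -ne 0 ]; then
        echo listable
    elif [ $(( o & 1 )) -ne 0 ]; then
        echo traverse-only
    else
        echo closed
    fi
}

# audit_spool DIR -> one line per directory: class, mode, owner:group, path
audit_spool() {
    for d in "$1" "$1"/*/; do
        [ -d "$d" ] || continue                # skips an unmatched glob too
        printf '%s %s %s\n' "$(classify "$d")" \
            "$(stat -c '%a %U:%G' "$d")" "$d"
    done
}

if [ "$#" -gt 0 ]; then
    audit_spool "$1"
fi
```

Because the output is one line per subdirectory, each directory's mode can be reviewed on its own before and after a change such as the `chmod 0700` on /var/spool/mail suggested above.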
     