The Community Forums

Interact with an entire community of cPanel & WHM users!

Serious Security Issue - how to fix?!

Discussion in 'Security' started by brianteeter, Mar 11, 2003.

  1. brianteeter

    Here it is:

    root@servername [/home]#

    drwx--x--x 11 user1 user1 4096 Nov 27 13:09 user1/
    drwx--x--x 12 user2 user2 4096 Oct 8 03:46 user2/

    root@servername [/home]# su - user1
    bash-2.05$ pwd
    /home/user1
    bash-2.05$ cd ..
    bash-2.05$ pwd
    /home
    bash-2.05$ cd user2
    bash-2.05$ pwd
    /home/user2
    bash-2.05$ ls
    ls: .: Permission denied

    Looks good so far, right? User 1 cannot see User 2's stuff. Well:

    bash-2.05$ pwd
    /home/user2
    bash-2.05$ cd public_html
    bash-2.05$ pwd
    /home/user2/public_html
    bash-2.05$ ls
    cart index.php cgi-bin time.php


    Doh! This is seriously not good. Users can browse into and read other users' site data. Do I need to spell out the implications here?

    OK, here's the fix that we've put in place:

    chmod 751 /home/*/public_html

    But I doubt that it is the best fix or even the right one. Not to mention, next time cPanel creates an account it will create it insecurely.

    Any suggestions? cPanel folks, is there a better way to fix this?

    Thanks - Brian
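
An added example, not part of the original post and not cPanel's own tooling: a POSIX shell audit that reports, for each <base>/<user>/public_html, whether other local users can list it, only traverse it, or not enter it at all. The function names and the temporary sample tree are constructed for illustration; the <base>/<user>/public_html layout is assumed from the transcript above.

```shell
#!/bin/sh
# Added example (not from the original post): audit docroot permissions.
# Assumption: accounts are laid out as <base>/<user>/public_html.

# classify_other PERMS -> LISTABLE | TRAVERSE-ONLY | PRIVATE
# PERMS is the mode column of `ls -ld`, e.g. drwxr-x--x
classify_other() {
    other=$(printf '%s' "$1" | cut -c8-10)    # the "other" rwx triplet
    case $other in
        r*)      echo LISTABLE ;;       # other users can ls the directory
        ??[-T])  echo PRIVATE ;;        # no search bit: cannot enter it
        *)       echo TRAVERSE-ONLY ;;  # can cd in, cannot list names
    esac
}

# audit_docroots BASE -> one line per docroot: STATUS USER PERMS
audit_docroots() {
    for d in "$1"/*/public_html; do
        [ -d "$d" ] || continue         # unmatched glob or not a directory
        perms=$(ls -ldL "$d" | cut -c1-10)
        user=$(basename "$(dirname "$d")")
        echo "$(classify_other "$perms") $user $perms"
    done
}

# Constructed sample tree so the audit can be tried without touching /home.
demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/user1/public_html" "$t/user2/public_html" "$t/user3/public_html"
    chmod 751 "$t/user1/public_html"    # mode applied by the chmod in the post
    chmod 755 "$t/user2/public_html"    # listable, as in the transcript
    chmod 750 "$t/user3/public_html"    # no access for "other" at all
    echo "$t"
}

# Usage: sh audit.sh /home   (with no argument, runs on the constructed tree)
if [ -n "${1:-}" ]; then
    audit_docroots "$1"
else
    t=$(demo_tree) && audit_docroots "$t"
    rm -rf "$t"
fi
```

A TRAVERSE-ONLY result corresponds to mode 751 from the post: ls no longer shows names, but the search bit still lets a path with a known file name resolve, so the modes of the files inside matter as well.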
     