Shell Access

Discussion in 'General Discussion' started by kt, Oct 18, 2002.

  1. kt

    kt Active Member

    I was wondering... One of my clients had mentioned being able to view other users' accounts. Shell users cannot access them, or execute functions on them; however, they can see all of the other users, and all folders on the servers. I think this is a pretty big security threat. I checked it out and was able to access the public_html dir, because I knew it was there... from there I could view all the files.

    How can I prevent users from viewing other dirs except their own?
     
  2. Juanra

    Juanra Well-Known Member

    I am not a security expert, would someone please confirm these steps?:

    Disable shell access. If you don't disable shell access, chroot it. I wish cpanel boxes did that by default, but it seems it's not that easy.

    Disable CGI. If you don't disable CGI, install PHP as CGI and use suExec. Remind your users to chmod their scripts 0700.

    If you disable CGI, use PHP open_basedir directives. Switch PHP safe mode on if you can.

    There must be other things. I don't know how secure an account on shared hosting can really be.
     
  3. itf

    itf Well-Known Member

    Originally posted by kt:

    > I was wondering... One of my clients had mentioned being able to view other users' accounts. Shell users cannot access them, or execute functions on them; however, they can see all of the other users, and all folders on the servers. I think this is a pretty big security threat. I checked it out and was able to access the public_html dir, because I knew it was there... from there I could view all the files.
    >
    > How can I prevent users from viewing other dirs except their own?

    It is very clear that files which have read access permission for the public are readable by the public, just as those which have write access permission for the public are writable by the public, and those with execute access permission for the public are executable by the public.

    (When you read this, consider the public as those users who are not in your user group.)

    However, if you can read a file, it doesn't mean that you can modify it unless you have write access permission.

    Unfortunately, it is beyond the size and time of a post to explain this in detail; just read a Unix/Linux guide or administration book, or even use
    man chmod
    in an SSH session to get more information.

    However, if you don't want your customers to have shell access, just disable shell access for them.
     
  4. dgbaker

    dgbaker Well-Known Member
    This is what we did and have found no problems so far. Users cannot view or execute another user's directories.

    NOTE: do only the directories not the quota files.
    in /home
    chgrp nobody *
    chmod 750 *

    This allows the owner full access, the webserver to read and execute, and denies anyone else; not even doing ls /home/username/public_html will work. They get "Permission denied".
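
    The layout described in the post above (group set to the web server's group, mode 750, directories only), as an added example that is not part of the original post. The function names and the sandbox are hypothetical; the group is a parameter so the demo runs without root, and on the server in this thread it would be `nobody` against `/home`. GNU find and stat are assumed.

```shell
#!/bin/sh
# Added example (not the poster's code): audit and apply the
# "group = web server, mode 750" layout on the direct children
# of a home base directory. Function names are hypothetical.

# List home directories that grant any permission bit to "other" users.
audit_home_dirs() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm /007
}

# Set the group and mode 750 on directories only. Regular files in the
# base directory (such as the quota files) and symlinks are not touched,
# because -type d matches real directories only.
lock_home_dirs() {
    base=$1
    group=$2
    find "$base" -mindepth 1 -maxdepth 1 -type d \
        -exec chgrp "$group" {} + -exec chmod 750 {} +
}

# Constructed sandbox standing in for /home, so the demo needs no root.
demo() {
    sandbox=$(mktemp -d)
    mkdir -m 755 "$sandbox/alice" "$sandbox/bob"
    : > "$sandbox/quota.user"            # stands in for a quota file
    echo "before:"; audit_home_dirs "$sandbox"
    # On the real server the group would be: nobody
    lock_home_dirs "$sandbox" "$(id -g)"
    echo "after:";  audit_home_dirs "$sandbox"
    stat -c '%a %G %n' "$sandbox"/*
    rm -rf "$sandbox"
}
demo
```

    Running the audit function again after account creation or restores shows whether new home directories have come back with permissions for other users.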
     
  5. mikerayner

    mikerayner Well-Known Member

    Originally posted by dgbaker:

    > This is what we did and have found no problems so far. Users cannot view or execute another user's directories.
    >
    > NOTE: do only the directories not the quota files.
    > in /home
    > chgrp nobody *
    > chmod 750 *
    >
    > This allows the owner full access, the webserver to read and execute, and denies anyone else; not even doing ls /home/username/public_html will work. They get "Permission denied".

    There would be some problems with suEXEC this way; also, all of them are accessible by PHP scripts.
    However, it's not harmful to read the public_html directory by any user on the system, as this directory is accessible through the web, and you cannot use this solution for the entire system (all directories).

    Also, as ITF wrote above, if someone could read a file, it doesn't mean he/she can modify it too, unless he/she has write access permission.
     
  6. dgbaker

    dgbaker Well-Known Member
    Agree, but there can be sensitive information in the public_html folder. For example, when using post-nuke or the like, passwords are stored in files in the public area.
     
  7. kt

    kt Active Member

    Thanks for all the help.
     