Shell Access

[kt]

I was wondering...One of my clients had mentioned being able to view other users accounts. Shell users cannot access them, or execute functions on them, however, they can see all of the other users, and all folders on the servers. I think this is a pretty big security threat. I checked it out and was able to access public_html dir, beacuse I knew it was there..from there I could view all the files.

How can I prevent users from viewing other dir except their own....?

 

[Juanra]

I am not a security expert, would someone please confirm these steps?:

Disable shell access. If you don't disable shell access, chroot it. I wish cpanel boxes did that by default, but it seems it's not that easy.

Disable CGI. If you don't disable CGI, install PHP as CGI and use suExec. Remind your users to chmod their scripts 0700.

If you disable CGI, use PHP open_basedir directives. Switch PHP safe mode on if you can.

There must be other things. I don't know how secure an account on shared hosting can really be.

 

[itf]

[quote:535db98096][i:535db98096]Originally posted by kt[/i:535db98096]

I was wondering...One of my clients had mentioned being able to view other users accounts. Shell users cannot access them, or execute functions on them, however, they can see all of the other users, and all folders on the servers. I think this is a pretty big security threat. I checked it out and was able to access public_html dir, beacuse I knew it was there..from there I could view all the files.

How can I prevent users from viewing other dir except their own....?


[/quote:535db98096]
It is very clear that files, which have read access permission for the public, are readable by the public as well as those, which have write access permission for the public are writable by the public and those with execute access permission for the public are executable by the public

(when you read this consider the public as those users who are not in your user group)

However, if you can read a file it doesn't mean that you can modify it unless you have write access permission

Unfortunately, it is beyond the size and time of a post to explain this in details just read a Unix/Linux Guide/Administrative book, or even use
man chmod
in a ssh session to get more information.

However if you don't like your customers have a shell access just disable Shell access for them.

 

[dgbaker]

This is what we did and have found no problems so far. Users cannot view or execute another users directories.

NOTE: do only the directories not the quota files.
in /home
chgrp nobody *
chmod 750 *

This allows the owner full access, the webserver to read and excute and denies anyone else not even doing ls /home/username/public_html will work. They get &Permission denied&

 

[mikerayner]

[quote:1caa2a4ee7][i:1caa2a4ee7]Originally posted by dgbaker[/i:1caa2a4ee7]

This is what we did and have found no problems so far. Users cannot view or execute another users directories.

NOTE: do only the directories not the quota files.
in /home
chgrp nobody *
chmod 750 *

This allows the owner full access, the webserver to read and excute and denies anyone else not even doing ls /home/username/public_html will work. They get &Permission denied&[/quote:1caa2a4ee7]
There would be some problems with suEXEC this way also all of them are accessible by PHP scripts
However, it's not harmful to read public_html directory by any user on the system as this directory is accessible through the web and you cannot use this solution for the entire system (all directories)

Also as ITF, wrote above if someone could read a file, it doesn't mean he/she can modify it too unless he/she has a write access permission.

 

[dgbaker]

Agree, but there can be sensitive information in the public_html folder. For example when using post-nuke or the like passwords are stored in files in the public area.

 

[kt]

Thanks for all the help.