The Community Forums


WEBSERVER user access to MAIL folder

Discussion in 'Security' started by Schottkey, Oct 24, 2012.

  1. Schottkey

    Schottkey Member

    Joined:
    Oct 24, 2012
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hi guys,

    cPanel has a major security risk regarding how the PHP handler is configured: DSO or suPHP.

    With the DSO configuration, the risk is that the hacker can access the webserver folder of all users, because PHP is executed with nobody permissions for all accounts.

    With suPHP, the webserver is executed with the user account permissions, so it can access the mail folder.

    I think the best way is the suPHP configuration, but the webserver must use a second user of the account. One user has access to all files in the home folder and the second user has access only to the webserver folder. The webserver has the same permissions as the webserver folder of the account.


    Example:

    /etc/passwd
    USER_ALL:group_ALL:/home/USER
    USER_WEB:group_WEB:/home/user/public_html

    /etc/group
    group_ALL: USER_ALL
    group_WEB: USER_ALL,USER_WEB



    Please see the following post: http://boomshadow.net/tech/php-handlers/

    Please help me, us, to obligate cPanel to resolve this issue.

    Thanks guys,
    Daniel Pereira
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,471
    Likes Received:
    199
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Resolve what, exactly?
     
  3. Schottkey

    Schottkey Member

    If a hacker's PHP file is uploaded to the webserver (configured with suPHP), they can see the contents of the home folder, so they can see all the mail of that account.

    I just want cPanel to fix this problem, so that a hacked webserver cannot access the mail folder.
     
  4. theboomshadow

    theboomshadow Registered

    Joined:
    Oct 27, 2011
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    DataCenter Provider
    I know I already replied to your post on my site, but I wanted to follow up here as well. You stated here that DSO has the same issue.

    Honestly, I doubt this is a common problem. Most user level site compromises that I've seen over the years are to send mail, set up redirects, replace pages, etc... Not to go scanning through the mail. You're right, it could let someone read the mail which could be used for Social Engineering. If you're really worried about mail security from PHP scripts, you should use DSO. With DSO, files written to the server by Apache would be owned by 'nobody' and therefore wouldn't have access to the user's mail or etc folder.
     
  5. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,460
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    How would your proposal work for applications that store the UI in the document root, but store the data outside the document root?

    For example on my Gallery 2 setup, I store all my photo albums in /home/user/albums, not in /home/user/public_html/gallery2/albums.

    How would your proposal work for domains whose document root is not in /home/user/public_html?

    For example, some of my domains are set up with the following document roots:

    /home/user/addon.one
    /home/user/addon.two

    How would your proposal be effective for CGI?
     
  6. Schottkey

    Schottkey Member

    I think the answer is in this question: "Why do you need to store website data (photos) in the home user folder (/home/user)?"

    If the hacker gets into your website (suPHP), he will have access to the home user folder (/home/user) and all its contents (/home/user/addon.one ...etc), including mail.

    The mail server also has bugs and can be hacked, but it's more difficult. Also, there are (security) patches available when the security bugs are found.

    On the other side, websites are built by different people who don't give support after the site is bought. Also, the best-known CMS distributions are the most hacked (Joomla, Drupal, etc.).

    From my point of view, a hacked site is a concern of the person who bought/implemented it, but if that gives access to other services like MAIL, this is a major security risk.

    Please imagine you have a simple website (PHP) and it was hacked. Now imagine that the hacker downloads all your emails.
    Is it or is it not a major security risk?

    If you want, I can send a hacker PHP file so you can see what I'm talking about.
     
    #6 Schottkey, Oct 31, 2012
    Last edited: Oct 31, 2012
  7. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    It prevents direct linking to my data.
     
  8. Schottkey

    Schottkey Member

    I understand, but that is a false protection, because if the webserver uploads the data to that directory, the hacker has access to that directory. He will have no direct HTTP access to your directory, but if the hacker finds a flaw in the PHP website he can access all files in /home/user, including your data and mail.

    From my point of view, putting the data used by the webserver in "/home/user" is the same as putting it in "/home/user/www". The protection of your data must be in your PHP code and in the .htaccess.

    Saying that, I'm saying that a flaw in a PHP website cannot give access to your MAIL but will give access to all the information the webserver has permission to read/write.

    Hence, again, if the mail server has different permissions than the webserver, a flaw in the PHP code will not give access to your mail.

    The cPanel UI will have permissions to read and write in all folders because those users will belong to the account. The account will have several users for several services (http, mail, ftp, etc.). For example: user_cpanel, user_web, user_mail, user_ftp, etc.

    Using these permission protections, the only flaw I can imagine is in the cPanel vendor, because by accessing cPanel one will have access to all account services. I chose cPanel to manage my website because I trust your code, and if a flaw is detected cPanel will respond immediately.
     
  9. Schottkey

    Schottkey Member

    Thanks for your post.

    DSO has a different issue: if a hacker executes a PHP script, it will have access to the other accounts'/websites' folders, but will not have access to the MAIL folder. This is because the sites all have the same permissions, the nobody user.

    DSO also has a security issue, because it just needs one website (an account) with a PHP flaw for the hacker to have access to all the websites hosted on the webserver.

    The damage will be in all the websites and the security risk is greater also. It's for that reason that I prefer suPHP, because it will separate the user space of different accounts.

    But suPHP must be used with a different user in the account to separate the webserver from the mail server.
     
    #9 Schottkey, Nov 2, 2012
    Last edited: Nov 2, 2012
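
Added example, not part of any post in this thread: a small model of the Unix owner/group/other check that compares which files a compromised PHP script could read under DSO (PHP runs as nobody), suPHP (PHP runs as the account user) and the two-user split proposed above. The accounts alice and bob, the alice_web/bob_web users and all modes are constructed assumptions, not cPanel defaults; root, ACLs and other access controls are not modelled.

```python
import stat
D, F = stat.S_IFDIR, stat.S_IFREG  # file-type bits, as in st_mode

def bits(node, user, groups):
    """Pick the owner, group or other rwx triplet, as the kernel does."""
    owner, group, mode = node
    if user == owner:
        return (mode >> 6) & 7
    if group in groups:
        return (mode >> 3) & 7
    return mode & 7

def can_read(tree, path, user, groups):
    """Needs search (x) on each modelled parent directory and read (r) on the file."""
    parts = path.strip("/").split("/")
    for i in range(1, len(parts)):
        parent = tree.get("/" + "/".join(parts[:i]))  # unmodelled dirs (/home) pass
        if parent and not bits(parent, user, groups) & 1:
            return False
    return bool(bits(tree[path], user, groups) & 4)

def layout(web_group):
    """Constructed two-account tree; web_group(acct) names the group on web files."""
    tree = {}
    for acct in ("alice", "bob"):
        home, g = f"/home/{acct}", web_group(acct)
        tree[home] = (acct, acct, D | 0o711)
        tree[f"{home}/public_html"] = (acct, g, D | 0o750)
        tree[f"{home}/public_html/config.php"] = (acct, g, F | 0o640)
        tree[f"{home}/mail"] = (acct, acct, D | 0o700)
        tree[f"{home}/mail/inbox"] = (acct, acct, F | 0o600)
    return tree

SCENARIOS = {  # hypothetical: (group on web files, user PHP runs as, its groups)
    "DSO": (lambda a: "nobody", "nobody", {"nobody"}),
    "suPHP": (lambda a: "nobody", "alice", {"alice"}),
    "split": (lambda a: a + "_web", "alice_web", {"alice_web"}),
}

def audit(name):
    """Files a compromised PHP script could read in the named scenario."""
    web_group, user, groups = SCENARIOS[name]
    tree = layout(web_group)
    return sorted(p for p, n in tree.items()
                  if stat.S_ISREG(n[2]) and can_read(tree, p, user, groups))

if __name__ == "__main__":
    for name in SCENARIOS:
        print(f"{name:6}", audit(name))
```

In this model DSO exposes every account's web files but no mail, suPHP exposes alice's web files and her mail, and the split user exposes only alice's web files.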
  10. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Apparently my point was not clear. The purpose for storing my data outside the document root is to prevent easy theft of bandwidth and copyrighted data via a hyperlink. To get to the data they have to go through my application (which is protected via other means, such as member name and password).

    To follow the same pattern with your proposal means I, as the cPanel user, need a way to grant this extra user access to my data.

    How would your proposal work for people that may be using their own web application to read mail directly from their mail directory?

    Indeed if every cPanel account on the system has two system level users (user and user_web) we've now complicated all accounting and management functions.
     
  11. Schottkey

    Schottkey Member

    I don't think I understand this issue very well, because I can write PHP code that masquerades the URL path on the webserver where the image really is. For example:


    <img src="/fakepath.php?img=1" />


    The PHP script will read the image in the WWW/IMAGE_DIRECTORY/ folder and protect it from any WWW user that is not authenticated. The folder must be unknown to the WWW and it's protected from direct access (.htaccess).

    But there is another way: if you want to put the web data in "/home/user/addon.1", you must give user_web permissions to this folder in cPanel.

    If the user wants to read mail directly from the MAIL folder with a web application, just go to cPanel and add user_web permissions to this folder. But cPanel will warn that user_web permissions are not recommended.

    Whoever has access to the cPanel account has the ability to manage user permissions, so they can modify the default permissions for the MAIL folder.
     