WEBSERVER user access to MAIL folder

Schottkey

Member
Oct 24, 2012
12
0
1
cPanel Access Level
Root Administrator
Hi guys,

cPanel has a major security risk regarding how the PHP handler is configured: DSO or suPHP.

With the DSO configuration, the risk is that a hacker can access the webserver folder of all users, because PHP is executed with 'nobody' permissions for all accounts.

With suPHP, the webserver is executed with the user account's permissions, so it can access the mail folder.

I think the best way is the suPHP configuration, but the webserver must use a second user of the account. One user has access to all files in the home folder and the second user has access only to the webserver folder. The webserver has the same permissions as the webserver folder of the account.


Example:

/etc/passwd
USER_ALL:group_ALL:/home/USER
USER_WEB:group_WEB:/home/USER/public_html

/etc/group
group_ALL: USER_ALL
group_WEB: USER_ALL,USER_WEB



Please see the following post: http://boomshadow.net/tech/php-handlers/

Please help me, us, to obligate cPanel to resolve this issue.

Thanks guys,
Daniel Pereira
 

Schottkey

If a hacker's PHP file is uploaded to the webserver (configured with suPHP), they can see the contents of the home folder, so they can see all the mail of that account.

I just want cPanel to fix this problem, so that a hacked webserver cannot access the mail folder.
 

theboomshadow

Registered
Oct 27, 2011
3
0
126
cPanel Access Level
DataCenter Provider
I know I already replied to your post on my site, but I wanted to follow up here as well. You stated here that DSO has the same issue.

Honestly, I doubt this is a common problem. Most user-level site compromises that I've seen over the years are to send mail, set up redirects, replace pages, etc. Not to go scanning through the mail. You're right, it could let someone read the mail, which could be used for social engineering. If you're really worried about mail security from PHP scripts, you should use DSO. With DSO, files written to the server by Apache would be owned by 'nobody' and therefore wouldn't have access to the user's mail or etc folder.
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
4,607
79
458
cPanel Access Level
Root Administrator
How would your proposal work for applications that store the UI in the document root, but store the data outside the document root?

For example on my Gallery 2 setup, I store all my photo albums in /home/user/albums, not in /home/user/public_html/gallery2/albums.

How would your proposal work for domains whose document root is not in /home/user/public_html?

For example, some of my domains are set up with the following document roots:

/home/user/addon.one
/home/user/addon.two

How would your proposal be effective for CGI?
 

Schottkey

I think the answer is in this question: "Why do you need to store website data (photos) in the user's home folder (/home/user)?"

If the hacker gets into your website (suPHP), they will have access to the user's home folder (/home/user) and all its contents (/home/user/addon.one, etc.), including mail.

The mail server also has bugs and can be hacked, but it's more difficult. Also, (security) patches are available when security bugs are found.

On the other side, websites are built by different people who don't give support after the site is bought. Also, the best-known CMS distributions are the most hacked (Joomla, Drupal, etc.).

From my point of view, a hacked site is the concern of the person who bought/implemented it, but if it gives access to other services like MAIL, this is a major security risk.

Please imagine you have a simple website (PHP) and it was hacked. Now imagine that the hacker downloads all your emails.
Is it or is it not a major security risk?

If you want, I can send a hacker PHP file so you can see what I'm talking about.
 

Schottkey

I understand, but that is a false protection, because if the webserver uploads the data to that directory, the hacker has access to that directory. They will have no direct HTTP access to your directory, but if the hacker finds a flaw in the PHP website, they can access all files in /home/user, including your data and mail.

From my point of view, putting the data used by the webserver in "/home/user" is the same as putting it in "/home/user/www". The protection of your data must be in your PHP code and in the .htaccess.

Saying that, I'm saying that a flaw in a PHP website cannot give access to your MAIL but will give access to all the information the webserver has permission to read/write.

Hence again, if the mail server has different permissions than the webserver, a flaw in the PHP code will not give access to your mail.

The cPanel UI will have permissions to read and write in all folders because those users will belong to the account. The account will have several users for several services (HTTP, mail, FTP, etc.). For example: user_cpanel, user_web, user_mail, user_ftp, etc.

Using these permission protections, the only flaw I can imagine is in the cPanel vendor, because accessing cPanel gives access to all account services. I chose cPanel to manage my website because I trust your code, and if a flaw is detected cPanel will respond immediately.
 

Schottkey

theboomshadow said: "I know I already replied to your post on my site, but I wanted to follow up here as well. You stated here that DSO has the same issue."
Thanks for your post.

DSO has a different issue: if a hacker executes a PHP script, it will have access to the other accounts'/websites' folders, but will not have access to the MAIL folder. This is because the sites all have the same permissions, the 'nobody' user.

DSO also has a security issue, because it just needs one website (one account) with a PHP flaw for the hacker to have access to all the websites hosted on the webserver.

The damage will be in all the websites and the security risk is greater also. It's for that reason that I prefer suPHP, because it separates the user space of different accounts.

But suPHP must be used with a different user in the account to separate the webserver from the mail server.
 

cPanelKenneth

Schottkey said: "I understand, but that is a false protection."
Apparently my point was not clear. The purpose for storing my data outside the document root is to prevent easy theft of bandwidth and copyrighted data via a hyperlink. To get to the data they have to go through my application (which is protected via other means, such as member name and password).

To follow the same pattern with your proposal means I, as the cPanel user, need a way to grant this extra user access to my data.

How would your proposal work for people that may be using their own web application to read mail directly from their mail directory?

Indeed if every cPanel account on the system has two system level users (user and user_web) we've now complicated all accounting and management functions.
 

Schottkey

cPanelKenneth said: "Apparently my point was not clear. The purpose for storing my data outside the document root is to prevent easy theft of bandwidth and copyrighted data via a hyperlink. To get to the data they have to go through my application (which is protected via other means, such as member name and password)."
I don't think I understand this issue very well, because I can write PHP code that masquerades the URL path on the webserver where the image really is. For example:


<img src="/fakepath.php?img=1" />


The PHP script will read the image in the WWW/IMAGE_DIRECTORY/ folder and protect it from any WWW user who is not authenticated. The folder must be unknown to the WWW and protected from direct access (.htaccess).

But there is another way: if you want to put the web data in "/home/user/addon.1", you must give user_web permissions to this folder in cPanel.

If the user wants to read mail directly from the MAIL folder with a web application, just go to cPanel and add user_web permissions to this folder. But cPanel will warn that user_web permissions are not recommended.

Whoever has access to the cPanel account has the ability to manage user permissions, so they can modify the default permissions for the MAIL folder.
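Added example (not part of any post in this thread, and not cPanel code): a small model of Unix owner/group/other checks comparing what PHP can read when it runs as the shared 'nobody' user (DSO), as the account owner (suPHP), or as the proposed web-only user. The accounts alice and bob, the groups, the modes and the layout are all constructed assumptions, including modelling DSO by placing 'nobody' in every account's web group.

```python
import posixpath

# path -> (owner, group, mode). Constructed layout, not cPanel defaults.
FS = {
    "/": ("root", "root", 0o755),
    "/home": ("root", "root", 0o711),
    "/home/alice": ("alice", "alice_web", 0o710),
    "/home/alice/mail": ("alice", "alice", 0o700),
    "/home/alice/mail/inbox": ("alice", "alice", 0o600),
    "/home/alice/public_html": ("alice", "alice_web", 0o750),
    "/home/alice/public_html/index.php": ("alice", "alice_web", 0o640),
    "/home/alice/addon.one": ("alice", "alice", 0o700),  # docroot outside public_html
    "/home/alice/addon.one/index.php": ("alice", "alice", 0o600),
    "/home/bob": ("bob", "bob_web", 0o710),
    "/home/bob/public_html": ("bob", "bob_web", 0o750),
    "/home/bob/public_html/index.php": ("bob", "bob_web", 0o640),
}

# Identity PHP runs as under each model: (user, groups). Assumed memberships.
MODELS = {
    "dso": ("nobody", {"nobody", "alice_web", "bob_web"}),  # one user for all sites
    "suphp": ("alice", {"alice", "alice_web"}),             # the account owner
    "proposed": ("alice_web", {"alice_web"}),               # web-only second user
}

def _allowed(path, user, groups, bit):
    """Apply owner, then group, then other bits, as the kernel does (no root bypass)."""
    owner, group, mode = FS[path]
    if user == owner:
        return bool(mode >> 6 & bit)
    if group in groups:
        return bool(mode >> 3 & bit)
    return bool(mode & bit)

def can_read(model, path):
    user, groups = MODELS[model]
    parent = posixpath.dirname(path)
    while True:  # search (x) permission is required on every ancestor directory
        if not _allowed(parent, user, groups, 1):
            return False
        if parent == "/":
            break
        parent = posixpath.dirname(parent)
    return _allowed(path, user, groups, 4)

TARGETS = ["/home/alice/mail/inbox", "/home/alice/public_html/index.php",
           "/home/alice/addon.one/index.php", "/home/bob/public_html/index.php"]

def report(paths=TARGETS):
    return {m: [p for p in paths if can_read(m, p)] for m in MODELS}
```

In this model the DSO identity reaches both accounts' sites but no mail, the suPHP identity reaches alice's mail but not bob's site, and the web-only identity reaches only public_html, which also locks it out of the addon.one document root until that directory is explicitly granted.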