Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : /etc/passwd and /etc

[danielx]

Hi is normal that some user in the sistem can list files in /etc and /etc/password?

Can you confirm if this is true:
is normal that the server allow a user to list all users with php? This is part of a cPanel server, this is done by getting a list of the directories in /home/

Is normal that a user with php can see all contenct of /etc?
The contents of the /etc shouldn't be 100% viewable but yes some files will be viewable

is normal that a user can check the /etc/passwd?
All users must be able to access this file in order for the operating system to spawn shells

I want to know if is safely that one user with php can read /etc/passwd an see al information that this file have

Thanks, Daniel.

[RDSNetworking]

Enabling open_basedir should remedy this for you.

[inerail-chris]

Yes, /etc/passwd is world readable, it's really /etc/shadow that shouldn't be.

[Patrick]

Perfectly normal and safe for users to be able to view /etc/passwd and most files under the /etc/ directory. As Chris pointed out, it's the /etc/shadow file that the users shouldn't be able to read - it's what contains the actual password hashes.