  1. #1

    User can see /etc/passwd. How to stop this?

    Hello,

    We have CentOS and WHM 11 on the server. We also have PHP 4.4.4 and open_basedir enabled on the server. It is a shared server with many websites configured on it.

    Now the user uses the following PHP code and can see the /etc/passwd file:
    =============================================
    <?php
    // Print the current (per-vhost) values of the two restrictions.
    echo ini_get("safe_mode");
    echo ini_get("open_basedir");
    // First attempt: should be refused while open_basedir is in effect.
    include("/etc/passwd");
    // ini_restore() resets each directive to its original value.
    ini_restore("safe_mode");
    ini_restore("open_basedir");
    // Print the values again to see what ini_restore() left behind.
    echo ini_get("safe_mode");
    echo ini_get("open_basedir");
    // Second attempt: on our server this one succeeds and shows /etc/passwd.
    include("/etc/passwd");
    ?>
    ============================================


    Now, how do we stop this? This is a security hole. So please suggest how to stop this.

    Thanks.
    its_joe

  2. #2
    Join Date: Mar 2003 | Location: Canada | Posts: 9,072
    That's not a security hole.

    The /etc/passwd file contains nothing of any real value...
    RACK911 Labs | Penetration Testing | https://www.RACK911Labs.ca

    www.HostingSecList.com - Security Notices for the Hosting Community.

  3. #3
    Join Date: Jan 2006 | Location: Athens, Greece | Posts: 1,481
    The security hole is if passwords are composed from single words.

  4. #4
    This is true.

    The ability to view /etc/passwd is only useful for certain things:

    1. It provides a list of usernames, important for bruting.
    2. That same list of usernames could aid in cross-server attacks.
    (/home/[username]/public_html/)
    3. It could show who has shells or not (for bruting).

    Other than this, it's not that important, but I would suggest not worrying about it that much. Usernames can be enumerated, or guessed with programs such as nikto.pl.

    Just make sure the ability to brute your SSH is denied, and cross-server attacks too, usually by setting the permissions of the users' directories to something like 711.

    Google has many, many hardening tutorials on all your services and server security.

  5. #5
    Join Date: Nov 2005 | Posts: 352
    The fact is that "/etc/passwd" must be world readable, otherwise certain services that drop root privileges when running (e.g., bind, proftpd, apache, etc.) may or may not function properly if they can't match usernames to system UIDs.

  6. #6
    Join Date: Feb 2006 | Location: Melbourne, Australia | Posts: 141
    Correct, it isn't a security hole.

    The passwords cannot be decrypted to my knowledge (don't quote me on that), and as dexxtreme stated, the file MUST be world readable, otherwise you WILL find yourself in a heap of trouble.
    Dymestry Interactive | Australian Co-Location - Dymestry.com
    Fully Managed Dedicated Servers And Co-Location (Sydney & Melbourne)

  7. #7
    Join Date: Nov 2005 | Posts: 352
    Quote Originally Posted by Dexqt:
    Correct, it isn't a security hole.

    The passwords cannot be decrypted to my knowledge (Don't quote me on that) and dexxtreme stated, the file MUST be world readable, otherwise you WILL find yourself in a heap of trouble.
    To read the master password file (/etc/shadow on Linux, /etc/master.passwd on FreeBSD) you have to gain root access anyway. Once you gain root access, you have little need for additional passwords.

  8. #8
    Join Date: Jan 2004 | Location: Greece | Posts: 2,211
    There were OSes many years ago that stored encrypted passwords inside /etc/passwd. Then system users used John the Ripper (don't remember if the name is correct) to try to find the root password.

  9. #9
    You don't need to gain root access in all cases.

    It all depends on who set up the box.

    I've seen the shadow file readable as user 'nobody'.

    With JtR, it's easy.

    You just take the passwd file and the shadow file, and run them through.

    Problem is, unless you used a password of something stupid like 'rosebud' or anything else that's in a word list, then you're screwed.

    Either way, this could take a very, very long time.

    You could tighten your security by forcing all passwords to be a minimum of 16 chars, requiring at least 1 uppercase, 1 special char, 1 underscore, etc.

    And the most troubling chars for cracking programs are spaces.

  10. #10
    Join Date: Mar 2003 | Location: Canada | Posts: 9,072
    Quote Originally Posted by psychomarine:
    I've seen the shadow file readable as user 'nobody'.
    Yikes!

    That's far from the norm... if the shadow file was readable by the user nobody, someone screwed up on an unimaginable level.

  11. #11
    I am not very good at PHP, but setting the open_basedir value under the vhost in httpd.conf will stop PHP scripts from accessing files outside of the user's home dir.
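    An added configuration example (not from this thread or any poster) of what that per-vhost setting looks like, with two caveats the PHP manual documents: open_basedir is a prefix match, so each path needs a trailing slash, and php_admin_value rather than php_value keeps the user from relaxing it from their own .htaccess or with ini_set(). The user "joe", the hostname and the paths are constructed placeholders.

```apache
# Added example, not from the thread. Assumes Apache with mod_php and a
# constructed user "joe" whose home directory is /home/joe.

# Weak: php_value can be overridden by the user's own .htaccess, and
# "/home/joe" without a trailing slash is a prefix match, so it also
# permits "/home/joe2/" and "/home/joe-old/" if they exist.
<VirtualHost *:80>
    ServerName joe.example.com
    DocumentRoot /home/joe/public_html
    php_value open_basedir "/home/joe"
</VirtualHost>

# Hardened: php_admin_value cannot be changed from .htaccess or loosened
# with ini_set(), and each entry ends in "/" so it matches only that
# directory tree. /tmp/ is listed because sessions and uploads land there.
<VirtualHost *:80>
    ServerName joe.example.com
    DocumentRoot /home/joe/public_html
    php_admin_value open_basedir "/home/joe/:/tmp/"
</VirtualHost>
```

    Only one of the two blocks belongs in a real httpd.conf; they are shown side by side for contrast. After restarting Apache, re-run the test script from the first post to confirm the second include() is refused as well.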

  12. #12
    Join Date: Oct 2004 | Location: Kerala, India | Posts: 4,771
    One thing you can do is run PHP as CGI, so the "nobody" user cannot upload and execute PHP scripts.
    David | www.cliffsupport.com
    Affordable Server Management Solutions sales AT cliffsupport DOT com
    CliffWebManager | Access WHM from iPhone and Android
