mod_fcgid user can access other's files

luschache

Verified User
Joined
Mar 1, 2012
Messages
24
After I upgraded to Custombuild 2.0 and installed Apache 2.4 and PHP 5.5 with mod_fcgid I noticed that users can access other's files. For example:

PHP:
<?php 
	exec('ls -l /home/otheruser/domains/domain.com/public_html', $result);
	
	echo '<pre>';
		print_r($result);
	echo '</pre>';
?>

Disabling exec() and all other functions is not an option, they are used by customers.

Users can also list which other users are present on the server:

PHP:
<?php 
	exec('ls -l /home', $result);
	
	echo '<pre>';
		print_r($result);
	echo '</pre>';
?>

I searched a lot, but cannot find a solution for these two problems. Who can help me?
 
I have no experience in using mod_fcgid through custombuild, but try looking what under what user your script is being executed, echo exec('whoami');
 
Enabling SAG seems to solve the first problem. Users cannot see files of other users anymore, so thumbs up for that one! Thank you :)

Unfortunately, this does not solve the second problem. A user can still list files in root (/) or home (/home).
 
After enabling SAG, /home/ should not be readable (user list), are you sure about that one?

Other system directories can't be shielded that easily, not by DA at all. You could chmod root / to be not readable but you still have all sorts of other directories.

I don't know all the options using chmod, there are probably some. But by design it's just not a 100% bullet proof. CloudLinux for example has tackled this issue by creating a virtual environment for each user.
 
Is your /home chmodded 711?

I'm currently not an active CL user but it is still in the planning to switch to it. I've been testing with it a year ago. The reason I'm not using it right now is the license costs and time it needs to make the switch, shared hosting is not my number one business.
 
It was not chmodded 711, now it is and that fixed the issue, thank you!

I will ask my provider about their opinion of using CloudLinux, thank you for your information.
 
That's a problem of open_basedir too, it will be included by default into the next release of DA (currently open_basedir restriction is not set by default, when mod_fcgid is used).
 
Back
Top