access to user list -possible security hole?
- Thread starter stars
- Start date
zEitEr
Super Moderator
Hello,
It is possible in most cases:
- you should know how directadmin server is based, and where files are located.
- and know bash/perl scripting, php is useless here in some cases with open basedire restriction.
to get a full list of all domains and their owners from inside a server. You just need a hosting account on such a server, and run a BASH/Perl programm with cron, and you get a list of all accounts.
Do you want to check it with me? Will you create a test account for me? And I'll probably list all domains on your server.
It is possible in most cases:
- you should know how directadmin server is based, and where files are located.
- and know bash/perl scripting, php is useless here in some cases with open basedire restriction.
to get a full list of all domains and their owners from inside a server. You just need a hosting account on such a server, and run a BASH/Perl programm with cron, and you get a list of all accounts.
Do you want to check it with me? Will you create a test account for me? And I'll probably list all domains on your server.
It's most likely that /etc/passwd was read, which is "word-readable". Like Alex mentioned, that could happen within cgi-bin, cronjobs or even PHP with open basedir restriction, if PHP is not secured (I mean if it doesn't have dangerous functions in disable_functions list). Please check http://help.directadmin.com/item.php?id=247, which tells you how-to secure PHP, and I'd also suggest paying attention to securing /tmp directory, for it to be noexec,nosuid. Other files could be /etc/virtual/domainowners (and /etc/virtual/domains to list domains).
Last edited:
zEitEr
Super Moderator
I've sent you a link to a list of all domains and their owners from your server by PM. Please check it.
I've reported the issue privately to Directadmin support.
Yes, that's why I was talking about some world-readable files, that could be read using cgi-bin, cronjobs etc. 
A change regarding this: https://www.directadmin.com/features.php?id=1624.
A change regarding this: https://www.directadmin.com/features.php?id=1624.@smtalk - thanks for this tip, according to https://www.directadmin.com/features.php?id=1624 this will be introduced in next version.
Is it safe to change
from 644 to 600 manually already?
There is information:
Is it safe to change
Code:
/etc/virtual/domains
/etc/virtual/domainownersfrom 644 to 600 manually already?
There is information:
zEitEr
Super Moderator
That's what John said regarding the subject:
Changes will be uploaded to the pre-release section shortly.
Changes will be uploaded to the pre-release section shortly.
Arieh
Verified User
Just would like to mention that software like CloudLinux offers a complete solutions from all angles for this, for instance each user gets a virtual passwd file rather than the system file.
Sure it has had its vulnerabilities (like any other software), and it isn't free: I still think it's the best option regarding shared files visibility/execution (and a lot of other stuff).
Sure it has had its vulnerabilities (like any other software), and it isn't free: I still think it's the best option regarding shared files visibility/execution (and a lot of other stuff).
roman_m
Verified User
In any case you must set 711 permissions to /etc/virtual directory and 640 for /etc/virtual/domains and /etc/virtual/domainowners