cPanel user has access to the root folder via PHP
How that is possible:
1. I add a new account to my WHM
2. Log into FTP with the cPanel credentials
3. I upload a PHP file with:
<?php
$dir = '/';
$files1 = scandir($dir);   // lists the filesystem root
print_r($files1);
echo file_get_contents('/razor-agent.log');   // reads a file outside the account's home
?>
4. Then I can see the files/folders and can also read them?
How can I prevent that?
Thanks!
-
Hey there! This seems like normal behavior to me. A user will frequently have read access to areas outside their home directory, which is necessary in order for things like PHP to function properly.
0 -
Oh okay, thanks for the info.
It just raises some security questions for me.
But if you say it is normal, then I am happy.
1 -
Sorry, I have another question, which does not seem logical to me at all.
1. I add a new account (cPanel) to my WHM
2. I add a new user account to that cPanel (with FTP enabled, and with home directory: /public_html/dev2)
If the user logs in with this FTP account, then he can see only the files within dev2.
However, he can easily access all other files outside of /public_html/dev2 with scandir, file_get_contents.
That's really misleading, I think, because it gives the impression that if you set a home directory, it will not allow access to other files.
How can I solve this so that this user cannot reach any other folder with PHP? Thanks
0 -
I also believe this is normal behavior. If a directory has 755 permissions, that translates to the following:
rwxr-xr-x
That means any user on the system has read access to that directory, which is likely why the "scandir" tool shows them. It doesn't mean they'd be able to write anything to those areas, but they can see them.
0 -
Thank you for your quick answer.
"I also believe this is normal behavior"
I want to allow my "guest" (FTP user) to enter only ONE room (home directory) in my house, so I ask the janitor (cPanel) to set it up.
He says it is set up correctly (cPanel: Success: The system successfully updated the following user: xxxx).
I do not trust anybody, so I test whether all my other rooms are locked so he cannot enter (I log in with the "guest" FTP account, and I see only the content of the home directory).
I am happy that I chose the right janitor, and I pay my janitor's wages regularly (cPanel subscription fee)...
One day my guest tells me a piece of information that he should NOT know, and the only way he could know it is that he entered one of my locked rooms.
So I try to investigate how he could enter my locked room, and accidentally I moved the entrance mat of one of the rooms, and the key was there... (I just logged in to FTP with the guest FTP user account and uploaded a PHP file containing scandir, file_get_contents)....
I called my janitor (wrote on the cPanel forum) to ask why that is. The answer I got: that's absolutely normal, the key fits into the keyhole, so the door can be opened... (your last answer)...
It just does not make any sense to me why I have the possibility to create a new FTP user if by default he can access all files (open the door by using the key under the entrance mat); then I could just give him mine.... It is just completely misleading, because the cPanel user thinks that his other folders are safe.
If other restrictions are needed, that's okay, no problem with that, but why do you not do this by default, or at least give a warning that other steps are needed? (Like the janitor should tell me: sir, I locked the door, but I will put the key under the entrance mat, and if you want it more secure you need to take the key with you)...
Finally, can you please tell me what the solution is?
So I have an FTP user on my cPanel account with home directory: /home/cpaneluseracount/public_html/guest_folder
I do not want the user to be able to access any file outside of this folder if he writes scandir, file_get_contents in PHP.
I have read about open_basedir, but how do I set it up for that specific folder?
Thank you!
0 -
Unfortunately there isn't going to be a way to change this behavior as this is just how Linux works even without cPanel being installed.
0
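The thread's point is that the FTP sub-account's "home directory" is only an FTP-server boundary: a PHP file the sub-account uploads runs as the cPanel account's Unix user, so it can read anything that user can read, and a 755 directory is readable by every user on the box. The earlier question asks how open_basedir, which restricts the paths PHP's own file functions will touch, could be scoped to one folder. The script below is an added example, not code from the thread or from cPanel; the `guest_folder` layout, `/etc/hostname` as the "file outside the folder", and the use of the script's own directory as the allowed base are assumptions for illustration. It first reports the "others" permission bits that make the listing possible, then tightens open_basedir to its own directory and shows the same scandir and file_get_contents calls failing:

```php
<?php
// Added example (not from the cPanel thread): why the uploaded script can list
// "/" (the "others" read/execute bits on a 755 directory) and how open_basedir
// stops PHP's file functions from leaving one folder. Run with the PHP CLI:
//   php demo.php
// The allowed directory is this script's own directory, standing in for
// /home/cpaneluseraccount/public_html/guest_folder from the thread (assumption).

declare(strict_types=1);

$allowed = __DIR__;

// "Others" permission bits. A 755 directory (rwxr-xr-x) has both set, so any
// Unix user on the host, including the one PHP runs as, can list and enter it.
function othersCanRead(string $path): bool {
    return (fileperms($path) & 0004) !== 0;
}
function othersCanTraverse(string $path): bool {
    return (fileperms($path) & 0001) !== 0;
}

// The two calls from the original post, wrapped so a failure is reported as
// text. "@" suppresses the warning; error_get_last() still records it.
function tryListing(string $dir): string {
    $entries = @scandir($dir);
    if ($entries === false) {
        return "scandir($dir): blocked (" . (error_get_last()['message'] ?? 'unknown error') . ")";
    }
    return "scandir($dir): " . count($entries) . " entries";
}

function tryRead(string $file): string {
    $data = @file_get_contents($file);
    if ($data === false) {
        return "file_get_contents($file): blocked (" . (error_get_last()['message'] ?? 'unknown error') . ")";
    }
    return "file_get_contents($file): read " . strlen($data) . " bytes";
}

printf("/ is %s and %s by other users\n",
    othersCanRead('/') ? 'readable' : 'not readable',
    othersCanTraverse('/') ? 'traversable' : 'not traversable');

echo "--- before open_basedir ---\n";
echo tryListing('/'), "\n";
echo tryRead('/etc/hostname'), "\n";   // a world-readable file outside the folder (assumption)
echo tryRead(__FILE__), "\n";          // a file inside the folder

// open_basedir is PHP_INI_ALL: a script may tighten it at run time but can
// never loosen it. Restrict PHP to the script's directory plus /tmp (PHP needs
// /tmp for sessions and uploads on most hosts). PATH_SEPARATOR is ":" on Unix.
if (ini_set('open_basedir', $allowed . PATH_SEPARATOR . '/tmp') === false) {
    fwrite(STDERR, "could not tighten open_basedir\n");
    exit(1);
}

echo "--- after open_basedir={$allowed}:/tmp ---\n";
echo tryListing('/'), "\n";            // now fails with an open_basedir restriction warning
echo tryRead('/etc/hostname'), "\n";   // now fails
echo tryRead(__FILE__), "\n";          // still works: inside the allowed directory
```

Tightening open_basedir from inside the script only proves the mechanism; the FTP user controls that script, and could just as well edit a `.user.ini` placed in the folder. To actually confine the sub-account the setting has to come from a file that user cannot write, for example `php_admin_value[open_basedir]` in the PHP-FPM pool for the account or the account-level PHP INI settings managed through WHM. Two caveats a practitioner should keep in mind: open_basedir constrains only PHP's own file functions, not anything else the same Unix user can run, and it does not change the underlying permissions, so a world-readable file elsewhere on the host stays readable to every other account whose PHP is not restricted.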