2

Given that standard server hardening was performed, can /etc/passwd be accessed by a shared hosting account using PHP or Perl scripts that are executed from the public_html of the shared account?

IMB
  • If it's chrooted with chroot() - no, if it's SELinux or AppArmor - yes, if there is no extra security - yes, if it's using an external auth server - no, if it runs Cloud Linux - no, if it runs standard cPanel - yes. Also, it depends on what you mean by standard hardening. You can use chroot(), SELinux, AppArmor, Cloud Linux; you can also use KVM, Xen, grsecurity, and the list of ways you can actually harden the cPanel machine is very long. – Andrew Smith Aug 02 '12 at 18:44
  • Actually yes, I am just searching this subject on the forum, and I think that an external authentication server is the best solution for the problem. Actually, following all the rules of this is not an easy job at all; heh, it's really easy to hack any cPanel machine, so hardening it for serious commercial usage is a long process, and if you consider the applications and databases running on it, it can be extreme to actually kill all viruses and worms on an average cPanel system. – Andrew Smith Aug 02 '12 at 20:03

1 Answer

1

Almost certainly. cPanel doesn't enforce access control, and /etc/passwd is readable by everyone. /etc/shadow is the important file anyway; it contains the password hashes and is only readable by root.

rook
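An added example (not part of the answer above, and not cPanel's own tooling): a small audit of the two conditions the answer relies on, namely that /etc/shadow is not readable by others and that no entry in the world-readable /etc/passwd carries a hash or an empty password field. The sample entries are constructed, and the set of accepted placeholder values is an assumption for typical Linux systems.

```python
import os
import stat

# Constructed sample in /etc/passwd format (name:passwd:uid:gid:gecos:home:shell).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
legacy:$6$constructedsalt$constructedhash:1002:1002::/home/legacy:/bin/sh
nopass::1003:1003::/home/nopass:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""

# Assumption: values that mean "password is in shadow" or "account locked".
PLACEHOLDERS = {"x", "*", "!", "!!"}

def passwd_field_findings(text):
    """Return (user, issue) pairs for entries whose password field should not
    sit in a file that every local account can read."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], "malformed entry"))
        elif fields[1] == "":
            findings.append((fields[0], "empty password field"))
        elif fields[1] not in PLACEHOLDERS:
            findings.append((fields[0], "possible hash stored in passwd"))
    return findings

def readable_by_others(path):
    """True if the 'other' read permission bit is set on path."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

def audit(passwd_path="/etc/passwd", shadow_path="/etc/shadow"):
    """Combine the permission check on shadow with the field check on passwd."""
    report = []
    if os.path.exists(shadow_path) and readable_by_others(shadow_path):
        report.append((shadow_path, "world-readable"))
    with open(passwd_path) as fh:
        report += passwd_field_findings(fh.read())
    return report

if __name__ == "__main__":
    for item, issue in audit():
        print(f"{item}: {issue}")
```

An empty report means the world-readable file exposes account names and home directories but no password material.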