cPanel & WHM Version 94 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!

Secure default VirtualHosts

a289 shared this idea 6 years ago
Open Discussion

When looking at /server-info, I noticed the two VirtualHosts at the bottom of this email that appear to have been created by default. They run PHP as the Apache user (nobody) and also are lacking a SuexecUserGroup which has CGI scripts run as a user other than the Apache nobody user. If a script were to be exploited on these virtualhosts, because it’d be running as the Apache user, it could read the files of other sites.


I’m not saying this is a vulnerability, but I certainly think as part of defense in depth, security would be better if these were set to run scripts as some isolated user, especially since there are various ScriptAlias, ScriptAliasMatch, and Alias directives that expose CGI scripts which may eventually have a vulnerability discovered in one of them (hopefully not, but you never know). Thinking of a few examples, guestbook.cgi had a remote code execution vulnerability a long time ago and then of course there was shellshock more recently - the more we can contain things the better since it's unlikely any system will have perfect security.


I propose all new installs of cPanel have these locked down by default by having a special suPHP_UserGroup and SuexecUserGroup user/group rather than sharing Apache's, and for existing ones there be an option added to lock them down but that it default to off so as to not break anything that people are already relying on.


(from /usr/local/apache/conf/httpd.conf)

  1. # DO NOT EDIT. AUTOMATICALLY GENERATED. IF YOU NEED TO MAKE A CHANGE PLEASE USE THE INCLUDE FILES.


    <VirtualHost 172.x.x.x:80>

    ServerName 172.x.x.x:

    DocumentRoot /usr/local/apache/htdocs

    ServerAdmin test@example.com

    <IfModule mod_suphp.c>

    suPHP_UserGroup nobody nobody

    </IfModule>

    UserDir disabled

    </VirtualHost>


    # Default vhost for unbound IPs


    <VirtualHost *>

    ServerName example.com

    DocumentRoot /usr/local/apache/htdocs

    ServerAdmin test@example.com

    <IfModule mod_suphp.c>

    suPHP_UserGroup nobody nobody

    </IfModule>

    UserDir disabled

    </VirtualHost>

Leave a Comment
 
Attach a file