

user can see /etc/passwd. how to stop this




Posted by its_joe, 09-01-2007, 06:31 PM
Hello, we have CentOS and WHM 11 on the server. Also we have PHP 4.4.4 and open base dir enabled on the server. We have a shared server with many websites configured on it. Now the user uses the following PHP code and can see the /etc/passwd file:
=============================================
============================================
Now how to stop this? This is a security hole. So please suggest how to stop this. Thanks. its_joe

Posted by Patrick, 09-01-2007, 06:33 PM
That's not a security hole. The /etc/passwd file contains nothing of any real value...

Posted by Steve_Arm, 09-01-2007, 08:44 PM
The security hole is if passwords are composed from single words.

Posted by psychomarine, 09-01-2007, 09:46 PM
This is true. The ability to view the etc/passwd is only useful in particular things.
1. It provides a list of usernames, important for bruting.
2. That same list of usernames could aid in cross server attacks. (/home[username]/public_html/)
3. Could show who has shells or not. (for bruting)
Other than this, it's not that important, but I would suggest not worrying about it that much. Usernames can be emulated, or guessed with programs such as nikto.pl. Just make sure the ability to brute your ssh is denied, cross server attacks, usually by setting directory permissions of the user's directory to something like 711. Google has many many hardening tutorials on all your services and server security.

Posted by dexxtreme, 09-02-2007, 01:06 AM
The fact is that "/etc/passwd" must be world readable, otherwise particular services that drop root privileges when running (e.g., bind, proftpd, apache, etc.) may or may not function properly if they can't match usernames to system UIDs.

Posted by Dexqt, 09-02-2007, 01:36 AM
Correct, it isn't a security hole. The passwords cannot be decrypted to my knowledge (don't quote me on that) and, as dexxtreme stated, the file MUST be world readable, otherwise you WILL find yourself in a heap of trouble.

Posted by dexxtreme, 09-02-2007, 06:21 AM
To read the master password file (/etc/shadow on Linux, /etc/master.passwd on FreeBSD) you have to gain root access anyway. Once you gain root access, you have little need for additional passwords.

Posted by CretaForce, 09-02-2007, 06:33 AM
There were OSes many years ago that stored encrypted passwords inside /etc/passwd. Then system users used John the Ripper (I don't remember if the name is correct) to try to find the root password.

Posted by psychomarine, 09-02-2007, 12:29 PM
You don't need to gain root access in all cases. It all depends on who set up the box. I've seen the shadow file as user 'nobody'. With jtr, it's easy. You just take the passwd file, the shadow file, and run it through. Problem is, unless you used a password of something stupid like 'rosebud' or anything else that's in a word list, then you're screwed. Either way, this could take a very very long time. You could tighten your security by forcing all passwords to be a minimum of 16 chars, require at least 1 uppercase, 1 special char, 1 underscore, etc... and the most troubling chars for cracking programs are spaces.

Posted by Patrick, 09-02-2007, 02:31 PM
Yikes! That's far from the norm... if the shadow file was readable by the user nobody, someone screwed up on an unimaginable level.

Posted by Tech4server, 09-02-2007, 04:19 PM
I am not very good at PHP, but setting the open_basedir value under the vhost in httpd.conf will stop PHP scripts from accessing files outside of the user's home dir.

Posted by david510, 09-02-2007, 11:34 PM
One thing you can do is run PHP as CGI, so the "nobody" user cannot upload and execute PHP scripts.
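
An added example, not part of the thread: a shell audit of the file modes the replies above discuss (/etc/passwd world-readable but not writable, the shadow file closed to other users, home directories at 711). It assumes GNU `stat -c` as on CentOS; the `ROOT` prefix argument, the function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat (stat -c), as on CentOS.
# audit_perms ROOT inspects ROOT/etc/passwd, ROOT/etc/shadow and ROOT/home/*.
# ROOT is a hypothetical prefix ("" = live system) so a test tree can be audited.
# Only mode bits are checked, not ownership.

mode_of()  { stat -c '%a' "$1"; }               # octal mode, e.g. 644
has_bits() { [ $(( 0$1 & 0$2 )) -ne 0 ]; }      # any bit of octal mask $2 set in $1?

audit_perms() {
    root=$1; bad=0
    p="$root/etc/passwd"; s="$root/etc/shadow"
    if [ -f "$p" ]; then
        m=$(mode_of "$p")
        # Daemons that drop root map UIDs to names here, so it stays world-readable.
        if ! has_bits "$m" 004; then echo "WARN $p ($m): not world-readable"; bad=1; fi
        if has_bits "$m" 022; then echo "FAIL $p ($m): group/world-writable"; bad=1; fi
    fi
    if [ -f "$s" ]; then
        m=$(mode_of "$s")
        # Password hashes live here; no "other" bit may be set.
        if has_bits "$m" 007; then echo "FAIL $s ($m): open to other users"; bad=1; fi
    fi
    for h in "$root"/home/*; do
        [ -d "$h" ] || continue
        m=$(mode_of "$h")
        # 711: the web server can traverse, other users cannot list or write.
        if has_bits "$m" 006; then echo "FAIL $h ($m): expected 711"; bad=1; fi
    done
    return "$bad"
}

# Constructed demo tree (not real system files): shadow and bob are misconfigured.
demo=$(mktemp -d)
mkdir -p "$demo/etc" "$demo/home/alice" "$demo/home/bob"
: > "$demo/etc/passwd"; : > "$demo/etc/shadow"
chmod 644 "$demo/etc/passwd" "$demo/etc/shadow"
chmod 711 "$demo/home/alice"; chmod 755 "$demo/home/bob"
audit_perms "$demo" || echo "findings reported"
rm -rf "$demo"
```

Calling `audit_perms ""` as root checks the live system; the function returns 0 when nothing is flagged and 1 otherwise.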


