security: 5 minutes howto on hacking linux websites in HC8

agermose
Senior Member
2009/10/31 01:54:17 (permalink)

security: 5 minutes howto on hacking linux websites in HC8

Because of the lack of real security, combining a little information about the host will make it so easy to deface all websites on a server running HC8.

1) You need all domains running on a given host. There are lots of databases on this on the internet.
2) You need access to a webhotel on the server. Buy one :) or hack one of the sites you found in 1) by maybe an unpatched CMS.
3) Test that it's running HC8 by just checking the dir structure from a php script.
4) Start running through all the resellers, customers and combining the /webspace/"reseller"/"customer"/"webdomain"/www/html and start doing what you want - read passwords, write files - whatever you want. And all this from the most basic php script in the world.


#1


    HC Staff
    HC Staff
    Re:security: 5 minutes howto on hacking linux websites in HC8 2009/11/01 23:47:27 (permalink)
    What is the difference in using the same php script on 2 different websites:
    1 = created via HC panel
    2 = created manually in the apache.

    Where are permissions lacking at the server end?
    #2
    agermose
    Senior Member
    Re:security: 5 minutes howto on hacking linux websites in HC8 2009/11/02 08:52:39 (permalink)
    Not sure what you are asking in the first part.

    What I'm finding, looking at the setup, is that if I can break into ONE website - maybe by exploiting an unpatched joomla or something I find - then the whole server is wide open.

    Users don't update CMS. So if they get hacked/defaced - bad luck, but mostly the webadmin's problem. He can update his CMS and have less chance of problems, or not update and have a big chance of problems.

    What is MY problem is that compromising ONE webhotel/website should NOT compromise all the rest on the server. And in HC this seems to be extremely simple to do.

    Hacking (if that's the right word anyway) one site will allow you easy access to all sites. This is the problem - and a very BIG one at it.


    #3
    HC Staff
    HC Staff
    Re:security: 5 minutes howto on hacking linux websites in HC8 2009/11/02 20:21:26 (permalink)

    hacking (if that's the right word anyway) one site will allow you easy access to all sites. This is the problem - and a very BIG one at it.


    Can you please focus on this part of your query and elaborate on the security hole which you are asking about.
    As far as HC is concerned, we use tight permissions at the end-user level. That's why I asked previously what sort of permissions you would use if you created a domain manually on the linux server?
    #4
    bdeivid
    Junior Member
    Re:security: 5 minutes howto on hacking linux websites in HC8 2009/11/09 14:02:15 (permalink)
    From my point of view the lack of security is in php not running with the user's ID but with some too high privileges.
    Try installing su_php to force the php interpreter to run under the user's ID so the user would be isolated.

    br
    bd
    #5
    agermose
    Senior Member
    Re:security: 5 minutes howto on hacking linux websites in HC8 2009/11/09 14:27:15 (permalink)
    Well, I cannot really say too much about how to fix it since I'm not sure what is needed and why you have done what you have done.

    If the server is only running php you can, as someone was already writing about, look at su_php. One simple improvement would be to implement the open-basedir option. Make a setting to use openbasedir in the admin. The admin should have two inputs - a checkbox for enable/disable openbasedir and a textfield where the admin can add dirs to add to the openbasedir setting, appending to the root of the webhotel.

    It's really HC who should be the best to say why things like /webspace are world readable AND writable. Since the whole path into every. If it's not apache running the adminscripts - why is there a need to have /webspace other than ug+2rx,o-rw (saying "others" should only be able to Xcute into the dir - not read the dir and absolutely not write it).

    but openbasedir settings in httpd.conf
    #6
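
An added example (not part of any post in this thread, and not HC code): a Python audit of the permission policy proposed in the post above, where "others" may traverse directories under /webspace but not list or write them. The function names, the depth limit and the sample tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

def audit_webspace(root, max_depth=3):
    """Return sorted [(path, problems)] for directories at or below root
    (down to max_depth levels) where "others" can do more than traverse."""
    findings = []
    root = os.path.abspath(root)
    base_depth = root.rstrip(os.sep).count(os.sep)
    for dirpath, dirnames, _ in os.walk(root):
        depth = dirpath.rstrip(os.sep).count(os.sep) - base_depth
        if depth >= max_depth:
            dirnames[:] = []  # audit this level, but do not descend further
        mode = os.lstat(dirpath).st_mode
        problems = []
        if mode & stat.S_IROTH:
            problems.append("world-readable: others can list entries")
        if mode & stat.S_IWOTH:
            problems.append("world-writable: others can create/delete entries")
        if problems:
            findings.append((dirpath, problems))
    return sorted(findings)

def build_sample(tmp):
    """Constructed sample tree: customerA locked down, customerB left open."""
    layout = {
        "webspace": 0o751,
        "webspace/reseller1": 0o751,
        "webspace/reseller1/customerA": 0o750,
        "webspace/reseller1/customerB": 0o777,
    }
    for rel, mode in layout.items():  # parents are listed before children
        path = os.path.join(tmp, rel)
        os.mkdir(path)
        os.chmod(path, mode)  # chmod explicitly so the umask does not interfere
    return os.path.join(tmp, "webspace")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, problems in audit_webspace(build_sample(tmp)):
            print(path)
            for problem in problems:
                print("   ", problem)
```

Pointing `audit_webspace` at a real `/webspace` tree lists the directories whose mode needs tightening; per-user PHP execution or an openbasedir restriction, as suggested in the thread, is still needed because the web server user itself must be able to read the sites.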
    roland
    Junior Member
    Re:security: 5 minutes howto on hacking linux websites in HC8 2010/05/04 22:52:49 (permalink)
    suphp ****, causes heavy load.

    openbasedir yes, works. I will test hc8 security these days myself.

    #7