Duncan, I agree. It sucks. I've asked this question before on the list but it went a bit off topic; however, a few people did contribute some good information. The problem is that there are some parts of the admin control panel which have to run under root privileges. It has to be able to add DNS entries, add users in /etc/passwd, etc. etc., all that stuff which cannot be done in a shell using the "Admin" account.

The general view is that the Cobalts were designed for non-*nix people to be able to administer their box without having to do anything from a shell. I've spoken to the people who I rent our box from and they reckon this issue has been reported before but there have never been any confirmed break-ins via this route. Obviously just because they claim none have been confirmed does not mean it doesn't exist. If you are comfortable setting up accounts and administering the box from a secure shell then I'd advise doing that, although again this destroys the point of the RaQ's ease of use for the non-*nixers.

Concerning this, the following quote is from Michael Stauber on this list, who replied before when I brought this issue up:

<snip>
"Running the GUI as root is a must with the given architecture as anything else is asking for a complete redesign of the administration interface. Sure, you could disable the GUI, but then all you've got is a (hardware wise) ridiculously outdated server which still has tons of design flaws (software wise) and no easy ways of administration for the point-and-click community, which the machine was designed for.

The only thumbs up I can give in that regard is the following: Even though the Admin GUI runs as user "root" I haven't heard that it has been successfully exploited in any way - so far. Which is a tribute to the Perl programmers behind the GUI - no doubt. The Apache GUI has been running as root since ... 1997 with the introduction of the RaQs - if I'm not mistaken.

There are other issues with the Cobalts which most/many/nobody (your mileage might vary) could find more worrying. For instance that any FTP user can wander outside his own directories and sniff around on almost the entire machine. So there are no chrooted and sandboxed home directories and/or services. Heck, even Bind-8 was running as user root for years, until a long overdue official patch fixed it.

Furthermore the permissions of certain files and folders look like they've been designed in Redmond <shudder>."
</snip>

So as you can see there are other flaws with the RaQs. Also, do your logs point to the break-in originating from Apache?

Anyway, in answer to your questions:

A. Nope (well, yeah, maybe, but with some serious nightmares).

B. You could try running the panel through SSL, but then you have problems with certificates not matching the domain names.

Anyway, hope this info helps you. Also, if you have any decent logs which point the finger at Apache or any other service, would you mind sharing them?

G'luck.

fragga

----- Original Message -----
From: "duncan gray" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, February 21, 2002 3:05 AM
Subject: [cobalt-security] Securing Admin Pages

> Hi,
> I've recently just had one of my websites hacked on my
> server. I have no idea how, as I thought my server was
> pretty secure, as I've kept up to date with all the
> latest patches, switched my telnet over to SSH, and
> so forth. My biggest guess is that you have to pass the
> root password to the machine while logging in over the
> web admin pages; this scares me somewhat. But it raises
> some questions in my mind.
>
> A. Is there a way to make the main admin pages work
> off a different user account? If not, why not, as it
> seems like a huge security hole to me.
>
> B. Secondly, I don't know much about certificates, but
> is it possible to issue a client certificate or some
> sort of certificate so you can limit only certain
> browsers/users to access that site, and make sure
> that the link between the server and the client is
> secure?
>
> Thanks
>
> Duncan.
>
> _______________________________________________
> cobalt-security mailing list
> [EMAIL PROTECTED]
> http://list.cobalt.com/mailman/listinfo/cobalt-security
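As an added illustration of Duncan's question B and of fragga's point about certificates not matching the domain names (this is example configuration, not Cobalt's own admin setup and not code from anyone on the thread): an Apache mod_ssl virtual host that serves the admin pages only over SSL, only to browsers that present a client certificate signed by a CA you run yourself, and only from an admin network. The hostname, port, file paths, CA name, user CN and network range below are all assumptions; adjust them to the box. The certificate/hostname mismatch fragga mentions is simply that the server certificate's CN has to equal the name you type into the browser, so pick one dedicated admin hostname and always use that one.

```apache
# Added example (not Cobalt's shipped configuration). Assumed hostname,
# port, paths, CA name, CN and network range. mod_ssl directive syntax
# as used by Apache 1.3 + mod_ssl and Apache 2.x.
Listen 443
<VirtualHost _default_:443>
    # The server certificate's CN must be exactly this name. Browsing to
    # the box via one of the hosted customer domains instead is what
    # produces the "certificate does not match" warning.
    ServerName admin.example.com
    DocumentRoot /home/httpd/admin            # assumed path of the admin pages

    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCertificateFile    /etc/ssl/admin.crt  # assumed: server cert, CN=admin.example.com
    SSLCertificateKeyFile /etc/ssl/admin.key

    # Your own private CA that signs client certificates. The browser must
    # present a certificate chaining to this CA before any page is served.
    SSLCACertificateFile  /etc/ssl/admin-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 1

    <Location />
        # Belt and braces: only the admin network may reach the handshake at all.
        Order deny,allow
        Deny from all
        Allow from 192.0.2.0/24               # assumed admin network

        # And of the certificates our CA issued, only this user's is accepted.
        SSLRequire %{SSL_CLIENT_S_DN_CN} eq "duncan" and \
                   %{SSL_CLIENT_I_DN_O}  eq "Example Admin CA"
    </Location>
</VirtualHost>
```

The client certificate and key are issued from the private CA and imported into the browser as a PKCS#12 bundle (openssl's `pkcs12 -export` produces one). Two caveats worth stating plainly: this only controls who can reach the GUI and encrypts the session, it does nothing about the GUI itself running as root, so question A stands exactly as fragga answered it; and on a RaQ the admin interface listens on its own port with its own Apache instance, so this vhost would have to be merged into that instance's configuration rather than the customer-facing one, which is an assumption to verify on the box before relying on it.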
