‘Addon’ Domains Are Terrible For Security And Should Never Be Used
Over the years I’ve spent a lot of time warning people about using cPanel’s addon domains feature (and anything like it, for that matter).
For some reason, whenever I bring the topic up, almost no-one has ever been aware of the dangers of using the feature and why it’s so fundamentally flawed that it shouldn’t even exist as a feature in the first place.
It doesn’t exactly help that most budget web hosts use the feature to offer ‘unlimited domains’ and similar perks on their low-end plans; taking a host up on that offer is generally a bad idea, too.
I digress… first, let’s talk about the fundamental building block of computer security. The humble user account.
User Accounts Matter (Duh!)
The most important principle in any modern (or even decades old) computing environment is user security and user accounts. If you haven’t really thought about how this works, and why it matters, consider this a quick, shallow run through on why it matters and, crudely, how it ‘works’.
At its core, a modern user account can be thought of as identifying a single entity that has permission to perform various actions with objects that exist within the same system (or sometimes, connected systems) provided by the service you’re using it with.
That might be a little difficult to read, so an example or two is in order:
- Your ‘user account’ with a bank, allows you to transact with the money in your accounts, or borrow money within certain parameters.
- Your ‘user account’ with Google allows you to access your email, photos, etc. as well as other resources that have been shared with you (e.g. shared photos).
- Your ‘user account’ with Facebook allows you to manage your profile, timeline, groups, etc.
Now try to imagine how bad it might be without user accounts:
- Anyone could ask to withdraw ‘your’ money from the bank
- Anyone could read ‘your’ email or view your photos at Google
- Anyone could do whatever they pleased with ‘your’ personal information at Facebook
Note: I use the word ‘your’ loosely here – without the concept of a user account, there really isn’t a concept of ‘ownership’ of resources in the first place!
User accounts are used for more than just ‘people’, too – they’re used to keep different services separate from each other, and prevent ‘bad things’ from happening.
For example, websites:
- Your website should not be able to access the files of another website (or vice versa)
- Your website should not be able to access the database(s) of another website (or vice versa)
- … And other related services too, of course
In short, user accounts are used to ensure that resources are only accessible to people and/or services that should have access to them.
‘Addon’ domains destroy that 🙁
What Website Security Should Look Like
It may be obvious after the previous section about user accounts, but I’ll go over it to make sure it’s clear…
In an ideal world, with few exceptions, no website should be able to access the files, data, or any other services/functions of another website.
This is for a multitude of reasons, but here are the main ones:
- If the credentials for a user account are obtained by a malicious third party, the damage they can do is limited to only one site
- If a site is compromised (eg. by a vulnerability, leaked user account, etc..), it should not be possible to use that access to gain access to another site
- If there is a bug in the website that does very bad things (eg. deletes files by accident), it should not be able to break other, unrelated sites
This translates to the following best practice for most ‘normal’ sites:
- Every site should run as a different user account
- Every site should use different accounts for services (eg. MySQL databases)
- No user should have read or write access to the files of another user
Now look, mistakes happen… it’s not uncommon for a rookie helpdesk operator to screw up file permissions and allow other sites/users to gain access they shouldn’t. It happens, and it’s part of the reason you should avoid cheap hosting – $5/month doesn’t exactly go far in hiring good talent!
For more complicated or larger sites, there are many other considerations – but these are the only ones that really come into play with Addon Domains.
How Addon Domains Break Web Security
When I first saw this, it blew my mind. Seriously.
cPanel’s ‘Addon Domain’ feature doesn’t use separate user accounts for each site.
Let me say that again: cPanel’s ‘Addon Domain’ feature doesn’t use separate user accounts for each site.
Instead, all your sites run under the same user account as your ‘main’ domain. This is also why you’ll find all your addon domains cluttering up your account’s public_html folder.
There are some serious implications of this:
- If your cPanel user account is compromised, all your sites can be compromised simultaneously
- If any single site under your account (‘addon’ or ‘main’) is compromised, every other site under that account can be compromised too, even if those sites aren’t otherwise vulnerable
- Filesystem traversal between sites could create practical vulnerabilities that otherwise wouldn’t exist (e.g. chaining a partly vulnerable script on one site with another partly vulnerable script on a different site). *
*In practice I’ve never seen this happen, but it’s a possibility for higher profile sites
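The best-practice list above (one user per site, no cross-user read or write access) and the addon-domain layout described in this section can both be checked from a shell on the server. The Python audit script below is an added example, not code from this post or from cPanel. It reports three things: a site’s document root nested inside another site’s (the addon-domain layout), two sites owned by the same Unix user, and anything inside a document root that is owned by someone other than the docroot’s owner or is readable/writable by ‘other’. It assumes the model argued for here, where the web server or PHP-FPM pool runs as each site’s own user, so no ‘other’ permission bits are needed at all. The directory names and the sample config file are constructed for the demo, and because creating Unix users needs root, the demo layout is owned entirely by the current user, so the shared-owner check fires for every pair, exactly as it would on a cPanel account with addon domains.

```python
"""Audit filesystem isolation between websites on one host.

Added example (not from the original post or from cPanel). It assumes the
layout the post argues for: one document root per site, each owned by its
own Unix user, with the web server / PHP running as that user so no 'other'
permission bits are needed. Paths and names are illustrative.
"""
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    problem: str


def _nested(inner, outer):
    """True if docroot `inner` lives inside docroot `outer`."""
    return inner != outer and inner.startswith(outer.rstrip(os.sep) + os.sep)


def audit_host(docroots):
    """Return isolation findings for a list of site document roots.

    Checks, matching the post's best-practice list:
      * no site's docroot nested inside another's (the addon-domain layout),
      * no two sites owned by the same Unix user,
      * inside each docroot, every file/dir owned by the docroot's owner and
        nothing readable or writable by 'other'.
    """
    roots = [os.path.abspath(d) for d in docroots]
    owner = {r: os.lstat(r).st_uid for r in roots}
    findings = []

    for r in roots:
        for other in roots:
            if _nested(other, r):
                findings.append(Finding(other, "nested inside %s" % r))
            if r < other and owner[r] == owner[other]:
                findings.append(Finding(other, "shares owner uid %d with %s" % (owner[r], r)))

    for r in roots:
        for dirpath, _dirnames, filenames in os.walk(r):
            # check the directory itself, then each regular file in it
            for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
                st = os.lstat(path)
                if st.st_uid != owner[r]:
                    findings.append(Finding(path, "owned by uid %d, docroot owner is uid %d"
                                            % (st.st_uid, owner[r])))
                if st.st_mode & stat.S_IROTH:
                    findings.append(Finding(path, "world-readable"))
                if st.st_mode & stat.S_IWOTH:
                    findings.append(Finding(path, "world-writable"))
    # a nested docroot is walked twice (once on its own, once via its parent);
    # drop the duplicates while keeping order
    return list(dict.fromkeys(findings))


def build_demo():
    """Construct a throwaway layout and return its three docroots.

    Everything is owned by the current user (creating users needs root):
      base/main/public_html/                <- the 'main' cPanel domain
      base/main/public_html/addon.example/  <- addon domain nested inside it
      base/isolated/public_html/            <- a properly separated site
    """
    base = tempfile.mkdtemp(prefix="site-audit-")
    main = os.path.join(base, "main", "public_html")
    addon = os.path.join(main, "addon.example")
    isolated = os.path.join(base, "isolated", "public_html")
    for d in (main, addon, isolated):
        os.makedirs(d)
        os.chmod(d, 0o750)
    # the addon site's config is left 0644, a typical sloppy-permissions case
    for d, mode in ((main, 0o640), (addon, 0o644), (isolated, 0o640)):
        cfg = os.path.join(d, "config.php")
        with open(cfg, "w") as fh:
            fh.write("<?php $db_password = 'constructed-sample';\n")  # constructed
        os.chmod(cfg, mode)
    return main, addon, isolated


def run_demo():
    """Build the demo layout, audit it, and return (docroots, findings)."""
    roots = build_demo()
    return roots, audit_host(roots)


if __name__ == "__main__":
    roots, findings = run_demo()
    for f in findings:
        print("%-16s %s" % (f.problem.split()[0], f.path))
```

Against a real server, run it as root with the actual document roots, e.g. `audit_host(["/home/sitea/public_html", "/home/siteb/public_html"])`. On a cPanel account that uses addon domains, every addon docroot is reported as nested inside the main domain’s public_html and as sharing its owner, which is precisely the problem this section describes; on a host with one Unix user per site, only stray world-readable or mis-owned files should show up.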
In addition, it’s just plain messy and makes other activities more complicated than necessary (Eg. backups and restorations).
There really is no excuse for this, as there’s no practical limit on the number of user accounts that can happily coexist on a GNU/Linux server. cPanel could easily have used a separate user account for each ‘addon’ domain.
This was just a really bad call that cPanel made in the past, and now it’s stuck.
What To Do Instead
In an ideal world, anyone building sites they plan on profiting from should really be using a VPS. For around $20 – $30 or so per month, you can host as many sites as you like (traffic dependent, of course), and you gain the added advantage of your sites being completely isolated from other people’s sites.
But, not everyone can afford a VPS – that’s understandable…
If you’re stuck with shared hosting, most ‘reseller’ plans allow you to create separate user accounts for each site. This solves the issues discussed in this article, but it will never be as secure as running all your sites on servers you don’t share with anyone.
Alternatively, you could sign up for multiple shared hosting accounts… That might be a good fit if you have two or three sites and are otherwise happy with the performance of your host. As soon as you have a couple more, you’ll want to consolidate them into a reseller account (or better yet, a VPS).
Whatever you choose to do, if you’re currently making use of addon domains, please stop.