Very weak security
I have just activated my CGI/php permissions and telneted into my account only to find the worst security setup I've ever encountered!

I am not going to go into details of how to do it, but watch out: anything you put in your home directory on the server is by default world readable, i.e. database passwords in php files etc.

Has anyone else noticed this, does anyone else care?

Has the Force 9 staff got any comment?

Robin
5 REPLIES

RE: Very weak security

Well I tested it and yeah I found someone else's db password.

I posted a ticket and was told " the cgi server is a shared service and is only sold as a value add-on to the main account. There are ways for customer to secure their own space and it is at their discretion to do this. The service is only offered as is. ..."

So, they know about it but can't be arsed to set up some basic security as default. Nice.


RE: Very weak security

:eek:
Well I've recently activated my CGI access (although I've not yet put anything on the CGI server yet - ** AND WON'T ** until I fully understand how to set the security).

I took a wander around the CGI server yesterday, after telnetting in to it. I was VERY concerned with the amount of access I seemed to have to other customers' directories. I would hope that any ISP offering any form of hosting service would provide at least minimal security and a better guide to securing a web site than just talking about '.htaccess' (only in the general FAQ).

I would like to see better access control implemented, perhaps through a portal applet (under 'Website settings' perhaps?), that would have the ability to set different access levels for different customer-specified accounts - perhaps utilising the mailbox users created?

I think this should be used across all the hosting servers - i.e. web space, CGI, DB etc.

Regards

Neil

Very weak security

Recommend going for the following permissions:

user:  rwx
group: ---
other: r-x

or in other words a "chmod 705"

Okay not ideal, but it should stop most of the legit users of the server (who are in the group "shellcgi") from checking out your db password.

If you do a "find ~ -exec chmod 705 {} \;" (without the quotes) this will recursively do your home directory.

Hope this helps

Stefan Cheesy

Very weak security

Quote
If you do a "find ~ -exec chmod 705 {} \;" (without the quotes) this will recursively do your home directory.


Or why not just do:

chmod -R g-rwx *

to recursively remove the group permissions, leaving the owner's and world's permissions unchanged?

Very weak security

Quote
Quote
If you do a "find ~ -exec chmod 705 {} \;" (without the quotes) this will recursively do your home directory.


Or why not just do:

chmod -R g-rwx *

to recursively remove the group permissions, leaving the owner's and world's permissions unchanged?


More or less what I was thinking, except I'd have gone for

chmod -R 705 *
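The three fixes above (chmod 705, chmod -R g-rwx *, chmod -R 705 *) all aim at the same thing: keep the other shell/CGI users in the shared group out of your files while leaving the owner and "other" bits the web server relies on. The following script is an added example for this thread, not something posted by any of the participants or by the ISP. It builds a constructed sample home directory with the usual shared-host defaults (755 directories, 644 files, a php file holding a placeholder password, a dotfile), counts everything a group member could read, write or traverse, and then strips the group bits. It uses find rather than a shell glob so that dotfiles such as .htpasswd are covered (a bare * skips them), and it removes only the group bits instead of forcing 705, so existing owner/other modes are kept as they are. The directory layout, file names and the password value are all made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a home directory on a shared
# host for paths that group members can read, write or traverse, then
# remove the group bits. Unlike "chmod -R g-rwx *" this also covers
# dotfiles, and unlike "chmod 705" it leaves owner/other bits untouched.

set -u

# Print every path under $1 with any group permission bit set.
# Octal -perm tests are POSIX: -040 group read, -020 group write, -010 group exec.
group_accessible() {
    find "$1" \( -perm -040 -o -perm -020 -o -perm -010 \) -print
}

# Number of such paths (tr strips the leading spaces some wc builds print).
count_group_accessible() {
    group_accessible "$1" | wc -l | tr -d ' '
}

# Remove group read/write/execute from everything under $1, dotfiles included.
strip_group_bits() {
    find "$1" -exec chmod g-rwx {} +
}

# Build a constructed sample home directory under a fresh temp dir and print
# its path. Modes mimic common shared-host defaults: 755 dirs, 644 files.
make_sample_home() {
    sample_root=$(mktemp -d)
    sample_home="$sample_root/home"
    mkdir -p "$sample_home/public_html/inc"
    # Constructed config file with a placeholder, not a real credential.
    printf '<?php $db_pass = "EXAMPLE-PLACEHOLDER"; ?>\n' \
        > "$sample_home/public_html/inc/config.php"
    # Dotfile that a "chmod -R ... *" glob would miss.
    printf 'user:x\n' > "$sample_home/.htpasswd"
    find "$sample_home" -type d -exec chmod 755 {} +
    find "$sample_home" -type f -exec chmod 644 {} +
    printf '%s\n' "$sample_home"
}

# Stand-alone demonstration: before the fix, home, public_html, inc,
# config.php and .htpasswd (5 paths) are group-accessible; after it, none.
demo() {
    h=$(make_sample_home)
    before=$(count_group_accessible "$h")
    strip_group_bits "$h"
    after=$(count_group_accessible "$h")
    echo "group-accessible paths before: $before, after: $after"
    rm -rf "$(dirname "$h")"
}

demo
```

To apply the same check to a real account, point group_accessible at the home directory (find ~ ...) and review the list before running strip_group_bits; if the web server on the host reads your files through the "other" bits, as the 705 suggestion implies, those bits are left exactly as they were.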