RE: [cobalt-security] Re: cobalt-security digest, Vol 1 #797 - 1 msg

["Graeme Fowler" <graeme.fowler@xxxxxxxxxxxxxx>]

Lots of people wrote, and discussed:
>    1. Telnet/SSH simple user permissions (Dave Anders)

This is a simple function of shell users on Cobalt servers[0] not being in a chroot jail. Many hosting systems (whether vendor/system-specific, freely downloadable, or pay-per-user like Ensim or Plesk for example) choose to (or not to) use chroot jails for their own specific ends.

Basically if you're chrooted, you only have access to whatever the chroot is setup to let you see in your environment. If you're not, you can wander wherever you have permissions to. If that's on a webserver, then the webserver process itself has to be able to see all the relevant files in all relevant directories. In most cases that means you can, too.

Yes, it's a potential security problem. However I think that's the least of your worries, since the files are (almost without exception) visible via a web browser anyway! So your clients can see each others' web pages on the server? Big deal! They can see them through the website anyway!![1]
Having shell users is, in itself, a security problem. Someone with shell access has just removed the first hurdle to Getting Root - they're not remote any more.

The upshot is: don't give shell access to people you don't trust, or make sure you regularly analyse their shell histories for what they appear to be doing[2].

[0]Not sure about the newer XTRs and 550s, mind you, I haven't fully tested one yet.
[1]In most cases. Some files will still be invisible.
[2]'appear to be doing' since it's relatively easy to obfuscate what you really are doing :)

Graeme
-- 
Graeme Fowler
System Administrator
Host Europe Group PLC