[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [cobalt-security] Re: cobalt-security digest, Vol 1 #797 - 1 msg
- Subject: RE: [cobalt-security] Re: cobalt-security digest, Vol 1 #797 - 1 msg
- From: Dave Anders <hostmaster@xxxxxxxxxxxxx>
- Date: Wed, 12 Jun 2002 05:41:38 -0400
- Organization: Deltaphon Multimedia GmbH
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Graeme,
slowly please ;-)
At the beginning no siteadmin or siteuser was able to "cd" into
each site directory. Permission denied what is the default
on Linux systems normally.
But now every siteadmin/siteuser is even able to enter into
/home/sites/home although ./home is owned by admin.
That's not normally and just a Telnet/SSH problem :-(
Websites against it can be protected by .htaccess
Then no web browser has access without the correct
username/password.
And exactly that's the real problem because .htaccess
is not working with SSH.
.htaccess protected files can be viewed and copied
by every user on the same system. That's not acceptable.
On the other hand it's not possible to disable SSH access
for a domain or user by the Cobalt GUI. Shall I enter
/bin/false manually ?
As we decided to purchase Cobalt server we expected a secure,
good working and easy to handle server system.
Now I have to do a lot of work manually and the Cobalt eMail
support looks no longer available.
-- Dave
> Lots of people wrote, and discussed:
> > 1. Telnet/SSH simple user permissions (Dave Anders)
>
> This is a simple function of shell users on Cobalt servers[0] not
being in a chroot jail. Many hosting systems (whether
vendor/system-specific, freely downloadable, or pay-per-user like
Ensim or Plesk for example) choose to (or not to) use chroot jails
for their own specific ends.
>
> Basically if you're chrooted, you only have access to whatever the
chroot is setup to let you see in your environment. If you're not,
you can wander wherever you have permissions to. If that's on a
webserver, then the webserver process itself has to be able to see
all the relevant files in all relevant directories. In most cases
that means you can, too.
>
> Yes, it's a potential security problem. However I think that's the
least of your worries, since the files are (almost without exception)
visible via a web browser anyway! So your clients can see each
others' web pages on the server? Big deal! They can see them through
the website anyway!![1]
> Having shell users is, in itself, a security problem. Someone with
shell access has just removed the first hurdle to Getting Root -
they're not remote any more.
>
> The upshot is: don't give shell access to people you don't trust,
or make sure you regularly analyse their shell histories for what
they appear to be doing[2].
>
> [0]Not sure about the newer XTRs and 550s, mind you, I haven't
fully tested one yet.
> [1]In most cases. Some files will still be invisible.
> [2]'appear to be doing' since it's relatively easy to obfuscate
what you really are doing :)
>
> Graeme
> --
> Graeme Fowler
> System Administrator
> Host Europe Group PLC
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>