Re: Security Question, re directory permissions

I'm genuinely interested to know with whom you're hosting...

-- 
itoctopus - http://www.itoctopus.com
"Tijnema" <tijnema@xxxxxxxxx> wrote in message 
news:d8269d910705181734g8478851mb53d12a3460e9a6d@xxxxxxxxxxxxxxxxx
> On 5/19/07, Al <news@xxxxxxxxxxxxx> wrote:
>> How can anyone, other than the staff, get into my site?  Far as I know,
>> other users can't get out of their own domain space and into mine.
>
> That's quite easy, especially when you have SSH access.
> Of course, it will only work with specific settings, and that might be
> blocked on some hosts, but it works for me.
> On my host, accounts for domains are just in /home,
> so let's say I have 2 accounts, account a & b.
> Their directories are resp. /home/a & /home/b.
> When I create a directory with account a at /home/a/dir, and I chmod it
> 757, I can write a file there from account b.
>
> Tijnema
>>
>> Tijnema wrote:
>> > On 5/19/07, Al <news@xxxxxxxxxxxxx> wrote:
>> >> But, SSH and telnet, etc. require authentication log-in and all the
>> >> executables you mentioned [and others] require someone who has access
>> >> to upload a harmful file to start with.  Right? Once they are in there,
>> >> they can do anything they please anyhow.
>> >>
>> >> Al.........
>> >
>> > Well, you were talking about a shared linux host, so other people,
>> > from a different account, could just upload files, and if you have a
>> > directory with 757, that user could write to it.
>> >
>> > Tijnema
>> >>
>> >> Tijnema ! wrote:
>> >> > On 5/18/07, Al <news@xxxxxxxxxxxxx> wrote:
>> >> >> How can they write or edit files there without having ftp access or
>> >> >> the site's file manager?
>> >> >
>> >> > SSH access? Telnet maybe? PHP script? CGI script? ASP script?
>> >> >
>> >> > There are a lot of possible ways someone can write there.
>> >> >
>> >> > Tijnema
>> >> >>
>> >> >> Tijnema ! wrote:
>> >> >> > On 5/18/07, Al <news@xxxxxxxxxxxxx> wrote:
>> >> >> >> I'm on a shared Linux host and have been wondering about security and
>> >> >> >> directory "other" ["world"] permissions.
>> >> >> >>
>> >> >> >> The defaults are 755. The 'others' [world] can read them only.
>> >> >> >>
>> >> >> >> Is there a security hole if a dir on the doc root has
>> >> >> >> permissions 757?
>> >> >> >>
>> >> >> >> If there is a security problem, what is it?
>> >> >> >>
>> >> >> >> Thanks...
>> >> >> >>
>> >> >> >
>> >> >> > If you have a directory with 757 permissions, "world" can create new
>> >> >> > files there.
>> >> >> >
>> >> >> > And if you give files 757 (or 646) permissions, then "world" can edit
>> >> >> > that file.
>> >> >> >
>> >> >> > So if you have a doc dir, you probably don't want extra files there.
>> >> >> > It's not really a security problem, but if somebody notices it, he
>> >> >> > might write files there.
>> >> >> >
>> >> >> > Tijnema
>> >> >>
>> >> >> --
>> >> >> PHP General Mailing List (http://www.php.net/)
>> >> >> To unsubscribe, visit: http://www.php.net/unsub.php
>> >> >>
>> >> >>
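The permission check discussed in this thread, as an added example that is not part of the original messages: it walks a doc root, reports every directory or file whose "other" write bit is set (757, 646 and the like), and clears only that bit. The function names and the sample tree (`uploads`, `config.php`, and so on) are constructed for illustration.

```python
import os
import stat
import tempfile

def find_world_writable(root):
    """Return (kind, octal_mode, path) for entries under root that "other" can write."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: inspect the entry itself, never a symlink target
            if stat.S_ISLNK(st.st_mode) or not st.st_mode & stat.S_IWOTH:
                continue
            kind = "dir" if stat.S_ISDIR(st.st_mode) else "file"
            findings.append((kind, format(stat.S_IMODE(st.st_mode), "03o"), path))
    return sorted(findings)

def drop_other_write(path):
    """Clear only the other-write bit, e.g. 757 -> 755 and 646 -> 644."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    os.chmod(path, mode & ~stat.S_IWOTH)
    return format(stat.S_IMODE(os.lstat(path).st_mode), "03o")

def demo():
    """Build a constructed doc root, audit it, then fix what the audit found."""
    with tempfile.TemporaryDirectory() as root:
        for d, m in (("uploads", 0o757), ("css", 0o755)):
            os.mkdir(os.path.join(root, d))
            os.chmod(os.path.join(root, d), m)
        for f, m in (("config.php", 0o646), ("index.php", 0o644)):
            p = os.path.join(root, f)
            open(p, "w").close()
            os.chmod(p, m)
        before = [(k, m, os.path.relpath(p, root))
                  for k, m, p in find_world_writable(root)]
        fixed = [drop_other_write(p) for _, _, p in find_world_writable(root)]
        after = find_world_writable(root)
    return before, fixed, after

if __name__ == "__main__":
    before, fixed, after = demo()
    for kind, mode, rel in before:
        print(f"{kind:4} {mode} {rel}")
    print("after fix:", fixed, "remaining:", after)
```

Run against a real doc root, `find_world_writable` only reads mode bits, so it can be used as a report before deciding which entries to pass to `drop_other_write`.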