preventing hacking from inside

Hi,

I have looked for this on the net over the nights but couldn't find an answer, though it sound so obvious.


In a linux box that is working as a web server hosting many sites. I descovered that a user can leave out his home directory and the read others files and obtain very important data like database passwords and then use it to destory thier data. The problem is that those files must be chmoded to 755 in order for them to function.

Is there any way or some modified shell that would prevent users logged in via ssh/telnet to read files that are located outside of thier main home directories ?!



thank u ..

One way, matbe not the best, is to put all the users into one group, maybe accounts, then make all files 705. There's probably a more secure way of doing this, though.

Run suEXEC so that the web server executes CGI's with the permission of the owner. This way the files can be 700 and they will still function in a web serving context.

Thank you guys for your contrbuitions


bricker

I am not sure this would be working if you are having some kind of hosting panels like WHM?CPanel or ensim coz they do alot pf work behind the scene.


Alex

This would solve the cgi problem but what about php which is more common those days?



AbuAnas

To stop ssh/telnet users from accessing others files, they need to be chroot'ed to their home directory.
Another way is to set the permissions on each home directory to 750, and change the group to the webservers group.

To stop PHP from one users directory from accessing anothers when run byu the server, you should be able to use the PHP config files - possibly in conjunctions with some SetEnvIf and Allow/Deny statements in the Apache Config.