#1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2001
    Posts
    19
    Rep Power
    0

    preventing hacking from inside


    Hi,

    I have looked for this on the net over the nights but couldn't find an answer, though it sounds so obvious.


    On a Linux box that is working as a web server hosting many sites, I discovered that a user can leave his home directory and then read others' files and obtain very important data like database passwords and then use it to destroy their data. The problem is that those files must be chmoded to 755 in order for them to function.

    Is there any way or some modified shell that would prevent users logged in via ssh/telnet from reading files that are located outside of their main home directories?



    Thank you.
  2. #2
  3. No Profile Picture
    Moderator =(8^(|)
    Devshed Intermediate (1500 - 1999 posts)

    Join Date
    Feb 2002
    Location
    Sacramento, CA
    Posts
    1,710
    Rep Power
    14
    One way, maybe not the best, is to put all the users into one group, maybe accounts, then make all files 705. There's probably a more secure way of doing this, though.
  4. #3
  5. Full Access
    Devshed Regular (2000 - 2499 posts)

    Join Date
    Jun 2000
    Location
    London, UK
    Posts
    2,019
    Rep Power
    16
    Run suEXEC so that the web server executes CGIs with the permission of the owner. This way the files can be 700 and they will still function in a web serving context.
    Alex
    (http://www.alex-greg.com)
  6. #4
  7. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2001
    Posts
    19
    Rep Power
    0
    Thank you guys for your contributions.


    bricker

    I am not sure this would work if you have some kind of hosting panel like WHM/cPanel or Ensim, because they do a lot of work behind the scenes.


    Alex

    This would solve the CGI problem, but what about PHP, which is more common these days?



    AbuAnas
  8. #5
  9. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2002
    Posts
    170
    Rep Power
    13
    To stop ssh/telnet users from accessing others' files, they need to be chroot'ed to their home directory.
    Another way is to set the permissions on each home directory to 750, and change the group to the web server's group.

    To stop PHP in one user's directory from accessing another's when run by the server, you should be able to use the PHP config files - possibly in conjunction with some SetEnvIf and Allow/Deny statements in the Apache config.
    Candyman. CandyMan. Candy ... Oh, Hi !
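
An added example, not written by any poster in this thread: shell functions that audit which home directories are open to other local users and apply the 750 mode suggested in post #5. The base directory and the group name passed to `lock_home` are assumptions.

```shell
#!/bin/sh
# Added example: audit and tighten per-user home directories on a shared host.
# BASE (e.g. /home) and the GROUP name are assumptions, not values from the thread.

# Succeeds if PATH has the given "other" permission bit set.
has_other_bit() {   # has_other_bit PATH MODE   (004 = read, 001 = traverse)
    [ -n "$(find "$1" -maxdepth 0 -perm -"$2" 2>/dev/null)" ]
}

# Succeeds if an unrelated local user could read FILE: the file needs o+r
# and every directory between BASE (exclusive) and FILE needs o+x.
other_can_read() {  # other_can_read BASE FILE
    base=${1%/}
    file=$2
    has_other_bit "$file" 004 || return 1
    dir=$(dirname "$file")
    while [ "$dir" != "$base" ] && [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        has_other_bit "$dir" 001 || return 1
        dir=$(dirname "$dir")
    done
    return 0
}

# Print every home directory directly under BASE that grants anything to "other".
list_exposed_homes() {  # list_exposed_homes BASE
    find "$1" -mindepth 1 -maxdepth 1 -type d \
        \( -perm -004 -o -perm -002 -o -perm -001 \) | sort
}

# Apply the layout from post #5: mode 750, group = the web server's group.
# Changing the group normally needs root; omit GROUP to change the mode only.
lock_home() {       # lock_home HOME [GROUP]
    if [ -n "${2:-}" ]; then
        chgrp "$2" "$1" || return 1
    fi
    chmod 750 "$1"
}
```

Once the home directory is 750, a file inside it that is still 755 is no longer reachable by other shell users, because they cannot traverse the directory. Code that the web server runs for another customer still has the group's access, which is the gap the suEXEC suggestion in post #3 addresses.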
