Re: [cobalt-developers] Re: CGI Wrap Errors

[Will DeHaan <will@xxxxxxxxxx>]

John Parris wrote:
> 
> Since we're all ranting on security issues, I have a question/issue.
> 
> The way home directory security is configured by default on the RAQ2 is a
> serious joke. Anyone that has telnet access can see files in just about any
> other web directory located in /home/sites/.

Ok, so how is this a joke?  How else do you serve web data with an
unpriveleged web server?  Public web data is public to shell users too.

I think I'm grossly missing your point here..

> I read on this list that
> changing the default security permissions on the directories disables quota
> management. It also can cause problems with getting a bash prompt on telnet.

Dropping the public executability will break shell and web browsing. 
Changing group or user ownership of files will make the site and user
quotas ineffective.  Some basic unix here folks..  User quotas are based
by UID, Site quotas are based by GID.

> Now, I know for a fact I've already had one user nosing around in other web
> site directories.

On the web or in a shell?  What does it matter?  If a user wants to keep
sensitive data web accessible, they shouldn't store that data in a web
accessible location!  CGI-wrap will enable them to store such things in
more restrictive locations such as a subdirectory from the site or user
home directory.

> My question is, is there a way to change all these
> permissions, and make it a default setting for new sites, where other users
> with telnet cannot go snooping around reading other users' files?
> 
> Thanks
> John Parris

You probably want chroot'd telnet access and don't want to mess with
file permissions.  Has anyone got this working on the RaQs?  It can be
done with a big slew of hard links or with a ~22MB/site penalty for
copied files, in addition to changing users shell.


	-- Will