
Re: [cobalt-users] telnet on raq3 allows users to view source of other sites



Luc Schiltz <becher@xxxxxx>
> I created a user called test with telnet access
> this user test logs into the raq3 and can cd /home/sites/site14
> do an ls -la of the web directory etc ...

This is how the Linux OS works.  It can be annoying, but you can prevent
access to view directory contents by changing the permissions on the
directory.  The contents of site14 should be owned by userofsite14:site14 so
if test is not a member of site14, test can't view the contents of
/home/sites/site14/web if web is not world-readable.  If you're a little
green on the concept, search the list archives or the web for "permissions"
and "chmod".

> is there any patch available for this ? as this presents a big security
> hole, e.g.
> a user who is running php3 and connects to a mysql database, he got the
> login & passwd
> of the mysql database stored in a file in the directory web ...

If you're talking about the mysql database named "mysql", which stores
security and access tables for all mysql databases, then you should take
better care of the permissions of any files that you have that information
in.  Make them readable only by you!  And if you are giving other users
mysql access, create a specific user for them in the "mysql" database who
only has access to specific databases from specific hosts and can only do
things you are comfortable with.

Steven {steven@xxxxxxxxxxxx}
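
Added example, not part of the original message: a small shell audit for the permission issue discussed in this thread. It assumes the `/home/sites/<site>/web` layout mentioned above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original thread). Function names are
# hypothetical; the <root>/<site>/web layout is taken from the message.

# Print every <root>/<site>/web directory that "other" (any account that
# is neither the owner nor in the site's group) can list or traverse.
audit_world_access() {
    find "$1" -mindepth 2 -maxdepth 2 -name web -type d \
        \( -perm -0004 -o -perm -0001 \) -print
}

# Print regular files under a web directory that "other" can read,
# e.g. a script or include file holding a database login and password.
audit_world_readable_files() {
    find "$1" -type f -perm -0004 -print
}

# Remove all "other" access from a web directory. Owner and group bits
# are left alone. Every account outside the owner and the site group
# loses access, so check which accounts need the directory first.
lock_web_dir() {
    chmod o-rwx "$1"
}

# Stand-alone use: pass the sites root to get a report.
if [ $# -gt 0 ]; then
    echo "web directories open to other users:"
    audit_world_access "$1"
    echo "world-readable files inside them:"
    audit_world_access "$1" | while IFS= read -r dir; do
        audit_world_readable_files "$dir"
    done
fi
```

Run it as `sh audit.sh /home/sites` to get the report; `lock_web_dir` changes nothing until it is called on a specific directory.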