
Re: [cobalt-users] telnet on raq3 allows users to view source of other sites



At 01:05 PM 2/19/00 +0100, you wrote:

I created a user called test with telnet access
this user test logs into the raq3 and can cd /home/sites/site14
do an ls -la of the web directory etc ...

is there any patch available for this? As this presents a big security hole, e.g. a user who is running php3 and connects to a mysql database has the login & passwd
of the mysql database stored in a file in the directory web ...

Telnet is telnet. It allows you to log onto your linux box. Your linux box allows you to read files, or not, based on security set up for each file.

For example, let's look at this directory entry (I've entered column numbers on a separate line below the directory line)

-rwxr-xr-x   1 c1000003 site5      546017 Dec  7 10:53 fpcount.exe
1234567890

Warning: the following explanation is quite oversimplified.

Column one shows a "d" if the file is a directory, a "-" if it's not.

Columns 2 - 4 show rights for the owner of the file.
Columns 5 - 7 show rights for members of group that owns the file.
Columns 8 - 0 show rights for the rest of the world.

So, for example, for this file, the owner of the file (c1000003) can (r)ead, (w)rite, and e(x)ecute the file. The members of the group (site5) can (r)ead and e(x)ecute the file, and anyone else who can log onto the system can (r)ead and e(x)ecute the file.

Sure, you can change the permissions, using the "chmod" command, or change the owner or group, with the "chown" or "chgrp" command. Of course you'd better know what you're doing if you do so, or else you'll break your system and/or the Cobalt web-based gui.

Why do you think I keep saying you shouldn't give telnet access <wry grin>?

Why do you think consultants make the big bucks <wry grin, again>?

Jeff

--
Jeff Lasman <jblists@xxxxxxxxxxxxx>
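The point Jeff makes is that a shell account sees whatever the "rest of the world" bits allow, so the practical check is to audit a site's web directory for world-readable files and drop the "other" bits on the ones holding credentials. The following is an added example, not code from the list thread or from Cobalt: it parses the 10-column mode field exactly as the message breaks it down, walks a constructed site tree for files with the world-read bit set, and hardens one file with the equivalent of `chmod o-rwx`. The file names (`web/dbconfig.php3`, `web/index.html`) and the temporary tree are constructed for the demo.

```python
import os
import stat
import tempfile


def parse_mode_string(mode: str) -> dict:
    """Split an `ls -l` mode field such as -rwxr-xr-x into its three rights triads.

    Column 1 is the type, columns 2-4 the owner, 5-7 the group, 8-10 everyone else,
    matching the breakdown in the message above.
    """
    if len(mode) != 10:
        raise ValueError("expected a 10-character mode field such as -rwxr-xr-x")

    def triad(bits: str) -> dict:
        # 's' and 't' mean execute plus setuid/setgid/sticky; treat them as executable.
        return {"read": bits[0] == "r", "write": bits[1] == "w", "execute": bits[2] in "xst"}

    return {
        "is_dir": mode[0] == "d",
        "owner": triad(mode[1:4]),
        "group": triad(mode[4:7]),
        "other": triad(mode[7:10]),
    }


def world_readable_files(root: str) -> list:
    """Return every regular file under root whose mode grants read to 'other'.

    Anyone who can log into the box (telnet, ssh, a CGI running as another user)
    can read these, which is the exposure the original poster noticed.
    """
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mode & stat.S_IROTH:
                found.append(path)
    return sorted(found)


def restrict_to_owner_and_group(path: str) -> int:
    """Clear the 'other' bits (the same effect as `chmod o-rwx`); return the new mode."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    new_mode = mode & ~(stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH)
    os.chmod(path, new_mode)
    return new_mode


def demo() -> dict:
    """Build a constructed site tree, audit it, harden the credentials file, re-audit."""
    root = tempfile.mkdtemp(prefix="site-demo-")
    web = os.path.join(root, "web")
    os.mkdir(web)
    # Constructed stand-ins: a PHP file that would hold the MySQL login, and a public page.
    secret = os.path.join(web, "dbconfig.php3")
    public = os.path.join(web, "index.html")
    for path in (secret, public):
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
    # 0644 is what most editors and upload tools leave behind: world-readable.
    os.chmod(secret, 0o644)
    os.chmod(public, 0o644)

    before = world_readable_files(root)
    secret_mode = restrict_to_owner_and_group(secret)   # becomes 0640
    after = world_readable_files(root)
    return {
        "before": [os.path.relpath(p, root) for p in before],
        "after": [os.path.relpath(p, root) for p in after],
        "secret_mode": secret_mode,
    }


if __name__ == "__main__":
    result = demo()
    print("world-readable before:", result["before"])
    print("world-readable after: ", result["after"])
    print("dbconfig.php3 mode now: %o" % result["secret_mode"])
```

Removing the "other" read bit only helps if the process that legitimately needs the file (here the web server running the PHP scripts) is the owner or a member of the file's group; check which user and group the web server runs as before applying this across a site, which is exactly the "you'd better know what you're doing" caveat in the reply.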