Re: [cobalt-users] telnet on raq3 allows users to view source of other sites
- Subject: Re: [cobalt-users] telnet on raq3 allows users to view source of other sites
- From: Dennis <dkc@xxxxxxxxxxxxx>
- Date: Sat Feb 19 16:08:59 2000
Steve-
But if you make the web directory only readable by the owner and group then
doesn't that disable a normal web browser from bringing up the web page in the
web directory?
-Dennis
Steven Werby wrote:
> Luc Schiltz <becher@xxxxxx>
> > I created a user called test with telnet access
> > this user test logs into the raq3 and can cd /home/sites/site14
> > do an ls -la of the web directory etc ...
>
> This is how the Linux OS works. It can be annoying, but you can prevent
> access to view directory contents by changing the permissions on the
> directory. The contents of site14 should be owned by userofsite14:site14 so
> if test is not a member of site14, test can't view the contents of
> /home/sites/site14/web if web is not world-readable. If you're a little
> green on the concept search the list archives or the web for "permissions"
> and "chmod".
>
> > is there any patch available for this? as this presents a big security
> > hole, e.g.
> > a user who is running php3 and connects to a mysql database, he got the
> > login & passwd
> > of the mysql database stored in a file in the directory web ...
>
> If you're talking about the mysql database named "mysql" which stores
> security and access tables for all mysql databases then you should take
> better care of the permissions of any files that you have that information
> in. Make them readable only by you! And if you are giving other users
> mysql access, create a specific user for them in the "mysql" database who
> only has access to specific databases from specific hosts and can only do
> things you are comfortable with.
>
> Steven {steven@xxxxxxxxxxxx}
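The permission question raised in this thread, worked through as an added example that is not part of the original messages: a simplified model of the POSIX owner/group/other check applied along the path to a file under /home/sites/site14/web. The file name `db.php3`, the ownership of `/home` and `/home/sites`, and the web server account `httpd` are assumptions made for illustration; ACLs and the uid 0 bypass are left out.

```python
# Added illustration: simplified POSIX permission check (no ACLs, no root bypass).
from collections import namedtuple

Node = namedtuple("Node", "name owner group mode")   # one path component
Who = namedtuple("Who", "uid gids")                  # identity of a process

R, X = 4, 1   # read bit and search/execute bit within one permission class

def allowed(who, node, want):
    """Exactly one class applies: owner, else group, else other."""
    if who.uid == node.owner:
        bits = (node.mode >> 6) & 7
    elif node.group in who.gids:
        bits = (node.mode >> 3) & 7
    else:
        bits = node.mode & 7
    return bits & want == want

def can_read(who, path):
    """Needs search (x) on every directory above the last node and r on the node."""
    *dirs, leaf = path
    return all(allowed(who, d, X) for d in dirs) and allowed(who, leaf, R)

def site_path(web_mode, file_mode):
    # Constructed layout; modes of the first three components are assumed.
    return [
        Node("/home", "root", "root", 0o755),
        Node("/home/sites", "root", "root", 0o755),
        Node("/home/sites/site14", "userofsite14", "site14", 0o755),
        Node("/home/sites/site14/web", "userofsite14", "site14", web_mode),
        Node("/home/sites/site14/web/db.php3", "userofsite14", "site14", file_mode),
    ]

PRINCIPALS = {
    "owner": Who("userofsite14", {"site14"}),
    "test": Who("test", {"users"}),                       # telnet user, not in site14
    "httpd_outside": Who("httpd", {"httpd"}),             # assumed web server account
    "httpd_in_group": Who("httpd", {"httpd", "site14"}),  # same account added to site14
}

def report(web_mode, file_mode):
    """Map each principal to whether it can read the file under these modes."""
    path = site_path(web_mode, file_mode)
    return {name: can_read(who, path) for name, who in PRINCIPALS.items()}

if __name__ == "__main__":
    print("web 755, file 644:", report(0o755, 0o644))
    print("web 750, file 640:", report(0o750, 0o640))
```

Passing the path without its last component to `can_read` answers whether a principal can list the web directory itself, which is the `ls -la` case from the original report.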