
Re: [cobalt-users] telnet on raq3 allows users to view source of other sites



Dennis <dkc@xxxxxxxxxxxxx> wrote:
> Steve-
>
> But if you make the web directory only readable by the owner and group then
> doesn't that disable a normal web browser from bringing up the web page in the
> web directory?

True, but now it's more secure, isn't it?  <wry grin>  I didn't explain
myself very well so I'll give it another shot.

The particular problem Luc was referring to involved a MySQL login being
stored in a web-viewable directory.  If it's a text file then anyone with a
browser can view its contents so shell access is a moot point.  At a
minimum, the smart thing to do would be to move the file to a directory that
is not web-viewable.

In order to make a file web-viewable, but make it more difficult for shell
users to snoop around, put the webpage in a directory that is chmod 751 and
make the file world-readable.  You'll be able to see the page from the
browser, but a shell user will get permission denied when trying to ls the
directory.  However, if they know the filename they can view it.  I don't
give out shell access so I'm not an expert on the subject.  Maybe someone
has a better solution that doesn't involve burying the server in concrete.

Steven {steven@xxxxxxxxxxxx}
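
The behaviour described in the message above, as an added example that is not part of the original post: a small audit that reads the "other" permission bits of a directory and reports which files a user outside the owner and group could still open by exact name. The function names, the sample tree and the file names `db.inc` and `db-private.inc` are constructed for illustration.

```shell
#!/bin/sh
# Added example. Decisions use mode bits only, so results do not depend on
# which user runs the script.

# other_bits PATH -> the three "other" permission characters, e.g. "--x"
other_bits() {
    ls -ld -- "$1" | cut -c8-10
}

# dir_exposure DIR -> what a user who is neither owner nor in the group can do
dir_exposure() {
    case "$(other_bits "$1")" in
        r?[xt]) echo "listable" ;;   # ls works, files can be opened
        -?[xt]) echo "name-only" ;;  # ls denied, known filenames still open
        r??)    echo "list-only" ;;  # names visible, files not reachable
        *)      echo "closed" ;;     # nothing inside is reachable
    esac
}

# readable_by_name DIR -> files in DIR such a user can read by exact name
readable_by_name() {
    case "$(dir_exposure "$1")" in
        listable|name-only) ;;
        *) return 0 ;;
    esac
    for f in "$1"/* "$1"/.[!.]*; do
        [ -f "$f" ] || continue
        case "$(other_bits "$f")" in
            r??) echo "${f##*/}" ;;
        esac
    done
}

# Constructed sample: a 751 directory holding a page and two credential files.
make_sample() {
    d=$(mktemp -d) || return 1
    chmod 751 "$d"
    echo '<html>hello</html>' > "$d/index.html"; chmod 644 "$d/index.html"
    echo 'user=example pass=example' > "$d/db.inc"; chmod 644 "$d/db.inc"
    echo 'user=example pass=example' > "$d/db-private.inc"; chmod 640 "$d/db-private.inc"
    echo "$d"
}

sample=$(make_sample)
echo "exposure: $(dir_exposure "$sample")"
readable_by_name "$sample"
rm -rf "$sample"
```

On the sample tree the directory is reported as `name-only`, and `db.inc` is listed alongside `index.html` because both are mode 644, while the mode 640 file is not.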