Re: [cobalt-users] In Telnet, Able to view other site's files
- Subject: Re: [cobalt-users] In Telnet, Able to view other site's files
- From: "Ed Booher, Jr" <ebooher@xxxxxxxxxxx>
- Date: Thu Oct 19 11:40:01 2000
- Organization: One Call Internet
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Well,
Not to put too fine a point on it, but, open that site in a web
browser, now do a "Show Source" Aha! There is the same HTML
code you are talking about. The nature of the beast that is HTML
is "open to all" because if it weren't, the browser wouldn't be
able to get to it either. If you change modes (CHMOD) on a file
to 700, that will give Owner (Read/Write/Execute) permission to
that file but Group and World will have *no* permission, so no
one but the Owner will be able to do anything to the file, not
even vi. Try it on a file, I'm sure you'll like it. However, if
you chmod 700 an HTML file, no one will be able to view it in a
browser, not even the Owner, because when a browser connects
(most usually to port 80) it connects as an Anonymous User (this
anonymous user is usually the name of the core browser code, i.e.
in a log file you usually see a lot of "Mozilla's" running about).
For our good buddy Mozilla to be able to look at your web site,
or be able to use that form with that really cool Perl that
you've written, the file has to be in a format that he can read.
Typically chmod 755 which means Read/Write/Execute (RWX or 421)
for Owner, (RX) Group and (RX) World. (Some crafty
administrators can set up a Perl or CGI document as chmod 744 and
get it to work.) The point is, the code has to be executed, hence
the X (or the crafty interpretation by some admins), otherwise
we get that oh so wonderful "CGIWrap Execution Error: Script
Execution Failed."
"CGIWrap encountered an error while attempting to execute this
script: Error Message: Permission denied. Error Number: 13.
This message usually indicates there is a problem with the script
itself. Often this indicates either that the #! line of the
script is incorrect, or the script was uploaded in binary mode
instead of ascii mode. Check to make sure that the script does
not have control-M's at the end of every line. That will prevent
it from executing. An easy fix that takes care of this most of
the time is to put '#!/.../perl --' instead of '#!/.../perl' on
the first line of the script. If you are not the owner of this
script, please forward this error and the URL that caused it to
the script owner. That is often the component in the URL right
after /cgiwrap/."
Basically what I'm saying is, this is a perfectly natural thing,
being able to VI HTML code via a Telnet session. If you, or a
customer, have a specific file that they want no one to have
access to but themselves, chmod that file to 700, or 760 (RWX)
(RW) (None). Do an ls -al from the command line via telnet and
you'll see those letters to which I keep referring. In fact the
normal UNIX directory list will show you the following.
----------   Where each of these dashes has a letter,
drwxrwxrwx   and will always be in this order.
The first letter will be - (for regular file) d (for directory)
or l (for link, either hard or symbolic). The next three letters
indicate the mode (or permissions) for that file for its owner.
The second set of three letters will indicate the mode for that
file for the group it belongs to. The third and last set of
letters belong to the mode for the World. Now I know in some of
the directories, especially the /var/spool/mail directory, you
might be asking .... well, what are all these "s"s? Don't ask,
don't worry about it, that is a completely different level of
chmod that you'll just have to read the MAN page to figure out.
:) I'll give you a quick and dirty octal (numbered) mode here.
-rwxrwxrwx - Mode 777  Open to everyone, no matter how much of a hacker they are.
-rwxrw-r-- - Mode 764
-rw-rw---- - Mode 660  (You don't really need execute unless it's a script)
-r--r----- - Mode 440
-r-------- - Mode 400  (Only Root himself can change this file)
With 400, it will notify you that you are changing a READ-ONLY
FILE several times, but if you are SuperUser, UNIX will assume
you know what you are doing and will eventually let you write the
file out anyway, even if you don't have the Write mode set on the
file.
Hope this has been helpful,
Ed Booher
Network Engineer
One Call Internet
http://www.onecall.net/
"If Linux is an 18-wheeler semi, capable of pulling multi-ton
loads cross-country, BeOS is a slick Porsche 911 Turbo."
- Franco Vitaliano / OPEN Magazine -
[Disclaimer - Any and all views, opinions, outlooks,
philosophies, words of wisdom, words of brash stupidity, and
principles outlined in this post are the belief of the Reverend
Eddie W. Booher, Jr. and are not necessarily synonymous with the
views of his employer or religion.]
WebSite Creations wrote:
>
> I am wondering, is there a way to protect directories from being viewed by a
> normal user in a telnet session?
>
> Example, on a RaQ4, and 3 and 2 I presume, you can telnet in as a normal
> user, NOT ROOT, and do the following;
>
> vi /home/sites/site#/web/index.html
>
> which will show the code for that file. And it doesn't have to be YOUR
> account. You can view ANY account.
>
> Note, the file is read only if it is not your account. However, the fact
> that anyone can view other's html , and cgi code is frightening.
>
> Yes, I know the argument about telnet being a bad idea, but it is necessary
> for some customers.
>
> Any ideas to lock out user directories from non-authorized users in a telnet
> session?
>
> Thanks,
> Bill
>
> _______________________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To Subscribe or Unsubscribe, please go to:
> http://list.cobalt.com/mailman/listinfo/cobalt-users