
Re: [cobalt-users] SSH/Shell Access Concern



On Mon, 12 Feb 2001, W.E.B.S Ltd - awebcompany.net (J Williams) wrote:

> I'm a newbie to servers and learning the hard way it seems. I have a book
> which is helping but has brought about this query.
>
> With a virtual site administrator enabled with shell access, it seems that
> using SSH the user can log onto his domain, and gain root access by simply
> typing cd ../../

Yes, which is why you don't give shell accounts to people you don't trust
-/

Although they can browse and read files, they can't modify or change them,
because they don't own them. It is possible for other users to protect their
files better, but by default most files created by users are readable by
everyone else....

Note that there are seriously good reasons NOT to give people shell access
if you have, for example, sensitive data stored on the machine, or at a
minimum, you have to be very careful about managing it....

Keep in mind that any file in the web server space is for all practical
purposes readable by anyone with a web browser, so making those files
inaccessible to inside users wouldn't serve any purpose anyhow...

> 
> I've tried it with various user passwords and anyone with shell enabled can
> get everywhere within the system. I can get into any other virtual site,
> the home directory and root level!

Yup, if you think about it, you have to be able to read every directory
from the root directory down or you wouldn't be able to access your own
files either, you have to start at / to get to /home/joe ...

> 
> Maybe I'm wrong but this seems very dangerous!

It is ;)

> Should site administrators with shell access be able to do this?

Probably not, but that's the way it works, and it's common, though not
universal, on unix servers ....

> 
> The following patches are installed on my RAQ4i and I can't see a patch
> that stops this.. Please give me some advise.

OK, advice: don't list your installed security patches to a public
mailing list, someone might notice you are missing one somewhere ;)

> begin 666 Justin Williams.vcf

Try to lose the silly card thing,
it makes an AWFUL mess in the archives :)

(And some of us can't see it anyhow ;)

gsh
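The point gsh makes above (shell users can traverse into other home directories because files are world-readable by default, but owners can tighten their own directories) as an added example, not code from the thread or from Cobalt. It builds a constructed stand-in for /home in a temp directory, counts files other users could read, and applies the usual mitigation: dropping "other" access on the home directory itself, which blocks traversal regardless of the file modes inside.

```sh
#!/bin/sh
# Added example, not from the original thread. Audits a home-directory tree
# for files readable by "other", then removes o+rwx on a home directory so a
# shell user doing `cd ../../` can no longer enter it. All paths below are a
# constructed sample under mktemp, never the real /home.

HOME_ROOT=$(mktemp -d)   # stand-in for /home (constructed)

setup_sample() {
    # joe's files are created under the default umask (world-readable);
    # ann has already tightened her home directory to 750.
    mkdir -p "$HOME_ROOT/joe/public_html" "$HOME_ROOT/ann"
    umask 022
    echo "db_password=hunter2" > "$HOME_ROOT/joe/config.php"
    echo "<html>hi</html>"    > "$HOME_ROOT/joe/public_html/index.html"
    echo "private notes"      > "$HOME_ROOT/ann/notes.txt"
    chmod 750 "$HOME_ROOT/ann"
}

# Regular files under a home that carry the o+r bit (numeric -004 keeps the
# test portable across GNU and BSD find). One path per line.
world_readable() {
    find "$1" -type f -perm -004 2>/dev/null | sort
}

count_world_readable() {
    world_readable "$1" | wc -l | tr -d ' '
}

# Mitigation: strip read/write/execute for "other" on the home directory.
# Without the x bit on the directory, non-owners cannot traverse into it,
# whatever the modes of the files inside (ann's notes.txt is still 644).
harden_home() {
    chmod o-rwx "$1"
}

# Can a non-owner traverse this directory? Inspects the o+x bit (-001)
# instead of switching users, so the check needs no privileges.
other_can_enter() {
    if [ -n "$(find "$1" -maxdepth 0 -perm -001)" ]; then echo yes; else echo no; fi
}
```

Run `setup_sample`, then compare `other_can_enter "$HOME_ROOT/joe"` before and after `harden_home "$HOME_ROOT/joe"`; the files under public_html stay world-readable by design, as the web server serves them anyway.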