
RE: [cobalt-users] MAJOR BUG, Browse any directory view any file



-----Original Message-----
Has changing the permissions to this ever caused any issues on your
Cobalt?

- Ed
--------------------------

Absolutely not... and we've had it running for over a year that way.

The deal is that it doesn't change permissions for anything under
/home/sites, just the /home/sites directory itself. If you want to cd
/home/sites/www.simpli.biz/web as admin, you still can... you just have
to know that it's /home/sites/www.simpli.biz (i.e. you can't see a list
of the sites, and you can't tab-complete them as anyone but root.)

This closes up a major security hole with very little effort.

Erica Douglass
Lead Web Developer
Simpli, Inc.

----- Original Message ----- 
From: "Erica Douglass" <erica@xxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Thursday, May 29, 2003 8:36 AM
Subject: RE: [cobalt-users] MAJOR BUG, Browse any directory view any file


> > The code that allows you to view any file / directory within / below
> > home... [snip]
> 
> Here's an easy fix for this. I changed the permissions on /home/sites
> to only allow everything for root. This way my hosted customers won't
> be able to see the other sites on the server. Of course, the admin user
> can't tab-complete them, but that's a minor inconvenience.
> 
> Here is what my permissions for /home/sites look like:
> drwx--x--x    3 root     root         4096 May 24 07:21 sites
> 
> The command to change this permission is (while running as root):
> 
> cd /home
> chmod 711 sites
> 
> Just run the above commands and you won't have that issue any more.
> This is now standard operating procedure on all Cobalts I maintain. If
> you let customers have shell access on your Cobalts, this is a
> MUST-HAVE!!
> 
> HTH,
> Erica Douglass
> Lead Web Developer
> Simpli, Inc.
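
An audit sketch for the arrangement discussed in this thread, added here as an example and not part of either message: it checks that a parent directory such as /home/sites is traversable but not listable by group and other, and names the subdirectories that anyone who knows or guesses the site name can still read, since the change leaves everything under the parent untouched. The function names are hypothetical and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: audit a shared parent directory such as /home/sites.
# Function names are hypothetical; stat -c is the GNU coreutils form.

# Print the permission bits of a path as a shell integer (0711 -> 457).
mode_of() {
    raw=$(stat -c '%a' "$1") || return 1
    echo $((0$raw))
}

# Succeeds when group and other lack the read bit (no directory listing)
# but hold the execute bit (known paths still resolve): the 711 setup.
listing_hidden() {
    m=$(mode_of "$1") || return 2
    [ $((m & 044)) -eq 0 ] && [ $((m & 011)) -eq $((011)) ]
}

# Print the names of subdirectories that "other" can both read and enter.
# Hiding the parent's listing does not protect these once a name is known.
exposed_children() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        m=$(mode_of "$d") || continue
        if [ $((m & 5)) -eq 5 ]; then
            printf '%s\n' "${d##*/}"
        fi
    done
    return 0
}

# Report both checks for one directory.
audit() {
    if listing_hidden "$1"; then
        echo "OK: $1 cannot be listed by group or other"
    else
        echo "WARN: $1 is listable, or not traversable, by group or other"
    fi
    exposed_children "$1" | sed 's/^/readable by name: /'
}

# Usage: sh audit.sh /home/sites
if [ -n "${1:-}" ]; then audit "$1"; fi
```

Run it as root so that the glob over the parent directory succeeds even after the listing has been restricted.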