
Re: Lock down system against shell accounts?

Thanks everyone for the info,

> However, perhaps you want to ask another question.
> What sort of stuff shouldn't they see?

Things like:
The Apache configuration and cgi directories (they can see who else I am
The DNS configuration files (as above)

> If it's other users' files for the main part then make every user's home
> dir mode 750 instead of 755, and give them all personal groups. Or just
> go the mode 700 chmod of the users' home dirs.

The home dirs are mode 701 to allow Apache access to the public_html
directory in each home dir.
This means nosy users, after knowing they have a public_html in their own
dirs, can guess that other users have a public_html dir and go directly to
it even though they can't see it.  Then they can have a look around other
people's webs from the inside.

> There's usually little harm in letting people see the rest of the box.

I disagree.  Users should see what they are ALLOWED to see and no more.
Some of the configuration files have passwords etc. and if someone
misconfigures directory permissions...

| Peter Kiem            | E-Mail    : <zordah zordah net> |
| Zordah IT             | Mobile    : +61 0414 724 766    |
|   IT Consultancy &    | WWW       : www.zordah.net      |
|   Internet Hosting    | ICQ       : "Zordah" 866661     |
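
The mode 701 exposure described in the message above can be checked for with a short audit. This is an added example, not part of the original post; the function names and the assumption that all home directories sit directly under one root (such as /home) are hypothetical.

```shell
#!/bin/sh
# Added example: flag home directories where other local users can walk
# straight into public_html, as happens with mode 701 homes.
# Assumption: every home directory sits directly under one root.

# others_bits PATH -> the three "other" permission characters, e.g. "--x"
others_bits() {
    ls -ld "$1" | cut -c8-10
}

# audit_homes ROOT -> one line per home: "<name> <home-other-bits> <status>"
#   EXPOSED: "other" may traverse the home dir and public_html has any
#            "other" permission bit set
#   ok:      no public_html, or "other" cannot get to it
audit_homes() {
    root=$1
    for home in "$root"/*/; do
        [ -d "$home" ] || continue
        home=${home%/}
        name=${home##*/}
        hbits=$(others_bits "$home")
        status=ok
        case $hbits in
            ??x|??t)    # execute (search) bit for "other" is set
                if [ -d "$home/public_html" ]; then
                    pbits=$(others_bits "$home/public_html")
                    case $pbits in
                        ---) ;;                  # closed to "other"
                        *)   status=EXPOSED ;;   # listable or enterable
                    esac
                fi
                ;;
        esac
        printf '%s %s %s\n' "$name" "$hbits" "$status"
    done
}

# Run against a root given on the command line, e.g.: sh audit.sh /home
if [ -n "${1:-}" ]; then
    audit_homes "$1"
fi
```

A home at mode 710 reports `--- ok`; Apache can then still reach public_html only if the home directory's group is the one the web server runs as, which is an assumption about the setup rather than something stated in the thread.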
