[Gllug] Re: Insecure practices at my ISP
Garry Heaton
garry at heaton6.freeserve.co.uk
Sat Apr 5 22:17:35 UTC 2003
>Thanks Garry for pointing out all these details about the Plusnet sites.
>I guess I must be one of the 1700 odd people whose Plusnet site is not
>as secure as it could be. I would be grateful if you could detail how to
>change the permissions on the two home directories
>http://www.<username>.plus.com/
>http://cgi.<username>.plus.com/
>I have no experience of using telnet.
>Regards,
>Mark Preston
Telnet access is only available for your home directory at
http://cgi.<username>.plus.com/. For permissions on your htodocs and other
directories use FTP, which should allow you to 'chmod'.
There's no mystery with telnet. Use the login details provided by PlusNet
and you will obtain a 'bash-2.04$' prompt.
The real problem here is group access. You have 1800 users with the same
'shellcgi' group permissions and with telnet access to the same home
directory where nearly everyone's directory is group-readable. My suggestion
is to simply deny group access to your home directory. I've also denied
access to my subdirectories but this may not be necessary. Any UNIX
permission with a zero in the middle will do. I used 'chmod 705' for
directories and executable scripts, 604 for any temporary HTML files and 600
for .bash_history and .mysql_history files.
Garry
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
More information about the GLLUG
mailing list