[Gllug] Insecure practices at my ISP

Jason Clifford jason at ukpost.com
Fri Apr 4 08:04:30 UTC 2003


On Thu, 3 Apr 2003, Garry Heaton wrote:

> I just logged into my telnet account to find I can browse the whole shared
> CGI directory and most of the Linux server's root directory. Almost all the
> directories and files on the machine, save the really crucial ones
> ('/etc/shadow', for example), have 755 permissions. All the user accounts,
> which contain a default empty 'cgi-bin' directory, are under
> '/file/home1/<username>' and only one or two users have changed their
> permissions.
> 
> My question is whether this is nothing out of the ordinary? I wouldn't have
> thought so but this is the first ISP I've telnet-ed into. Is it usually the
> responsibility of the user to change his directory permissions? Even so,
> surely I shouldn't be able to browse the server's root directory?

Unfortunately many ISPs are run by people who don't really understand 
basic security issues in system administration.

While I don't hold that it is necessary to chroot the entire environment, I 
do believe that you should not be able to access any other user's home 
directory or files by default - hence the ISPs I run have a default 
permission set of 705/604 with all users in a common group.

In addition to this I use a good FTP daemon (vsftpd) which implements 
chroot to home directories, thus ensuring that users cannot see anything 
outside of their homedir.

I don't believe that a user ever needs shell access for a hosting account 
so I don't give it.

Of course that does not provide 100% security. There are well known risks 
that simply cannot be avoided in a shared hosting environment.

Have you contacted PlusNet to tell them of your concerns? They are a 
reputable company so they should be receptive.

> PlusNet's MySQL version is also 3 years out of date (3.22.32) so doesn't
> even support the MyISAM table format, which gained MySQL its reputation for
> performance. Maybe the sysadmins at PlusNet just don't get it.

I certainly would not want to be running MySQL that out of date. I suspect 
that they have a standard build for hosting servers that may only be 
updated for vital security fixes (well I hope they are!).

Jason Clifford
-- 
UKFSN.ORG		Finance Free Software while you surf the 'net
http://www.ukfsn.org/			Sign up now
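The 705/604 default with a common group, as an added worked example that is not part of the original post or of any ISP's own tooling. It assumes a Linux box with GNU coreutils (stat -c, find -perm with symbolic modes) and builds a constructed, throwaway /file/home1-style tree under mktemp, with the user names alice and bob made up for the demo. The point it makes explicit: once every customer is in one group, it is the group bits that decide whether a fellow customer can list your home, while the "other" bits are what a web server running outside that group needs, so the audit looks at group read rather than world read.

```shell
#!/bin/sh
# Added example (not from the original post): audit home directories for the
# 705/604 scheme described above and apply it. Assumes GNU coreutils.

# Print 1 if octal mode $1 (e.g. 755) grants read to the directory's group,
# else 0. With all customers in one common group, this is the bit that lets
# one customer list another's home.
group_readable() {
    [ $(( 0$1 & 32 )) -ne 0 ] && echo 1 || echo 0    # 32 == 0040, g+r
}

# Print 1 if octal mode $1 grants read to everyone else (e.g. the web
# server's user, which is deliberately NOT in the customers' group).
other_readable() {
    [ $(( 0$1 & 4 )) -ne 0 ] && echo 1 || echo 0     # 4 == 0004, o+r
}

# Count home directories directly under $1 whose group bits grant read.
count_group_readable_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm -g+r | wc -l | tr -d ' '
}

# Apply the defaults: 705 on directories, 604 on regular files.
harden_home() {
    find "$1" -type d -exec chmod 705 {} +
    find "$1" -type f -exec chmod 604 {} +
}

# Show what a umask yields for a new directory and a new file, as
# "dirmode filemode". umask 072 gives 777&~072=705 and 666&~072=604, so
# setting it in the login environment keeps the default for new content.
umask_result() {
    d=$(mktemp -d)
    ( umask "$1"; mkdir "$d/dir"; : > "$d/file" )
    printf '%s %s\n' "$(stat -c %a "$d/dir")" "$(stat -c %a "$d/file")"
    rm -rf "$d"
}

# Constructed demo tree: two customers with the 755/644 layout Garry
# describes, each with an empty cgi-bin. Prints the temp root.
make_demo_tree() {
    root=$(mktemp -d)
    for u in alice bob; do            # hypothetical user names
        mkdir -p "$root/$u/cgi-bin"
        printf 'secret\n' > "$root/$u/notes.txt"
        chmod 755 "$root/$u" "$root/$u/cgi-bin"
        chmod 644 "$root/$u/notes.txt"
    done
    echo "$root"
}

# Run as `sh this.sh demo` to see the before/after audit.
if [ "${1:-}" = "demo" ]; then
    root=$(make_demo_tree)
    echo "before: $(count_group_readable_homes "$root") of 2 homes group-readable"
    for h in "$root"/*; do harden_home "$h"; done
    echo "after:  $(count_group_readable_homes "$root") of 2 homes group-readable"
    echo "umask 072 yields: $(umask_result 072)"
    rm -rf "$root"
fi
```

The audit deliberately flags 755 but not 705: under 705 a fellow customer, hitting the group bits, gets nothing, while the web server, hitting the "other" bits, can still traverse and read. The FTP side of Jason's setup is a separate knob; in vsftpd it is the chroot_local_user=YES directive that confines each login to its home.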


-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug