[Gllug] Insecure practices at my ISP

Garry Heaton garry at heaton6.freeserve.co.uk
Thu Apr 3 22:56:57 UTC 2003


I recently signed up for ADSL with PlusNet (www.plus.net) and my account
comes with 250Mb of webspace with MySQL, CGI and telnet access. So far, so good.

I just logged into my telnet account to find I can browse the whole shared
CGI directory and most of the Linux server's root directory. Almost all the
directories and files on the machine, save the really crucial ones
('/etc/shadow', for example), have 755 permissions. All the user accounts,
which contain a default empty 'cgi-bin' directory, are under
'/file/home1/<username>' and only one or two users have changed their
permissions.

My question is whether this is nothing out of the ordinary? I wouldn't have
thought so but this is the first ISP I've telnet-ed into. Is it usually the
responsibility of the user to change his directory permissions? Even so,
surely I shouldn't be able to browse the server's root directory?

PlusNet's MySQL version is also 3 years out of date (3.22.32) so doesn't
even support the MyISAM table format, which gained MySQL its reputation for
performance. Maybe the sysadmins at PlusNet just don't get it.

Garry Heaton



-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
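
An added example, not part of the original message: a shell check an account holder on a shared host like the one described could run over their own home directory to list what other local users can reach, then remove that access. The sample tree, the user name `alice` and the file `config.inc` are constructed, and the script assumes the web server reaches the files as the owner or through the group, which depends on how the host runs CGI.

```sh
#!/bin/sh
# Added example: find and close "other" access in a home tree on a shared host.
# The tree, the user name "alice" and config.inc are constructed sample data.

# Print every entry under $1 whose mode grants read, write or execute/search
# to "other", i.e. to every other account on the machine.
list_other_access() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Number of such entries under $1.
count_other_access() {
    list_other_access "$1" | wc -l | tr -d ' '
}

# Strip all "other" bits from $1 and everything below it (755 -> 750, 644 -> 640).
# Assumption: the web server reaches the files as the owner or via the group.
close_to_others() {
    chmod -R o-rwx "$1"
}

# Build a constructed home directory: 755 directories as in the post, plus a
# 644 file standing in for a script's configuration.
make_sample_home() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/alice/cgi-bin"
    printf 'db_password=example\n' > "$base/alice/cgi-bin/config.inc"
    chmod 755 "$base/alice" "$base/alice/cgi-bin"
    chmod 644 "$base/alice/cgi-bin/config.inc"
    printf '%s\n' "$base"
}

# Demonstration on the constructed tree only.
demo=$(make_sample_home)
echo "before: $(count_other_access "$demo/alice") entries open to other users"
list_other_access "$demo/alice"
close_to_others "$demo/alice"
echo "after:  $(count_other_access "$demo/alice") entries open to other users"
rm -rf "$demo"
```

If pages or CGI scripts stop being served after the change, the web server is running as an unrelated account and needs search permission restored on the directories it must traverse, while the files themselves can stay closed.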



