[Gllug] Re: Insecure practices at my ISP
Mark Preston
mark at markpreston.co.uk
Sat Apr 5 15:02:43 UTC 2003
Hi all,
Thanks Garry for pointing out all these details about the Plusnet sites.
I guess I must be one of the 1700 odd people whose Plusnet site is not
as secure as it could be. I would be grateful if you could detail how to
change the permissions on the two home directories
http://www.<username>.plus.com/
http://cgi.<username>.plus.com/
I have no experience of using telnet.
I have been experimenting with php on my http://cgi.<username>.plus.com/
site. The php pages have to remain outside the cgi-bin directory and I
am not sure I know what or how to adjust the permissions on the
directory they reside in, so as to make them as secure as possible
without affecting their usability. I have some pages in directories I
have created, but I think that I need to offer world read access to
enable some functions to work. What is the point of denying group read
access in such cases? There is a quiz set up and some permissions need
to be quite liberal to enable the pages to be monitored and scoring
entered into the database.
BTW I agree with Jason that you can write your own scripts - see
http://cgi.lisapreston.plus.com/quiz/firstscores.php
for one of my pages derived from one of my scripts.
You can also effectively get command line access to your database by
using the admin pages on the PlusNet site. Go to www.plus.com, log in and
then activate your MySQL administration. Once it is active, go to website
settings, click on the MySQL icon, log in with your MySQL database
password and click on Query tables.
See
http://www.lisapreston.plus.com/quiz200302/quizfeb03/plusnet.jpg
for a screenshot example. BTW I have sorted out my gpg problem by
finding an old backup of my secring.gpg with the correct "gobbledegook".
No idea what would be required otherwise to rectify the problems.
Regards,
Mark Preston
On Fri, 4 Apr 2003, Garry Heaton wrote:
> In response to the question as to why give users telnet accounts, the
> accounts at PlusNet are also a gateway into the MySQL server and without the
> command-line access you're limited to whatever features are built into the
> average HTML-based MySQL admin interface.
No you are not. You can write your own scripts to manage your mysql
database.
My experience however is that most users are perfectly happy with
phpmyadmin to handle everything except dump and batch inserts. The only
problem with the latter is that for large databases they tend to suffer
HTTP timeouts.
Jason Clifford
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug