[Gllug] Re: Insecure practices at my ISP

Mark Preston mark at markpreston.co.uk
Sat Apr 5 15:02:43 UTC 2003


Hi all,
Thanks Garry for pointing out all these details about the Plusnet sites.
I guess I must be one of the 1700-odd people whose Plusnet site is not 
as secure as it could be. I would be grateful if you could detail how to 
change the permissions on the two home directories
http://www.<username>.plus.com/
http://cgi.<username>.plus.com/
I have no experience of using telnet.
I have been experimenting with php on my http://cgi.<username>.plus.com/
site. The php pages have to remain outside the cgi-bin directory and I 
am not sure I know what or how to adjust the permissions on the 
directory they reside in, so as to make them as secure as possible 
without affecting their usability. I have some pages in directories I 
have created, but I think that I need to offer world read access to 
enable some functions to work. What is the point of denying group read 
access in such cases? There is a quiz set up and some permissions need 
to be quite liberal to enable the pages to be monitored and scoring 
entered into the database.
BTW I agree with Jason that you can write your own scripts - see
http://cgi.lisapreston.plus.com/quiz/firstscores.php
for one of my pages derived from one of my scripts.
You can also effectively get command line access to your database by 
using the admin pages on the PlusNet site. Go to www.plus.com, log in and 
then activate your MySQL administration. Once it is active, go to website 
settings, click on the MySQL icon, log in with your MySQL database 
password and click on Query tables.
See

http://www.lisapreston.plus.com/quiz200302/quizfeb03/plusnet.jpg

for a screenshot example. BTW I have sorted out my gpg problem by 
finding an old backup of my secring.gpg with the correct "gobbledegook". 
No idea what would be required otherwise to rectify the problems.
Regards,
Mark Preston

On Fri, 4 Apr 2003, Garry Heaton wrote:

 > In response to the question as to why give users telnet accounts, the
 > accounts at PlusNet are also a gateway into the MySQL server and without the
 > command-line access you're limited to whatever features are built into the
 > average HTML-based MySQL admin interface.

No you are not. You can write your own scripts to manage your mysql
database.

My experience however is that most users are perfectly happy with
phpmyadmin to handle everything except dump and batch inserts. The only
problem with the latter is that for large databases they tend to suffer
HTTP timeouts.

Jason Clifford


-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug



