Hello, 

I recently was able to find a web-hosting company that runs FreeBSD. The
service, I signed up for, allows me to have a SSH access including
series of other services, such as CGI-BIN, Tomcat. On the same machine
that my domain is hosted, there are many other accounts; it's not a
virtual hosting, where I have a root access to my machine. 

On the first day, I discovered that I had to make my files publicly
available so that Apache could pick up my scripts and run them, which I
definitely thought it was not good idea. The only security measures this
company took was that you could not 'ls' up to other people's account,
but I know that if you know the directory structure you can open
anyone's script and look into the content which could reveal a password
and the logic of their code. On top of that, locate-database has all the
directory structure, which is available to anybody. 

So, a couple of things I tried to do, which weren't successful. I took
away permission from others by chmod 740. And also, to grant apache
only, I tried to chown to nobody group (apache is running under this
group) which I could not do because I was not part of nobody group. I
tried to put nobody user under my group, I was not able to. The only
solution I see is ask their admin to put nobody user to my group. Or to
have some sort of ACL, so I can explicitly grant permission to nobody
user. 


Please help. Is there any tool that allows me to overcome this obstacle?
I will not reveal any information about this company, for obvious
reasons, except that they're running: "FreeBSD 4.7-RELEASE".
Eventually, I am planning to tell them to fix their security problem,
but I need to make a research before I do this, which I'm doing by
asking your expertise. 


Thank you,

DT.



_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to