Hello, I recently was able to find a web-hosting company that runs FreeBSD. The service I signed up for allows me to have SSH access, including a series of other services such as CGI-BIN and Tomcat. On the same machine where my domain is hosted, there are many other accounts; it's not virtual hosting where I have root access to my machine.

On the first day, I discovered that I had to make my files publicly available so that Apache could pick up my scripts and run them, which I definitely thought was not a good idea. The only security measure this company took was that you could not 'ls' up to other people's accounts, but I know that if you know the directory structure you can open anyone's script and look into the content, which could reveal a password and the logic of their code. On top of that, the locate database has all the directory structure, which is available to anybody.

So, a couple of things I tried to do, which weren't successful. I took away permission from others with chmod 740. And also, to grant access to Apache only, I tried to chown to the nobody group (Apache is running under this group), which I could not do because I was not part of the nobody group. I tried to put the nobody user in my group; I was not able to. The only solution I see is to ask their admin to put the nobody user in my group, or to have some sort of ACL, so I can explicitly grant permission to the nobody user.

Please help. Is there any tool that allows me to overcome this obstacle? I will not reveal any information about this company, for obvious reasons, except that they're running "FreeBSD 4.7-RELEASE". Eventually, I am planning to tell them to fix their security problem, but I need to do some research before I do this, which I'm doing by asking for your expertise.

Thank you,
DT.
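
Added example, not part of the original post: a small model of the standard UNIX owner/group/other read check, applied to the three setups the message describes (world-readable, chmod 740, and chmod 740 with the nobody user added to the owner's group). The account names and uid/gid numbers are constructed, and it assumes Apache runs as user nobody in group nobody.

```python
import stat

def can_read(mode, file_uid, file_gid, uid, gids):
    """Classic UNIX check: only the first matching class is consulted."""
    if uid == 0:                      # root bypasses the permission bits
        return True
    if uid == file_uid:               # owner class
        return bool(mode & stat.S_IRUSR)
    if file_gid in gids:              # group class
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)  # everyone else on the machine

# Constructed accounts as (uid, set of gids); every number here is made up.
OWNER_UID, OWNER_GID = 1001, 1001            # the poster's account and group
NEIGHBOUR = (1002, {1002})                   # another customer on the same host
NOBODY = (65534, {65534})                    # Apache as the poster found it
NOBODY_IN_OWNER_GROUP = (65534, {65534, OWNER_GID})  # after the admin change

def exposure(mode, apache):
    """Who can read a script owned by the poster with the given mode?"""
    return {
        "apache": can_read(mode, OWNER_UID, OWNER_GID, *apache),
        "neighbour": can_read(mode, OWNER_UID, OWNER_GID, *NEIGHBOUR),
    }

SCENARIOS = [
    ("world-readable, as the host requires", 0o744, NOBODY),
    ("chmod 740, nobody not in owner's group", 0o740, NOBODY),
    ("chmod 740, nobody added to owner's group", 0o740, NOBODY_IN_OWNER_GROUP),
]

def report():
    """Return (label, octal mode, exposure) for each scenario above."""
    return [(label, oct(mode), exposure(mode, apache))
            for label, mode, apache in SCENARIOS]

if __name__ == "__main__":
    for label, mode, result in report():
        print(f"{label:45} {mode}  {result}")
```

The same class selection applies to the search (execute) bit on each parent directory, which this model leaves out.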