Writing in news:alt.www.webmaster
From the safety of the The Good Stuff Company of the UK cafeteria
Mark Goodge <usenet.TakeThisOut@listmail.good-stuff.co.uk> said:
> On Fri, 23 Dec 2005 23:08:47 +0100, Jim put finger to keyboard and
> typed:
>
>>> If you need to ask, perhaps you should be asking yourself if you
>>> should even be considering doing this?
>>
>> All the tutorials I've read don't seem to have a problem with a chmod of
>> "others" to write. But I would like to know what it really means.
>
> It means that anyone with access to the server can change the content
> of your files. In a shared hosting environment, that means other
> customers of your web host.
>
>> Can any
>> hacker change the content of a 666 file (or a 622 file) in a 755 website
>> directory? or do they still need ftp access to change the data file?
>
> They would need legitimate access, such as an account on the server.
Yes - this is a considerable worry.
> So, in practice, it's not a major risk as anyone who did alter your
> files could be thrown off by the hosting company.
after the damage is done.
> And, given that
> there's no simple alternative in a shared environment anyway (as the
> only way you can usually give access to the web server software to
> alter your files is to give access to everyone), it's a low-level risk
> that's commonly accepted in this kind of scenario.
No - I don't find this acceptable at all and is the primary reason we
don't offer open access shared hosting on our linux platform.
Having said that I'm no linux guru and I'm sure (well hope is more
accurate) the security model can be made to work in a satisfactory manner
- till then, we will only provide shared accounts on a Windows platform.
Now, I have no desire to start a religious war and will welcome any
constructive thoughts on the subject. In the new year I will be building
a test rig that only runs web site hosting, no db engine, no mail (except
that required to process contact forms) in an effort to focus attention on
the security aspects between user accounts. I'll probably base this on
Debian as it's the distro I'm familiar with. Having said that, site
developers (IME) tend not to care/ask about the o/s so maybe VMS would be
a better choice for an apache platform - or even (at the risk of upsetting
some) a Windows implementation. Both these alternatives appear to have a
much better security model for securing access between authorised accounts.
> The most important
> things to bear in mind are that you should never leave any sensitive
> data (such as passwords) in a file that can be modified by other
> people, and if the data contained in such files is important to the
> functionality of the site (such as a thread list in a forum) then you
> should take regular backups of it.
yes - this is integral to the mindset of admins but tends to be glossed
over by site developers who often seem to be blissfully unaware of the
issues.
--
William Tasso
Save the drama
for your Mama.
>> Stay informed about: chmod and security 
FAQ
Profile
Private Messages
Log in
