[nSLUG] Shared server qualms

Dop Ganger nslug at fop.ns.ca
Fri Aug 16 18:50:21 ADT 2002


On Wed, 14 Aug 2002, Miles Thompson wrote:

> All of my experience with Linux has been on boxes where I've pretty well 
> had the only account. I'm now working on a shared system in Edmonton where 
> I'm  thinking about locating a client's web site. I have SSH access.
> 
> I can move up the directory tree and see all the other users directories, 
> the contents thereof, and individual files, such as today.html. Permissions 
> are such that I can't edit or copy them. (I checked.)
> 
> I can also list the contents of etc/passwd.
> 
> Call me naive, but is this normal, or should I bail on this arrangement 
> before going any further? It's a BSD system and the provider is NetKnow 
> Canada (www.nk.ca).

You should be chrooted... It's not exactly complex, and if a webhost can't
manage that then I'd be concerned about how secure the rest of the setup
is. There's a faint possibility that you're chrooted and what you're
seeing is dummy information, but I doubt it.

On our servers all accounts are chrooted, both NT and Linux; sftp is the
only way to transfer information in, and even then only from permitted IPs
(the latter is one of the useful things about highly bespoke work - one
can set many more conditions for access than a "generic" web hoster). The
way I usually set it up is to have a root directory that the user is
chrooted from, then 2 directories below that; one is for the web content,
and the other is for content that needs to be accessed by scripts but
should not be accessible via HTTP (eg, include scripts that have database
passwords in them and the like). Users are explicitly told on signing up
that they are not permitted to log into the system for shell access (it's
a web server, not an irc client/compiler box/MUA reader/development
box/etc).

Sometimes it's good to be a fascist network admin :-)

Cheers... Dop.




More information about the nSLUG mailing list