[thelist] Able to get to other users on server folders

Darrell King darrell at webctr.com
Wed May 16 12:42:32 CDT 2001


Try this command:

ls -l /

...I think you will find that the ones you can get into without being denied will have a permission set ending like one of these:

... r--
... rw-
... rwx

Indicating that they are world-readable or better.

If you had root access, nothing would be denied.  Unless you belong to a very important user group, you are simply seeing file systems the sysadmin has made world readable for one reason or another.  That means anyone who can access the file system can read them.  This will usually be the case for directories that contain files all users share as a matter of course, and all directories intended to be accessed by the general public (such as HTML areas.)

The simple fact is that virtual servers are shared resources, and many people can access your files....at least to read them.  The situation gets even more complicated with CGI scripts, as they have to be executable by the user owning the web server as well as the virtual server owner.  It gets even worse when the CGI writes to disk, because then the disk file needs to be writable, at least for the duration of the write.

I try never to open the topic of security with a sysadmin of such a system unless I have the rest of the day to spare....:)


D



On Wed, 16 May 2001 13:29:05 -0400
"Gina K. Anderson" <gina at sitediva.com> wrote:

:|I don't think you have root access...you are just seeing file in
:|directories that are world readable.
:
:Well, I can see these folders:
:
:modules/
:root/
:sbin/
:stand/
:tmp/
:dev/
:etc/
:lkm/
:usr/
:
:and a bunch more files and stuff. That's as deep as I can get. I can't click on
:modules/ or root/ without a permission denied message. I can get into bin/,
:dev/, etc/, lkm/, lost+found/, sbin/, usr/, var/, home/, usr/src/sys/, and a
:bunch of others. I can download from at least a few of these. This is a Linux
:system.
:
:Gina
:


-- 


The Web Center, Inc.
http://webctr.com
admin at webctr.com
1/877.349.3230 | 1/716.349.3230

CGI Programming | Web Development | Database Programming
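An added example (not from Darrell's post or the list) that does the "ls -l" check above mechanically: it reads the last three characters of the permission column, says what everyone else on the shared box can do with the path, and runs over a constructed set of directories (a 755 HTML area, a 777 directory a CGI writes into, a 700 private one). The function and directory names are my own.

```shell
#!/bin/sh
# world_access MODE
#   MODE is the first column of `ls -l`, e.g. drwxr-xr-x or -rw-------.
#   The verdict depends only on characters 8-10, the "other" triplet,
#   which is the part that matters on a shared virtual server.
world_access() {
    mode=$1
    case $mode in
        [-dlbcps][-r][-w][-xsS][-r][-w][-xsS][-r][-w][-xtT]*) ;;  # trailing + or @ (ACLs) tolerated
        *) echo "not-a-mode-string"; return 1 ;;
    esac
    other=$(printf '%s' "$mode" | cut -c8-10)
    case $other in
        ---)              echo "private" ;;            # only owner and group get in
        r--|r-x|r-t|r-T)  echo "world-readable" ;;     # anyone with a login can read/list it
        *w*)              echo "world-writable" ;;     # anyone can change it: the CGI-writes-to-disk case
        --x|--t|--T)      echo "world-traversable" ;;  # can pass through, cannot list
    esac
}

# audit_path PATH
#   Runs `ls -ld` on PATH and prints "<verdict> PATH", so a whole
#   directory listing can be checked in a loop instead of by eye.
audit_path() {
    mode=$(ls -ld "$1" | cut -d' ' -f1) || return 1
    printf '%s %s\n' "$(world_access "$mode")" "$1"
}

# demo: constructed directories in a temp location, removed afterwards.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/public_html" "$tmp/cgi-data" "$tmp/private"
    chmod 755 "$tmp/public_html"   # web server user (and everyone else) can read
    chmod 777 "$tmp/cgi-data"      # left writable so a CGI can write: what to look for
    chmod 700 "$tmp/private"
    for d in "$tmp"/*; do audit_path "$d"; done
    rm -rf "$tmp"
}

# Uncomment to run the demo, or call audit_path on real paths from `ls -l /`:
# demo
```

`for d in /*; do audit_path "$d"; done` reproduces the check from the post over the root directory.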



