Welcome to the GeekTalk Webmaster Discussion Forums from GeekVillage.com
Old 07-02-2000, 07:39 AM   #1
CYBERWORLD
Registered User
 
Join Date: Sep 1999
Posts: 231
unix problem of web hosting. security problem.

Hello.. Recently I rented a web space from a new hosting company and discovered something interesting.

When I log in to my account by FTP, I can see my own files/directories (of course). To my surprise, when I change the location to the root directory or other directories which are NOT owned by me (probably owned by other users), I can see all the files and can even fetch them. These files include the whole structure of the UNIX system (like the sendmail program) and other users' files. As I think that it is a bug, I emailed the help desk. And they replied with this reason:

This is definitely a question that is asked by our users quite frequently.
I am sure you'll be surprised to hear that the system actually works exactly how it was
designed to work. If you check, you'll see that in fact you do *not* have full access to other users' files. If you want to make one of your directories inaccessible to the limited reading privileges available to all users, simply use CHMOD to change the permissions on that directory (or use our control panel security features when it's completed). The logic behind this is simple -- we're a web hosting firm, not a data storage facility -- if you're uploading something to your account, it should be readable by the web server, and if you don't want it readable (such as password files or secure data), then you need to CHMOD it properly. This is the only correct way to properly secure your data, aside from storing it encrypted one-way. Simply limiting you to your directory has many loopholes among other complications. We don't like misleading users into a false sense of security, and that's precisely why we allow all-system browsing. We have one of the most secure and thought-out systems on the net today.

Sure we can limit you to your own directory, but do you REALLY want a hosting firm
to mislead you into a false sense of security? You decide.

Well.. all the webmasters, the UNIX experts!! What do you think?? Is it a fact that our files (including those CGI scripts and data) can be accessed by others so easily??

[This message has been edited by CYBERWORLD (edited 07-02-2000).]
Old 07-02-2000, 08:43 AM   #2
regier
Registered User
 
Join Date: Jul 2000
Location: Edmonton, Alberta, Canada
Posts: 279

I have decided to remove this post. I was not intending to flame thinkhost as they have some of the best service that I have seen and are a very reliable company. I recommend them to anyone looking for a good host. I was just trying to answer the above question and give my experiences.

[This message has been edited by regier (edited 07-02-2000).]
Old 07-02-2000, 09:48 AM   #3
davidzon
Registered User
 
Join Date: Nov 1999
Location: Staten Island, NY
Posts: 56

Good afternoon folks,

Okey doke, let's answer questions one step at a time -- I wish you would have
taken the time to contact us before you started flaming : - )

First the 711 permission -- I am well aware, and was well aware of this,
well before either of you came on as users -- I've been working in the industry
for a good, oh, five years, and my staff are some of the most knowledgeable people
around. Let me summarize this very simply:

a. We have a lot of e-commerce users
b. A lot of the e-commerce users have no clue about security
c. I want them to be keenly aware that 711 will NOT protect their files! If
another user on the system knows the path to the file, the files are NOT
secured.

I am having our programming team make the 711 permission setting a part of our
control panel, so that users who want it will choose it, but I will NOT offer it
by default. You want to be misled into a false sense of security? Go to any other
competitor of ours, but I will NOT under any conditions mislead my clients.

What I want to see happen and what will happen is that 711 will become a part of
our control panel, and users will be able to select it the first time they log
in, probably right at the setup -- that is coming. However, they will have to
agree to a warning that will clarify exactly what they're doing. I will not, under
any conditions, mislead our users.

We do have one of the most secure set-ups anywhere -- you want IP-based filtering
for your account? Do you even know why your other host did that? They did it
to protect their own system, not you. If you don't realize that, I don't know
what to tell you. If I were you, I'd run from ANY web host that does filtering
like that because what that immediately screams to me is that their own web server
is not properly secured, and that they have to resort to outside filtering in order
to hide that. By the way, if you want IP-based filtering for your account, we
can set it up -- I just don't feel it's necessary by default because many users
use dynamic IPs which would be pretty tough to track. Our pop3 servers are secure,
and if users use poor passwords, well, that's not really something I can do much
about, aside from making sure that NO single user can get beyond their basic account.

Please give us the benefit of the doubt -- see what others have said about us, and
try to understand that we are not just another incompetent 13-year-old-powered web
host out there -- we have knowledgeable, caring staff, and although I appreciate your
concern I wish you had come to us before flaming us.

Have a great day, and good luck! :)

Sincerely,


Vladislav Davidzon <davidzon@thinkhost.com>
Senior Systems Administrator -- ThinkHost.Com Web Hosting Services
The smart choice for all your web hosting needs! (tm) http://www.thinkhost.com
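The 711 point above (execute-only on a directory hides the listing but not a known path) can be checked with a short audit. This is an added example, not code from the thread or from ThinkHost; it assumes only POSIX sh and find, and the "secret" file-name patterns are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or ThinkHost): audit a hosting account's
# tree for the exposure discussed above. A 711 directory (drwx--x--x) stops
# other accounts from listing it, but a 644 file inside it is still readable
# by anyone who knows its path. Assumes POSIX sh and find only.

# Print regular files under $1 that are readable by "other" (o+r, octal 004).
world_readable() {
    find "$1" -type f -perm -004
}

# Number of world-readable files under $1, trimmed so it compares as a number.
count_world_readable() {
    world_readable "$1" | wc -l | tr -d ' '
}

# Exit 0 if directory $1 can be listed by other users (o+r set), 1 otherwise.
# A 711 directory returns 1 here and still fails the world_readable audit for
# its contents: execute-only protects the listing, not the files.
dir_listable() {
    [ -n "$(find "$1" -prune -type d -perm -004 -print)" ]
}

# Strip the other-read/write bits from world-readable files under $1 whose
# names suggest stored secrets (constructed pattern list; adjust to your layout).
# Directories are left alone so the web server can still traverse them. Files
# that the web server process itself must read (when it does not run as your
# account) cannot be locked down this way; that is the trade-off in the reply.
tighten_secrets() {
    find "$1" -type f -perm -004 \
        \( -name '*.conf' -o -name '.htpasswd' -o -name '*.dat' -o -name '*.db' \) \
        -exec chmod o-rw {} \;
}
```

Run `count_world_readable ~/public_html` before and after `tighten_secrets` to see exactly which files a 711 home directory was never protecting.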
Old 07-02-2000, 10:00 AM   #4
singloon
GeekGuide
Join Date: Jan 2000
Location: Brisbane, Australia
Posts: 2,167

Well, I know virtually nothing about Unix, just the instructions I follow on my host's FAQ page...

I was able to restrict users to their own directory following the instructions set out at my host's FAQ.

Haven't a clue if it applies to your situation but thought I'd mention it :D



------------------
Evangelion in the 21st century
Eva2000.com
Australian Star Wars Prequels
ThePrequels.net
Anime2001 Network
Anime2001.com
Coming soon...
TheDesktopThemes.com Wallpapers
Animeboards Forums
Old 07-02-2000, 10:13 AM   #5
davidzon
Registered User
 
Join Date: Nov 1999
Location: Staten Island, NY
Posts: 56

Hrm, I don't think that applies to us -- the FAQ is for either a reseller or a dedicated server.

Have a great day, and good luck! :)

Sincerely,


Vladislav Davidzon <davidzon@thinkhost.com>
Senior Systems Administrator -- ThinkHost.Com Web Hosting Services
The smart choice for all your web hosting needs! (tm) http://www.thinkhost.com

Old 07-02-2000, 04:33 PM   #6
CYBERWORLD
Registered User
 
Join Date: Sep 1999
Posts: 231

I understand that when different web sites are on the same server, a user can access another's files in some ways (a friend of mine can write a CGI script to do so).

Anyway, I am not going to complain any more, as you mentioned that we can change it in the control panel later. I just hope the control panel will be available soon.

:) :)

[This message has been edited by CYBERWORLD (edited 07-02-2000).]
Old 07-03-2000, 06:18 AM   #7
davidzon
Registered User
 
Join Date: Nov 1999
Location: Staten Island, NY
Posts: 56

Control panel is coming in the next few weeks -- our policy is not to release anything to the users until it's been thoroughly tested and gone through.

Also, the way it's being designed, we're going to be able to add features on an on-going basis as users want them, so if things go by plan, this thing is going to be EXTREMELY powerful. The features it's going to start off with will, of course, hands-down beat most any control panel in existence today though :)

Hang in there :) :) :) :) :)

Sincerely,


Vladislav Davidzon <davidzon@thinkhost.com>
Senior Systems Administrator -- ThinkHost.Com Web Hosting Services
The smart choice for all your web hosting needs! (tm) http://www.thinkhost.com
Old 07-03-2000, 11:00 PM   #8
regier
Registered User
 
Join Date: Jul 2000
Location: Edmonton, Alberta, Canada
Posts: 279

That's good to hear. I look forward to seeing it.



------------------
http://www.1place4all.com
http://www.atmypage.com
Old 07-06-2000, 07:54 PM   #9
davidzon
Registered User
 
Join Date: Nov 1999
Location: Staten Island, NY
Posts: 56

Regier: thanks for your support!
Old 07-06-2000, 09:42 PM   #10
regier
Registered User
 
Join Date: Jul 2000
Location: Edmonton, Alberta, Canada
Posts: 279

Not a problem. I realize that you are a new company, and it takes a while to get everything set up the way you want it. It looks like you are heading in the right direction though. Any time I have questions, you respond with prompt and professional service which means a lot in a hosting company.

Old 07-08-2000, 01:15 PM   #11
davidzon
Registered User
 
Join Date: Nov 1999
Location: Staten Island, NY
Posts: 56

Update:

We have altered our security model to support our users' requests.

Please see http://www.sitepoint.com/forums/Foru...ML/000417.html for more information.

Permissions have been tightened up as much as possible, and we're looking at pretty much rewriting apache for our needs.

Sincerely,


Vladislav Davidzon <davidzon@thinkhost.com> :-)
Senior Network Administrator - ThinkHost Web Hosting Services
The smart choice for all your web hosting needs! (tm) http://www.thinkhost.com

Old 07-08-2000, 02:12 PM   #12
regier
Registered User
 
Join Date: Jul 2000
Location: Edmonton, Alberta, Canada
Posts: 279

Thanks for the update.


------------------
http://www.1place4all.com
http://www.atmypage.com
Old 07-08-2000, 04:27 PM   #13
davidzon
Registered User
 
Join Date: Nov 1999
Location: Staten Island, NY
Posts: 56

Regier,

You're welcome. I guess scaring our users out of their minds wasn't the best tactic for forcing people to encrypt their credit card data, eh? :)

We've changed course, as requested by users.

Sincerely,


Vladislav Davidzon <davidzon@thinkhost.com> :-)
Senior Network Administrator - ThinkHost Web Hosting Services
The smart choice for all your web hosting needs! (tm) http://www.thinkhost.com
Old 07-08-2000, 05:08 PM   #14
regier
Registered User
 
Join Date: Jul 2000
Location: Edmonton, Alberta, Canada
Posts: 279

Originally posted by davidzon:
> I guess scaring our users out of their minds wasn't the best tactic for forcing people to encrypt their credit card data, eh? :)

Probably better that they get scared in a harmless way like this instead of them being scared because a hacker now has all their data. I guess whatever does the trick :)

------------------
http://www.1place4all.com
http://www.atmypage.com