Accessing System Owners Files

Accessing System Owners ' Files

As a rule, the owners of a resource located on a hosting server protect their files well enough.

Most hosting companies offer access to their clients ' files using FTP. An FTP server on a hosting server is configured so that authentication and authorization are required. An authorized user can access only his or her home directory for reading and writing.

Clients cannot read and especially cannot change files outside their directories.

The root Web directory of a site is often a subdirectory of the site owner's home directory. This allows the user to have files and directories that are available only to him or her for reading and that are inaccessible using HTTP. A list of files in a user's home directory can be as shown in the next example.


 -bash-2.05b$ cd ~ -bash-2.05b$ ls -la total 2238 drwxr-xr-x  25 user     user     512 Aug 24 18:23 . drwxr-xr-x  20 root     wheel    512 Nov 18 14:28 .. -rw-------   1 user     user    7219 Dec 10 21:12 .bash history -rw-r--r--   1 user     user     771 Apr 27  2004 .cshrc -rw-r--r--   1 user     user     248 Apr 23  2004 .login -rw-r--r--   1 user     user     158 Apr 23  2004 .login_conf -rw-------   1 user     user     276 Apr 23  2004 .rhosts -rw-r--r--   1 user     user     975 Apr 27  2004 .shrc drwxr-xr-x   6 user     apache   512 May  1  2004 httpd drwxr-xr-x   3 user     user     512 Apr 23  2004 mail drwxrwxrwx  13 user     user     512 Apr 28  2004 share 

In general, this solution proves to be good.

In some cases, access for reading and writing (changing attributes) to files belonging to the user is insufficient for setting the system. For example, he or she might need access to certain server commands such as setting the cron daemon so that certain commands execute according to a certain schedule. For another example, the user might need to install specific software.

When this is required, access using the secure shell (SSH) protocol is arranged.

Giving users additional rights such as a right to execute any command can weaken both the security of the hosting server and the security of the sites it hosts .

Although server security is a concern of the hosting administrator, the security of a particular site is a concern of its owner. As a result, it is common that one of the hosting company's clients can read and sometimes execute files belonging to another user.

If this situation is likely in your hosting company, you should develop your system or site with the assumption that the code of your scripts can be disclosed.

A hosting server can be configured so that it is difficult for users to access files belonging to other users. This can be done by restricting options of the command line. Depending on a particular implementation, the host can use various methods to protect the users of a system from the users of other systems.

Hacker Web Exploition Uncovered
Hacker Web Exploition Uncovered
ISBN: 1931769494
Year: 2005
Pages: 77 © 2008-2017.
If you may any questions please contact us: