Permissions for home directories

Systems administrators are usually paranoid about remote, anonymous black-hat attackers finding and exploiting holes in their security. What is often disregarded is security against the system's own known users. A lack of protection there can be tolerated in a small group bound by some sort of trust, but there is no excuse for it when, as on a shared host, the other users are effectively still anonymous strangers.

I happened to come across a highly recommended and fairly expensive shared web host that missed a very obvious point of systems security: world-readable home directories.

With shared web hosts, upon completion of the registration process each customer is usually granted a system user account whose home directory is created by the tool adduser. On a number of UNIX-like systems (e.g. Debian, Ubuntu, Mac), home directories are created with mode 0755 by default. That means every other local user can list a user's home directory, and any file inside it that is itself world-readable (the usual 0644 that a default umask of 022 produces) can be read by all of them too. That is alarming, especially if users are not warned beforehand to keep sensitive data out of their home directory.

I wrote a (support) ticket to the hosting company about this, and told them that home directory permissions should, at the very least, be 0751. But of course. I found a huge database dump of another user with whom I shared my web host, and I am sure as hell I could earn thousands selling the IP addresses in there, if any. The CEO of the company replied, saying that they were actually aware of the permissions but that there would be problems with Apache and other applications the users might need if the permissions were changed. Silly excuse. I was also assured that they constantly monitored activity and warned users if they found them storing private data for everyone to see. What about the database dump I found? I suggested that they make use of user groups, and insisted that they still change the adduser configuration. Finally, he informed me that they were already finding ways to resolve the application requirement issues, and had already changed the default setting for adduser.

If the default home directory permissions are a concern on your system, take a look at DIR_MODE in /etc/adduser.conf (Debian and its derivatives):

# If DIR_MODE is set, directories will be created with the specified
# mode. Otherwise the default mode 0755 will be used.
DIR_MODE=0751

Changing DIR_MODE only affects accounts created afterwards; existing home directories keep their old mode and must be changed by hand. Be clear about what 0751 buys you, too: other users lose the ability to list the directory, but the execute bit still lets them traverse it, so a file whose path is guessable (public_html/config.php, say) and which is itself world-readable remains readable. Files that must stay private need a restrictive mode of their own as well.
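The following is an added example, not part of the original post, showing how to find the existing home directories that DIR_MODE will not retroactively fix and how to bring them down to the 0751 style the post recommends. It assumes a GNU or BSD find (for -mindepth/-maxdepth) and, because it must not touch a real /home, builds a constructed demo tree of three home directories in a temporary directory.

```shell
#!/bin/sh
# Added example: audit and harden existing home directories.
# Assumes GNU or BSD find (-mindepth/-maxdepth); the demo tree is constructed.

# List each directory directly under $1 whose "other" read bit is set,
# i.e. homes that every local user can list (the 0755 adduser default).
world_readable_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm -o+r | sort
}

# Number of such directories, for use in scripts and checks.
count_world_readable_homes() {
    world_readable_homes "$1" | wc -l | tr -d ' '
}

# Remove other's read and write bits but keep the search (x) bit, so a
# 0755 home becomes 0751: not listable by other users, still traversable
# by services such as the web server that need to reach public_html.
harden_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -exec chmod o-rw {} +
}

# Symbolic mode string of one path, e.g. "drwxr-x--x".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Constructed demo tree (hypothetical users alice, bob, carol) standing in
# for /home so the example can run without touching real accounts.
make_demo_tree() {
    base=$(mktemp -d)
    mkdir "$base/alice" "$base/bob" "$base/carol"
    chmod 0755 "$base/alice"   # the old adduser default: listable by all
    chmod 0751 "$base/bob"     # what the post recommends
    chmod 0700 "$base/carol"   # private; nothing to fix
    # A world-readable file (0644, the usual umask result) inside the
    # world-listable home: exactly the database-dump situation in the post.
    printf 'INSERT INTO users VALUES (1, "alice", "203.0.113.7");\n' > "$base/alice/dump.sql"
    chmod 0644 "$base/alice/dump.sql"
    printf '%s\n' "$base"
}

# Run with "--demo" to see the audit before and after hardening.
if [ "${1:-}" = "--demo" ]; then
    base=$(make_demo_tree)
    echo "world-readable homes before: $(count_world_readable_homes "$base")"
    world_readable_homes "$base"
    harden_homes "$base"
    echo "world-readable homes after:  $(count_world_readable_homes "$base")"
    for u in alice bob carol; do
        echo "$u $(mode_of "$base/$u")"
    done
    rm -rf "$base"
fi
```

Against a real system you would call world_readable_homes /home to see who is exposed and harden_homes /home to fix them; note that dump.sql in the demo stays 0644 afterwards, which is why the directory mode alone is only half of the fix.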

If you manage a web host and need to keep the users' applications running, look into user groups: for example, add the web server's user to each customer's primary group and set the home directory to 0750, so that Apache can traverse the directory while other customers cannot.
