I tried this out with two of my user names on the same server. Using UserA I was able to access the logs and index file of UserB (using nano to view the files).
However, I was not able to get a directory list using “ls” and I was denied access to the index file to make changes. I was able to use tab completion for directories and files, but without knowing the domains a user is controlling, it’s not easy to get access to files.
I cannot actually move into the directories (using “cd foo”) but have to access them within UserA’s directory.
It seems to me this is something of a security threat, but rather low priority - assuming that only other users on my machine can view files. But if someone compromises one domain on a server, does that mean that they/it can also get at my domains - taking out an entire server?
Here’s a good example of a security threat:
I happen to know that UserA has doman.com with a Movable Type install in a directory called MT3. Using nano I was able to view mt.cfg and mt-db-pass.cgi. Now I have all the information I could need or want about this database and domain.
Does something need to be changed on our servers, or is this a non-issue because of the needed prior information about user directories?
-Matttail
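
An added example, not part of the original post: a Python audit that an account owner could run over their own home directory to see what the Unix "other" permission bits expose to other local accounts, including directories that can be traversed but not listed. The tree is constructed; the names MT3, mt.cfg and mt-db-pass.cgi come from the post, while example.com, private/notes.txt and every mode are assumptions, and directories above the audited root are not checked.

```python
import os
import stat
import tempfile

def other_bits(mode):
    """Render the permission bits applied to accounts outside owner and group."""
    flags = (("r", stat.S_IROTH), ("w", stat.S_IWOTH), ("x", stat.S_IXOTH))
    return "".join(c if mode & bit else "-" for c, bit in flags)

def audit_other_access(root):
    """Return sorted (path, kind, bits) for entries other local accounts can reach."""
    findings = []
    def visit(directory):
        for entry in os.scandir(directory):
            mode = entry.stat(follow_symlinks=False).st_mode
            bits = other_bits(mode)
            rel = os.path.relpath(entry.path, root)
            if stat.S_ISDIR(mode):
                if bits != "---":
                    findings.append((rel, "dir", bits))
                if mode & stat.S_IXOTH:  # without x, nothing inside can be opened
                    visit(entry.path)
            elif stat.S_ISREG(mode) and bits != "---":
                findings.append((rel, "file", bits))
    if os.stat(root).st_mode & stat.S_IXOTH:
        visit(root)
    return sorted(findings)

def build_sample_tree(home):
    """Constructed sample: file names from the post, modes are assumptions."""
    layout = {
        "example.com/MT3/mt.cfg": 0o644,          # readable by any account
        "example.com/MT3/mt-db-pass.cgi": 0o600,  # tightened to owner only
        "private/notes.txt": 0o644,               # shielded by its 0700 parent
    }
    for rel, mode in layout.items():
        path = os.path.join(home, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    # Mode 0711: others may pass through by name but cannot list the entries.
    for rel, mode in (("example.com/MT3", 0o711), ("example.com", 0o711),
                      ("private", 0o700), ("", 0o711)):
        os.chmod(os.path.join(home, rel), mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:
        build_sample_tree(home)
        for finding in audit_other_access(home):
            print(*finding, sep="\t")
```

A directory reported as `--x` matches the situation in the post where a file can be opened by its full path even though the directory cannot be listed.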