Changes in security in DH


#1

Has anyone else noticed that it is no longer possible to list the content of /home on your servers?
At least that’s happening to me in Fresca@DH.
Also, I can no longer change the group of any of my users’ home folders.
I’ve emailed support; let’s see what they say about it.

Oh, and there’s a new option when you create a new user:
“Enhanced Security”.


BUGabundo :o)
promo here
50$ discount with promo code “BUG50” on ALL plans
Free lifetime Domain with “BUGDOMAIN” promo code


#2

Nice!

The SSH thing bothered me because it was easy to pull stuff from other users’ accounts, if you knew what type of common CMS or script they were using.

I sent DH a letter quite a while ago letting them know what was possible, hoping it would get tightened up. I hadn’t seen the complete process made public at that time… but I also wasn’t dumb enough to think I was the only one that could figure it out. :stuck_out_tongue:

I wonder how long it’s been this way? Have you tried to ls /home recently with success?


:stuck_out_tongue: Save up to $96 at Dreamhost with ALMOST97 promo code (I get $1).
Or save $97 with THEFULL97.


#3

Well, after a LONGGGGG chat with support, I finally made all I need.
Plus I got lots of new intel on the new system, and I’m not going to put it here (public) on the forum for the same reason that you mentioned.
After several complaints and a “freakout” from a few users that were able to list the other users, /home has been “tightened up”.

from support:

[quote]Actually even in /home you wouldn’t show the permissions as they are all just symlinks and no it wasn’t necessary as obviously anyone with a little bit of Linux knowledge can see all the users from looking at /etc/passwd but we had lots of people freaking out with sftp/shell that they could see all the users (even if they couldn’t enter them) so we decided to cut down on people that freak out for no good reason by locking down home.[/quote]

BUGabundo :o)


#4

I was never actually bothered by seeing all the users so much, but more by the fact that you could get stuff out of their directories–like user names and passwords, even in PHP files.

I’ll just say that way could’ve easily been stopped at the user level by not using /home/user/domain.com, but rather something like /home/user/something-random-and-hard-to-guess/domain.com (assuming you can’t get the site to spit an error that reveals that path. :wink: )

I’d imagine fixing that was part of the process, but even if it’s not, blocking the list of users would mostly stop anyone that wanted to try it now.


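
Added example, not part of any post in this thread: the distinction the posts above turn on, between files another local account can find by listing directories and files it can read only if it already knows or guesses the path, can be checked on your own account from the "other" permission bits. The directory names and modes in `build_demo_tree` are constructed for illustration.

```python
import os
import stat
import tempfile

def classify(path, root):
    """Exposure of `path` to other local accounts, judged only from the
    "other" permission bits (ownership, groups and ACLs are ignored)."""
    if not os.stat(path).st_mode & stat.S_IROTH:
        return "private"                  # the file itself is not o+r
    rel = os.path.relpath(os.path.dirname(path), root)
    current, listable = root, True
    for part in [""] + [p for p in rel.split(os.sep) if p != "."]:
        current = os.path.join(current, part)
        mode = os.stat(current).st_mode
        if not mode & stat.S_IXOTH:
            return "private"              # others cannot traverse this directory
        if not mode & stat.S_IROTH:
            listable = False              # traversable, but names cannot be listed
    return "discoverable" if listable else "known-path-only"

def audit(root):
    """Map each file under `root` (relative path) to its classification."""
    report = {}
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            report[os.path.relpath(full, root)] = classify(full, root)
    return report

def build_demo_tree():
    """Constructed sample layout; every name and mode here is made up."""
    root = tempfile.mkdtemp()
    dirs = {"": 0o755, "example.com": 0o755, "hidden": 0o711,
            "hidden/k3x9-example.com": 0o755, "locked": 0o700,
            "locked/example.org": 0o755}
    files = {"example.com/config.php": 0o644, "example.com/secret.php": 0o600,
             "hidden/k3x9-example.com/config.php": 0o644,
             "locked/example.org/config.php": 0o644}
    for rel in dirs:
        os.makedirs(os.path.join(root, rel), exist_ok=True)
    for rel in files:
        open(os.path.join(root, rel), "w").close()
    for rel, mode in {**dirs, **files}.items():
        os.chmod(os.path.join(root, rel), mode)
    return root

if __name__ == "__main__":
    for rel_path, exposure in sorted(audit(build_demo_tree()).items()):
        print(f"{exposure:16} {rel_path}")
```

A `known-path-only` result means the hard-to-guess directory name is the only thing standing between the file and other accounts, and it only helps because the parent directory cannot be listed.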


#5

After my initial creation of domains in my home folder, I started using “special” folders to host them.
But my biggest problem is that already hosted domains will not move to the new path if I change it on the DreamHost panel.

Is it just me, or is this some kind of bug?


BUGabundo :o)


#6

Do you mean that something actually goes wrong, or it just keeps pointing to the old location?

I just did a quick test and this works:

cp -r example.com asdf-example.com

Then, edited the domain in the CP and just changed the path, then saved the fully hosted settings.

It took effect in less than a minute.

Now, if you’re changing it to a directory that doesn’t already exist, I’m not sure if that would be the problem or not. I created it first and manually copied the site into it, then entered it in the CP.

Does that help?




#7

I tried it backwards.
I changed the domain on the DH panel, and then tried to see the page.
The content was not moved, and I could still see the old dir.


BUGabundo :o)


#8

That’s odd. When you go back to the panel, does it show the directory you changed it to, or the old one?

If it shows the old one, then that would almost seem like a safety-check that was detecting that the new entry didn’t exist.

You could always do it the way I said, then simply remove the old directory once you know it’s up and running.

For my test, I just put a comment in the index file so I knew it was loading from the new directory. You could either do that, or just add a new file in the new directory that isn’t in the old one.




#9

I’ll give it a new try, and let you know.

P.S. I changed the subject of this thread.


BUGabundo :o)