Full read access to everything?


#1

After setting up a new shell account, I noticed that from home I can cd …/myaccount and have full read access to everything, including sql passwords saved in php files, “proprietary” php code, and so forth.

Is everything I have open to unrestricted read access by anyone on dreamhost with any shell account, or did this one inherit privileges since it’s on the same dreamhost account? I don’t know how to chmod.

At any rate, the real issue: I want to give someone full access to 2 of my folders (which are 2 .org domains this person will be helping me with). Can I move all the hosting for these sites to his account, or give him write access to the folders in my account? If possible, can I set it up so they can only access these 2 folders, and not cd …/me and see everything?


What do you mean by “RL”? Hang on, lemme check wikipedia…


#2

The very first thing you should do is make sure Enhanced User Security is turned on:
http://wiki.dreamhost.com/Enhanced_User_Security

Typically, the default setting is for you to have full privileges, but Group and Others/Everybody have read access. You can go to your home directory and type ‘chmod -R o-rw’ to take away read/write access for "o"thers "R"ecursively (everywhere). Or do it only to the files you want by going to each directory and typing ‘chmod o-rw FILENAME’.

As to your issue, it’s difficult, but not impossible, to give someone full access to two of your folders, but Enhanced User Security will kill that.
http://wiki.dreamhost.com/Unix_Groups
If this is your choice, you’ll have to disable Enhanced User Security, which may require help from Support.

Or you can Remap, if you don’t need access to two of those folders:
http://wiki.dreamhost.com/KB_/Account_Control_Panel/Domains::_Remap_Sub-Dir

-Scott


#3

Go to Panel > Domains > Manage Domains and click Edit next to the domain in question.

  • FTP user / CGI-runs-as user: Select the other user

  • Copy domain’s files to new user? Checked

  • Click Change fully hosted settings now!

Repeat at any time to move the domain back to your user.

Maximum Cash Discount on any plan with MAXCASH

How To Install PHP.INI / ionCube on DreamHost


#4

chmod -R o-rw blocks ALL read access to everything, including http and web browsers, which makes the page totally inaccessible. I’m only concerned with blocking the actual contents of php files (which contain passwords that would allow someone to easily log in and wipe my databases) from direct access by other dreamhost users on the same server.




#5

chmod 0640 (if you want to retain group read) or 0600 for user lockdown.



#6

#7

I don’t know what “retain group read” or “user lockdown” means. I just want to make it so that the contents of .php files (which hide passwords to web browsers) also hide contents to you guys.

Just want to make sure all my passwords and database access are not visible to everyone who uses dreamhost.




#8

The web server runs as you, so chmod -R o-rw won’t break it. In fact, you can even chmod -R go-rw and it will still work.

For just a file, type:
chmod o-rw FILE.php

-Scott


#9

Hmm, ok, so I went to the home for the domain and did chmod o-rw * -R. All the words are there, but the images don’t display.

chmod o-rw domain.com -R causes everything to return forbidden errors.

I set everything back (just guessed it was chmod o+rw * -R, which seems to have worked), and did chmod o+rw *.php -R. Not sure if it did anything…




#10

0640 (or 0600) will prevent everyone but your group (or user) from reading any content.



#11

Interesting. I’ve never tried the Read Only for images, and now see that it does break. (Takes note). I wonder why that is.

-Scott


#12

First of all, he wasn’t changing “read only” permissions. He was setting “other/public - no read, no write.”

Second, DreamHost runs Apache under the user ‘dhapache’ and thus if there is no other/public permission to read a file, Apache can’t serve it as content.

You might have confused the fact that DreamHost uses suexec to run CGI programs as the customer user, in which case a CGI program can certainly open an image file that can only be read by the owner and output it as content for Apache to serve to the visitor. CGI programs can be “other/public - no read” and must be “other/public - execute, no write” by the way.

openvein.org -//-


#13

I wasn’t very thorough with my “read only” description. I was going with the “owner read only” thought. And further experimentation shows that non-parsed files, such as .html and images, require read by dhapache, which means Others must be able to read that file.

So use “chmod go-rw” for config files and anything else you don’t want others reading.

-Scott


#14

From the home folder, ran: chmod go-rw domain.org -R. This causes the entire website to return 403 forbidden errors. chmod go-rw *.php -R -v shows that it’s not going through subfolders.

Let me clarify the concern here, because this may not even be necessary. I created a new shell account for development help, and the person I made it for noticed he can cd …/myusername and view the contents of my .php files, including sql passwords, etc.

This got me worrying: is this only because his shell account was created under my dreamhost account, or can any dreamhost user get access to contents of my .php files? In 4 years with dreamhost I’ve never had any problems as far as I know, but I would prefer that some bored/curious dreamhost user doesn’t cd …/myaccount, cat index.php and get my sql password, and drop 4 years of sql tables.


What do you mean by “RL”? Hang on, lemme check wikipedia…
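
An added example (not posted by anyone in this thread) of the selective lockdown that posts #13 and #14 are working toward: `find` walks every subfolder and changes only `*.php` files, so directories and static files keep the "other" read bit the separate web-server user needs. It assumes PHP runs as the file owner, as described above; the function names and the `example.org` sample tree are constructed for illustration.

```shell
#!/bin/sh
# Assumption (from the thread): PHP executes as the owning user, while
# static files (.html, images) are read by a separate web-server user.

# lock_scripts ROOT: remove group/other read+write from *.php at any depth.
# find does the recursion; "chmod -R go-rw *.php" only touches names the
# shell glob matches in the current directory, so subfolders are skipped.
lock_scripts() {
    find "$1" -type f -name '*.php' -exec chmod go-rw {} +
}

# world_readable_scripts ROOT: list *.php files other users can still read.
world_readable_scripts() {
    find "$1" -type f -name '*.php' -perm -004 -print
}

# mode_of PATH: print octal permission bits (GNU stat first, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# demo_tree: build a constructed sample site in a temp dir, print its path.
demo_tree() {
    root=$(mktemp -d)
    site="$root/example.org"
    mkdir -p "$site/admin" "$site/img"
    echo '<?php $db_pass = "constructed"; ?>' > "$site/index.php"
    echo '<?php /* constructed settings */ ?>' > "$site/admin/config.php"
    echo 'constructed image bytes' > "$site/img/logo.png"
    chmod 755 "$root" "$site" "$site/admin" "$site/img"
    chmod 644 "$site/index.php" "$site/admin/config.php" "$site/img/logo.png"
    echo "$root"
}
```

Running `world_readable_scripts` on a site directory before and after `lock_scripts` shows which files were exposed; directories are never touched, which avoids the 403 errors that come from stripping permissions on the folder tree itself.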