I am a new user of DreamHost’s shared plan “Crazy Domain Insane!”.
If I am wrong, please point it out.
I would like to write conclusions/questions at first.
Q1. Are our web access logs (which can include e-commerce
customers’ private information) exposed to other SSH users?
Q2. When we use the default settings,
are our web folders and files (which can include
implicit files like *.php which sometimes
include ID/Password) exposed to other SSH users?
Q3. If I am not wrong, what should I do to protect
my and my customers’ privacy and security?
I asked a support staff three times, but I could not get
expected answers or changes, so please help me, everyone.
Process1. With SSH access, users can find many USERNAMEs:
$ls -a /home
The directories of access logs are determined and owned
by root (DreamHost) like this:
These directories can not be changed for ourselves.
P2. SSH users can see which domain names each user registered, too.
Now SSH users have known the combination of USERNAME and DOMAINNAME.
P3. So they can see other users’ access logs now.
(The support staff wrote, "Logs are actually all public readable"
Wow! Is this a public comment from DH?)
P4. As a default, web directories are like this (but this can be changed):
If users do not change the default web directories’ name,
SSH users can look inside others’ files (not only html, but also php, js…).
So I think the default setting is dangerous.
I really want to use SSH because it is convenient,
but I want security and privacy, too. Thanks in advance,