I am a new user of DreamHost’s shared plan “Crazy Domain Insane!”.
If I am wrong, please point it out.
I would like to write my conclusions/questions first.
Q1. Are our web access logs (which can include e-commerce
customers’ private information) exposed to other SSH users?
Q2. When we use the default settings,
are our web folders and files (which can include
implicit files like *.php which sometimes
include ID/Password) exposed to other SSH users?
Q3. If I am not wrong, what should I do to protect
my and my customers’ privacy and security?
I asked the support staff three times, but I could not get
the expected answers or changes, so please help me, everyone.
In Detail
Process1. With SSH access, users can find many USERNAMEs:
$ ls -a /home
The directories of access logs are determined and owned
by root (DreamHost) like this:
/home/USERNAME/logs/DOMAINNAME/http/
These directories cannot be changed by us.
P2. SSH users can see which domain names each user registered, too.
$ ls /home/USERNAME/logs/
Now SSH users know the combination of USERNAME and DOMAINNAME.
P3. So they can see other users’ access logs now.
$ ls /home/USERNAME/logs/DOMAINNAME/http/
(The support staff wrote, "Logs are actually all public readable"
Wow! Is this a public comment from DH?)
P4. By default, web directories are like this (but this can be changed):
/home/USERNAME/DOMAINNAME/
If users do not change the default web directories’ names,
SSH users can look inside others’ files (not only html, but also php, js…).
So I think the default setting is dangerous.
I really want to use SSH because it is convenient,
but I want security and privacy, too. Thanks in advance,
–
dhnewuser
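
An added example, not part of the original post: a small shell audit an account owner can run over their own home directory to see which entries other local users can access, and to remove "other" access from files that commonly hold credentials. The function names and the file-name patterns are assumptions made for illustration, and whether the web server can still read a file once "other" access is removed depends on which user the host runs it as, which the post does not say.

```shell
#!/bin/sh
# Added example: audit your OWN account on a shared host for entries that
# other local users can read, write or traverse. Function names and the
# file-name patterns below are illustrative assumptions.

# Print every file or directory under $1 that has any permission bit set
# for "other" (read 004, write 002, execute/traverse 001).
list_other_accessible() {
    find "$1" \( -type f -o -type d \) \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Subset of the above: world-readable files that often contain IDs and
# passwords (PHP sources and includes, .env and .ini configuration).
list_exposed_secrets() {
    find "$1" -type f \
        \( -name '*.php' -o -name '*.inc' -o -name '.env' -o -name '*.ini' \) \
        -perm -004 -print
}

# Remove all "other" access from those files. Only files owned by the
# caller are touched, so root-owned entries such as the logs directory
# described in the post are skipped rather than producing chmod errors.
lock_down_secrets() {
    find "$1" -type f -user "$(id -u)" \
        \( -name '*.php' -o -name '*.inc' -o -name '.env' -o -name '*.ini' \) \
        -perm -004 -exec chmod o-rwx {} +
}
```

Typical use is `list_other_accessible "$HOME"` to review exposure first, then `lock_down_secrets "$HOME/DOMAINNAME"` on one site and a check that the site still loads before repeating it elsewhere.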