Shared host and SSH


#1

I’m shopping for a new web host and wanted to know if it’s possible on Dreamhost for another user on the same server to SSH over to my webroot and browse my website. I was shocked to find that this was not only possible on my current host but required no special knowledge. I only found out by mistake while investigating a hacked website and using too many “…/” going back up the directory structure.
Are there any other security gotchas that I should know about?

Cheers,
Mark


#2

I’m able to cd to their directory, but unable to view their listings.

If it was a hacked site, the directory permissions might have been specifically changed, but I would assume most hosts would prevent people from being able to look into other people’s directoies.


#3

[quote]Are there any other security gotchas that I should know about?

[/quote]

Answers to that would be a cracker’s target list. :slight_smile:

If you search wiki.dreamhost.com for security-related information, you’ll see security is a priority.

Here’s the list of security vulnerabilities I’ve found so far:

yeah, right. :wink:

They recently hired more support help.
DreamHost Customers wiki And Forum


#4

Ok, you both make good points. I’m not really looking to know what specific vulnerabilities exist but I suppose I’m interested to know if you have concerns about other users that you share systems with.

-Cheers and thanks for your feedback


#5

Remember that you are the “owner” of your “group” and as a result (and by default) all users you create are ALSO in that group.

You have to use custom group configuration to change this.

Although DH will protect you from other hosting users, it won’t protect you from yourself.

Wholly


#6

[quote]concerns about other users that you share systems with.

[/quote]

Only when system load goes up too high, which isn’t too often, and has many other possible causes.

[quote]Although DH will protect you from other hosting users, it won’t protect you from yourself.

[/quote]

Oh no, there goes another illusion. :slight_smile:

They recently hired more support help.
DreamHost Customers wiki And Forum


#7

There is a “gem” to remember; ne’er a tuer word was spoken! :wink:

–rlparker


#8

… but that’s where the POWER comes from.

Being able to wipe all your sites off the net in a matter of seconds is the ultimate adrenaline rush.

The good news is that I’ve got a niche audience. Gay Nazi Ponies!

Wholly


#9

“Remember that you are the “owner” of your “group” and as a result (and by default) all users you create are ALSO in that group.”

This is NOT the case with my current provider where all clients as well as the apache user are in the same group. It leaves me exposed to snoopers.

-M


#10

wholly
"The good news is that I’ve got a niche audience. Gay Nazi Ponies!"

Where’s the URL?


#11

The problem is inherently that the Apache processes are all run under the same UID, and thus you cannot secure your web content from other users on the system - any files you offer on your web server are required to have global read permissions.

This means you essentially cannot have private content on your website, because anyone with shell (ssh) access on the server can eventually find the raw files in your directories, and copy them if they want, without going through your web server.

I’ve brought this to their attention before, but so far they don’t seem to be interested in changing this issue. This is a major design issue from a hosting standpoint, so it’s not something they could change on a whim, but you’d get better insulation of websites from each other if the Apache processes were run under the GID of the websites they were serving.


#12

From all the replies (ok, well most of them) I’ve managed to glean enough info to understand that the setup on my current webhost is not unique. I’ve come to understand that on shared Linux hosting, you can browse to the folders for each of your peers on the same server. It is up to the user to ensure that the directory permissions are appropriately set. This includes setting permissions on such staples as httpdocs, statistics, bin, et al. In my case the default permission on all of these folders was 755 (which includes public read & execute). Apparently my webhost didn’t think this was an issue and spent 3 days blaming me for putting my site on Mambo. They even suggested I try re-implementing the entire website without using Mambo. Sure, I have nothing better to do with my time!

Thank you all for your help. I guess my only remaining issue with my webhost is that they’re a bunch of jacka$$es. I’ve not yet decided if that’s worth the pain of switching to dreamhost.

-Mark


#13

At DreamHost, the user’s home directory is set to 751 by default, and cannot be changed by the user. As already mentioned, this prevents “others” from listing files and directories in your home area and stops all except the most “determined”. You create your own “bin” if you want one, so it can be named anything you want, to make guessing harder.

[quote]they’re a bunch of jacka$$es.

[/quote]

Ours are mostly customers; I should know. :slight_smile:


They recently hired more support help.
Tip me (and DreamHost gets 5%+$0.30)