securityw/multiple users and subdomains

securityw/multiple users and subdomains

Posted by: sliesel
Posted on: 2007-01-28 12:15:00

i just have a quick curious question. i set up a subdomain for a friend of mine with her own user name and all that jazz but i'm worried.
if something ever happens and someone hacks into her site, will they be able to get to my domain and other subdomains or will it just be confined to her own sub?

all user names and pws are completely different.

Re: securityw/multiple users and subdomains

Posted by: ardco
Posted on: 2007-01-28 12:34:00

Don't worry, it's Ninja safe.

http://wiki.dreamhost.com/index.php/116_Common_Questions

94 and 41

Re: securityw/multiple users and subdomains

Posted by: sliesel
Posted on: 2007-01-28 12:37:00

phew! okay, thank you so so much! i feel so relieved now.

Re: securityw/multiple users and subdomains

Posted by: ardco
Posted on: 2007-01-28 12:58:00

Glad I could help.

Re: securityw/multiple users and subdomains

Posted by: moua
Posted on: 2007-01-28 13:27:00

If ALL database directory & user are different,
it's like if you are in dreamhost, and your friend in another host.

Don't forget that DH servers are protected by ninjas, but your scripts may have security holes.

Re: securityw/multiple users and subdomains

Posted by: ardco
Posted on: 2007-01-28 13:36:00

In reply to:

it's like if you are in dreamhost, and your friend in another host.


Well, not quite. Users on the same shared server have some access to other users' files.

Re: securityw/multiple users and subdomains

Posted by: wholly
Posted on: 2007-01-28 13:54:00

But they are protected by Ninjas, right?

(I just can't type that question without laughing after seeing the "Don't do crack" picture on the blog.)

Wholly

Re: securityw/multiple users and subdomains

Posted by: ardco
Posted on: 2007-01-28 14:11:00

In reply to:

But they are protected by Ninjas, right?


Yes. Some kind of Ninjas, who live in trash dumpsters and go to parties. A real security assault team that can "crack" the whip when necessary. laugh

Re: securityw/multiple users and subdomains

Posted by: deansfurniture5
Posted on: 2007-01-28 14:39:00

Hm.

I believe that, when you create a new user, it's created under the same group. Therefore, if you change the dir to /home/[username]/, as long as it's the same group, I think you'll be able to edit those files. So, it's possible a hacker could pull it off, but they would have to know your username too.

-Kyle

Re: securityw/multiple users and subdomains

Posted by: scjessey
Posted on: 2007-01-28 14:43:00

In reply to:

I think you'll be able to edit those files.


Even if it were true, that would be limited to files that are world-writable. Otherwise we wouldn't need passwords, would we?

Re: securityw/multiple users and subdomains

Posted by: ardco
Posted on: 2007-01-28 14:47:00

In reply to:

Even if it were true, that would be limited to files that are world-writable. Otherwise we wouldn't need passwords, would we?


It's all about sharing. laugh And it's time (for you) to review permissions...

Re: securityw/multiple users and subdomains

Posted by: rlparker
Posted on: 2007-01-28 14:47:00

In reply to:

So, it's possible a hacker could pull it off, but they would have to know your username too.


It's easy enough to find user names..just cd up the tree wink

--rlparker

Re: securityw/multiple users and subdomains

Posted by: ardco
Posted on: 2007-01-28 14:50:00

In reply to:

It's easy enough to find user names


Hey, man, don't ask, don't tell. laugh

Re: securityw/multiple users and subdomains

Posted by: scjessey
Posted on: 2007-01-28 14:51:00

In reply to:

It's all about sharing. And it's time (for you) to review permissions...


Well that's a really helpful answer, Bob. Wouldn't it have been easier just to answer my question directly, instead of the cryptic riddle?

Re: securityw/multiple users and subdomains

Posted by: ardco
Posted on: 2007-01-28 14:55:00

Not for me, seiler.

Re: securityw/multiple users and subdomains

Posted by: ardco
Posted on: 2007-01-28 14:58:00

ps. It's all in the wiki. tongue

Re: securityw/multiple users and subdomains

Posted by: scjessey
Posted on: 2007-01-28 15:02:00

In reply to:

Not for me, seiler.


You have me confused with someone else. I'm scjessey.

Re: securityw/multiple users and subdomains

Posted by: ardco
Posted on: 2007-01-28 15:04:00

In reply to:

me confused with


Don't feel bad, Bill. smile

Re: securityw/multiple users and subdomains

Posted by: deansfurniture5
Posted on: 2007-01-28 15:05:00

Here's the wiki entry:

http://wiki.dreamhost.com/index.php/Unix_Groups#DreamHost_Security_Defaults

I'll copy-and-paste it here:

When you add a user, it is automatically added to your default pg###### group. Another thing to note is that by default, all of your files are of the same default pg###### group unless you changed it yourself.

Re: securityw/multiple users and subdomains

Posted by: scjessey
Posted on: 2007-01-28 15:08:00

In reply to:

have (read) access to all of your files


So I was partly right then? You would still need a password to actually edit the files, correct?

Re: securityw/multiple users and subdomains

Posted by: deansfurniture5
Posted on: 2007-01-28 15:13:00

Yes, unless the file is chmoded to allow group members to write. (wiki entry on CHMOD)

Re: securityw/multiple users and subdomains

Posted by: sliesel
Posted on: 2007-01-28 17:12:00

thank you guys soo soo much! so just chmod all the things i want to keep to myself and away from anyone in my group so that they can't be read, written or executed in. thanks!
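The permission check and chmod step discussed in this thread, as an added example that is not part of any poster's message: it lists entries that grant access to the shared default group or to other users, then removes that access. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Audits and removes group/other access.

# List non-symlink entries under $1 granting any bit to group or others.
# POSIX find: each "-perm -NNN" matches when that single bit is set.
audit_group_other() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \)
}

# List only entries that group members or others could modify.
audit_writable() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \)
}

# Strip every group/other bit below $1; the owner's bits are left alone.
lock_down() {
    chmod -R go-rwx "$1"
}

# Constructed sample tree standing in for a private directory in a home dir.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir "$d/private"
    echo "db_password=constructed-sample" > "$d/private/config.php"
    echo "notes" > "$d/private/notes.txt"
    echo "draft" > "$d/private/draft.txt"
    chmod 750 "$d/private"              # group can list and enter
    chmod 640 "$d/private/config.php"   # group can read
    chmod 664 "$d/private/notes.txt"    # group can read and write
    chmod 600 "$d/private/draft.txt"    # already owner-only
    chmod 700 "$d"
    echo "$d"
}

# Demo: audit the sample, lock it down, audit again, clean up.
sample=$(make_sample)
echo "Open to group/others:";     audit_group_other "$sample"
echo "Writable by group/others:"; audit_writable "$sample"
lock_down "$sample"
echo "Left after lock-down: $(audit_group_other "$sample" | wc -l)"
rm -rf "$sample"
```

Apply `lock_down` only to directories the web server does not have to read; whether served content needs group or other read access depends on which user the host runs the web server as.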

Re: securityw/multiple users and subdomains

Posted by: rlparker
Posted on: 2007-01-28 17:46:00

In reply to:

Hey, man, don't ask, don't tell.


...that system never works frown. If there is one thing I have learned in working as a security professional for 25 years it is that "security by obscurity" offers no degree of security at all! wink

--rlparker

Re: securityw/multiple users and subdomains

Posted by: ardco
Posted on: 2007-01-28 18:25:00

In reply to:

"security by obscurity" offers no degree of security at all!


So, let's start a top ten list of weakest aspects of DH shared servers... smile and put it on the wiki, unless it's already there.

Re: securityw/multiple users and subdomains

Posted by: wholly
Posted on: 2007-01-28 19:45:00

Top Two:

1. Connected to a network
2. Shared

(OK, you might be able to fight that "shared" isn't #2 but it certainly doesn't help. Too many cooks spoil the broth.)

Wholly

Re: securityw/multiple users and subdomains

Posted by: Toord
Posted on: 2007-01-31 11:55:00

That's no longer true. It used to be the case that users in the same server could *see* other users' files but not read/write them. Now, at least in the boxen I'm hosted on you cannot ls the contents of any directory that is not owned by the user.

Tags: subdomains, pws, user names, subdomain, jazz