Hi William,

> Is it correct to assume that when I grant a client/virtual site telnet
> access, that he can see each and every file on the server?
> So in other words, if I gave shell access to client A, and client B has an
> online shop and stores order info in flat text files, client A would be
> able to see client B's order info. Right?
That's unfortunately correct. Someone logged in by Telnet won't be able to see all files (depending on directory and file permissions), but bad enough he can see way too much. For example (as you pointed out) the web directories of other users.

What's even worse: The Cobalt RaQs have a couple of locally exploitable vulnerabilities of which a local user with shell access might be able to take advantage. It's by no means trivial to do so, but most of us prefer to play it rather safe than sorry and don't offer shell access at all.

Additionally: Telnet is fully unencrypted and anyone could eavesdrop on the entire session, from the very start (username and password are transmitted in plain text) to the very end. Therefore, if shell access has to be granted for whatever reason, then usage of OpenSSH (see www.pkgmaster.com for a package) is recommended.

Furthermore: If PHP or CGI scripts are allowed, then a malicious user could easily set up a script which allows him to browse your filesystem, including all files and folders to which the user himself (or the user under which HTTPd runs at that time) has read access. So even without shell access it's not recommended to put or keep sensitive data like billing information or even (sic!!) credit card data on a server, regardless of the form. Especially not in flat text file format. ;o)

--
Mit freundlichen Grüßen / With best regards
Michael Stauber [EMAIL PROTECTED]
Unix/Linux Support Engineer

_______________________________________________
cobalt-developers mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-developers
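The permission problem Michael describes (another shell user, or a script running as the shared HTTPd user, can read client B's flat-file order data because the files carry the "other read" bit) can be audited and tightened with a short script. The following is an added example and is not part of the original post or of any Cobalt software; it assumes a per-site layout such as `<root>/<site>/web/` and builds a constructed two-client tree in a temporary directory so it runs offline. It checks only the "other" permission bits, which is what an unrelated local user sees; group permissions and the HTTPd user's own identity still need a separate look on a real host.

```bash
#!/bin/sh
# Added example, not from the original mailing-list post.
# Audit a shared web root for files any local user could read, then
# strip the "other" bits from everything except public HTML files.
set -u

# Build a constructed two-client layout (hypothetical paths) for demonstration.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/clientA/web" "$root/clientB/web/orders"
    printf 'index\n' > "$root/clientA/web/index.html"
    printf 'order 1001, card ****\n' > "$root/clientB/web/orders/orders.txt"
    # Explicit modes so the demo does not depend on the caller's umask.
    chmod 755 "$root/clientA" "$root/clientA/web" \
              "$root/clientB" "$root/clientB/web" "$root/clientB/web/orders"
    chmod 644 "$root/clientA/web/index.html"
    chmod 644 "$root/clientB/web/orders/orders.txt"   # world-readable: the problem
    printf '%s\n' "$root"
}

# List regular files under $1 that carry the "other read" bit (octal 004).
# -perm -004 is POSIX and works on GNU and BSD find alike.
find_world_readable() {
    find "$1" -type f -perm -004 | sort
}

# Count such files; handy for scripted checks and cron reports.
count_world_readable() {
    find_world_readable "$1" | wc -l | tr -d ' '
}

# Hypothetical policy: only *.html files stay readable by others; any other
# file (order data, config, scripts) loses read/write/execute for "other".
# Directories keep their traverse bit so the web server can still reach the
# HTML, but lose "other write" so nobody can drop files into them.
restrict_others() {
    find "$1" -type f ! -name '*.html' -exec chmod o-rwx {} +
    find "$1" -type d -exec chmod o-w {} +
}

# Stand-alone run: show the before/after counts on the constructed tree.
demo_root=$(make_demo_tree)
echo "world-readable before: $(count_world_readable "$demo_root")"
restrict_others "$demo_root"
echo "world-readable after:  $(count_world_readable "$demo_root")"
find_world_readable "$demo_root"
rm -rf "$demo_root"
```

On a real system the `*.html` whitelist would be widened to whatever the site actually serves, and the audit half (`find_world_readable`) is the part worth running regularly, since every new upload by a client can reintroduce a readable data file.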
