On 3/7/2013 7:53 PM, Chris Angelico wrote:
On Thu, Jul 4, 2013 at 2:47 AM, Νίκος <ni...@superhost.gr> wrote:
On 3/7/2013 6:44 PM, Chris Angelico wrote:

On Thu, Jul 4, 2013 at 1:36 AM, Νίκος <ni...@superhost.gr> wrote:

I will *not* give away my root pass to anyone for any reason but I will
open a normal user account for someone if I feel like trusting him and copy my
python file to his home dir to take a look from within.


Well... well... baby steps. That's something at least. That's still a
huge level of access, though; with a non-root account on your server,
I would be able to - I think - read all your customers' code. You
would have to chroot the user you give, and if you're going to do
that, you may as well just give the code as a .py file. Really, you
need to have a MUCH stronger respect for shell access, even non-root.

ChrisA

I did not understand you.

How, with a normal user account named "chris", will you be able to read
my customers' HTML files and even my Python scripts?

I feel the urge to open you one just to see if you can do it or not.....but
I'm also scared....

What are the file permissions (file modes) on all your home
directories? Do you know what they mean?

root@nikos [~]# ls -al /home
total 88
drwx--x--x 22 root     root     4096 Jul  3 20:03 ./
drwxr-xr-x 22 root     root     4096 Jun 12 01:21 ../
drwx--x--x 14 akis     akis     4096 Apr  5 22:21 akis/
Same with the others, just +x for group and others.

Does that mean you can easily, i.e. 'cd /home/akis/', access their home directories?

Shall I 'chmod -x /home/dirs' ?

I'm happy to take you up on that offer if you need another lesson in
not giving out shell access. And don't forget, privilege escalation
attacks do exist.

Yes they do, but cPanel offers some protection against these kinds of methods called "CPHulk" so it won't be easy!


--
What is now proved was at first only imagined!
--
http://mail.python.org/mailman/listinfo/python-list
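
Added example, not part of the original thread or written by anyone in it: a small audit that decodes what the "others" bits of a mode such as the drwx--x--x shown above allow, and lists the world-readable files that any local shell user could open by name under each home directory. The function names and the sample tree are constructed for illustration; the check looks only at classic mode bits (no ACLs, no group membership) and should be run as root so every directory can be walked.

```python
import os
import stat
import tempfile

def others_can(mode):
    """Decode what users outside the owner and group may do with a directory."""
    return {
        "list": bool(mode & stat.S_IROTH),      # r: read the names inside (ls)
        "traverse": bool(mode & stat.S_IXOTH),  # x: cd in, open entries by known name
        "modify": bool(mode & stat.S_IWOTH and mode & stat.S_IXOTH),  # w+x: create/delete
    }

def audit_homes(base):
    """Return {home_dir: [world-readable regular files any local user can reach]}."""
    exposed = {}
    for entry in sorted(os.scandir(base), key=lambda e: e.name):
        if not entry.is_dir(follow_symlinks=False):
            continue
        if not others_can(entry.stat(follow_symlinks=False).st_mode)["traverse"]:
            continue  # no x for others: nothing below this home is reachable
        hits = []
        for root, dirs, files in os.walk(entry.path):
            # Prune subdirectories that others cannot traverse.
            dirs[:] = [d for d in dirs
                       if os.lstat(os.path.join(root, d)).st_mode & stat.S_IXOTH]
            for name in files:
                st = os.lstat(os.path.join(root, name))
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
                    hits.append(os.path.relpath(os.path.join(root, name), base))
        exposed[entry.name] = sorted(hits)
    return exposed

def demo():
    """Constructed sample tree: one 0711 home (as in the listing) and one 0700 home."""
    base = tempfile.mkdtemp()
    for user, dmode in (("akis", 0o711), ("locked", 0o700)):
        home = os.path.join(base, user)
        os.mkdir(home)
        for fname, fmode in (("index.html", 0o644), ("secret.py", 0o600)):
            path = os.path.join(home, fname)
            with open(path, "w") as fh:
                fh.write("sample\n")
            os.chmod(path, fmode)
        os.chmod(home, dmode)
    return audit_homes(base)

if __name__ == "__main__":
    print(others_can(0o711))
    print(demo())
```

With mode 0711 a directory cannot be listed by other users, but it can be entered, so every file the audit reports is readable by anyone who knows or guesses its name.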
