FTP Restrictions Not Implemented

I am working on hardening security. To my "dismay", today I logged in as user "himalayan" via SFTP and discovered that I could "see" all the way to root and also read files... owned by root (because of course permissions for those files were "rw--r--r--").

But, in the FTP Restrictions panel I have set all the virtual servers to

active (check) | with the domain/virtual domain chosen | (__ All Except Server) is unchecked | and radio set to "Virtual server's home directory"

Should this not restrict this user from seeing files all the way to root?

Status: Active

Comments

Howdy -- those restrictions only apply to FTP users -- they don't affect SFTP users (which go over SSH, and aren't using ProFTP).

Those limits also don't affect web users, who could upload a PHP-based directory browser to access those same files.

With shared web hosting, there can be information leakage such as this... all users are able to see world readable files. The only way to completely prevent that would be to place domains in their own container, such as on a VPS (which Cloudmin can assist with).
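
The world-readable exposure described in this thread can be audited from the permission bits alone. The following is an added example, not part of the thread and not Virtualmin code: it lists the files under a directory that any other local account can read, taking into account that a file is only reachable when every directory leading to it is searchable by "other". The directory names are constructed samples; ACLs and directories above the starting point are assumed out of scope.

```python
import os
import stat
import tempfile

def reachable_by_others(root):
    """Return regular files under root that any local account can read.

    A file is exposed only if it carries o+r AND every directory from root
    down to it carries o+x (search). Assumption: plain mode bits only; ACLs
    and ancestors above root are not examined.
    """
    exposed = []
    if not os.stat(root).st_mode & stat.S_IXOTH:
        return exposed  # "other" cannot even enter root
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune subdirectories "other" cannot traverse; os.walk skips them.
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_mode & stat.S_IXOTH]
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & stat.S_IROTH:
                exposed.append(path)
    return sorted(exposed)

def build_sample_tree():
    """Constructed sample: two hypothetical domain homes with different modes."""
    base = tempfile.mkdtemp()
    os.chmod(base, 0o755)
    for home, mode in (("open_domain", 0o755), ("closed_domain", 0o750)):
        d = os.path.join(base, home)
        os.mkdir(d)
        cfg = os.path.join(d, "config.php")
        with open(cfg, "w") as f:
            f.write("constructed sample\n")
        os.chmod(cfg, 0o644)  # rw-r--r--, readable by everyone
        os.chmod(d, mode)     # 0o750 removes o+x, hiding the whole subtree
    return base

if __name__ == "__main__":
    for p in reachable_by_others(build_sample_tree()):
        print(p)
```

Both sample files have identical 644 permissions; only the one under the directory that "other" can traverse is reported.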