> Otherwise connect via sftp client. Users can upload, download and
> delete. Openssh configured to disable chown/chmod (we set default umask
> on our end) so we don't let users set their own permissions either (they
> showed an unfortunate tendency toward installing things with world write!)
That's kind of what I was expecting - but is it possible to break out
of passwd to a shell? What about a buffer overflow dropping you to a
shell? I don't know of any vulns in passwd at the moment, so perhaps
it's quite safe.
The file upload / download is more my area of interest. When your
customers log in, are they constrained to their own area of disk? While
disk space is not an issue for my application, a customer being able to
speculatively and curiously try and download files from /home/$string/ -
or get a directory listing of ../.. or similar is a trap.
How does your system deal with these kinds of issues? Or does it?
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!