Koozali.org: home of the SME Server

Contribs.org Forums => General Discussion => Topic started by: soprom on August 29, 2010, 04:23:08 PM

Title: Question about permissions
Post by: soprom on August 29, 2010, 04:23:08 PM
I want to test for intrusion in a special situation where someone is not respecting smeserver conventions by creating a folder at the same level as files and html in an ibay.

What I want to achieve is to demonstrate that an intrusion is possible from the LAN for unauthenticated users, or that it is not possible.

The case goes like this:

Code:
# as root, create a folder to host a hyperfile database
mkdir /home/e-smith/files/ibays/Primary/db
touch /home/e-smith/files/ibays/Primary/db/intrusion-test.txt
chmod -R 777 /home/e-smith/files/ibays/Primary/db/

Can an unauthenticated user reach /home/e-smith/files/ibays/Primary/db/intrusion-test.txt in this case?

Thanks for any comment!

Title: Re: Question about permissions
Post by: mmccarn on August 29, 2010, 04:39:27 PM
Users with accounts on the SME server who also have shell access would be able to access this file with '777' permissions.

Users with only smb or http access would not have access (I think) - because the ".../Primary" folder is not exposed as a share point for either protocol.

Title: Re: Question about permissions
Post by: soprom on August 29, 2010, 06:53:31 PM
Thanks for your comment...
Indeed, I can reach the file with a user account.

Title: Re: Question about permissions
Post by: CharlieBrady on August 30, 2010, 04:12:36 AM
Users with accounts on the SME server who also have shell access would be able to access this file with '777' permissions.

They could also do so via putty/Winscp/scp.

Don't create directories or files with permission 777.
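
To check a tree for the world-writable entries that "chmod -R 777" leaves behind, and to take the "other" write bit back off without disturbing owner or group access, here is an added example (not code from the thread or from SME Server). It builds a throwaway copy of the layout described above under a temporary directory instead of /home/e-smith/files/ibays, so it runs on any box; the html/files modes of 750 and the assumption that the ibay relies on group access are mine, not SME's documented defaults.

```shell
#!/bin/sh
# Added example (not from the thread): audit a directory tree for the
# world-writable entries that "chmod -R 777" leaves behind, then strip the
# "other" write bit. A temporary directory stands in for
# /home/e-smith/files/ibays so the script runs anywhere.

# Print every file or directory under $1 whose mode has o+w set (octal 002).
# Symlinks are skipped because they report mode 777 regardless of target.
audit_world_writable() {
    find "$1" ! -type l -perm -002 2>/dev/null | sort
}

# Number of findings under $1; 0 means nothing in the tree is world-writable.
count_world_writable() {
    audit_world_writable "$1" | wc -l | tr -d ' '
}

# Remove only the "other" write bit everywhere under $1. Owner and group bits
# are left alone, so group-based ibay access (assumed here) keeps working.
strip_other_write() {
    chmod -R o-w "$1"
}

# Build a throwaway tree shaped like the ibay in the thread: Primary/html and
# Primary/files with a restrictive (assumed) 750, plus the extra Primary/db
# directory made 777 the way the thread describes.
make_demo_ibay() {
    base=$(mktemp -d)
    mkdir -p "$base/Primary/html" "$base/Primary/files" "$base/Primary/db"
    touch "$base/Primary/db/intrusion-test.txt"
    chmod 750 "$base/Primary/html" "$base/Primary/files"
    chmod -R 777 "$base/Primary/db"        # the mistake under discussion
    echo "$base"
}

# Show the findings before and after the fix, then clean up.
demo() {
    base=$(make_demo_ibay)
    echo "World-writable entries before fix:"
    audit_world_writable "$base"
    strip_other_write "$base"
    echo "World-writable entries after fix: $(count_world_writable "$base")"
    rm -rf "$base"
}

demo
```

On a real server the same audit is a one-liner against the ibay root (find /home/e-smith/files/ibays ! -type l -perm -002), and anything it lists is reachable for writing by every local account, shell or scp, exactly as the replies above describe.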

Title: Re: Question about permissions
Post by: soprom on August 30, 2010, 04:56:46 AM
Yes Charlie, but the one who installed the server did it and I need to 'prove' how hazardous it is. So my first step was to demonstrate that a user with no such permission could reach files that are supposedly protected.

But I also wonder if a non-user on the server could reach such content.