From: "dt"
Delivered-To: freebsd-questions@freebsd.org
Date: Sat, 2 Aug 2003 20:56:05 -0700
Message-ID: <000301c35973$2a11b320$5f4f0844@DT>
Subject: Need Access Control List (ACL) or any kind of substitute for it

Hello,

I recently was able to find a web-hosting company that runs FreeBSD. The service I signed up for allows me to have SSH access, along with a series of other services such as CGI-BIN and Tomcat. On the same machine where my domain is hosted there are many other accounts; it's not virtual hosting, where I have root access to my machine. On the first day, I discovered that I had to make my files publicly available so that Apache could pick up my scripts and run them, which I definitely thought was not a good idea.

The only security measure this company took was that you could not 'ls' up into other people's accounts, but I know that if you know the directory structure you can open anyone's script and look at its content, which could reveal a password and the logic of their code. On top of that, the locate database has the whole directory structure, which is available to anybody.

So, I tried a couple of things, which weren't successful. I took away permission from others with chmod 740. Also, to grant access to Apache only, I tried to chown to the nobody group (Apache is running under this group), which I could not do because I was not part of the nobody group. I tried to put the nobody user in my group, but I was not able to. The only solution I see is to ask their admin to put the nobody user in my group, or to have some sort of ACL so I can explicitly grant permission to the nobody user.

Please help. Is there any tool that allows me to overcome this obstacle?

I will not reveal any information about this company, for obvious reasons, except that they're running "FreeBSD 4.7-RELEASE". Eventually, I am planning to tell them to fix their security problem, but I need to do some research before I do this, which I'm doing by asking for your expertise.

Thank you,
DT.
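
Added example, not part of the original message: a small model of the classic Unix owner/group/other check, applied to the three configurations the message mentions (world-readable scripts, chmod 740, and 740 with the web-server user added to the account's group), plus a scan for world-readable files in a tree. All uids, gids and names below are constructed assumptions.

```python
import os
import stat

def can_read(mode, file_uid, file_gid, uid, gids):
    """Classic Unix check: exactly one class applies, owner first, then group."""
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def exposure(mode, file_uid, file_gid, web, neighbour):
    """Return (web server can read, another shell account can read)."""
    return (can_read(mode, file_uid, file_gid, *web),
            can_read(mode, file_uid, file_gid, *neighbour))

def world_readable(root):
    """List regular files under root whose 'other' read bit is set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
                hits.append(path)
    return sorted(hits)

# Constructed identities: (uid, set of gids). Not taken from any real host.
OWNER_UID, OWNER_GID = 1001, 1001
WEB = (65534, {65534})                 # web server user, default groups
WEB_IN_GROUP = (65534, {65534, 1001})  # after an admin adds it to the owner's group
NEIGHBOUR = (1002, {1002})             # another customer on the same machine

if __name__ == "__main__":
    cases = [
        ("0744, web user not in group", 0o744, WEB),
        ("0740, web user not in group", 0o740, WEB),
        ("0740, web user in owner's group", 0o740, WEB_IN_GROUP),
    ]
    for label, mode, web in cases:
        web_ok, other_ok = exposure(mode, OWNER_UID, OWNER_GID, web, NEIGHBOUR)
        print(f"{label}: web server reads={web_ok}, other account reads={other_ok}")
    for path in world_readable(os.path.expanduser("~")):
        print("world-readable:", path)
```

Only the third configuration lets the web server read the script while other shell accounts cannot, and it requires the administrator's help. If CGI from every account runs under that same web-server user (an assumption here), the file is still reachable through the server itself, so group membership narrows the exposure without removing it.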