Security: preventing account A from seeing account B - GoFuckYourself.com

camperjohn64 · 02-14-2012, 04:52 PM

I have a server that up until now only been used for my own accounts. I am going to allow a friend to host an account, and I am rsearching how to prevent account A from seeing account B. He is a good friend so I'm not worried for him, I'm just thinking if he lets a webmaster access his account...

Suggestions?

Apache issues? PHP issues? SSH issues? FTP?

baddog · 02-14-2012, 04:58 PM

Just set up an FTP account for him that goes to his home folder and nowhere higher.

raymor · 02-14-2012, 05:11 PM

Talk to your server admin about "chrooted FTP". Most FTP servers can be set where you see only your own files.

Other than that, assume he can use PHP to SEE your files (but then he can see most of them in a browser anyway.) Any sensitive information stored on the server should be properly encrypted or hashed.

To prevent someone with an account seeing your files through their PHP script requires a bit more complex setup than I want to detail here, and it creates very significant new security problems the way most people do it, so the "short version" would be dangerous. The key is to create two NEW users - you_apache and him_apache. Your scripts would be set to run as you_apache and his would be set to run as him_apache.

CYF · 02-14-2012, 05:12 PM

set him up in a chrooted ssh jail.
config so 'ps' etc will only show his own running processes

02-14-2012, 04:52 PM	#1
camperjohn64 Confirmed User Industry Role: Join Date: Feb 2005 Location: Los Angeles Posts: 1,531	Security: preventing account A from seeing account B I have a server that up until now only been used for my own accounts. I am going to allow a friend to host an account, and I am rsearching how to prevent account A from seeing account B. He is a good friend so I'm not worried for him, I'm just thinking if he lets a webmaster access his account... Suggestions? Apache issues? PHP issues? SSH issues? FTP? __________________ www.gimmiegirlproductions.com

02-14-2012, 05:11 PM	#3
raymor Confirmed User Join Date: Oct 2002 Posts: 3,745	Talk to your server admin about "chrooted FTP". Most FTP servers can be set where you see only your own files. Other than that, assume he can use PHP to SEE your files (but then he can see most of them in a browser anyway.) Any sensitive information stored on the server should be properly encrypted or hashed. To prevent someone with an account seeing your files through their PHP script requires a bit more complex setup than I want to detail here, and it creates very significant new security problems the way most people do it, so the "short version" would be dangerous. The key is to create two NEW users - you_apache and him_apache. Your scripts would be set to run as you_apache and his would be set to run as him_apache. Last edited by raymor; 02-14-2012 at 05:14 PM..

02-14-2012, 05:12 PM	#4
CYF Coupon Guru Industry Role: Join Date: Mar 2009 Location: Minneapolis Posts: 10,973	set him up in a chrooted ssh jail. config so 'ps' etc will only show his own running processes __________________ Webmaster Coupons Coupons and discounts for hosting, domains, SSL Certs, and more! AmeriNOC Coupons \| Certified Hosting Coupons \| Hosting Coupons \| Domain Name Coupons

02-14-2012, 04:58 PM	#2
baddog So Fucking Banned Industry Role: Join Date: Apr 2001 Location: the beach, SoCal Posts: 107,089	Just set up an FTP account for him that goes to his home folder and nowhere higher.