As an experiment I did a 'ps aux Or' on the server I am running my test
code on (to get the big memory users listed at the bottom -- i.e., to find
the muds) and looked for bin/circle, found 2 others running, cd'ed to
their /home/<user> directory (unreadable in all instances) and armed with
just enough knowledge to be dangerous did 'cd circle30bpl14' and 'cd mud'
and was able to get into the source directories of each, where the files
had the default permissions set and thus were readable. This presents a
good example to work from... do a 'man chmod' and set your directories,
ALL files, etc. to be readable/executable/writeable (ESPECIALLY writeable)
only by yourself. This of course doesn't stop root, but if you have to
worry about root you should probably be investigating other servers.
Side note, I also found out that my source was world readable, so I'm glad
someone reminded me of this simple yet dangerous security concern.
On Thu, 3 Dec 1998, Brian wrote:
> While I know you said not to e-mail you on how to "steal code", I do have
> another question which I'd like to find out (which probably has the same
> answer as how to "steal code").
>
> What did you do? Is it a loophole in the security of the system you're
> using? I ask because I would like to test the security of the system I'm
> on. If anyone can just swipe my code, anytime they want, then I need to do
> something about it.
>
> What tests can I make to see if I can find out if my site/account is secure
> from another account on the same system?
>
> Hopefully it's not as simple as just CD'ing thru the tree and entering
> others directories?
>
> - brian
+------------------------------------------------------------+
| Ensure that you have read the CircleMUD Mailing List FAQ: |
| http://democracy.queensu.ca/~fletcher/Circle/list-faq.html |
+------------------------------------------------------------+
This archive was generated by hypermail 2b30 : 12/15/00 PST