WTF Godaddy SSH access to shared server exposes everyone's username
9 points by peterchon on May 26, 2013 | hide | past | favorite | 15 comments
I just used my ssh bash access to my godaddy shared server. Upon running ls -l on the parent directory, it exposed all the shared users' usernames.

Please tell me I'm wrong.



Many sites rate usernames as public information, with SSH keys and passwords being private. Getting a list of users is not typically considered a security issue. If you chose (or were forced to choose) a username that was based on your real name, that could be a privacy issue (as well as a namespace collision problem), but not really a security issue.


Why don't you tell Godaddy about it, instead of posting here? At least write to the forum and ask the support guys if they know about this issue:

http://support.godaddy.com/groups/web-hosting/forum/


Because Godaddy usually ignores this type of concern, unless it's brought to light via other credible sources.


Even if it does, a username alone isn't a security breach. You would think they'd use ssh chroots or something, but there are no security issues with seeing a username.


Not a breach in and of itself, but it does give an attacker something they didn't have before: a list of attackable login names.

Now they can start trying common passwords on logins that they know exist, rather than having to guess at that too.


I realize that it isn't a security breach, but I'm not so comfortable sharing my username with everyone else.


Nothing new, and in fact it's an extremely common hack to do a recursive find over the upper directory to see if there are any directories with the global write bit set, then drop a php file to get access to their file system. In general, you should never put anything on a shared server that you don't want the world to see.


You are absolutely correct. You can also type `who` for a list of users who are currently logged in. You can even `cat /etc/passwd` for uids and home directories. That's how UNIX security works (not via obscurity). If your password's not strong enough to resist a bruteforce, change it and/or get a VPS (which, incidentally, commonly get pwned by Chinese botnets if you insist on using a weak password and don't switch to pubkey-only auth).


Adding to the other comments, I've encountered similar on shared hosts. The first time, when I encountered something similar through a PHP program, I reached out; I did get a response from support (who were responsive and did on their own escalate to a higher level), along the lines of, "We know. It's not ideal, but it's the best we can do within the current systems design."


Usually all you need to do is read /etc/passwd to get all the usernames on the system. Without access to /etc/passwd, commands like ls would be able to resolve UID -> username.


If you know how to do this, why don't you pay $5/mo to DigitalOcean and get your own VPS... Shared hosting just implies that you are not really serious about security.


I'm not a black hat or anything even close to that nature. I just happened to see it and it concerned me greatly. I am really starting to think about running a vps through linode or something.


This has been the case on every shared host I've used. Most of them even defaulted to your files being world-readable.
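The two comments above about world-writable directories and world-readable files both come down to one check: what can other accounts on the box reach under your home directory? The following POSIX sh snippet is an added example (not code from anyone in this thread) that audits a directory for "other" read/write bits and then strips them. The directory path is whatever you pass in; the sample layout in the comments is constructed.

```shell
#!/bin/sh
# Added example: audit a home directory on a shared host for paths that any
# other account can read or write, then remove those "other" permission bits.
# Assumes a POSIX sh with find(1), sed(1), wc(1) and chmod(1).

# Print every path under $1 that is world-readable (other-read bit, octal 004)
# or world-writable (other-write bit, octal 002), tagged with which bit is set.
# A single path can appear twice if both bits are set.
audit_world_access() {
    dir="$1"
    find "$dir" -perm -004 -print | sed 's/^/world-readable: /'
    find "$dir" -perm -002 -print | sed 's/^/world-writable: /'
}

# Return the number of findings as a plain integer on stdout, so a caller
# can test for "clean" without parsing the listing.
count_world_access() {
    audit_world_access "$1" | wc -l | tr -d ' '
}

# Strip read, write and execute for "other" from everything under $1.
# Caveat: on hosts where the web server runs as a separate system user that
# must read your docroot, re-grant o+rx on just that subtree afterwards;
# the config files holding database passwords should stay unreadable.
harden_home() {
    chmod -R o-rwx "$1"
}
```

Run `count_world_access "$HOME"` first to see how much is exposed; a non-zero result on a shared host usually means a world-readable config file rather than a deliberate choice.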


Isn't this normal on many shared hosts?


It's shared hosting, so you're probably looking at /home.

It should be okay. Just make sure you have a strong password.

