
WTF GoDaddy SSH access to shared server exposes everyone's username - peterchon
I just used my SSH bash access to my GoDaddy shared server. Upon inspection of `ls -l` on the upper directory, it exposed all the shared users' usernames.

Please tell me I'm wrong.
======
erlkonig
Many sites rate usernames as public information, with SSH keys and passwords
being private. Getting a list of users is not typically considered a security
issue. If you chose (or were forced to choose) a username that was based on
your real name, that could be a privacy issue (as well as a namespace
collision problem), but not really a security issue.

------
dmortin
Why don't you tell Godaddy about it, instead of posting here? At least write
to the forum and ask the support guys if they know about this issue:

<http://support.godaddy.com/groups/web-hosting/forum/>

~~~
peterchon
Because GoDaddy usually ignores these types of concerns, unless it's brought to
light via other credible sources.

------
SEJeff
Even if it does, a username alone isn't a security breach. You would think
they'd use ssh chroots or something, but there are no security issues with
seeing a username.

~~~
ams6110
Not a breach in and of itself, but it does give an attacker something they
didn't have before: a list of attackable login names.

Now they can start trying common passwords on logins that they know exist,
rather than having to guess at that too.

------
zoidb
Nothing new and in fact it's an extremely common hack to do a recursive find
over the upper directory to see if there are any directories with the global
write bit set, then drop a php file to get access to their file system. In
general, you should never put anything on a shared server that you don't want
the world to see.

------
fractalcat
You are absolutely correct. You can also type `who` for a list of users who
are currently logged in. You can even `cat /etc/passwd` for uids and home
directories. That's how UNIX security works (not via obscurity). If your
password's not strong enough to resist a brute-force attack, change it and/or get a
VPS (which, incidentally, commonly get pwned by Chinese botnets if you insist
on using a weak password and don't switch to pubkey-only auth).

------
pasbesoin
Adding to the other comments, I've encountered similar on shared hosts. The
first time, when I encountered something similar through a PHP program, I
reached out; I did get a response from support (who were responsive and did on
their own escalate to a higher level), along the lines of, "We know. It's not
ideal, but it's the best we can do within the current systems design."

------
2bluesc
Usually all you need to do is read /etc/passwd to get all the usernames on the
system. Without access to /etc/passwd, commands like ls would be able to
resolve UID -> username.

------
chrisgoman
If you know how to do this, why don't you pay $5/mo to DigitalOcean and
get your own VPS... Shared hosting just implies that you are not really
serious about security.

~~~
peterchon
I'm not a black hat or anything even close to that nature. I just happened to
see it and it concerned me greatly. I am really starting to think about
running a VPS through Linode or something.

------
plorkyeran
This has been the case on every shared host I've used. Most of them even
defaulted to your files being world-readable.
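
As an added, defender-side example (not code from anyone in this thread): a POSIX shell audit of your own tree on a shared host, covering the world-write bit zoidb describes and the world-readable defaults plorkyeran mentions. It assumes you own the tree; the file name `audit.sh` and the `public_html` path are illustrative.

```shell
#!/bin/sh
# Audit a directory tree on a shared host (default: $HOME) for entries that
# other local users can write to or read, and strip the world-write bit from
# what we own. Added example; assumes POSIX find/chmod and that the tree is ours.

# Print every file or directory under $1 that carries the world-write bit (o+w).
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 2>/dev/null | sort
}

# Print every file or directory under $1 that carries the world-read bit (o+r).
list_world_readable() {
    find "$1" \( -type f -o -type d \) -perm -004 2>/dev/null | sort
}

# Remove o+w from everything under $1 that belongs to the current user.
# Nothing in a home directory needs to be writable by every other account.
fix_world_writable() {
    find "$1" -user "$(id -un)" -perm -002 -exec chmod o-w {} +
}

# Print a short report for $1; return 1 while any world-writable path remains.
audit_tree() {
    dir=$1
    writable=$(list_world_writable "$dir")
    readable=$(list_world_readable "$dir")
    printf 'World-writable under %s:\n%s\n' "$dir" "${writable:-none}"
    printf 'World-readable under %s (review; the web root may need these):\n%s\n' \
        "$dir" "${readable:-none}"
    [ -z "$writable" ]
}

# Usage: sh audit.sh [DIR] [--fix]
if [ $# -gt 0 ]; then
    audit_tree "$1" || true
    [ "${2:-}" = "--fix" ] && fix_world_writable "$1"
fi
```

World-readable files under the web root are often exactly what the host's web server relies on to serve your site, so the script only reports those; review them individually instead of removing o+r across the board.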

------
timmillwood
Isn't this normal on many shared hosts?

------
devb0x
It's shared hosting, so you're probably looking at /home.

It should be okay. Just make sure you have a strong password.

