Can the sqvm shit up stuff outside the root directory?

Started by EK.IceFlake, Jan 15, 2017, 12:28 PM


EK.IceFlake

For example, I have a hosting panel that has its servers in such a way:
./svr-uid/svr/mpsvrrel64
Can, let's say, ./finch-server/svr/mpsvrrel64, running the squirrel plugin, read ./top-secret-stormeus-server/svr/main.nut?

Shadow

http://squirrel-lang.org/doc/sqstdlib3.pdf page 7.

The file object implements a stream on an operating system file. Its constructor imitates the behaviour of the C runtime function fopen, e.g.
local myfile = file("test.xxx","wb+");
creates a file with read/write access in the current directory.

...

I guess it's up to your management then. I'm not a linux-master but I guess it's about how you manage permissions.

jWeb

Yes it can. If the user who's running the server has at least read-only permissions to a file, then he can access it. He can go and read configuration files from the /etc/ directory, and if any of those have passwords then he'll be able to view them. He'll be able to read any file where users other than the owner have privileges to read it.

The only way he won't be able to read them is if the folder where the files are residing is accessible only by the owner. And while that would work with other servers, so he can't access files from the folder of another server, it won't work on system directories.

It all depends on the privileges of the user under which the server is running.

That's one of the quirks you have to deal with when hosting stuff.
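
An added example, not code from any poster in this thread: a shell audit of the condition described in the reply above, using the `<root>/<svr-uid>/svr` layout from the first post. It assumes GNU `stat` on Linux and one Unix account per server; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumptions: GNU coreutils stat (Linux), hosting root laid
# out as <root>/<svr-uid>/svr/..., each server meant to run as its own user.

# Print "<mode> <uid> <path>" for every server directory that is not
# owner-only, i.e. whose group or other permission bits are set.
audit_server_dirs() {
    root=$1
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        dir=${dir%/}
        mode=$(stat -c '%a' "$dir")   # octal mode, e.g. 755 or 2750
        uid=$(stat -c '%u' "$dir")    # numeric owner
        case $mode in
            0|*00) ;;                 # group and other digits both 0
            *) printf '%s %s %s\n' "$mode" "$uid" "$dir" ;;
        esac
    done
}

# Print every uid that owns more than one server directory. Directory modes
# give no isolation between servers that run under the same account.
shared_owner_uids() {
    root=$1
    for dir in "$root"/*/; do
        if [ -d "$dir" ]; then
            stat -c '%u' "$dir"
        fi
    done | sort | uniq -d
}

# Stand-alone use: sh audit.sh /path/to/hosting-root
if [ "$#" -gt 0 ]; then
    echo "Server directories open to group/other:"
    audit_server_dirs "$1"
    echo "UIDs owning more than one server directory:"
    shared_owner_uids "$1"
fi
```

A directory reported by the first function can be restricted with `chmod 700`; a uid reported by the second means those servers can read each other's files regardless of directory mode.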