WTF Godaddy SSh access to shared server exposes everyones username

9 points by peterchon ↗ HN
I just used my ssh bash access to my godaddy shared server. Upon inspection to ls -l of upper directory, it exposed all the shared user's username.

Please tell me I'm wrong.

15 comments

[ 24.3 ms ] story [ 159 ms ] thread
Even if it does, a username alone isn't a security breach. You would think they'd use ssh chroots or something, but there are no security issues with seeing a username
I realize that it isn't a security breach, but I'm not so comfortable sharing my username with everyone else.
Not a breach in and of itself, but it does give an attacker something they didn't have before: a list of attackable login names.

Now they can start trying common passwords on logins that they know exist, rather than having to guess at that too.

Many sites rate usernames as public information, with SSH keys and passwords being private. Getting a list of users is not typically considered a security issue. If you chose (or were forced to choose) a username the was based on your real name, that could be a privacy issue (as well as a namespace collision problem), but not really a security issue.
This has been the case on every shared host I've used. Most of them even defaulted to your files being world-readable.
Usually all you need to do is read /etc/passwd to get all the usernames on the system. Without access to /etc/passwd, commands like ls would be able to resolve UID -> username.
Isn't this normal on many shared hosts?
If you know how to do this, why don't you use pay $5/mo to DigitalOcean and get your own VPS... Shared hosting just implies that you are not really serious about security
I'm not a black hat or anything even close to that nature. I just happened to see it and it concerned me greatly. I am really starting to think about running a vps through linode or something.
its shared hosting and so you're probably looking at /home.

its should be okay. Just make sure you have a strong password

Nothing new and in fact it's an extremely common hack to do a recursive find over the upper directory to see if there are any directories with the global write bit set, then drop a php file to get access to their file system. In general, you should never put anything on a shared server that you don't want to world to see.
Adding to the other comments, I've encountered similar on shared hosts. The first time, when I encountered something similar through a PHP program, I reached out; I did get a response from support (who were responsive and did on their own escalate to a higher level), along the lines of, "We know. It's not ideal, but it's the best we can do within the current systems design."
You are absolutely correct. You can also type `who` for a list of users who are currently logged in. You can even `cat /etc/passwd` for uids and home directories. That's how UNIX security works (not via obscurity). If your password's not strong enough to resist a bruteforce, change it and/or get a VPS (which, incidentally, commonly get pwned by Chinese botnets if you insist on using a weak password and don't switch to pubkey-only auth).