Account security in jeopardy

On one of my hosts I found this easy to do account breach:

It's a shared account server and anyone who logs on to the shell basically has access to other user's accounts. Just go to the directory where each account's web folder is located and let's say presume there's phpmyadmin there. Cat the config.inc.php file and you get the username and password to their database. You really can't lock out the 'other' read permission because you it has to be read when it gets fetched from apache. But for some files, especially script files (PHP or pl), these files include some sensitive info like database passwords.

Is this a serious security issue?

 

 

 

 

Top