Ensim Security at DixieSys?
Hello. I am a new poster (I have read lots of posts...thanks for great discussion), but not a new domain master. I have also read the rules and am mentioning the provider to see if others have similar set-ups. I am happy with my provider. Let that be said at the outset. However, I am not happy with the information being provided on this one issue.
I am a bit flummoxed by a recent turn, and am seeking clarification.
Problem:
After switching physical servers at my provider, I noticed that assigned FTP users (I will use ~user to indicate such) could traverse any directory on the entire root of the domain.
I was certainly immediately worried, as this was not the condition on the server I had moved from. However, my domain had already been deleted from the original machine, so I could not re-verify.
As a means to confirm this behaviour with other domain masters on other servers, several domain masters tested their ability to add a ~user, log in via FTP, and attempt to access other ~user directories as well as the root 'admin' directory. They reported that they could NOT -- this is the expected behaviour according to the Ensim knowledge base.
Now convinced that I was experiencing a mis-configuration of some sort, I submitted a trouble ticket at my provider, and the reply I got was this:
>> This is a "feature" of Ensim, and not something we can change. ~users have full access to all levels of the domain's directory structure.
What I then found equally baffling is that, as the 'admin' and 'master' account on the domain, I can NOT enter a ~user directory via FTP.
The two realities do not "mesh" for me. And, so, again, I turned to the Ensim knowledge base.
I have found numerous references to the effect of: Default Ensim install jails ~users to their own directory only. ~users are not able to traverse the entire tree unless you adjust your settings to allow such behaviour.
It seems to me to be a serious security threat that added ~users have access to:
all passwords which may be stored in .php files
.htaccess files
passwords to SQL db's which may be stored in .php files (quite common, as you know).
My provider continues to tell me -- via different all-volunteer tech support -- that this is the "default and expected" behaviour of Ensim, yet they will not (or have not) addressed the confirmed fact that users on other servers with the supposed "same" install of tools do NOT experience this insane security risk.
Can someone point me to any experience, any published articles, any convincing and authoritative discussion of either (or all):
a) How to properly instruct my provider to install Ensim according to what the knowledge base says
b) Reasons why this is a serious security flaw
c) How this could be justified as "okay" if it is, after all, the default behaviour of Ensim (which I just cannot imagine they would have a product that, by default, allows any random FTP user full access to the admin's directory, but does not allow the admin access to the ~user directory.)
If I am reading the knowledge base wrong, then I would take the complaint to Ensim. But after shared discussion, after confirming that the behaviour on "my" server is NOT the same as the behaviour on the server for other domains at my same hosting provider, and after the kBase review, I am still unable to get a clear reply from the volunteers who handle the tech support at dixie.
Your experience, wisdom and recommendations are most appreciated.
Thank you.
