Stupid web host
I've got an account on a Linux web host including shell access.
They decided to upgrade the server, a good thing - but the way they did it was horrible.
First - they switched from Gentoo to Debian. I don't mind that change - Debian is much better for production servers than Gentoo. However, Debian uses a different UID/GID for the Apache web server. Thus - my web apps that need write permission to a directory all failed, because they didn't alter the UID/GID of apache.
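What the host should have done after the switch is re-own everything the old Apache UID/GID had write access to. Here is an added example of that cleanup (my own script for this post, not anything the host or cPanel ships); the UID/GID numbers it takes are whatever the old and new servers actually use and are hypothetical here. It uses lstat/lchown deliberately: on a shared box a customer can drop a symlink in their docroot, and a chown that follows symlinks would hand ownership of the target to the web server user.

```python
"""Re-own web content after a migration that changed the Apache UID/GID.

Added example, not code from the original post. Assumes: old_uid/old_gid are
the numeric IDs the previous server's Apache ran as, new_uid/new_gid are the
IDs on the new server (e.g. www-data on Debian); all numbers are hypothetical.
"""
import os
import sys


def plan_reown(root, old_uid, old_gid, new_uid, new_gid):
    """Walk `root` without following symlinks and return the ownership changes
    needed as a list of (path, uid, gid); -1 means "leave that field as is",
    which is the convention os.lchown() uses."""
    plan = []

    def consider(path):
        st = os.lstat(path)  # lstat: never follow a user-controlled symlink
        uid = new_uid if st.st_uid == old_uid else -1
        gid = new_gid if st.st_gid == old_gid else -1
        if uid != -1 or gid != -1:
            plan.append((path, uid, gid))

    consider(root)
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            consider(os.path.join(dirpath, name))
    return plan


def apply_plan(plan):
    """Apply a plan from plan_reown(); returns the number of entries changed."""
    for path, uid, gid in plan:
        os.lchown(path, uid, gid)  # lchown, not chown: change the link, not its target
    return len(plan)


if __name__ == "__main__":
    # usage: reown.py ROOT OLD_UID OLD_GID NEW_UID NEW_GID [--apply]
    if len(sys.argv) < 6:
        sys.exit(__doc__)
    root = sys.argv[1]
    old_uid, old_gid, new_uid, new_gid = (int(a) for a in sys.argv[2:6])
    plan = plan_reown(root, old_uid, old_gid, new_uid, new_gid)
    for path, uid, gid in plan:
        print("%s -> uid %d gid %d" % (path, uid, gid))
    if "--apply" in sys.argv[6:]:
        print("changed %d entries" % apply_plan(plan))
    else:
        print("dry run: %d entries would change (add --apply)" % len(plan))
```

Run it once without `--apply` and read the list before trusting it: if the old Apache UID happens to collide with a real user's UID on the new box, you will see that user's files in the plan and can stop.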
Then - I could not log in. Connection refused. That's odd - so I went and looked in my mail for the password from when I first set up the account three years ago, the password I changed the day I got the account, and son of a bitch - it worked.
I bitterly complained about that, and they told me "You must have changed your password in the shell, the supported way is through cpanel, when we set up the new server, we used the password from cpanel"
WHAT THE FREAKING FUCK ???
That means they are storing the passwords for their users in cpanel. That is the stupidest thing they can possibly do. You don't store shell account login passwords in a database that is accessible from web applications.
Ack!
While I guess it is possible they are storing a shadow compatible hash of the password, they probably aren't - it's probably the plain text password. At least my shell account is safe - I changed it in the shell again. I despise CPanel. Webmin is at least a little tolerable, but CPanel just bites.
That's the dumbest thing they could do though, that's just asking to be hacked. Even if they do store a shadow compatible hash, you still don't do it in a database accessible from a web application.
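For contrast, this is what "store a hash, not the password" looks like, as an added example (mine, not cPanel's or the host's code). It uses PBKDF2-HMAC-SHA256 from the standard library rather than the glibc SHA-512 crypt format a real /etc/shadow uses, because Python's crypt module is gone as of 3.13; the storage format and 600,000-iteration default are my choices. The point it demonstrates is that the stored string lets you verify a login and can be copied to a new server as-is, but never yields the password back.

```python
"""Salted, slow password hashing: the record a migration should carry over.

Added example, not code from the original post. The "$pbkdf2-sha256$..."
record format is an assumption of this example, not a shadow(5) format.
"""
import hashlib
import hmac
import secrets

ALGO = "pbkdf2-sha256"
DEFAULT_ITERATIONS = 600_000  # OWASP guidance for PBKDF2-HMAC-SHA256


def hash_password(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Return a self-describing record; the plaintext is never stored."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$%s$%d$%s$%s" % (ALGO, iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count, compare in constant time.
    Anything that does not parse as one of our records (e.g. a plaintext password
    someone copied out of a control panel) is rejected rather than guessed at."""
    try:
        _, algo, iters, salt_hex, digest_hex = stored.split("$")
        iterations = int(iters)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if algo != ALGO or iterations < 1:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected)


def migrate_accounts(old_records):
    """What moving users to a new server needs: copy the records verbatim.
    No plaintext is required, so none has to exist anywhere."""
    return {user: record for user, record in old_records.items()}


if __name__ == "__main__":
    # constructed sample account, not real data
    old_server = {"alice": hash_password("correct horse battery staple")}
    new_server = migrate_accounts(old_server)
    print(new_server["alice"])  # salt and digest only; nothing to log in with
    print(verify_password("correct horse battery staple", new_server["alice"]))  # True
    print(verify_password("hunter2", new_server["alice"]))  # False
```

If cPanel genuinely needs to set a shell password it can write the hash into /etc/shadow at the moment the user submits the new password and then forget it; keeping a copy around for "the next migration" is exactly the design flaw complained about above.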
I guess I'm going to have to just spend the money and pay for 1U of rack space and admin my own machine. Every freaking web host I've ever used has demonstrated quite clearly that their system administrators aren't even qualified to be junior admins.
It's sickening.