I was creating FTP accounts under my main domain account via cPanel on my VPS. The accounts are for my freelance web designers. Each FTP account had its home directory in the public_html/<ftpuser>/ folder so I could view the files live on the domain (in their own folders). The permissions seemed to be fine in FTP; the users could not modify files or travel outside of their directory.
I wanted to see if the users were able to run system commands with a Perl script (uploaded by them) accessed via a browser, and when I tested a script, YES, IT WAS ABLE to run system commands and modify files OUTSIDE of their directory. I was really surprised.
Is there any way to set it up to restrict the SCRIPT'S ACCESS to the FTP user directory only, when executed via a browser? I figured this would be a default security feature.
Help!

