[lug] cgi shell

Peter Hutnick peter-lists at hutnick.com
Mon Feb 3 16:28:37 MST 2003


Peter Janett said:
> What you need to do is make sure your permissions are correct on your
> server, as the web server is public, and should be treated as a system
> user. So anything you don't want accessed via a script like this need to
> have permissions that protect it from user "nobody", or whatever user
> your web server is running as.

This might be a little overly-optimistic about your local security.  It is
REALLY hard to totally lock down a system so that you can let shell users
run amok.

Can you name /every/ suid binary on your system off the top of your head?

I'm not saying that local security isn't an important part of system
security, but you have to have pretty damn good local security to be able
to reasonably sleep at night if you are going to let any passerby have a
shell.

Instead of only counting on having airtight local security I'd suggest
also chrooting the webserver.

-Peter





More information about the LUG mailing list