From owner-freebsd-security@FreeBSD.ORG Thu Aug 11 15:05:48 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9744E16A420 for ; Thu, 11 Aug 2005 15:05:48 +0000 (GMT) (envelope-from stijn@pcwin002.win.tue.nl) Received: from pastinakel.tue.nl (pastinakel.tue.nl [131.155.2.7]) by mx1.FreeBSD.org (Postfix) with ESMTP id C44BD43D53 for ; Thu, 11 Aug 2005 15:05:47 +0000 (GMT) (envelope-from stijn@pcwin002.win.tue.nl) Received: from localhost (localhost [127.0.0.1]) by pastinakel.tue.nl (Postfix) with ESMTP id EF19514BB8C; Thu, 11 Aug 2005 17:05:46 +0200 (CEST) Received: from pastinakel.tue.nl ([127.0.0.1]) by localhost (pastinakel.tue.nl [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 25951-01-4; Thu, 11 Aug 2005 17:05:24 +0200 (CEST) Received: from pcwin002.win.tue.nl (pcwin002.win.tue.nl [131.155.71.72]) by pastinakel.tue.nl (Postfix) with ESMTP id BB2D514BC66; Thu, 11 Aug 2005 17:04:34 +0200 (CEST) Received: (from stijn@localhost) by pcwin002.win.tue.nl (8.13.4/8.13.4/Submit) id j7BF4YYP029807; Thu, 11 Aug 2005 17:04:34 +0200 (CEST) (envelope-from stijn) Date: Thu, 11 Aug 2005 17:04:34 +0200 From: Stijn Hoop To: jimmy@inet-solutions.be Message-ID: <20050811150434.GD26471@pcwin002.win.tue.nl> References: <97525439-C809-4E69-B191-F29585A1A71B@rosewoodblues.com> <20050811134650.GC26471@pcwin002.win.tue.nl> <1123772050.42fb669291ae3@webmail.boxke.be> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="4SFOXa2GPu3tIq4H" Content-Disposition: inline In-Reply-To: <1123772050.42fb669291ae3@webmail.boxke.be> User-Agent: Mutt/1.4.2.1i X-Bright-Idea: Let's abolish HTML mail! X-Virus-Scanned: amavisd-new at tue.nl Cc: freebsd-security@freebsd.org, Ken Hawkins Subject: Re: newbie with www user security problem X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Aug 2005 15:05:48 -0000 --4SFOXa2GPu3tIq4H Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Aug 11, 2005 at 04:54:10PM +0200, jimmy@inet-solutions.be wrote: > If the box in question was local secure, you don't have to worry that muc= h. Correct of course, but seeing as the OP admitted to not knowing a lot about the administration of this machine, I don't think local security was very high. > If it's a long time since you've updated your base, are sloppy with passw= ords > on the box in question, haven't updated your daemons/setuid packages in w= eeks, > then the box should be concidered a total loss. >=20 > Just think in terms as "what are the possible things I could do if my UID= were > 'www'" There might be some less obvious things, especially if the base OS is as far behind as the phpBB installation. > I for example have webservers running in chroot, on a partition that is > nosuid, and starred out password for the user 'www'. The thing you > describing happens sometimes because users do not update there phpbb's > either. I'm not affraid since the kiddo would have the same access than a > customer, which I cannot trust either. If you don't know the box IS secur= e, > it isn't, there is a lot of work involved in keeping things like this > "under controle". Totally true, and good advice for setting up access for customers / etc. --Stijn --=20 Coughlin's law: never show surprise, never lose your cool. -- Cocktail --4SFOXa2GPu3tIq4H Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (FreeBSD) iD8DBQFC+2kCY3r/tLQmfWcRAm9bAJ92lyAyGDaWGibKPe8531yU9diGQwCgoODr BFjCs9emTPDA1ElqugjLPYQ= =1c74 -----END PGP SIGNATURE----- --4SFOXa2GPu3tIq4H--