From owner-freebsd-security Wed Sep 1 16: 9:58 1999
Date: Wed, 1 Sep 1999 15:12:03 -0400 (EDT)
From: Systems Administrator
To: "L. Sassaman"
Cc: FreeBSD -- The Power to Serve, Jeff Wheat, freebsd-security@FreeBSD.ORG
Subject: Re: FW: Local DoS in FreeBSD

If you have it set so that it does SUID for cgi and runs it as the user or
uses the user's accounting limits, it won't work.. and yes, you should set
some sensible apache limits per user on that stuff, I know it's possible.

------------------------------------------------------------------------------
Jason DiCioccio              | geniusj@free-bsd.org
FreeBSD - The Power to Serve | http://www.freebsd.org
                             | http://www.ods.org
------------------------------------------------------------------------------

On Wed, 1 Sep 1999, L. Sassaman wrote:

> On Wed, 1 Sep 1999, FreeBSD -- The Power to Serve wrote:
>
> > If you have public access users, you should have login accounting in the
> > first place.. and yes, it does stop it :).. I verified this on a 3.2 box
> > with my login accounting setup..
>
> Okay, tweak the login.conf and you stop users from issuing the attack from
> the shell. But what about someone who builds the program and uploads it
> into a cgi-bin? Are we just to stop allowing cgi's to be run if they
> require higher resource limits?
>
>
> L. Sassaman
>
> System Administrator  | "Even the most primitive society has
> Technology Consultant | an innate respect for the insane."
> icq.. 10735603        |
> pgp.. finger://ns.quickie.net/rabbi | --Mickey Rourke