From owner-freebsd-security@FreeBSD.ORG Thu Sep 25 19:36:03 2014
Delivered-To: freebsd-security@freebsd.org
Date: Thu, 25 Sep 2014 15:35:55 -0400
From: Chris Nehren
To: freebsd-security@freebsd.org
Subject: Re: bash vulnerability
Message-ID: <20140925193555.GB28430@satori.lan>
In-Reply-To: <54244982.8010002@FreeBSD.org>
References: <00000148ab969845-5940abcc-bb88-4111-8f7f-8671b0d0300b-000000@us-west-2.amazonses.com> <54243F0F.6070904@FreeBSD.org> <54244982.8010002@FreeBSD.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
List-Id: "Security issues [members-only posting]"

On Thu, Sep 25, 2014 at 11:57:38 -0500, Bryan Drewery wrote:
> 1. Do not ever link /bin/sh to bash. This is why it is such a big
> problem on Linux, as system(3) will run bash by default from CGI.

I would think that this would cause other, more fundamental, issues.
FreeBSD's systems don't expect /bin/sh to be bash, and I wouldn't be
surprised if they break for whatever reason.

> 2. Web/CGI users should have shell of /sbin/nologin.
> 3. Don't write CGI in shell script / Stop using CGI :)
> 4. httpd/CGId should never run as root, nor "apache". Sandbox each
> application into its own user.

And its own jail. Jails with ZFS are dirt cheap.

-- 
Chris Nehren
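The point behind items 1 and 3 of Bryan's list is that system(3) runs "/bin/sh -c <command>" with the caller's whole environment, and under CGI that environment contains HTTP_* variables copied verbatim from the client's request headers, so request data reaches whatever shell /bin/sh happens to be. The following is an added example, not code from this thread, from FreeBSD or from any web server: a CGI program that needs a helper spawns it directly with an allowlisted environment instead of calling system(3). The allowlist names, the helper path in the comment and the CGI environment are constructed for the example; the probe command uses /bin/sh only to show that the filtered environment no longer carries the header-derived variable.

```c
/*
 * Added example (not code from the thread or from FreeBSD): a CGI program
 * that needs to run a helper should not call system(3), which executes
 * "/bin/sh -c <command>" with the caller's entire environment. Under CGI
 * that environment includes HTTP_* variables copied from request headers,
 * i.e. attacker-controlled strings handed straight to the shell. The
 * pattern below spawns the helper directly and passes only an allowlisted
 * environment, so no shell parses request data at all.
 */
#include <spawn.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_ENV 32

/* Hypothetical allowlist: the only variables the helper is given. */
static const char *const allowed_names[] = {
    "PATH", "REQUEST_METHOD", "QUERY_STRING", "CONTENT_LENGTH", NULL
};

/* Return 1 if env (NULL-terminated "NAME=value" array) defines NAME. */
int env_contains(char *const env[], const char *name)
{
    size_t len = strlen(name);
    for (size_t i = 0; env[i] != NULL; i++)
        if (strncmp(env[i], name, len) == 0 && env[i][len] == '=')
            return 1;
    return 0;
}

/* Copy allowlisted entries of in[] into out[] (NULL-terminated).
 * Everything else, including every HTTP_* variable, is dropped.
 * Returns the number of entries kept. */
size_t build_safe_env(char *const in[], char *out[], size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; in[i] != NULL && n + 1 < cap; i++) {
        const char *eq = strchr(in[i], '=');
        if (eq == NULL)
            continue;
        size_t namelen = (size_t)(eq - in[i]);
        for (size_t j = 0; allowed_names[j] != NULL; j++) {
            if (strlen(allowed_names[j]) == namelen &&
                strncmp(in[i], allowed_names[j], namelen) == 0) {
                out[n++] = in[i];
                break;
            }
        }
    }
    out[n] = NULL;
    return n;
}

/* Execute argv[0] directly with the given environment: no /bin/sh -c,
 * so neither the arguments nor the environment are shell-parsed.
 * Returns the child's exit status, or -1 on spawn/wait failure. */
int run_without_shell(char *const argv[], char *const envp[])
{
    pid_t pid;
    int status;
    if (posix_spawn(&pid, argv[0], NULL, NULL, argv, envp) != 0)
        return -1;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed CGI environment: HTTP_USER_AGENT holds whatever the client
 * put in its User-Agent header. */
char *demo_cgi_env[] = {
    "PATH=/usr/bin:/bin",
    "REQUEST_METHOD=GET",
    "QUERY_STRING=q=1",
    "HTTP_USER_AGENT=anything the client sent",
    "HTTP_COOKIE=session=abc",
    NULL
};
char *demo_safe_env[MAX_ENV];

/* Probe: exits 0 only if HTTP_USER_AGENT is absent from its environment. */
char *demo_probe_argv[] = { "/bin/sh", "-c", "test -z \"$HTTP_USER_AGENT\"", NULL };

/* Filter demo_cgi_env into demo_safe_env; returns entries kept. */
size_t filter_demo_env(void)
{
    return build_safe_env(demo_cgi_env, demo_safe_env, MAX_ENV);
}

int main(void)
{
    filter_demo_env();
    /* Vulnerable pattern: system("/usr/local/libexec/helper") would run
     * /bin/sh -c with demo_cgi_env intact (helper path is hypothetical). */
    printf("probe with full CGI env: exit %d\n",
           run_without_shell(demo_probe_argv, demo_cgi_env));
    printf("probe with allowlisted env: exit %d\n",
           run_without_shell(demo_probe_argv, demo_safe_env));
    return 0;
}
```

Running the probe with the raw CGI environment exits 1 (the header-derived variable is visible to the shell); with the allowlisted environment it exits 0. The filtering does not depend on which shell /bin/sh is, which is why it complements rather than replaces items 1 and 2 of the list: the helper still runs as whatever user the CGI process is, so the per-application user and jail in item 4 remain the containment boundary.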