Date: Tue, 17 Aug 1999 14:59:55 -0400 (EDT)
From: Barrett Richardson <barrett@phoenix.aye.net>
To: Mike Tancsa <mike@sentex.net>
Cc: freebsd-security@freebsd.org
Subject: Re: Any work around for this FreeBSD bug/DoS ?
Message-ID: <Pine.BSF.4.01.9908171435560.21777-100000@phoenix.aye.net>
In-Reply-To: <4.1.19990816203409.05989960@granite.sentex.ca>
On Mon, 16 Aug 1999, Mike Tancsa wrote:

> Is there any work around or coming fix for the 'testsockbuf.c' originally
> reported by Marc Olzheim <marcolz@ilse.nl> on Aug 9th? It's only a matter
> of time until some wannabe script kiddie uploads it to one of my servers
> for his/her cgi-script. It crashes 2.2.x and 3.x servers reliably :-( I
> sent a message to the security officer last week but haven't heard anything
> since then.
>
> ---Mike

I've been using a mechanism that prevents running arbitrary executables on my systems. I require a flag bit to be set for an executable to be run -- so if a script kiddie uploads or creates a binary executable it won't run, unless I approve it by setting the flag. At the moment I let shell scripts slide, which will leave you vulnerable to perl -- but that could be easily changed. When I set the flag for somebody, I also set the immutable flag so a user can't overwrite it with a binary of his choosing. I've relaxed the restriction for root to avoid administrative headaches.

I've been mulling over the idea of making the behavior controllable via a sysctl mib on my systems, or adding it to one of the securelevels. Would be nicer if the securelevels were more fine grained, like with a mask to turn on/off various things. What would be nice would be a bit to turn it on/off for users, a bit to turn it off/on for root and a bit to turn it off/on for shell scripts.

The model with using the flag bit is imperfect, but can help out when you're in a pinch.

- Barrett
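The policy Barrett sketches (exec only if an approval flag is set, root exempt, scripts let slide, plus the per-class on/off bits he wishes securelevel had) can be written down as a single decision function. The block below is an added example, not code from the message or from FreeBSD: it models that check in user space, taking the facts the kernel exec path would have (caller's effective uid, the file's `st_flags`, the first bytes of the image) and returning a verdict. `UF_IMMUTABLE` and `SF_IMMUTABLE` are the real FreeBSD values from `<sys/stat.h>`; the `UF_EXECOK` approval bit and the `POL_*` mask are assumptions made for the example. One caveat the example enforces that the message leaves implicit: the "immutable" flag paired with approval should be `schg` (`SF_IMMUTABLE`), because the file owner can clear `uchg` (`UF_IMMUTABLE`) themselves and then replace the approved bytes.

```c
/*
 * Added example: user-space model of an "exec requires an approved flag bit"
 * policy. Not FreeBSD code and not Barrett's implementation; a real version
 * would hook the kernel exec path. Flag values and policy bits marked
 * ASSUMED are invented for the example.
 */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Real FreeBSD file-flag values (sys/stat.h). */
#define UF_IMMUTABLE 0x00000002u   /* uchg: file owner may set AND clear it */
#define SF_IMMUTABLE 0x00020000u   /* schg: root only, not clearable at securelevel > 0 */

/* ASSUMED: a user-flag bit meaning "administrator approved this file for exec".
 * Not a real FreeBSD flag. */
#define UF_EXECOK    0x00004000u

/* ASSUMED policy mask: the per-class on/off bits proposed in the message. */
#define POL_ENFORCE_USERS   0x1u  /* unprivileged callers need the flag */
#define POL_ENFORCE_ROOT    0x2u  /* root needs it too */
#define POL_ENFORCE_SCRIPTS 0x4u  /* "#!" scripts are checked instead of let slide */

enum exec_verdict {
    EXEC_ALLOW = 0,
    EXEC_DENY_UNAPPROVED,   /* UF_EXECOK not set */
    EXEC_DENY_MUTABLE       /* approved, but not schg: owner could swap the bytes */
};

/* A file is treated as a script when its image starts with "#!". */
static int is_script(const unsigned char *hdr, size_t len)
{
    return len >= 2 && hdr[0] == '#' && hdr[1] == '!';
}

enum exec_verdict exec_check(unsigned policy, unsigned euid, uint32_t st_flags,
                             const unsigned char *hdr, size_t hdrlen)
{
    /* First decide whether this caller/file class is enforced at all. */
    if (euid == 0 && !(policy & POL_ENFORCE_ROOT))
        return EXEC_ALLOW;
    if (euid != 0 && !(policy & POL_ENFORCE_USERS))
        return EXEC_ALLOW;
    if (is_script(hdr, hdrlen) && !(policy & POL_ENFORCE_SCRIPTS))
        return EXEC_ALLOW;          /* the perl hole the message mentions */

    if (!(st_flags & UF_EXECOK))
        return EXEC_DENY_UNAPPROVED;
    /* Approval only means something if the approved bytes cannot change.
     * uchg is not enough (the owner can clear it), so require schg. */
    if (!(st_flags & SF_IMMUTABLE))
        return EXEC_DENY_MUTABLE;
    return EXEC_ALLOW;
}

static const char *verdict_name(enum exec_verdict v)
{
    switch (v) {
    case EXEC_ALLOW:           return "allow";
    case EXEC_DENY_UNAPPROVED: return "deny (no approval flag)";
    case EXEC_DENY_MUTABLE:    return "deny (approved but not schg)";
    }
    return "?";
}

/* Constructed sample images: an ELF header and a perl script header. */
static const unsigned char elf_hdr[]  = { 0x7f, 'E', 'L', 'F' };
static const unsigned char perl_hdr[] = "#!/usr/bin/perl";

int main(void)
{
    /* The setting described in the message: users enforced, root relaxed, scripts slide. */
    unsigned pol = POL_ENFORCE_USERS;
    printf("uploaded binary, uid 1001, no flags:   %s\n",
           verdict_name(exec_check(pol, 1001, 0, elf_hdr, sizeof elf_hdr)));
    printf("approved binary, uchg only:            %s\n",
           verdict_name(exec_check(pol, 1001, UF_EXECOK | UF_IMMUTABLE, elf_hdr, sizeof elf_hdr)));
    printf("approved binary, schg:                 %s\n",
           verdict_name(exec_check(pol, 1001, UF_EXECOK | SF_IMMUTABLE, elf_hdr, sizeof elf_hdr)));
    printf("root, unflagged binary:                %s\n",
           verdict_name(exec_check(pol, 0, 0, elf_hdr, sizeof elf_hdr)));
    printf("uid 1001, unflagged perl script:       %s\n",
           verdict_name(exec_check(pol, 1001, 0, perl_hdr, sizeof perl_hdr)));
    /* Flip the scripts bit on and the same script is now refused. */
    printf("same script, scripts enforced:         %s\n",
           verdict_name(exec_check(pol | POL_ENFORCE_SCRIPTS, 1001, 0, perl_hdr, sizeof perl_hdr)));
    return 0;
}
```

The "#!" sniff is deliberately the weak part of the model: an interpreter invoked explicitly (`perl uploaded.pl`) never passes through exec with a script image at all, which is exactly why the message says letting scripts slide leaves perl open. Checking the interpreter binary instead of the script does not help either, since the interpreter is an approved system binary. A flag-based exec gate covers compiled exploits like the one Mike is worried about; it is not a substitute for fixing the kernel bug.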