Date: Fri, 26 Sep 2014 16:38:03 +0400
From: Slawa Olhovchenkov <slw@zxy.spb.ru>
To: Chris Nehren <cnehren+freebsd-security@pobox.com>
Cc: freebsd-security@freebsd.org
Subject: Re: bash velnerability
Message-ID: <20140926123803.GA30925@zxy.spb.ru>
In-Reply-To: <20140925193555.GB28430@satori.lan>
References: <CAHFU5H5WOnAXuFmfQEGkTvwoECATTCC3eKYE3yts%2BBqh1M_8ww@mail.gmail.com> <00000148ab969845-5940abcc-bb88-4111-8f7f-8671b0d0300b-000000@us-west-2.amazonses.com> <54243F0F.6070904@FreeBSD.org> <54244982.8010002@FreeBSD.org> <20140925193555.GB28430@satori.lan>
On Thu, Sep 25, 2014 at 03:35:55PM -0400, Chris Nehren wrote:
> On Thu, Sep 25, 2014 at 11:57:38 -0500, Bryan Drewery wrote:
> > 1. Do not ever link /bin/sh to bash. This is why it is such a big
> > problem on Linux, as system(3) will run bash by default from CGI.
>
> I would think that this would cause other, more fundamental,
> issues. FreeBSD's systems don't expect /bin/sh to be bash,
> and I wouldn't be surprised if they break for whatever reason.
>
> > 2. Web/CGI users should have shell of /sbin/nologin.
> > 3. Don't write CGI in shell script / Stop using CGI :)
> > 4. httpd/CGId should never run as root, nor "apache". Sandbox each
> > application into its own user.
>
> And its own jail. Jails with ZFS are dirt cheap.

For jails with ZFS to be good, we need to fix unionfs and devfs.
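Points 1 and 2 of Bryan's list can be turned into a quick host audit. The script below is an added example, not part of the thread; it assumes a FreeBSD-style passwd layout, a hypothetical "cgi-" naming prefix for per-application CGI accounts, and treats any login shell whose path ends in "nologin" (either /sbin/nologin or /usr/sbin/nologin) as locked.

```sh
#!/bin/sh
# Added audit script (not from the thread): checks two of the mitigations
# discussed above. Assumption: a login shell ending in "nologin" is locked.

# Constructed passwd-style sample so the script runs offline; not a real file.
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/sh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
cgi-app1:*:1001:1001:App 1 CGI:/var/cgi/app1:/sbin/nologin
cgi-app2:*:1002:1002:App 2 CGI:/var/cgi/app2:/usr/local/bin/bash'

# Mitigation 2: print "user:shell" for every account whose name starts
# with $1 (e.g. "cgi-") and whose login shell is not nologin.
# Reads passwd lines on stdin; prints nothing when all are locked.
cgi_users_with_shell() {
    awk -F: -v p="$1" 'index($1, p) == 1 && $7 !~ /nologin$/ { print $1 ":" $7 }'
}

# Mitigation 1: return 0 if $1 is bash, or a symlink whose final target
# is named bash (e.g. /bin/sh -> /usr/local/bin/bash), else 1.
sh_is_bash() {
    t=$1
    n=0
    # Follow symlink chains by hand; readlink -f is not POSIX.
    while [ -L "$t" ] && [ "$n" -lt 16 ]; do
        link=$(readlink "$t")
        case "$link" in
            /*) t=$link ;;
            *)  t=$(dirname "$t")/$link ;;
        esac
        n=$((n + 1))
    done
    [ "$(basename "$t")" = bash ]
}

# Stand-alone run: audit the embedded sample, then this host's /bin/sh.
printf '%s\n' "$SAMPLE_PASSWD" | cgi_users_with_shell cgi-
if sh_is_bash /bin/sh; then
    echo "/bin/sh resolves to bash"
else
    echo "/bin/sh is not bash"
fi
```

To audit a real host, replace the embedded sample with `getent passwd` (or `cat /etc/passwd`) on stdin.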
