Date: Wed, 17 Jan 2001 22:07:10 +0100 From: mouss <usebsd@free.fr> To: "Aleksandr A.Babaylov" <babolo@links.ru>, roam@orbitel.bg (Peter Pentchev) Cc: walter@binity.com, wayne@staff.msen.com, hackers@FreeBSD.ORG Subject: Re: Protections on inetd (and /sbin/* /usr/sbin/* in general) Message-ID: <4.3.0.20010117215944.04b10ae0@pop.free.fr> In-Reply-To: <200101171513.SAA07666@aaz.links.ru> References: <20010117103330.L364@ringworld.oblivion.bg>
next in thread | previous in thread | raw e-mail | index | archive | help
I really don't see why one should prohibit listening on a port! if you don't want users other than root doing anytig, remove all accounts but root. but then all your programs will run as root. so you are finally in a worst state of affairs. ok, the guy could write to /tmp. but heh, he could connect on your webserv and "run" a cgi script! you're not going to disable connnections to your web server or disable your cgis? ok the guy could run inetd. but if they can write a file, they could run "rm -rf /". yes, that fails, but running inetd also failed, no? so what's the problem? they can also run "pwd". as long as it doesn't hurt, let'em do whatever they want... the real problem here is that they did something they were not supposed to do, use the cgi script to write a specific inetd.conf file. so, fix the cgi script. yes, it's a hard job to audit all cgis, but heh, there's probably one that allows him to delete the whole httpd files, given that the cgis are executed with the credentials of the server, and that the files are (generally) owned by the server. cheers, mouss To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4.3.0.20010117215944.04b10ae0>