From owner-freebsd-hackers Wed Jan 17 12:58:20 2001
Delivered-To: freebsd-hackers@freebsd.org
Received: from smtp.nettoll.com (matrix.nettoll.net [212.155.143.61]) by hub.freebsd.org (Postfix) with ESMTP id 07AE137B6C1 for ; Wed, 17 Jan 2001 12:57:53 -0800 (PST)
Received: by smtp.nettoll.com; Wed, 17 Jan 2001 21:52:34 +0100 (MET)
Message-Id: <4.3.0.20010117215944.04b10ae0@pop.free.fr>
X-Sender: usebsd@pop.free.fr
X-Mailer: QUALCOMM Windows Eudora Version 4.3
Date: Wed, 17 Jan 2001 22:07:10 +0100
To: "Aleksandr A.Babaylov" , roam@orbitel.bg (Peter Pentchev)
From: mouss
Subject: Re: Protections on inetd (and /sbin/* /usr/sbin/* in general)
Cc: walter@binity.com, wayne@staff.msen.com, hackers@FreeBSD.ORG
In-Reply-To: <200101171513.SAA07666@aaz.links.ru>
References: <20010117103330.L364@ringworld.oblivion.bg>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I really don't see why one should prohibit listening on a port!

If you don't want users other than root doing anything, remove all accounts but root. But then all your programs will run as root, so you are finally in a worse state of affairs.

OK, the guy could write to /tmp. But heh, he could connect to your web server and "run" a CGI script! You're not going to disable connections to your web server or disable your CGIs?

OK, the guy could run inetd. But if they can write a file, they could run "rm -rf /". Yes, that fails, but running inetd also failed, no? So what's the problem? They can also run "pwd". As long as it doesn't hurt, let 'em do whatever they want...

The real problem here is that they did something they were not supposed to do: use the CGI script to write a specific inetd.conf file. So, fix the CGI script.

Yes, it's a hard job to audit all CGIs, but heh, there's probably one that allows him to delete the whole httpd files, given that the CGIs are executed with the credentials of the server, and that the files are (generally) owned by the server.

cheers,
mouss
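The two points mouss makes above, that the CGI which writes an attacker-chosen file is the actual bug, and that a CGI runs with the server's credentials and can therefore touch anything the server user owns, are shown below as an added example that is not part of the thread and not FreeBSD or any real CGI's code. It models a file-saving CGI handler in a vulnerable form (caller-supplied name joined onto the upload directory, so "../../etc/inetd.conf" escapes it) and a hardened form that canonicalises the path and refuses anything outside the directory, plus a small check for whether a given server uid could modify a file. The directory layout, the parameter name, the sandbox under a temporary directory and the inetd.conf-style payload are all assumptions made for the demonstration; nothing is written outside the temporary directory.

```python
"""Added example (not from the freebsd-hackers thread or any real CGI):
a file-writing CGI handler, vulnerable and hardened, run in a sandbox.
Paths, names and the payload are constructed for illustration only."""
import os
import stat
import tempfile


class PathTraversal(ValueError):
    """Raised when a requested name would escape the upload directory."""


def save_vulnerable(base, name, data):
    """Write `data` to base/name with no validation (the bug).

    os.path.join() keeps ".." components, so name="../../etc/inetd.conf"
    lands outside `base`, anywhere the server's uid may write."""
    path = os.path.join(base, name)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(data)
    return os.path.realpath(path)


def safe_path(base, name):
    """Resolve base/name and refuse anything outside base.

    realpath() normalises ".." and follows symlinks, so a symlink planted
    inside base that points elsewhere is rejected as well."""
    root = os.path.realpath(base)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root or target == root:
        raise PathTraversal(name)
    return target


def save_hardened(base, name, data):
    """Same write, but only inside `base`, and no directory creation."""
    path = safe_path(base, name)
    with open(path, "w") as f:
        f.write(data)
    return path


def server_can_modify(path, server_uid):
    """True if a process running as `server_uid` could write `path`.

    Mouss's second point: CGIs run as the server user, so any file that
    user owns with owner-write, or any world-writable file, is replaceable
    through a CGI bug. (root's mode-bit bypass is deliberately not modelled.)"""
    st = os.stat(path)
    owner_writable = st.st_uid == server_uid and st.st_mode & stat.S_IWUSR
    world_writable = st.st_mode & stat.S_IWOTH
    return bool(owner_writable or world_writable)


def demo():
    """Run both handlers in a throwaway sandbox; return what happened."""
    sandbox = tempfile.mkdtemp(prefix="cgi-demo-")  # constructed sandbox, not real paths
    htdocs = os.path.join(sandbox, "htdocs", "uploads")
    os.makedirs(htdocs)
    # Illustrative inetd.conf-style line; never installed anywhere real.
    payload = "www stream tcp nowait nobody /bin/sh sh -i\n"

    escaped = save_vulnerable(htdocs, "../../etc/inetd.conf", payload)
    escaped_ok = escaped == os.path.realpath(os.path.join(sandbox, "etc", "inetd.conf"))

    try:
        save_hardened(htdocs, "../../etc/inetd.conf", payload)
        blocked = False
    except PathTraversal:
        blocked = True

    kept = save_hardened(htdocs, "notes.txt", "harmless")
    kept_ok = kept == os.path.realpath(os.path.join(htdocs, "notes.txt"))

    # A document root owned and writable by the server uid is what turns the
    # CGI bug into "delete the whole httpd files"; read-only files are not.
    index = os.path.join(sandbox, "htdocs", "index.html")
    with open(index, "w") as f:
        f.write("<html></html>")
    os.chmod(index, 0o644)
    owner_writable = server_can_modify(index, os.getuid())
    os.chmod(index, 0o444)
    readonly = server_can_modify(index, os.getuid())

    return {
        "vulnerable_escaped": escaped_ok,
        "hardened_blocked": blocked,
        "hardened_kept_inside": kept_ok,
        "docroot_owner_writable": owner_writable,
        "docroot_readonly": readonly,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened check compares canonical paths rather than scanning the name for "..", because encoded or symlinked variants get past string matching but not past realpath(). The ownership check is the audit a practitioner would run across the document root: files the server uid can write are exactly the ones a CGI bug can replace, so serving static content from files the server user does not own removes most of what mouss's hypothetical attacker could do.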