From: Thomas Krause
Date: Tue, 26 Jul 2005 22:44:34 +0200
To: freebsd-isp@freebsd.org
Subject: Re: preventing a user to start a process

Gustavo A. Baratto wrote:
> Although jailing is a good thing, I don't think it will prevent unwanted
> processes to be spawned, if php allows it. And having writable
> directories mounted noexec doesn't help much either, because one can
> just run:
> /usr/bin/sh /path/to/writable/dir/script.sh
>
> Since most of the time script kiddies use /tmp or /var/tmp (which are
> usually noexec) to upload their scripts, the sh or perl binaries are
> located in file systems that allow execution.
>
> So, you can either tell php not to spawn processes (safe_mode or
> disable_functions), or to have all file systems in contact with php
> mounted noexec (not just the writable directories). This will probably
> make your life hell. Or even disallow any kind of uploads in php (which
> is not very effective against code execution, as a bug in your code
> could allow execution like phpBB exploit a while ago).
>
> If you cannot do any of these because you require the functionality, you
> can write a cron'ed script that checks for processes owned by www that
> are running for a certain period of time and are not the apache. You can
> either kill these processes or e-mail yourself, and then you take an
> action.

I think I should do so. But how to identify the process? The ircd was
renamed to "sh", to make it harder to find in the process list. It
should be possible with the PGID (from /var/run/httpd.pid) and the UID.
Does anyone know a usable (or recyclable) script for that job?

Regards,
Thomas.

>
> Cheers
>
> ----- Original Message ----- From: "Adam Jacob Muller"
> To: "Thomas Krause"
> Cc: "David Hogan" ; ;
> "'Gustavo A. Baratto'"
> Sent: Tuesday, July 26, 2005 9:59 AM
> Subject: Re: preventing a user to start a process
>
>
>> Pretty much the only "secure" option is to either
>> A. run in a chroot jail
>> B. run with any writable directories mounted noexec
>> or if you're really paranoid, do both
>>
>> Adam
>>
>>
>> On Jul 26, 2005, at 12:49 PM, Thomas Krause wrote:
>>
>>> David Hogan wrote:
>>>
>>>>> -----Original Message-----
>>>>> From: owner-freebsd-isp@freebsd.org
>>>>> [mailto:owner-freebsd-isp@freebsd.org]
>>>>> On Behalf Of Thomas Krause
>>>>>
>>>>> I've searched all php-files for the system()-function - it's not
>>>>> possible for me to disable this function.
>>>>>
>>>> Can't you just use the 'disable_functions =' option in php.ini to
>>>> disable the php functions that can be used to spawn processes?
>>>> You could use it to disable at least the following functions:
>>>> system()
>>>> exec()
>>>> passthru()
>>>> popen()
>>>> pcntl_exec()
>>>> shell_exec()
>>>>
>>>
>>> Unfortunately, that is not possible. E.g. typo3 calls Imagemagick,
>>> so I need system().
>>>
>>> Regards,
>>> Thomas.
>>> _______________________________________________
>>> freebsd-isp@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
>>> To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
>>>
>>
>
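
A sketch of the cron check discussed in this thread, as an added example that is not part of any poster's message: it flags processes of the web user that have run longer than a threshold and are either outside Apache's process group or inside it under a name other than httpd. The user `www`, the binary name `httpd`, the 300-second threshold, the function names and the sample `ps` rows are assumptions or constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumed: web user "www", Apache binary "httpd", 300 s limit.

# find_suspects USER APACHE_PGID MIN_SECONDS
# stdin: rows of "user pid pgid etime comm"; stdout: "pid pgid etime comm reason"
find_suspects() {
    awk -v user="$1" -v pgid="$2" -v min="$3" '
    # ps etime is [[dd-]hh:]mm:ss; convert it to seconds
    function secs(t,    d, n, a, p) {
        d = 0
        if (split(t, a, "-") == 2) { d = a[1]; t = a[2] }
        n = split(t, p, ":")
        if (n == 3) return d * 86400 + p[1] * 3600 + p[2] * 60 + p[3]
        return d * 86400 + p[1] * 60 + p[2]
    }
    $2 !~ /^[0-9]+$/ { next }             # ps header line
    $1 != user { next }                   # only the web server account
    secs($4) < min + 0 { next }           # short-lived helpers such as ImageMagick
    $3 == pgid && $5 == "httpd" { next }  # genuine Apache worker
    { print $2, $3, $4, $5, ($3 != pgid ? "left-apache-pgid" : "not-httpd") }'
}

# Live scan for cron; the process group is read from the pid in httpd.pid.
scan_live() {
    apid=$(cat "${PIDFILE:-/var/run/httpd.pid}") || return 1
    apgid=$(ps -o pgid= -p "$apid" | tr -d ' ')
    [ -n "$apgid" ] || return 1
    ps -axo user,pid,pgid,etime,comm | find_suspects www "$apgid" 300
}

# Constructed ps output for illustration, not captured from a real host.
sample_ps() {
    cat <<'EOF'
USER   PID  PGID     ELAPSED COMMAND
root   612   612  3-02:11:40 httpd
www    640   612    02:11:40 httpd
www    655   612       00:03 convert
www    701   612       45:10 sh
www    733   733  1-00:00:05 sh
bob    800   800    10:00:00 sh
EOF
}

if [ "${1:-}" = "--live" ]; then scan_live; else sample_ps | find_suspects www 612 300; fi
```

Run it from cron with `--live` and mail or log the output. The process name is only a hint: a binary renamed to `httpd` that stays in Apache's process group would pass this filter.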