Date: Thu, 18 Jan 2001 11:21:15 -0800 (PST)
From: Gordon Tetlow
To: "Michael R. Wayne"
Subject: Re: Protections on inetd (and /sbin/* /usr/sbin/* in general)
In-Reply-To: <200101170335.WAA18537@manor.msen.com>
Sender: owner-freebsd-hackers@FreeBSD.ORG

On Tue, 16 Jan 2001, Michael R. Wayne wrote:

> Background:
> We recently had a customer's web site suffer an attempted exploit
> via one of their cgi scripts. The attempted exploit involved
> writing a file into /tmp, then invoking inetd with that file to
> get a root shell on a non-standard port. While the exploit
> failed, they were able to write the file as user nobody and
> invoke inetd. There is not much we can do about that as long
> as we permit customers to use their own cgi scripts, which is
> a requirement with this type of account.

If you are using apache (who isn't?), I highly suggest you look into
using suexec. That way bad CGI programming is offloaded to the customer
and not to your system.

-gordon