From owner-freebsd-security Thu Jul 31 11:30:06 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id LAA24775 for security-outgoing; Thu, 31 Jul 1997 11:30:06 -0700 (PDT) Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id LAA24769 for ; Thu, 31 Jul 1997 11:30:04 -0700 (PDT) Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.8.5/8.8.5) with UUCP id MAA19733 for security@FreeBSD.ORG; Thu, 31 Jul 1997 12:30:03 -0600 (MDT) Received: from localhost (marcs@localhost) by alive.znep.com (8.7.5/8.7.3) with SMTP id MAA27936 for ; Thu, 31 Jul 1997 12:24:06 -0600 (MDT) Date: Thu, 31 Jul 1997 12:24:06 -0600 (MDT) From: Marc Slemko To: security@FreeBSD.ORG Subject: Re: security hole in FreeBSD In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk (no, it isn't particularily FreeBSD related but at least it is security...) On Mon, 28 Jul 1997, Jonathan A. Zdziarski wrote: > There IS one common hole I've seen apache and stronghold have, and that is More accurately, there is a common hole you have seen people have with their installations. > that some people like to leave their sessiond or httpd files owned by > 'nobody'. This allows somebody running CGI on that system to replace > those binaries with their own, hacked binaries (since the scripts are > usually owned as nobody), and the next time httpd starts, they can make it > write a root shell, or just about anything along those lines. Presuming you start the server as root and have it run as a different user, one other thing to note is to be sure that the directory your log files are in is not writable by anyone you don't trust with root. If someone can write to the directory with the logfile in (or any directory above it), they can almost certainly get root. The log files themself can be writable by whoever you want (although there is no reason for them to be, and it can let people tamper with them); the directory is the thing that is important.