Date:      Tue, 26 Jul 2005 19:44:36 -0400
From:      Adam Jacob Muller <adam@oxeo.com>
To:        Gustavo A. Baratto <gbaratto@superb.net>
Cc:        freebsd-isp@freebsd.org
Subject:   Re: preventing a user to start a process
Message-ID:  <C3458B6A-487C-4DE2-A863-9EA95D289EED@oxeo.com>
In-Reply-To: <018901c5922d$ad881f10$7201a8c0@guinness>
References:  <42E66986.4080004@chef-ingenieur.de> <6B57C9BC-0815-4854-996A-F6AD3765DFEB@oxeo.com> <008901c59208$0f05d000$7201a8c0@guinness> <42E6A0B2.1030308@chef-ingenieur.de> <018901c5922d$ad881f10$7201a8c0@guinness>

<?
mkdir("/tmp/usr/local/bin",0777,true);
file_put_contents("/tmp/usr/local/bin/httpd",base64_decode("somenastyexplotcodethathasbeenbase64encoded=="));
?>

Yes, I know this can be fixed. Just want to make sure you include this in the final solution :-)

ps aux | grep nobody | awk '$11!="/usr/local/apache/bin/httpd"'

will probably work


Adam


On Jul 26, 2005, at 6:02 PM, Gustavo A. Baratto wrote:

> ps aux | grep www | grep -v /usr/local/bin/httpd
>
> The above returns all processes that user www is running, that are  
> not apache itself.
>
> You can use some perl to split the lines to find out how long the
> processes have been running based on the STARTED column of the
> command above. If I had such code ready, I'd just send it to you, but
> unfortunately I don't.
>
> Cheers.
>
> ----- Original Message ----- From: "Thomas Krause" <freebsd-isp@chef-ingenieur.de>
> To: <freebsd-isp@freebsd.org>
> Sent: Tuesday, July 26, 2005 1:44 PM
> Subject: Re: preventing a user to start a process
>
>
>
>>
>>
>> Gustavo A. Baratto schrieb:
>>
>>> Although jailing is a good thing, I don't think it will prevent
>>> unwanted processes from being spawned, if php allows it. And having
>>> writable directories mounted noexec doesn't help much either,
>>> because one can just run:
>>> /usr/bin/sh /path/to/writable/dir/script.sh
>>>
>>> Since most of the time script kiddies use /tmp or /var/tmp
>>> (which are usually noexec) to upload their scripts, the sh or
>>> perl binaries are located in file systems that allow execution.
>>>
>>> So, you can either tell php not to spawn processes (safe_mode or
>>> disable_functions), or have all file systems in contact with
>>> php mounted noexec (not just the writable directories). This will
>>> probably make your life hell. Or even disallow any kind of
>>> uploads in php (which is not very effective against code
>>> execution, as a bug in your code could allow execution, like the phpBB
>>> exploit a while ago).
>>>
>>> If you cannot do any of these because you require the
>>> functionality, you can write a cron'ed script that checks for
>>> processes owned by www that are running for a certain period of
>>> time and are not Apache. You can either kill these processes
>>> or e-mail yourself, and then take action.
>>>
>>
>> I think I should do so. But how to identify the process? The ircd
>> was renamed to "sh", to make it harder to find in the process list.
>> It should be possible with the PGID (from /var/run/httpd.pid) and
>> the UID. Does anyone know a usable (or recyclable) script for that
>> job?
>>
>> Regards,
>> Thomas.
>>
>>
>>
>>>
>>> Cheers
>>>
>>> ----- Original Message ----- From: "Adam Jacob Muller"  
>>> <adam@oxeo.com>
>>> To: "Thomas Krause" <freebsd-isp@chef-ingenieur.de>
>>> Cc: "David Hogan" <david@fundamentalit.com>; <freebsd-isp@freebsd.org>; "'Gustavo A. Baratto'" <gbaratto@superb.net>
>>> Sent: Tuesday, July 26, 2005 9:59 AM
>>> Subject: Re: preventing a user to start a process
>>>
>>>
>>>
>>>> Pretty much the only "secure" option is to either
>>>> A.    run in a chroot jail
>>>> B.    run with any writable directories mounted noexec
>>>> or if you're really paranoid, do both
>>>>
>>>> Adam
>>>>
>>>>
>>>> On Jul 26, 2005, at 12:49 PM, Thomas Krause wrote:
>>>>
>>>>
>>>>>
>>>>>
>>>>> David Hogan schrieb:
>>>>>
>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: owner-freebsd-isp@freebsd.org [mailto:owner-freebsd-isp@freebsd.org]
>>>>>>> On Behalf Of Thomas Krause
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>> I've searched all php-files for the system() function - it's not
>>>>>>> possible for me to disable this function.
>>>>>>>
>>>>>>>
>>>>>> Can't you just use the 'disable_functions =' option in php.ini  
>>>>>> to disable
>>>>>> the php functions that can be used to spawn processes ?
>>>>>> You could use it to disable at least the following functions:
>>>>>> system()
>>>>>> exec()
>>>>>> passthru()
>>>>>> popen()
>>>>>> pcntl_exec()
>>>>>> shell_exec()
>>>>>>
>>>>>>
>>>>>
>>>>> Unfortunately, that is not possible. E.g. typo3 calls
>>>>> ImageMagick, so I need system().
>>>>>
>>>>> Regards,
>>>>> Thomas.
>>>>> _______________________________________________
>>>>> freebsd-isp@freebsd.org mailing list
>>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
>>>>> To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>
>
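A cron-able version of the check Gustavo describes (processes owned by the web user, not the Apache binary, running longer than some period), written as an added example for this thread and not taken from any of the posters. It compares the whole command field against the Apache path, as Adam's awk does, rather than grepping for a substring, so a binary dropped at /tmp/usr/local/bin/httpd does not slip through, and it prints the PGID so it can be compared with the master PID from httpd.pid as Thomas suggests. The user name www, the path /usr/local/apache/bin/httpd, the 600-second threshold and the sample ps output are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: a cron-able check for processes
# owned by the web-server user that are not the Apache binary and have been
# running longer than a threshold. Reads "ps -axo user,pid,pgid,etime,args"
# style lines on stdin so the logic can be exercised on constructed input.

# find_rogue_procs WEB_USER HTTPD_PATH MIN_SECONDS
# Prints "pid pgid elapsed_seconds argv0" for each matching process.
find_rogue_procs() {
    awk -v user="$1" -v httpd="$2" -v limit="$3" '
        # ps etime looks like [[dd-]hh:]mm:ss; convert it to seconds.
        function etime_secs(e,    n, parts, dp, days, secs, i) {
            days = 0
            if (index(e, "-") > 0) {
                split(e, dp, "-")
                days = dp[1]
                e = dp[2]
            }
            n = split(e, parts, ":")
            secs = 0
            for (i = 1; i <= n; i++)
                secs = secs * 60 + parts[i]
            return days * 86400 + secs
        }
        NR == 1     { next }   # skip the ps header line
        $1 != user  { next }   # only processes of the web-server user
        $5 == httpd { next }   # whole-field equality, not a substring test
        etime_secs($4) >= limit { print $2, $3, etime_secs($4), $5 }
    '
}

# Constructed sample in the layout above (not output from a real host).
# It contains the two cases the thread worries about: a daemon renamed to
# "sh", and a binary placed at /tmp/usr/local/bin/httpd so that a
# substring match on "/usr/local/bin/httpd" would let it through.
SAMPLE_PS='USER PID  PGID ETIME      COMMAND
root 1200 1200 2-03:15:45 /usr/local/apache/bin/httpd -k start
www  1201 1200 2-03:15:42 /usr/local/apache/bin/httpd -k start
www  1202 1200 2-03:15:42 /usr/local/apache/bin/httpd -k start
www  2311 1200 00:04      /usr/local/bin/convert in.png out.jpg
www  3120 3120 1-11:02:09 sh
www  3455 1200 05:33:10   /tmp/usr/local/bin/httpd'

# Run the check over the sample with an assumed 10 minute threshold.
# Expected lines: the renamed "sh" (1 day 11:02:09 = 126129 s) and the
# /tmp copy of httpd (05:33:10 = 19990 s); the short ImageMagick call and
# the real Apache children are not reported.
run_sample() {
    printf '%s\n' "$SAMPLE_PS" | find_rogue_procs www /usr/local/apache/bin/httpd 600
}

run_sample
```

In a cron job, replace the sample with real `ps -axo user,pid,pgid,etime,args` output (the etime keyword is assumed to be available in the ps on your system; it is in current FreeBSD and procps ps) and mail or kill whatever is printed. The command column is whatever the process chooses to show, which is exactly why Thomas's ircd appears as "sh": the check tells you that a long-lived non-Apache process is running under the web user, not what that process really is, so the PGID and the elapsed time are the columns to act on.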