From owner-freebsd-hackers  Fri Jan 19 14:35:35 2001
Delivered-To: freebsd-hackers@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31])
	by hub.freebsd.org (Postfix) with ESMTP id 5C33237B699
	for <hackers@FreeBSD.ORG>; Fri, 19 Jan 2001 14:35:17 -0800 (PST)
Received: (from des@localhost)
	by flood.ping.uio.no (8.9.3/8.9.3) id XAA55264;
	Fri, 19 Jan 2001 23:35:11 +0100 (CET)
	(envelope-from des@ofug.org)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily
  coincide with those of any organisation or company with
  which I am or have been affiliated.
To: Matt Dillon <dillon@earth.backplane.com>
Cc: mouss <usebsd@free.fr>, "Aleksandr A.Babaylov" <babolo@links.ru>,
	roam@orbitel.bg (Peter Pentchev), walter@binity.com,
	wayne@staff.msen.com, hackers@FreeBSD.ORG
Subject: Re: Protections on inetd (and /sbin/* /usr/sbin/* in general)
References: <20010117103330.L364@ringworld.oblivion.bg> <4.3.0.20010117215944.04b10ae0@pop.free.fr> <200101192034.f0JKYFW97724@earth.backplane.com>
From: Dag-Erling Smorgrav <des@ofug.org>
Date: 19 Jan 2001 23:35:10 +0100
In-Reply-To: Matt Dillon's message of "Fri, 19 Jan 2001 12:34:15 -0800 (PST)"
Message-ID: <xzpzognrx0h.fsf@flood.ping.uio.no>
Lines: 12
User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Matt Dillon <dillon@earth.backplane.com> writes:
>     The real problem here is the CGI script / server-side design allowing
>     the breakin in the first place. 

That's not a fixable problem when the customer is meant to provide his
own scripts. I've worked on such a scenario before; we managed to
chroot the scripts so we're reasonably confident that they can't do
much harm except to themselves.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message