Date: Thu, 28 Jul 2005 12:22:46 +0200 From: "mdff" <nospam@mgedv.net> To: <freebsd-isp@freebsd.org> Subject: RE: preventing a user to start a process Message-ID: <20050728102246.80B27186800@mgedv.at> In-Reply-To: <42E6A0B2.1030308@chef-ingenieur.de>
next in thread | previous in thread | raw e-mail | index | archive | help
> > Although jailing is a good thing, I don't think it will
> prevent unwanted
> > processes to be spawned, if php allows it. And having writable
> > directories mounted noexec doesn't help much either,
> because one can
> > just run:
> > /usr/bin/sh /path/to/writable/dir/script.sh
> >
mount-man-page:
<snip>
noexec Do not allow execution of any binaries on the mounted
file system. This option is useful for a server that has
file systems containing binaries for architectures other
than its own.
<snap>
tried this as root:
# h_dir=/test; h_sh=/tmp/foo-test.sh
# mkdir $h_dir
# mdmfs -M -S -o noexec,async -s 16m md1 $h_dir && mount|grep $h_dir
/dev/md1 on /test (ufs, asynchronous, local, noexec)
# cp -p /bin/date $h_dir
# echo "#!/bin/sh" >$h_sh
# echo "\$SHELL -c $h_dir/date" >>$h_sh
# $h_sh
/test/date: Permission denied.
so i believe this is not really dangerous (chrooted of course)
but theres another issue, what if someone stores a malicious php-script
that opens sockets? you don't really need to write C-deamons, if you can
use php...
there should be at least a firewall blocking outgoing packets from ports
where no daemons are normally running. and restrictions on php's options
and possibilities, too...
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050728102246.80B27186800>