Re: publish a user & passwd: $1000 hack reward!



Yes. Normal users (such as the www-data user that will execute the
cgi script) can open ports above 1024 and run whatever they want.

You could do neat tricks like giving each user their own apache 
daemon and documentroot and everything, and using an apache or
squid proxy to let the outside get to them. Apache would run
as their user, and you could chroot the process.

There are undoubtedly smarter ways to isolate people (that
take less space than a chroot jail), but this would mean
that if someone ran ssh or got broken into, only their chroot
environment/apache conf/etc could be modified and no one else's
on the system could be affected.

On Fri, Feb 23, 2001 at 12:12:39PM -0500, Steve Rudd wrote:
> Peter Cords said:
> 
> >If you allow execution of
> >CGI programs from public_html, then users will be able to execute code
> >(probably under their UID).  Then you have to secure your machine against
> >local exploits.  Obviously, you should do this anyway, but if crackers can
> >run arbitrary code (as a non-privileged user), then you will have to act
> >really fast to stop yourself from getting cracked whenever a new local
> >exploit is discovered.
> >
> >  Note that if you allow execution of arbitrary CGI programs, the CGI program
> >could do anything, including start a shell listening on a TCP port, or even
> >sshd, for someone to connect to.  Allowing arbitrary CGI is equivalent to
> >giving public shell access.
> 
> I have several cgi-scripts on the site. One is a database program open to 
> public searching of information. Is any cgi-script at risk if it is in the 
> cgi-bin?
> 
> Steve
> 
> 
> --  
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 
> 
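
An added example, not part of the original thread: a defender-side check for the case the quoted text describes, a CGI process opening a listener on an unprivileged port. It parses /proc/net/tcp-format text (IPv4, little-endian host) and reports LISTEN sockets owned by the web-server uid; uid 33 for www-data, the function names and the sample table are assumptions constructed for illustration.

```python
import ipaddress

WEB_UID = 33        # assumption: www-data is uid 33 (Debian default)
TCP_LISTEN = "0A"   # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp format (not captured from a real host):
#   0: root-owned Apache listener on :80 (children inherit this socket)
#   1: listener on :2222 created by uid 33, i.e. started from a CGI script
#   2: per-user daemon (uid 1001) on 127.0.0.1:8080 behind the front proxy
#   3: established client connection handled as uid 33 (not a listener)
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 00000000:08AE 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 1002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 1003 1 0000000000000000 100 0 0 10 0
   3: 0A00000A:0050 0B00000A:C350 01 00000000:00000000 00:00000000 00000000    33        0 1004 1 0000000000000000 100 0 0 10 0
"""


def parse_listeners(text):
    """Yield (uid, ip, port) for every socket in LISTEN state."""
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 8 or f[3] != TCP_LISTEN:
            continue
        addr_hex, port_hex = f[1].split(":")
        # The address is a host-order hex word; reverse bytes on little-endian.
        ip = ipaddress.IPv4Address(bytes.fromhex(addr_hex)[::-1])
        yield int(f[7]), str(ip), int(port_hex, 16)


def unexpected_web_listeners(text, web_uid=WEB_UID, allowed_ports=frozenset()):
    """Return (ip, port) for listeners created by the web-server account."""
    return [(ip, port) for uid, ip, port in parse_listeners(text)
            if uid == web_uid and port not in allowed_ports]


if __name__ == "__main__":
    # On a live Linux host, pass open("/proc/net/tcp").read() instead of SAMPLE.
    for ip, port in unexpected_web_listeners(SAMPLE):
        print(f"uid {WEB_UID} is listening on {ip}:{port}")
```
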


