[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: publish a user & passwd: $1000 hack reward!

Yes. Normal users ( such as the www-data user that will execute the
cgi script ) can open ports above 1024 and run whatever they want.

You could do neat tricks like giving each user their own apache 
daemon and documentroot and everything, and using an apache or
squid proxy to let the outside get to them. Apache would run
as their user, and you could chroot the process.

There are undoubtedly smarter ways to isolate people ( that
take less space than a chroot jail ) but this would mean
that if someone ran ssh or got broken into, only their chroot
environment/apache conf/etc could be modified and noone elses 
on the system could be affected ).

On Fri, Feb 23, 2001 at 12:12:39PM -0500, Steve Rudd wrote:
> Peter Cords said:
> >If you allow execution of
> >CGI programs from public_html, then users will be able to execute code
> >(probably under their UID).  Then you have to secure your machine against
> >local exploits.  Obviously, you should do this anyway, but if crackers can
> >run arbitrary code (as a non-priviledged user), then you will have to act
> >really fast to stop yourself from getting cracked whenever a new local
> >exploit is discovered.
> >
> >  Note that if you allow execution of arbitrary CGI programs, the CGI program
> >could do anything, including start a shell listening on a TCP port, or even
> >sshd, for someone to connect to.  Allowing arbitrary CGI is equivalent to
> >giving public shell access.
> I have several cgi-scripts on the site. One is a data base program open to 
> public searching of information. is any cgi- script at risk if is in the 
> cgi-bin?
> Steve
> --  
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: