
Re: Keeping the webserver safe

* Joe <joe@jretrading.com> [2008-10-06 19:20:27 CEST]:
> How can there be any way? If you allow users to upload executable 
> scripts, you might as well give them ssh access and be done with it. You 
> must enforce file create permissions on the upload system (ftp or 
> whatever) which do not include 'execute' for any user or group.

 Please don't give such bad advice - creating files without execute
permissions doesn't mean that they can't get executed.

$> echo "echo hello world" > test.sh
$> chmod -x test.sh
$> /bin/sh test.sh
hello world
$> mkdir test
$> cd test
$> cp /bin/ls .
$> chmod -x ls
$> /lib/ld-2.7.so ./ls -a
.  ..  ls

> Commercial web servers which offer scripting *do* normally also offer 
> ssh access, but what the user has access to is only a virtual machine, 
> not shared with anyone else. Chroot is nowhere near enough.

 chroot is though far closer than advising to force non-execute
permissions on the user files, and escaping from a chroot far more

 So long. :)
