Re: Keeping the webserver safe
* Joe <joe@jretrading.com> [2008-10-06 19:20:27 CEST]:
> How can there be any way? If you allow users to upload executable
> scripts, you might as well give them ssh access and be done with it. You
> must enforce file create permissions on the upload system (ftp or
> whatever) which do not include 'execute' for any user or group.
Please don't give such bad advice - creating files without execute
permissions doesn't mean that they can't get executed.
#v+
$> echo "echo hello world" > test.sh
$> chmod -x test.sh
$> /bin/sh test.sh
hello world
$> mkdir test
$> cd test
$> cp /bin/ls .
$> chmod -x ls
$> /lib/ld-2.7.so ./ls -a
. .. ls
$>
#v-
> Commercial web servers which offer scripting *do* normally also offer
> ssh access, but what the user has access to is only a virtual machine,
> not shared with anyone else. Chroot is nowhere near enough.
chroot is, though, far closer than advising to force non-execute
permissions on the user files, and escaping from a chroot is far more
challenging.
So long. :)
Rhonda