
Re: Limiting User Commands



> Stephen Le <zeroion@gmail.com> [2004-11-06 00:36]:
>
> On Sat, 6 Nov 2004 00:13:28 +0100, Osamu Aoki <osamu@debian.org>
> wrote:
> > > Is there an easy way to limit the commands a certain group of
> > > users can execute? I've looked at chroot, and it's too
> > > complicated for my needs and seems too easy to circumvent; users
> > > will be able to upload their own Perl scripts, so it seems that
> > > they'll be able to access commands outside their chroot by
> > > getting Apache w/ mod_perl to execute the script.
> >
> > Is it so?
>
> Indeed. A chroot would only apply to a user if they were logged into
> the system. Let's say I wanted to prevent users executing the
> command "bad_command". Well, if "bad_command" was not available to a
> user in their chroot, they wouldn't be able to execute it. However,
> a user might write a Perl script that contained the following line:
>
> system("bad_command");
>
> If they got Apache to execute the script, the "bad_command" would be
> run. This is the reason why I'm trying to approach this problem from
> a permissions standpoint. Of course, someone might suggest running
> an Apache daemon inside each user's chroot, but that's really
> impractical...
>

If Apache is run in a chroot'ed environment, wouldn't this solve
exactly the problem?  I run my "public" web-server that way together
with the suexec feature enabled such that a script is executed as the
owner of the directory/user, hence I feel pretty safe in that regard.

HTH.

wbr,
Lukas
-- 
Lukas Ruf           | Wanna know anything about raw |
<http://www.lpr.ch> | IP? -> <http://www.rawip.org> |
eMail Style Guide: <http://www.rawip.org/style.html>|
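
The setup discussed in this thread, sketched as an added configuration example (not taken from any poster's server). It assumes Apache httpd 2.4 with mod_userdir, mod_cgi, mod_suexec and mod_perl 2 available; the directory paths are placeholders.

```apache
# --- Weak for user-uploaded scripts -------------------------------------
# mod_perl handlers run inside the httpd worker itself, so a script's
# system("...") call runs with the server's own uid/gid. suexec is not
# involved, because no separate CGI process is spawned.
<Directory "/home/*/public_html/perl">
    SetHandler perl-script
    PerlResponseHandler ModPerl::Registry
    Options +ExecCGI
    Require all granted
</Directory>

# --- Per-user execution via suexec ---------------------------------------
# With mod_suexec loaded and the suexec wrapper installed, CGI requests
# under ~user/ are started through the wrapper and run as the owner of
# that user directory.
LoadModule userdir_module modules/mod_userdir.so
LoadModule cgi_module     modules/mod_cgi.so
LoadModule suexec_module  modules/mod_suexec.so

UserDir public_html
UserDir disabled root

<Directory "/home/*/public_html/cgi-bin">
    # Plain CGI only: every request is a new process started by suexec.
    SetHandler cgi-script
    Options +ExecCGI -Includes
    AllowOverride None
    Require all granted
</Directory>

# suexec refuses to run a script unless, among other checks:
#   - the script and its directory are owned by the target user
#   - neither is writable by group or others
#   - the target uid/gid is not root and is above the compiled-in minimum
# Refusals are written to the suexec log, not the main error log.
```

If httpd itself runs inside a chroot, the suexec wrapper, the Perl interpreter and the user directories all have to be reachable inside that chroot for the second block to work.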


