Re: Limiting User Commands

[Steve Kemp <skx@debian.org>]

On Fri, Nov 05, 2004 at 03:35:11PM -0800, Stephen Le wrote:

> See the example above. Users would still be able to upload their own
> Perl scripts and get Apache to execute them without restriction - the
> Perl script could call commands that I want to ban the users from
> executing.

  Lots of people have commented already, but I've not seen any
 discussion on why you might want to do this.  What kind of bad
 commands are you trying to prevent?

  Most of the dangerous commands like fdisk, etc, will be handled
 by the existing permissions setup.

  If you give people the ability to upload CGI scripts, like the
 perl example you mention, you've already lost - a malicious user
 could compile some C code statically and exectute that remotely.

  If you're operating a shared system and want to keep seperate
 web users isolated from each other using rbash, chroots or
 similar should be sufficient.  What exactly is it that these
 solutions do not give you which you need?

Steve
--