
apache as a system shell (Debian Wheezy Compromised - www-data user is sending 1000 emails an hour)



On Wed, Jan 1, 2014 at 12:58 AM, Raffaele Morelli
<raffaele.morelli@gmail.com> wrote:
> [...]
> I just want to add a (relevant) bit.
> Apache has tons of directives to secure a website and if you really need to
> upload in a dir you can tell apache to not execute php scripts in there or
> force file type to text or prevent POST requests from untrusted ip, etc
> etc.... and you're done.

It has occurred to me on several occasions that apache is essentially
another shell over the underlying OS calls -- like bash is a shell for
character/command-line-oriented terminal (sessions).

It has also occurred to me on several occasions that it implements its
own security model, and provides an alternate path into the system
resources (file system, etc.) that sometimes circumvents the native
security model.

And I note that I prefer the native Unix basic security model not to
be circumvented.

I have other thoughts on the subject, but my wife says we have to go
do the family new-year's stuff. Be interested in comments.

-- 
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.
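
The directives mentioned in the quoted paragraph, as an added configuration example that is not part of the original thread. It uses Apache 2.2 access-control syntax (the version Debian Wheezy ships) and assumes mod_php5; the directory path and the trusted network are hypothetical placeholders.

```apache
# Added example. /var/www/example/uploads and 192.0.2.0/24 are
# hypothetical placeholders; substitute the real upload path and the
# address range that is allowed to upload.
<Directory /var/www/example/uploads>
    # Ignore .htaccess files in this tree, so an uploaded .htaccess
    # cannot change any of the settings below.
    AllowOverride None

    # No CGI execution, no server-side includes, no directory listings.
    Options -ExecCGI -Includes -Indexes

    # "tell apache to not execute php scripts in there":
    # switch the PHP engine off for this directory (mod_php5 only).
    <IfModule mod_php5.c>
        php_admin_flag engine off
    </IfModule>

    # Drop extension-based handler and type mappings for script files.
    RemoveHandler .php .phtml .php5 .pl .py .cgi
    RemoveType .php .phtml .php5

    # "force file type to text": serve every file as plain text.
    ForceType text/plain

    # "prevent POST requests from untrusted ip": every method other than
    # GET and HEAD is refused unless the client is in the trusted range.
    <LimitExcept GET HEAD>
        Order deny,allow
        Deny from all
        Allow from 192.0.2.0/24
    </LimitExcept>
</Directory>
```

On Apache 2.4 the three access-control lines inside `<LimitExcept>` become a single `Require ip 192.0.2.0/24`. These settings restrict what Apache does with files in the directory; the files remain owned by and writable to www-data under the normal Unix permission model.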

