[3704] in WWW Security List Archive


Re: Hole: nobody shell

daemon@ATHENA.MIT.EDU (Ben Laurie)
Wed Dec 4 20:43:55 1996

To: bzdrnja@zems.fer.hr
Date: Wed, 4 Dec 1996 22:00:53 +0000 (GMT)
From: Ben Laurie <ben@gonzo.ben.algroup.co.uk>
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <199612040856.JAA24876@branka.zems.fer.hr> from "Bojan Zdrnja" at Dec 4, 96 09:56:07 am
Reply-To: ben@algroup.co.uk
Errors-To: owner-www-security@ns2.rutgers.edu

Bojan Zdrnja wrote:
> 
> []>
> []>on the part of users:  use "xhost(1)" to limit where your Xserver
> []>will accept connections.  This has been discussed elsewhere, and
> []>is only as good of a solution as the sophistication of the user
> []>(or their sysadmin).  Caveat User.
> 
> This will prevent a user from opening Xterm, but the hole with nobody still exists.
> A user with access to your cgi-bin can write a simple script which will just
> copy /bin/sh to /tmp and will do a setuid on it. So, you'll have /tmp/sh
> which is setuid nobody giving him (and other users that access).
> Any suggestions for that?

A user with access to your cgi-bin has no need of a sh with setuid - the user
can already do anything they want as nobody.

Don't give users access to your cgi-bin. Use a wrapper. Apache 1.2 has one
built in.

Cheers,

Ben.

-- 
Ben Laurie                Phone: +44 (181) 994 6435  Email: ben@algroup.co.uk
Freelance Consultant and  Fax:   +44 (181) 994 6472
Technical Director        URL: http://www.algroup.co.uk/Apache-SSL
A.L. Digital Ltd,         Apache Group member (http://www.apache.org)
London, England.          Apache-SSL author
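
An audit check for the artifact discussed in this thread, a setuid copy of a shell owned by the web server account in a world-writable directory. This is an added example, not part of the original post; the function names `known_shells` and `audit_setid` are hypothetical, and the directory and account to scan are passed in by the operator.

```shell
#!/bin/sh
# Added example: report set-id files owned by a given account under a
# directory, and tag those that are byte-identical to a login shell.

# known_shells: print /bin/sh plus every absolute path in /etc/shells.
known_shells() {
    {
        echo /bin/sh
        if [ -r /etc/shells ]; then
            grep '^/' /etc/shells || true
        fi
    } | sort -u
}

# audit_setid DIR OWNER
# Prints "TAG<TAB>PATH" for each regular file under DIR owned by OWNER
# (name or numeric uid) with the setuid or setgid bit set.
# TAG is SHELL-COPY when the contents match a known shell, else SETID.
# Assumption: file names do not contain newlines.
audit_setid() {
    dir=$1
    owner=$2
    find "$dir" -xdev -type f -user "$owner" \
        \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        tag=SETID
        for s in $(known_shells); do
            if cmp -s "$f" "$s" 2>/dev/null; then
                tag=SHELL-COPY
                break
            fi
        done
        printf '%s\t%s\n' "$tag" "$f"
    done
}

# Stand-alone use: sh audit.sh /tmp nobody
if [ "$#" -ge 2 ]; then
    audit_setid "$1" "$2"
fi
```

An empty result only rules out this one artifact; as the reply above says, anyone who can install scripts in cgi-bin already runs code as the server account.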
