[3083] in bugtraq
Re: procmail
daemon@ATHENA.MIT.EDU (Neil Soveran-Charley)
Wed Aug 7 21:07:18 1996
Date: Thu, 8 Aug 1996 01:05:27 +0100
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
From: Neil Soveran-Charley <athan@mersinet.co.uk>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To: <Pine.SOL.3.91.960807121458.14267C-100000@xmission.xmission.com>
from "Jason S Kohles" at Aug 7, 96 12:16:37 pm
> On Tue, 6 Aug 1996, Dennis Simpson wrote:
>
> > If you give them shell access to put up web pages, worrying about their
> > being able to start an xterm this way versus another seems nonsensical
> > to me. I don't actually see why "shell access" is necessary for putting
> > up web pages. Why not let them ftp to their web page directories, but
> > restrict their home directories (if they have one)?
> >
> How about this: we don't give users shell access to our web servers, however,
> in order for their pages to be served, user home directories are NFS mounted
> to the web server from a machine where they do have shell access.
Yeah, that's an option. But... in our case we don't want them having
any SHELL access at all, the access is purely for maintaining web pages.
Another solution might be using read-protected directories in anonymous
ftp for upload and a script to move pages into place run from crontab.
Someone else mentioned most FTPd's needing the shell in /etc/shells to
allow the login. The latest unofficial wu-ftpd has a feature to allow
certain shells NOT listed in /etc/shells to still give an ftp login:
ftp://ftp.academ.com/pub/wu-ftpd/private/wu-ftpd-2.4.2-beta-11.tar.Z
NOTE: This directory is protected. Attempts to use a directory listing
command will fail.
(from the announce file for that).
Together with sendmail not allowing pipe forwards this would seal the
'.forward' hole, or see my bit about using a different directory for
forward files. This wu-ftpd also has a whole truck-full of fixes over
the official one, lots of them security fixes.
-Neil
--
**************************************************************
* Neil Soveran-Charley, SysAdmin, Mersinet Internet Services *
* Email: athan@mersinet.co.uk * "What? No quote?" *
**************************************************************
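
The upload-then-publish arrangement suggested in the message above (an anonymous FTP drop directory plus a script run from crontab), as an added example that is not part of the original post. The function name publish_uploads and both directory arguments are hypothetical.

```shell
#!/bin/sh
# Added example: cron-driven publisher for an upload-only FTP drop directory.
# The name publish_uploads and the directory layout are hypothetical.

# publish_uploads INCOMING DOCROOT
# Moves plain files with conservative names from INCOMING to DOCROOT.
# Prints the number of files published; skipped entries are logged to stderr.
publish_uploads() {
    incoming=$1
    docroot=$2
    published=0
    [ -d "$incoming" ] && [ -d "$docroot" ] || return 2

    for path in "$incoming"/*; do
        name=${path##*/}
        # An empty directory leaves the literal pattern behind; skip it.
        [ -e "$path" ] || [ -L "$path" ] || continue
        # Symlinks are refused: following one would publish whatever file
        # it points at, readable by the user the cron job runs as.
        if [ -L "$path" ]; then
            echo "skip symlink: $name" >&2; continue
        fi
        # Only regular files; no directories, devices or FIFOs.
        if [ ! -f "$path" ]; then
            echo "skip non-file: $name" >&2; continue
        fi
        # Allow-list of names: letters, digits, dot, underscore, hyphen.
        # Leading dots are refused (the glob skips them by default anyway).
        case $name in
            .*|*[!A-Za-z0-9._-]*) echo "skip bad name: $name" >&2; continue ;;
        esac
        # Copy to a temporary name, fix the mode, then rename into place so
        # the web server never serves a half-written page.
        tmp="$docroot/.tmp.$$.$name"
        if cp "$path" "$tmp" && chmod 644 "$tmp" && mv "$tmp" "$docroot/$name"; then
            rm -f "$path"
            published=$((published + 1))
        else
            rm -f "$tmp"
        fi
    done
    echo "$published"
}
```

Run it from crontab as an unprivileged user that can write the document root and nothing else.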