
Re: [suse-security] Web Server Security



"exploiting" the webserver will give you the same "shell" rights as the 
process for running the webserver does.
So changing the permission of /bin/bash is trivial.

Security for webservers starts by jailing the webserver.  That's a 
no-brainer.

Tim Rainier
Information Services, Kalsec, INC
trainier@xxxxxxxxxx



Markus Gaugusch <markus@xxxxxxxxxxx>
11/08/2005 04:41 PM

To: SuSE-Security <suse-security@xxxxxxxx>
cc:
Subject: [suse-security] Web Server Security

Hi,
Does anyone think that it makes sense to let /bin/bash have the following
permissions?
-rwx---r-x  1 root www 490716 Sep  9 18:12 /bin/bash

With that setting, anyone exploiting the webserver could not execute 
/bin/bash (of course the same permissions could also be applied to /bin).

Has anyone ever tried this? Does it break things? 
Did I find something cool? ;-)

Markus

-- 
__________________    /"\
Markus Gaugusch       \ /    ASCII Ribbon Campaign
markus(at)gaugusch.at  X     Against HTML Mail
                      / \

-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
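
How the mode bits proposed in the original question are evaluated, as an added example that is not part of either post: the kernel consults exactly one permission class (owner, then group, then other), so an empty group field denies members of `www` even though "other" may execute. The account names `wwwrun` and `alice`, their group memberships, and the comparison line with default permissions are assumptions constructed for illustration.

```python
import stat

# The ls -l line quoted in the original question.
LS_LINE = "-rwx---r-x  1 root www 490716 Sep  9 18:12 /bin/bash"
# Constructed comparison line: the same file with ordinary 0755 root:root.
DEFAULT_LINE = "-rwxr-xr-x  1 root root 490716 Sep  9 18:12 /bin/bash"


def parse_mode(perm_string):
    """Convert the ls mode field (e.g. '-rwx---r-x') to permission bits.

    Only r, w and x are handled; setuid/setgid/sticky letters are ignored.
    """
    bits = 0
    for i, ch in enumerate(perm_string[1:10]):
        if ch in "rwx":
            bits |= 1 << (8 - i)
    return bits


def may_execute(ls_line, user, groups):
    """Classic Unix permission check for execute, using names instead of ids.

    Exactly one class is consulted: owner if the user owns the file,
    otherwise group if the user is in the file's group, otherwise other.
    POSIX ACLs and other access-control layers are not modelled.
    """
    fields = ls_line.split()
    mode, owner, group = parse_mode(fields[0]), fields[2], fields[3]
    if user == "root":
        # root bypasses the class check but still needs one execute bit set.
        return bool(mode & 0o111)
    if user == owner:
        return bool(mode & stat.S_IXUSR)
    if group in groups:
        # Group match: the "other" bits are never looked at.
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)


if __name__ == "__main__":
    # Assumed identities: web server account in group www, ordinary user.
    for user, groups in [("wwwrun", {"www"}), ("alice", {"users"}), ("root", {"root"})]:
        print(user, may_execute(LS_LINE, user, groups), may_execute(DEFAULT_LINE, user, groups))
```

The check covers only processes whose group set includes `www` at the time of the `execve` call, and only this one file.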



