[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [suse-security] Web Server Security



Markus Gaugusch wrote:
> Does anyone think, that it makes sense to let have /bin/bash the following 
> permissions?
> -rwx---r-x  1 root www 490716 Sep  9 18:12 /bin/bash
> 
> With that setting, anyone exploiting the webserver could not execute 
> /bin/bash (if course the same permissions could also be applied to /bin).
> 
> Has anyone ever tried this? Does it break things? 
> Did I find something cool? ;-)

I like it :-) It's not a real protection though. Especially not
against an attacker that spends time to break into your system. It
might help as quick workaround in situations where a hole is not
fixed yet against script kiddies or worms that cannot adapt to such
surprises. You probably want to apply it to other shells and
interpreters like perl or csh as well. Of course cgi scripts that
rely on them would stop working. You can also use ACLs instead of
the group: setfacl -m u:wwwrun:--- /bin/bash

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\   SUSE LINUX Products GmbH, Development
 V_/_  http://www.suse.de/

-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here