
Re: [suse-security] Web Server Security

Hi Markus,

Rainer Duffner wrote:
> Ludwig Nussel wrote:
>> Markus Gaugusch wrote:
>>> Does anyone think, that it makes sense to let have /bin/bash the
>>> following permissions?
>>> -rwx---r-x  1 root www 490716 Sep  9 18:12 /bin/bash
>>> With that setting, anyone exploiting the webserver could not execute
>>> /bin/bash (of course the same permissions could also be applied to
>>> /bin).
>>> Has anyone ever tried this? Does it break things? Did I find
>>> something cool? ;-)

"Real cool" people do not use blacklisting, but whitelisting.
So do
groupadd bashusers
chown root:bashusers /bin/bash
chmod 510 /bin/bash
and add any allowed Bash user to the group.

Or even better, as already mentioned, cage the web server in
at least a chroot environment.
That way you do not need to bother about wget & co.

TRIA IT-consulting GmbH
Joseph-Wild-Straße 20
81829 München
Tel: +49 (89) 92907-0
Fax: +49 (89) 92907-100
working hard | for your success
Registry court: München, HRB 113466
VAT ID: DE 180017238
Tax no.: 802/40600
Richard Hofbauer
Commercial management: Rosa Igl
The information contained in this E-Mail is privileged and confidential, intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient or competent to deliver it to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this E-Mail is strictly prohibited. If you have received this E-Mail in error, please notify us immediately.
Thank you
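As an added illustration (not part of the original mail, and not code from SUSE or any kernel), the following Python model of the plain Unix mode-bit check shows why the group trick in the question works at all and what the whitelist variant in the reply changes: the kernel consults exactly one permission class per process (owner, group or other), so an all-zero group triple denies the www group even though "other" still has r-x, while chmod 510 with root:bashusers lets only root and members of bashusers execute the file. The uids and gids below are constructed for the example; capabilities beyond treating uid 0 as CAP_DAC_OVERRIDE, POSIX ACLs and security modules are deliberately left out of the model.

```python
"""Model of the plain Unix mode-bit access check.

Added example for this page; it is not code from the original post or from
SUSE. It compares the two layouts discussed in the thread:
  -rwx---r-x root www        (the 'blacklist' the question proposes, 0705)
  -r-x--x--- root bashusers  (the 'whitelist' the reply recommends, chmod 510)
The model follows the POSIX owner/group/other rule only; real kernels also
consult capabilities, POSIX ACLs and LSMs, which are ignored here.
"""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Inode:
    path: str
    mode: int   # permission bits only, e.g. 0o510
    uid: int    # owning user
    gid: int    # owning group


@dataclass(frozen=True)
class Process:
    name: str
    uid: int
    gids: frozenset  # primary plus supplementary groups


def access_class(inode: Inode, proc: Process) -> str:
    """Pick the single permission class the kernel would apply.

    Owner bits if the uid matches, else group bits if any of the process's
    groups matches the file's gid, else other bits. Only one class is ever
    consulted, so a permissive 'other' triple never rescues a denied group.
    """
    if proc.uid == inode.uid:
        return "owner"
    if inode.gid in proc.gids:
        return "group"
    return "other"


_EXEC_BIT = {"owner": stat.S_IXUSR, "group": stat.S_IXGRP, "other": stat.S_IXOTH}


def may_execute(inode: Inode, proc: Process) -> bool:
    """True if proc may exec inode under mode-bit rules.

    uid 0 is modelled as CAP_DAC_OVERRIDE: it may exec anything that has at
    least one execute bit set anywhere in the mode.
    """
    if proc.uid == 0:
        return bool(inode.mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    return bool(inode.mode & _EXEC_BIT[access_class(inode, proc)])


def who_can_exec(inode: Inode, procs) -> dict:
    """Map each process name to whether it may exec the file."""
    return {p.name: may_execute(inode, p) for p in procs}


# Constructed principals; the numeric ids are arbitrary, not SUSE defaults.
GID_WWW, GID_BASHUSERS = 8, 1001
ROOT = Process("root", 0, frozenset({0}))
WWW = Process("www", 30, frozenset({GID_WWW}))                    # the web server
ADMIN = Process("admin", 1000, frozenset({1000, GID_BASHUSERS}))  # allowed bash user
STRANGER = Process("stranger", 1002, frozenset({1002}))           # any other local account
PRINCIPALS = (ROOT, WWW, ADMIN, STRANGER)

# The two layouts from the thread.
BLACKLIST = Inode("/bin/bash", 0o705, 0, GID_WWW)        # -rwx---r-x root www
WHITELIST = Inode("/bin/bash", 0o510, 0, GID_BASHUSERS)  # -r-x--x--- root bashusers

if __name__ == "__main__":
    for label, inode in (("blacklist", BLACKLIST), ("whitelist", WHITELIST)):
        print(f"{label:9} {inode.path} mode {inode.mode:04o}")
        for p in PRINCIPALS:
            verdict = "exec" if may_execute(inode, p) else "denied"
            print(f"  {p.name:8} via {access_class(inode, p):5} -> {verdict}")
```

Running the block prints one table per layout. Under the blacklist every account except www may still run bash; under the whitelist only root and the bashusers member may, and any new local account that is not added to the group is denied by default, which is the point of the reply.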
