
Re: [suse-security] Web Server Security



Hi Markus,

Rainer Duffner wrote:
> Ludwig Nussel wrote:
> 
>> Markus Gaugusch wrote:
>>  
>>
>>> Does anyone think that it makes sense to let /bin/bash have the
>>> following permissions?
>>> -rwx---r-x  1 root www 490716 Sep  9 18:12 /bin/bash
>>>
>>> With that setting, anyone exploiting the webserver could not execute
>>> /bin/bash (of course the same permissions could also be applied to
>>> /bin).
>>>
>>> Has anyone ever tried this? Does it break things? Did I find
>>> something cool? ;-)
>>>   
>>

"Real cool" people do not use blacklisting, but whitelisting.
So do
groupadd bashusers
chown root:bashusers /bin/bash
chmod 510 /bin/bash
and add any allowed Bash user to the group.

Or even better, as already mentioned, cage the webserver into
at least a chroot environment.
So you do not need to bother about wget & co.

Dirk  
TRIA IT-consulting GmbH 
Joseph-Wild-Straße 20 
81829 München 
Germany 
Tel: +49 (89) 92907-0 
Fax: +49 (89) 92907-100  
http://www.tria.de 
 
--------------------------------------------------------
 
 working hard | for your success 
 
--------------------------------------------------------
 
Register court Munich
HRB 113466

VAT ID no. DE 180017238
Tax no. 802/40600

Managing director:
Richard Hofbauer
Commercial management:
Rosa Igl
 
--------------------------------------------------------
 
Message from:
Dirk.Schreiner@xxxxxxx

Message to:
rainer@xxxxxxxxxxxxxxx, ludwig.nussel@xxxxxxx, suse-security@xxxxxxxx

# Attachments: 0
The information contained in this E-Mail is privileged and confidential, intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient or competent to deliver it to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this E-Mail is strictly prohibited. If you have received this E-Mail in error, please notify us immediately.
Thank you 
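The two schemes in this thread (Markus's deny-by-group `-rwx---r-x root:www` and Dirk's allow-by-group `chmod 510` with `root:bashusers`) behave differently because the kernel consults only one permission triplet per access: owner if the uid matches, otherwise group if any of the caller's groups matches, otherwise other. The script below is an added example, not code from the thread or from SUSE; it models that rule for plain mode bits and prints who, out of a constructed set of accounts (root, www, alice in bashusers, nobody), may execute a file under each setting. Root's CAP_DAC_OVERRIDE, POSIX ACLs and noexec mounts are outside the model.

```shell
#!/bin/sh
# Model of the classic Unix owner/group/other execute check, used to compare
# the two /bin/bash permission schemes from the thread. Plain mode bits only:
# root's CAP_DAC_OVERRIDE, POSIX ACLs and noexec mounts are not modelled.
# All account and group names used by demo are constructed.

# octal_to_mode 510  ->  -r-x--x---   (three-digit chmod mode to ls -l form)
octal_to_mode() {
    om_out='-'
    for om_d in $(printf '%s' "$1" | sed 's/./& /g'); do
        case $om_d in
            0) om_out="${om_out}---" ;;  1) om_out="${om_out}--x" ;;
            2) om_out="${om_out}-w-" ;;  3) om_out="${om_out}-wx" ;;
            4) om_out="${om_out}r--" ;;  5) om_out="${om_out}r-x" ;;
            6) om_out="${om_out}rw-" ;;  7) om_out="${om_out}rwx" ;;
            *) return 1 ;;
        esac
    done
    printf '%s\n' "$om_out"
}

# perm_check MODE OWNER GROUP USER "GROUP1 GROUP2 ..."
# Returns 0 when USER may execute the file, 1 when not.
perm_check() {
    pc_mode=$1 pc_owner=$2 pc_group=$3 pc_user=$4 pc_ugroups=$5

    # Exactly one triplet is consulted: owner if the uid matches, else group
    # if any of the user's groups matches, else other. A user who matches
    # the owner or the group never falls through to "other", which is why a
    # deny-by-group setting blocks that one group and nobody else.
    if [ "$pc_user" = "$pc_owner" ]; then
        pc_bits=$(printf '%s' "$pc_mode" | cut -c2-4)
    else
        pc_in_group=no
        for pc_g in $pc_ugroups; do
            if [ "$pc_g" = "$pc_group" ]; then pc_in_group=yes; fi
        done
        if [ "$pc_in_group" = yes ]; then
            pc_bits=$(printf '%s' "$pc_mode" | cut -c5-7)
        else
            pc_bits=$(printf '%s' "$pc_mode" | cut -c8-10)
        fi
    fi

    case $pc_bits in
        ??x|??s|??t) return 0 ;;   # execute bit set (setuid/sticky forms included)
        *)           return 1 ;;
    esac
}

# demo OCTAL OWNER GROUP: print the verdict for a constructed set of accounts.
demo() {
    d_mode=$(octal_to_mode "$1") d_owner=$2 d_group=$3
    printf '%s %s:%s\n' "$d_mode" "$d_owner" "$d_group"
    for d_entry in 'root:root' 'www:www' 'alice:alice bashusers' 'nobody:nobody'; do
        d_user=${d_entry%%:*} d_ugroups=${d_entry#*:}
        if perm_check "$d_mode" "$d_owner" "$d_group" "$d_user" "$d_ugroups"; then
            d_verdict=allowed
        else
            d_verdict=denied
        fi
        printf '  %-8s %s\n' "$d_user" "$d_verdict"
    done
}

demo 705 root www        # Markus's blacklist: -rwx---r-x root:www
demo 510 root bashusers  # Dirk's whitelist:   -r-x--x--- root:bashusers
```

Running it shows the point of the thread: under `705 root:www` the www account is denied but every other non-root account still lands on the `r-x` other-bits, while under `510 root:bashusers` only root and members of bashusers may execute and everyone else gets `---`. Because root bypasses mode bits anyway, the owner triplet of a root-owned binary is irrelevant to the check, so the group is the only real control; a chroot, as Dirk suggests, removes the binary from the webserver's view instead of relying on that single bit.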

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here