preventing a user to start a process

Gustavo A. Baratto gbaratto at superb.net
Tue Jul 26 17:34:58 GMT 2005


Although jailing is a good thing, I don't think it will prevent unwanted 
processes to be spawned, if php allows it. And having writable directories 
mounted noexec doesn't help much either, because one can just run:
/usr/bin/sh /path/to/writable/dir/script.sh

Since most of the times script kiddies use /tmp or /var/tmp (which are 
usually noexec) to upload their scripts, the sh or perl binaries are located 
in file systems that allow execution.

So, you can either tell php not to spawn processes (safe_mode or 
disable_functions), or to have all file systems in contact with php mounted 
noexec (not just the writable directories). This will probably make your 
life hell. Or even disallow any kind of uploads in php (which is not very 
effective against code execution, as a bug in your code could allow 
execution like phpBB exploit a while ago).

If you cannot do any of these because you require the functionality, you can 
write a cron'ed script that checks for processes owned by www that are 
running for a certain period of time and are not the apache. You can either 
kill these processes or e-mail yourself, and then you take an action.

Cheers

----- Original Message ----- 
From: "Adam Jacob Muller" <adam at oxeo.com>
To: "Thomas Krause" <freebsd-isp at chef-ingenieur.de>
Cc: "David Hogan" <david at fundamentalit.com>; <freebsd-isp at freebsd.org>; 
"'Gustavo A. Baratto'" <gbaratto at superb.net>
Sent: Tuesday, July 26, 2005 9:59 AM
Subject: Re: preventing a user to start a process


> Pretty much the only "secure" option is to either
> A.    run in a chroot jail
> B.    run with any writable directories mounted noexec
> or if your really paranoid, do both
>
> Adam
>
>
> On Jul 26, 2005, at 12:49 PM, Thomas Krause wrote:
>
>>
>>
>> David Hogan schrieb:
>>
>>>> -----Original Message-----
>>>> From: owner-freebsd-isp at freebsd.org [mailto:owner-freebsd- 
>>>> isp at freebsd.org]
>>>> On Behalf Of Thomas Krause
>>>>
>>>
>>>
>>>> I've searched all php-files for the system()-funktion - it's not
>>>> possible for me do disable this function.
>>>>
>>> Can't you just use the 'disable_functions =' option in php.ini to 
>>> disable
>>> the php functions that can be used to spawn processes ?
>>> You could use it to disable at least the following functions:
>>> system()
>>> exec()
>>> passthru()
>>> popen()
>>> pcntl_exec()
>>> shell_exec()
>>>
>>
>> Unfortunately, that is not possible. E.g. typo3 calls Imagemagick,  so I 
>> need system().
>>
>> Regards,
>> Thomas.
>> _______________________________________________
>> freebsd-isp at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
>> To unsubscribe, send any mail to "freebsd-isp-unsubscribe at freebsd.org"
>>
> 



More information about the freebsd-isp mailing list