newbie with www user security problem
Stijn Hoop
stijn at win.tue.nl
Thu Aug 11 15:05:48 GMT 2005
On Thu, Aug 11, 2005 at 04:54:10PM +0200, jimmy at inet-solutions.be wrote:
> If the box in question was local secure, you don't have to worry that much.
Correct of course, but seeing as the OP admitted to not knowing a lot about
the administration of this machine, I don't think local security was very
high.
> If it's a long time since you've updated your base, are sloppy with passwords
> on the box in question, haven't updated your daemons/setuid packages in weeks,
> then the box should be concidered a total loss.
>
> Just think in terms as "what are the possible things I could do if my UID were
> 'www'"
There might be some less obvious things, especially if the base OS is
as far behind as the phpBB installation.
> I for example have webservers running in chroot, on a partition that is
> nosuid, and starred out password for the user 'www'. The thing you
> describing happens sometimes because users do not update there phpbb's
> either. I'm not affraid since the kiddo would have the same access than a
> customer, which I cannot trust either. If you don't know the box IS secure,
> it isn't, there is a lot of work involved in keeping things like this
> "under controle".
Totally true, and good advice for setting up access for customers / etc.
--Stijn
--
Coughlin's law: never show surprise, never lose your cool.
-- Cocktail
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20050811/dd5ad546/attachment.bin
More information about the freebsd-security
mailing list