bash vulnerability

Slawa Olhovchenkov slw at zxy.spb.ru
Fri Sep 26 12:55:47 UTC 2014


On Thu, Sep 25, 2014 at 03:35:55PM -0400, Chris Nehren wrote:

> On Thu, Sep 25, 2014 at 11:57:38 -0500, Bryan Drewery wrote:
> > 1. Do not ever link /bin/sh to bash. This is why it is such a big
> > problem on Linux, as system(3) will run bash by default from CGI.
> 
> I would think that this would cause other, more fundamental,
> issues.  FreeBSD's system doesn't expect /bin/sh to be bash,
> and I wouldn't be surprised if things break for whatever reason.
> 
> > 2. Web/CGI users should have shell of /sbin/nologin.
> > 3. Don't write CGI in shell script / Stop using CGI :)
> > 4. httpd/CGId should never run as root, nor "apache". Sandbox each
> > application into its own user.
> 
> And its own jail.  Jails with ZFS are dirt cheap.

For the goodness of jails with ZFS, we need to fix unionfs and devfs.
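The four hardening points quoted above (don't make /bin/sh bash, give web/CGI users a nologin shell, don't run httpd/CGI as root or a shared "apache" account) can each be turned into a local audit check. The POSIX sh script below is an added example for this archive page, not code from the thread or from FreeBSD; the function names (`sh_is_bash`, `shell_is_nologin`, `users_with_login_shell`, `web_procs_on_shared_accounts`) are hypothetical, and the passwd and `ps -axo user,command` style data it runs over is constructed sample input, so it runs offline.

```sh
#!/bin/sh
# Added audit helpers for the four hardening points (not from the thread).
# Hypothetical helper names; all sample data below is constructed.

# Point 1: return 0 if the interpreter at $1 is really bash (it exports
# BASH_VERSION), 1 if it is some other sh, 2 if it cannot be executed.
sh_is_bash() {
    v=$("$1" -c 'echo "${BASH_VERSION:-}"' 2>/dev/null) || return 2
    [ -n "$v" ]
}

# Point 2: return 0 if the login-shell field of a passwd(5) line ($1)
# is a nologin-style shell, 1 otherwise.
shell_is_nologin() {
    shell=${1##*:}
    case "$shell" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the user names from passwd-format text ($1) that still have a
# real login shell; web/CGI service accounts should not appear here.
users_with_login_shell() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -z "$line" ] && continue
        shell_is_nologin "$line" || printf '%s\n' "${line%%:*}"
    done
}

# Point 4: given "USER COMMAND" lines in the shape of `ps -axo user,command`
# output ($1), print httpd/CGI processes owned by root or a shared web
# account (root, apache, www). Each application should have its own user.
web_procs_on_shared_accounts() {
    printf '%s\n' "$1" | awk 'NR > 1 && ($1 == "root" || $1 == "apache" || $1 == "www") && $2 ~ /httpd|cgi/ { print $1 ":" $2 }'
}

# Constructed sample data standing in for /etc/passwd and ps(1) output.
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/csh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
app1:*:1001:1001:CGI app 1:/home/app1:/bin/sh
app2:*:1002:1002:CGI app 2:/home/app2:/usr/sbin/nologin'

SAMPLE_PS='USER COMMAND
root /usr/local/sbin/httpd
apache /usr/local/sbin/httpd
app2 /usr/local/sbin/httpd
app1 /usr/local/www/cgi-bin/report.cgi'

# Stand-alone run: check the live /bin/sh, then report on the samples.
if sh_is_bash /bin/sh; then
    echo "WARN: /bin/sh is bash"
else
    echo "ok: /bin/sh is not bash"
fi
echo "accounts that still have a login shell:"
users_with_login_shell "$SAMPLE_PASSWD"
echo "web processes running as root or a shared account:"
web_procs_on_shared_accounts "$SAMPLE_PS"
```

On a real host, feed `users_with_login_shell` the contents of `/etc/passwd` (or `getent passwd` output) and `web_procs_on_shared_accounts` the output of `ps -axo user,command`; the `sh_is_bash` check is the one that matters for point 1, since system(3) and popen(3) will run whatever `/bin/sh` resolves to. The only httpd process that legitimately needs root is the one binding the privileged port, so anything else the last check reports is a candidate for its own unprivileged user (and, per the reply above, its own jail).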
