FreeBSD Security Advisory FreeBSD-SA-15:22.openssh
Peter Pentchev
roam at ringlet.net
Thu Aug 27 13:27:16 UTC 2015
On Thu, Aug 27, 2015 at 03:19:04PM +0200, Borja Marcos wrote:
>
> On Aug 27, 2015, at 3:08 PM, Mike Tancsa wrote:
>
> > On 8/27/2015 3:24 AM, Dag-Erling Smørgrav wrote:
> > For the latter two, I am trying to understand in the context of a shared
> > hosting system. Could one user with sftp access to their own directory
> > use these bugs to gain access to another user's account ?
>
> Straghtforward Unix permissions aren't really suited to such an application. You need everything to be
> world readable by an unprivileged WWW server.
>
> In such a setup we were successful by using a combination of mac/biba for integrity, ugidfw for
> effective user separation, and removing all the setuid permissions from the system.
>
> Otherwise, a non-chrooted hosting user will have at least read only access to the neighbors.
Hmm, this doesn't necessarily need to be true. When I set up a shared
hosting system some years ago, we put all the users in a single primary
group, then all their home directories had u+rwx,g-a,o+x Unix access
permissions. It seemed to work for keeping them out of each other's
homes and for letting both the webserver and the SSH server peek inside.
Of course, this would still allow somebody to explicitly modify the
access permissions of her own home directory, but, first off, I don't
think there ever was such a case, and we also had a periodic check for
this as well as some other silly things that people always manage to do
(and, yes, "people" here does include myself, too).
G'luck,
Peter
--
Peter Pentchev roam at ringlet.net roam at FreeBSD.org pp at storpool.com
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20150827/660dea87/attachment.bin>
More information about the freebsd-security
mailing list