Re: preventing a user to start a process
From: Gustavo A. Baratto (gbaratto_at_superb.net)
Date: 07/26/05
- Previous message: Adam Jacob Muller: "Re: preventing a user to start a process"
- In reply to: Adam Jacob Muller: "Re: preventing a user to start a process"
- Next in thread: Thomas Krause: "Re: preventing a user to start a process"
- Reply: Thomas Krause: "Re: preventing a user to start a process"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
To: <freebsd-isp@freebsd.org> Date: Tue, 26 Jul 2005 10:32:50 -0700
Although jailing is a good thing, I don't think it will prevent unwanted
processes to be spawned, if php allows it. And having writable directories
mounted noexec doesn't help much either, because one can just run:
/usr/bin/sh /path/to/writable/dir/script.sh
Since most of the times script kiddies use /tmp or /var/tmp (which are
usually noexec) to upload their scripts, the sh or perl binaries are located
in file systems that allow execution.
So, you can either tell php not to spawn processes (safe_mode or
disable_functions), or to have all file systems in contact with php mounted
noexec (not just the writable directories). This will probably make your
life hell. Or even disallow any kind of uploads in php (which is not very
effective against code execution, as a bug in your code could allow
execution like phpBB exploit a while ago).
If you cannot do any of these because you require the functionality, you can
write a cron'ed script that checks for processes owned by www that are
running for a certain period of time and are not the apache. You can either
kill these processes or e-mail yourself, and then you take an action.
Cheers
----- Original Message -----
From: "Adam Jacob Muller" <adam@oxeo.com>
To: "Thomas Krause" <freebsd-isp@chef-ingenieur.de>
Cc: "David Hogan" <david@fundamentalit.com>; <freebsd-isp@freebsd.org>;
"'Gustavo A. Baratto'" <gbaratto@superb.net>
Sent: Tuesday, July 26, 2005 9:59 AM
Subject: Re: preventing a user to start a process
> Pretty much the only "secure" option is to either
> A. run in a chroot jail
> B. run with any writable directories mounted noexec
> or if your really paranoid, do both
>
> Adam
>
>
> On Jul 26, 2005, at 12:49 PM, Thomas Krause wrote:
>
>>
>>
>> David Hogan schrieb:
>>
>>>> -----Original Message-----
>>>> From: owner-freebsd-isp@freebsd.org [mailto:owner-freebsd-
>>>> isp@freebsd.org]
>>>> On Behalf Of Thomas Krause
>>>>
>>>
>>>
>>>> I've searched all php-files for the system()-funktion - it's not
>>>> possible for me do disable this function.
>>>>
>>> Can't you just use the 'disable_functions =' option in php.ini to
>>> disable
>>> the php functions that can be used to spawn processes ?
>>> You could use it to disable at least the following functions:
>>> system()
>>> exec()
>>> passthru()
>>> popen()
>>> pcntl_exec()
>>> shell_exec()
>>>
>>
>> Unfortunately, that is not possible. E.g. typo3 calls Imagemagick, so I
>> need system().
>>
>> Regards,
>> Thomas.
>> _______________________________________________
>> freebsd-isp@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
>> To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
>>
>
_______________________________________________
freebsd-isp@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-isp
To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
- Previous message: Adam Jacob Muller: "Re: preventing a user to start a process"
- In reply to: Adam Jacob Muller: "Re: preventing a user to start a process"
- Next in thread: Thomas Krause: "Re: preventing a user to start a process"
- Reply: Thomas Krause: "Re: preventing a user to start a process"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
