RE: preventing a user to start a process

From: mdff (nospam_at_mgedv.net)
Date: 07/28/05

  • Next message: root: "Atencion!!" 
    To: <freebsd-isp@freebsd.org>
Date: Thu, 28 Jul 2005 12:22:46 +0200

    > > Although jailing is a good thing, I don't think it will
    > prevent unwanted
    > > processes to be spawned, if php allows it. And having writable
    > > directories mounted noexec doesn't help much either,
    > because one can
    > > just run:
    > > /usr/bin/sh /path/to/writable/dir/script.sh
    > >

    mount-man-page:
    <snip>
      noexec Do not allow execution of any binaries on the mounted
              file system. This option is useful for a server that has
              file systems containing binaries for architectures other
              than its own.
    <snap>

    tried this as root:

    # h_dir=/test; h_sh=/tmp/foo-test.sh
    # mkdir $h_dir
    # mdmfs -M -S -o noexec,async -s 16m md1 $h_dir && mount|grep $h_dir
    /dev/md1 on /test (ufs, asynchronous, local, noexec)
    # cp -p /bin/date $h_dir
    # echo "#!/bin/sh" >$h_sh
    # echo "\$SHELL -c $h_dir/date" >>$h_sh
    # $h_sh
    /test/date: Permission denied.

    so i believe this is not really dangerous (chrooted of course)

    but theres another issue, what if someone stores a malicious php-script
    that opens sockets? you don't really need to write C-deamons, if you can
    use php...
    there should be at least a firewall blocking outgoing packets from ports
    where no daemons are normally running. and restrictions on php's options
    and possibilities, too...

    _______________________________________________
    freebsd-isp@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-isp
    To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"

  • Next message: root: "Atencion!!"