Re: newbie with www user security problem
--4SFOXa2GPu3tIq4H
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Thu, Aug 11, 2005 at 04:54:10PM +0200, jimmy@inet-solutions.be wrote:
> If the box in question was local secure, you don't have to worry that muc=
h.
Correct of course, but seeing as the OP admitted to not knowing a lot about
the administration of this machine, I don't think local security was very
high.
> If it's a long time since you've updated your base, are sloppy with passw=
ords
> on the box in question, haven't updated your daemons/setuid packages in w=
eeks,
> then the box should be concidered a total loss.
>=20
> Just think in terms as "what are the possible things I could do if my UID=
were
> 'www'"
There might be some less obvious things, especially if the base OS is
as far behind as the phpBB installation.
> I for example have webservers running in chroot, on a partition that is
> nosuid, and starred out password for the user 'www'. The thing you
> describing happens sometimes because users do not update there phpbb's
> either. I'm not affraid since the kiddo would have the same access than a
> customer, which I cannot trust either. If you don't know the box IS secur=
e,
> it isn't, there is a lot of work involved in keeping things like this
> "under controle".
Totally true, and good advice for setting up access for customers / etc.
--Stijn
--=20
Coughlin's law: never show surprise, never lose your cool.
-- Cocktail
--4SFOXa2GPu3tIq4H
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)
iD8DBQFC+2kCY3r/tLQmfWcRAm9bAJ92lyAyGDaWGibKPe8531yU9diGQwCgoODr
BFjCs9emTPDA1ElqugjLPYQ=
=1c74
-----END PGP SIGNATURE-----
--4SFOXa2GPu3tIq4H--
討論串 (同標題文章)
完整討論串 (本文為第 4 之 8 篇):