
Re: [cobalt-security] /tmp/-v ?



On Sun, 27 May 2001, shimi wrote:

>
> On Sun, 27 May 2001, Carrie Bartkowiak wrote:
>
> > > well, it's not a system file so in my opinion it can be erased.
> > > what I do wonder about is the owner of the file, that is, root.
> > > it isn't a customer cgi script. unless your httpd runs as root (i hope
> > > not!!!!),
> >
> > When I do a 'top', I get a bunch of httpd running as root.  (!?)
> > Mostly they run as httpd, but there are a number of them running as
> > root, on both RaQ4 boxes.
> > Don't blame me, I didn't do it... *grin*
> > Guess it's a Cobalt thing.
> >
> > > so it's either something the GUI did, or you did. or someone who
> > > has root did :\
> >
> > I'm thinking maybe this person used the GUI to backup their site, and
> > this was a temporary dumping station or backup buffer for it?
> > Either way, I just removed it after reading your letter and nothing
> > fell over, so I suppose I'm good to go. ;)
> > Thanks!
> >
> > CarrieB
>
> Well, I was pretty sure nothing will happen, though this looks like a
> weird filename for backup.
>
> Regarding httpd, yes, that's correct. You should have two httpd processes
> running as root (at least)

Technically, the admserv (which is basically apache) running as root is
quite flaky security - it was brought up on bugtraq with RaQs, and general
consensus I gathered from the list is that really it should run as a
separate user, and the scripts should be made suid root (or run through
sudo, or something).  Whenever the next Apache exploit is released (it's
been years since the last - sooner or later something will likely turn
up), expect attackers to be able to get root on Cobalt equipment fairly
easily, because of the admin server.

Apache on RaQs is compiled with the option "BIG_SECURITY_HOLE".  That
should emphasise it.

And also - nice thing - Apache below version 1.3.19 allows directory
listing of any directory due to a bug in mod_index.  Apache runs as root.
You can list any directory on the RaQ through the admin server.  I mailed
Security@xxxxxxxxxx about this.  The email was ignored.

Regards,
Gossi.
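A defender-side check for the two conditions Gossi describes, added here as an example and not part of the list thread: it audits a `ps aux` listing for httpd processes running as root and an `httpd -V` dump for the BIG_SECURITY_HOLE define. Assumed: Apache 1.3's `httpd -V` lists compile-time defines one per line as ` -D NAME`; both sample listings below are constructed, not captured from a real RaQ.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a RaQ-style box for
# web-server processes running as root and for an Apache binary built with
# -DBIG_SECURITY_HOLE. On a live host feed it `ps aux` and `httpd -V`;
# constructed sample output is embedded so it runs offline.

# Constructed `ps aux` listing (not captured from a real RaQ).
SAMPLE_PS='USER       PID %CPU %MEM  VSZ  RSS TTY STAT START TIME COMMAND
root       301  0.0  1.2 2944 1580 ?   S    May26 0:00 /usr/sbin/httpd
httpd      455  0.0  1.3 3020 1700 ?   S    May26 0:00 /usr/sbin/httpd
httpd      456  0.0  1.3 3020 1700 ?   S    May26 0:00 /usr/sbin/httpd
root       480  0.0  1.1 2900 1500 ?   S    May26 0:00 /usr/admserv/bin/httpd
root       512  0.0  0.4 1220  560 ?   S    May26 0:00 /usr/sbin/sshd
root       530  0.0  0.2  800  400 ?   S    May26 0:00 httpd -DSSL'

# Constructed `httpd -V` output in Apache 1.3 layout (assumed: one " -D NAME" per line).
SAMPLE_HTTPD_V='Server version: Apache/1.3.12 (Unix)
Server compiled with....
 -D HAVE_MMAP
 -D BIG_SECURITY_HOLE
 -D HTTPD_ROOT="/usr/local/apache"'

# Print "PID COMMAND" for every httpd whose user (column 1) is root.
# Reads a ps listing on stdin; the command (column 11) may be a bare name or a path.
root_httpd_procs() {
    awk 'NR > 1 && $1 == "root" && $11 ~ /(^|\/)httpd$/ { print $2, $11 }'
}

# Number of root-owned httpd processes, printed as a bare integer.
root_httpd_count() {
    root_httpd_procs | wc -l | tr -d ' '
}

# Exit 0 only if the `httpd -V` text on stdin carries the BIG_SECURITY_HOLE define.
built_with_big_security_hole() {
    grep -q '^ *-D *BIG_SECURITY_HOLE'
}

# Demonstration run on the constructed samples.
echo "root-owned httpd processes:"
printf '%s\n' "$SAMPLE_PS" | root_httpd_procs
if printf '%s\n' "$SAMPLE_HTTPD_V" | built_with_big_security_hole; then
    echo "WARNING: httpd built with -DBIG_SECURITY_HOLE (can be started as root)"
fi
```

On a real box, replace the samples with `ps aux | root_httpd_procs` and `httpd -V | built_with_big_security_hole`; the thread notes that two root-owned httpd processes are normal on a RaQ, so compare the count against that baseline rather than expecting zero.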