
Re: [cobalt-security] Apache running as root . . . .
Hi Brandon,

> I was reading the docs for a shopping cart script the other day and it
> basically said if you encounter a host that allows you to browse other
> user's directories, you should "run, not walk, away - as fast as you can."

Yes, that's a good suggestion. :o)

> do you have an elegant solution to this problem?

Only the theoretical model behind one such fix: 

Block NFS to the outside world. Then export the users' directories by NFS and
mount them in a chrooted jail along with its own /tmp, its own loopback device,
its own /usr/local/bin, /usr/bin and whatever else the user needs and
whatever we can safely grant him.

Once logged in (by SSH or FTP) he can only see his own stuff and whatever 
else is put into his chrooted jail.

Some pretty safe Linux distributions use this kind of approach, like
Rocklinux or Kaladix.

-- 

With best regards,

Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer
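A minimal shell sketch of the jail skeleton described above (its own /tmp, /bin, /usr/bin, and so on) together with a check for the setuid and world-writable entries that undermine a chroot. This is an added example, not code from the original message or from Michael Stauber; the function names, the directory list and the use of ldd to find shared libraries are assumptions.

```shell
#!/bin/sh
# Build a minimal per-user chroot skeleton and audit it for unsafe entries.
# Assumptions: GNU/Linux with ldd available; the caller chooses the jail path
# and which binaries the user is granted. The NFS-exported home directory
# would be mounted under $JAIL/home afterwards (not done here).

# mkjail JAIL BIN... : create the jail directories and copy each binary
# together with the shared libraries ldd reports for it.
mkjail() {
    jail=$1; shift
    for d in bin lib lib64 usr/bin usr/local/bin tmp dev home; do
        mkdir -p "$jail/$d"
    done
    chmod 1777 "$jail/tmp"          # sticky, world-writable scratch space only here
    for bin in "$@"; do
        cp "$bin" "$jail/bin/"
        # ldd lines look like "libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)"
        # or "/lib64/ld-linux-x86-64.so.2 (0x...)"; copy each library to the
        # same relative path inside the jail so the dynamic loader finds it.
        ldd "$bin" 2>/dev/null |
        awk '$2 == "=>" && $3 ~ /^\// {print $3} $1 ~ /^\// {print $1}' |
        while read -r lib; do
            mkdir -p "$jail$(dirname "$lib")"
            cp "$lib" "$jail$lib"
        done
    done
}

# jail_check JAIL : return 0 if the jail contains no setuid/setgid files and
# no world-writable directory other than tmp; otherwise list them and return 1.
# Such entries are the classic way a confined user gets root or breaks out.
jail_check() {
    jail=$1
    bad=$( { find "$jail" -type f \( -perm -4000 -o -perm -2000 \) ;
             find "$jail" -type d -perm -0002 ! -path "$jail/tmp" ; } 2>/dev/null )
    [ -z "$bad" ] && return 0
    printf 'unsafe entries in %s:\n%s\n' "$jail" "$bad" >&2
    return 1
}
```

Run `mkjail /srv/jail/alice /bin/sh /usr/bin/scp` as root, mount the user's NFS home under the jail, then keep `jail_check` in a cron job so that a setuid binary slipped into the jail is noticed.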