Re: [cobalt-developers] Web Server permissions - [Ignore Post]
- Subject: Re: [cobalt-developers] Web Server permissions - [Ignore Post]
- From: "Ryan Verner [xfesty]" <vernerr@xxxxxxxxxxx>
- Date: Sun Aug 26 07:48:19 2001
- List-id: Discussion Forum for developers on Sun Cobalt Networks products <cobalt-developers.list.cobalt.com>
Hey...
Ignore this post, I sent it like a week ago, but my ISP's mail servers have
been _weird_ and this only just got sent, along with about 50 other messages
to other mailing lists on threads which are long dead <g>.
It was indeed late and I had run the script as the admin user. *slaps
forehead*
Sorry :-)
Ryan.
----- Original Message -----
From: "Ryan Verner [xfesty]" <vernerr@xxxxxxxxxxx>
To: <cobalt-developers@xxxxxxxxxxxxxxx>
Sent: Friday, August 24, 2001 1:01 AM
Subject: [cobalt-developers] Web Server permissions
> Just a query..
>
> Out of curiosity, I just did this (user is eggdrop, does not have
> administrator privileges). In a home users folder I just dropped in a short
> script, and chmod +x 'ed it.
>
> #!/bin/sh
> printf "Content-type: text/plain\n\n"
> ps aux | grep eggdrop
>
> Apache seems to be configured on the XTR's so any files with a .cgi
> extension will execute. This is normal.
>
> BUT:
>
> admin 3512 0.0 0.0 1212 452 ? S 08:20 0:00 grep eggdrop
>
> The .cgi script is running as admin, and not the user?
>
> This is a concern, I'm sure that the boxes could be exploited, i.e. write a
> script to read something out the admin home folder, to run a program, etc...
>
> Am I incorrect in this? (It's late, heh).
>
> Ryan Verner