Re: [cobalt-users] All folders visable on whole server
- Subject: Re: [cobalt-users] All folders visable on whole server
- From: "Brian Curtis" <admin@xxxxxxxxxxx>
- Date: Fri Dec 8 15:39:02 2000
- Organization: Pomfret Computer Technologies
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
> There shouldn't be a big hoopla over this particular script ("...the most
> dangerous CGI script I have ever seen!!!")--anyone with a passing knowledge
> of Perl or PHP can browse anything on your server.
This is true. As the Cobalt system operates Apache, every virtual host
runs as user "httpd"? Therefore this script gives no additional access to
any files than a shell/non-chroot'd ftp session would. Unless you really
fsck'd up your filesystem, this script should not be able to
delete/read/modify any file on the system that a normal linux user would be
able to via any access method.
This, to me, is a Cobalt problem, not the script writer's. I stuffed this
script on one of our "locked down" generic Linux boxes, and it couldn't do a
thing more than what I intend normal users to be able to. A simple "quick
and dirty" hack to prevent your users from reading directories you don't
want them to is:
$ chmod o-r secret_directory
Depending on what you want to hide from prying eyes....
/ <-- (this one's great for true newbies w/ shell access. The first thing
they do when they login is "ls -l /", only to be greeted by a "Permission
Denied" error.)
/boot
/dev
/etc
/home
/root
/sbin
/<your_favorite_directory>
This allows the box itself to continue on its merry way, while your users
with shell access or the *DREADED* admin(whatever).cgi script can't poke too
far around your machine.
I asked a long time ago why Cobalt didn't implement Apache suEXEC. This
would allow each virtualhost to run scripts with their own uid/gid, just
like the user logging into the box. Seems like a better way to run scripts
than via CGIWrap to me. Oh well, that's a whole other topic.
Anyway, I wouldn't go getting your panties in a twist. Just because one of
your users installs this script doesn't mean your box is doomed. There's
plenty of other ways to extract information/files than some (very craftily
designed, I must say) cgi script. Chris gave you all a very good example.
I always say, "Know who you're hosting." Service script kiddies == don't
plan on much sleep.
--
Brian Curtis
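
Added example, not part of the original message: a small audit of what the "other" permission class can still do with a directory after the `chmod o-r` step described above. The function names (`other_access`, `audit`, `demo`) and the temporary test directory are constructed for illustration; the check reads mode bits only and assumes no ACLs are in play.

```shell
#!/bin/sh
# Classify what "other" users (e.g. a CGI running as httpd, when httpd is
# neither owner nor in the group) can do with a directory, from mode bits.

# other_access DIR -> list+traverse | traverse-only | list-only | none
other_access() {
    mode=$(ls -ld "$1" | cut -c8-10)      # the "other" rwx triplet, e.g. "r-x"
    case "$mode" in
        r?[xt]) echo "list+traverse" ;;   # can ls it and reach files inside
        -?[xt]) echo "traverse-only" ;;   # no ls, but known paths still open
        r??)    echo "list-only" ;;       # names visible, contents not reachable
        *)      echo "none" ;;
    esac
}

# audit DIR... -> one line per existing directory
audit() {
    for d in "$@"; do
        if [ -d "$d" ]; then
            printf '%-14s %s\n' "$(other_access "$d")" "$d"
        fi
    done
}

# Constructed demonstration: the same directory at 755, after o-r, after o-rx.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/secret_directory"
    chmod 755 "$tmp/secret_directory"
    before=$(other_access "$tmp/secret_directory")
    chmod o-r "$tmp/secret_directory"
    after=$(other_access "$tmp/secret_directory")
    chmod o-rx "$tmp/secret_directory"
    locked=$(other_access "$tmp/secret_directory")
    rm -rf "$tmp"
    echo "$before -> $after -> $locked"
}

# With arguments: audit those directories. Without: run the demonstration.
if [ "$#" -gt 0 ]; then audit "$@"; else demo; fi
```

A result of "traverse-only" means directory listing is blocked but a file whose name is already known can still be opened through that directory if the file's own mode allows it; removing the execute bit for "other" as well closes that, at the cost of breaking any service that needs to pass through the directory.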