RE: [cobalt-users] Re: email forwarding
- Subject: RE: [cobalt-users] Re: email forwarding
- From: "Ian McCabe" <idmccabe@xxxxxxxxxxxxxxxx>
- Date: Fri Dec 14 15:56:06 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Not a problem Chris,
I needed to know the answer to this for real, so your explanation provides a
clear example of why not to, so thanks for that Chris.......
In our situation we do not offer Telnet or SSH access to our server so that
covers one thing, but are virtual site users able to execute say, cgi
scripts with paths outside of their own path?
Scary movie time I think lol
Ian
-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of Chris Demain
Sent: 14 December 2001 18:05
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: RE: [cobalt-users] Re: email forwarding
> This is a legitimate question for you Chris.
>
> Does it really matter about providing 777 permissions on files which are
> effectively outside of the public_html area, I always thought that it did
> not matter as it was not accessible, but if you know otherwise please tell
> all because I do need to know if this is the case......
>
> If I am wrong in thinking it doesn't matter about too many permissions
> outside of public_html area, sorry one and all for saying that should be
> safe and secure enough.....!!
>
> Ian
Ian,
It is a good practice to be secure-by-default and only give the smallest
amount of permissions which will work. It may not be a from-the-browser
security hole, but it could spell disaster if someone has telnet/ssh access.
The fact that it's world writable + world executable means I can echo
arbitrary code into the file, and then run the file!
$ echo "malicious code" > /path/to/777'd/file
$ sh /path/to/777'd/file
# Whee!
Of course, it's not this easy ... but it's certainly easier than if it
_doesn't_ have those permissions.
This is compounded in set-gid/uid situations.
While it may have been good enough for a fix to the problem, there's nothing
safe about 777 permissions, as a rule.
Sorry if it came across as an accusation, I just wanted to give warning
about the dangers. If it doesn't need execution privs, don't give them,
unless all users must be able to write to it, don't give world write, etc.
</rant> ;)
-Chris
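
An audit for the permission patterns discussed in this thread, as an added example that is not part of the original messages: it lists world-writable regular files under a tree, separating those that are also world-executable or setuid/setgid, and can strip the world-write bit. The function names, labels and the usage path are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit a tree for world-writable files.
# Function names and labels are illustrative assumptions.

# scan LABEL ROOT FIND-TESTS...: print "LABEL path" for each matching regular file.
scan() {
    scan_label=$1
    scan_root=$2
    shift 2
    find "$scan_root" -type f "$@" -print | sed "s|^|$scan_label |"
}

# audit_perms ROOT: classify every world-writable regular file under ROOT.
audit_perms() {
    # World-writable and setuid/setgid: the compounded case mentioned in the thread.
    scan SETID-WRITABLE "$1" -perm -002 \( -perm -4000 -o -perm -2000 \)
    # World-writable and world-executable (e.g. 777), without setuid/setgid.
    scan EXEC-WRITABLE "$1" -perm -003 ! -perm -4000 ! -perm -2000
    # World-writable only (e.g. 666): not executable by others, still open to tampering.
    scan WRITABLE "$1" -perm -002 ! -perm -001 ! -perm -4000 ! -perm -2000
}

# drop_world_write ROOT: remove only the "other" write bit; owner and group bits stay.
drop_world_write() {
    find "$1" -type f -perm -002 -exec chmod o-w {} +
}

# Usage: sh audit.sh /home/sites   (path is a placeholder)
if [ "$#" -gt 0 ]; then
    audit_perms "$1"
fi
```

Run the audit first and review the list before calling drop_world_write, since some files may be world-writable on purpose.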