Hello list, netstat -ap . . tcp 0 0 localhost:1024 localhost:blackjack ESTABLISHED 321/(dnsserver) tcp 0 0 localhost:blackjack localhost:1024 ESTABLISHED 319/(squid) . . what the hell does "blackjack" mean?!? Thanx Frank
On Wed, Apr 11, 2001 at 20:32 +0200, Frank Lederer wrote:
netstat -ap . . tcp 0 0 localhost:1024 localhost:blackjack ESTABLISHED 321/(dnsserver) tcp 0 0 localhost:blackjack localhost:1024 ESTABLISHED 319/(squid) . .
what the hell does "blackjack" mean?!?
Nothing at all. It's by pure chance that port 1025(?) has an entry in /etc/services while 1024 doesn't. Get used to the -n option and don't put too much into names mainly meant for comfort or displaying purposes. /etc/services is a list of suggestions (conventions) and not a bible. :) In the above you will notice a lot of squid related processes talking to each other. It's how they cooperate to service your requests while every part does what it was designed to do. virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76 Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net -- If you don't understand or are scared by any of the above ask your parents or an adult to help you.
Linux Firewalling and Port Behavior http://www.securityportal.com/closet/closet20001101.html Kurt Seifried, seifried@securityportal.com Securityportal - your focal point for security on the 'net
Hi all ! I hope this is the right list to discuss this, but I think it's a real security problem: What's wrong with my apache ? From a skript like: #!/usr/bin/perl print "Content-Type: text/html\n\n"; open HUGO, "/etc/httpd/httpd.conf"; while ($a = <HUGO>) { print $a; } or <?php if (!$i) $i = "/etc/passwd"; readfile($i); print $i; ?> I can publish the whole system, every config file, firewall-rules that are world-readable ... everything. and lots of files are, by default, world-readable ... I could start to make all of them NOT world readable, but isn't there another way ? Any hints ? thnx ... _____ Sent through Master Auchi Mail Systems http://www.masterauchi.com - powered by Linux -
You might want to review basic unix security.
Many files on the system HAVE to be world readable (like /etc/password, how else
can you check your UID/GID, etc?). You can also do this with server side
includes. This is why for apache you restrict cgi's to a certain dir and audit
them. Users can also do fork bombs, like wow, stupendous, amazing, you are
allowed to run potentially malicious code on a machine and it can do bad things,
this is hardly news. You might want to look into chrooting your apache server
(in which case you still need stub /etc/passwd, /etc/group, and so on files) or
using something like subdomain.
Kurt Seifried, seifried@securityportal.com
Securityportal - your focal point for security on the 'net
----- Original Message -----
From: "Matthias Auchmann"
Hi all !
I hope this is the right list to discuss this, but I think it's a real security problem:
What's wrong with my apache ? From a skript like:
#!/usr/bin/perl print "Content-Type: text/html\n\n"; open HUGO, "/etc/httpd/httpd.conf"; while ($a = <HUGO>) { print $a; }
or
<?php if (!$i) $i = "/etc/passwd"; readfile($i); print $i; ?>
I can publish the whole system, every config file, firewall-rules that are world-readable ... everything. and lots of files are, by default, world-readable ... I could start to make all of them NOT world readable, but isn't there another way ?
Any hints ?
thnx ... _____
Sent through Master Auchi Mail Systems http://www.masterauchi.com - powered by Linux
-
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, 11 Apr 2001, Matthias Auchmann wrote:
Hi all !
I hope this is the right list to discuss this, but I think it's a real security problem:
What's wrong with my apache ? From a skript like:
#!/usr/bin/perl print "Content-Type: text/html\n\n"; open HUGO, "/etc/httpd/httpd.conf"; while ($a = <HUGO>) { print $a; }
or
<?php if (!$i) $i = "/etc/passwd"; readfile($i); print $i; ?>
I can publish the whole system, every config file, firewall-rules that are world-readable ... everything. and lots of files are, by default, world-readable ... I could start to make all of them NOT world readable, but isn't there another way ?
You could start disabling scripting and then designate a specific directory to allow scripting in, where only the administrator can write scripts to. So one can scrutinize scripts before they are put in production. You could also chroot your apache, but then you'll have a _lot_ to configure (and copy) I believe. - -- Groetjes vanwege... Greetings from... -- - -- Dieter Demerre *** ddemerre@acm.org -- - -- http://www.angelfire.com/de/ddemerre/ -- - -----BEGIN GEEK CODE BLOCK----- Version: 3.12 GCS/d- s+:++ a-()>-- C+ UH P++(+) L++ E W++ N+ o K? w o V M PS+ PE- Y+ PGP+ t 5? X+ R+> tv+ b+ DI D G e+++ h+> r% z- - ------END GEEK CODE BLOCK------ -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQA/AwUBOtVZ8glG34XnM6kpEQLn6ACguCWLPcXzSxXERcdEOBX8FbBadEQAoPP3 W/V4sbwXcpRkUuvBt5YyMQn1 =XvTr -----END PGP SIGNATURE-----
* Matthias Auchmann wrote on Wed, Apr 11, 2001 at 23:16 +0200:
What's wrong with my apache ? From a skript like:
#!/usr/bin/perl
I can publish the whole system, every config file, ...
Yes, if you want to shot yourself in the foot, you can do this :)
I could start to make all of them NOT world readable, but isn't there another way ?
If you don't want the world to be able to read it, this is a possibility. Otherwise just don't put such a script on your server. If you don't want the world to read such files, don't allow this tool. If you have user on this server, you might want to disable CGI/... execution. BTW, for CGI you should use suExec. It's a pitty but suexec works not with PHP3/4 out of the box. oki, Steffen -- Dieses Schreiben wurde maschinell erstellt, es trägt daher weder Unterschrift noch Siegel.
I will not put such a script on my server, but I'm afraid others will do it. The problem is, yes, I have a lot of users. And I can't read every file they use. I use suexec, but most of them run php and not perl or some other cgi-script. _____ Sent through Master Auchi Mail Systems http://www.masterauchi.com - powered by Linux -----Ursprüngliche Nachricht----- Von: Steffen Dettmer [mailto:steffen@dett.de] Gesendet: Donnerstag, 12. April 2001 11:09 An: Suse-Security Betreff: Re: [suse-security] Apache Problem * Matthias Auchmann wrote on Wed, Apr 11, 2001 at 23:16 +0200:
What's wrong with my apache ? From a skript like:
#!/usr/bin/perl
I can publish the whole system, every config file, ...
Yes, if you want to shot yourself in the foot, you can do this :)
I could start to make all of them NOT world readable, but isn't there another way ?
If you don't want the world to be able to read it, this is a possibility. Otherwise just don't put such a script on your server. If you don't want the world to read such files, don't allow this tool. If you have user on this server, you might want to disable CGI/... execution. BTW, for CGI you should use suExec. It's a pitty but suexec works not with PHP3/4 out of the box. oki, Steffen -- Dieses Schreiben wurde maschinell erstellt, es trägt daher weder Unterschrift noch Siegel. --------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
Ok, it might be time for you to read the apache config file and learn about
"Options ExecCGI". Then you may want to learn about chroot. Then you may want to
go to www.wirex.com and learn about subdomain. They you may want to get a brick
and... ermm.. nevermind.
Kurt Seifried, seifried@securityportal.com
Securityportal - your focal point for security on the 'net
----- Original Message -----
From: "Matthias Auchmann"
I will not put such a script on my server, but I'm afraid others will do it.
The problem is, yes, I have a lot of users. And I can't read every file they use.
I use suexec, but most of them run php and not perl or some other cgi-script.
_____
Sent through Master Auchi Mail Systems http://www.masterauchi.com - powered by Linux
-----Ursprüngliche Nachricht----- Von: Steffen Dettmer [mailto:steffen@dett.de] Gesendet: Donnerstag, 12. April 2001 11:09 An: Suse-Security Betreff: Re: [suse-security] Apache Problem
* Matthias Auchmann wrote on Wed, Apr 11, 2001 at 23:16 +0200:
What's wrong with my apache ? From a skript like:
#!/usr/bin/perl
I can publish the whole system, every config file, ...
Yes, if you want to shot yourself in the foot, you can do this :)
I could start to make all of them NOT world readable, but isn't there another way ?
If you don't want the world to be able to read it, this is a possibility. Otherwise just don't put such a script on your server. If you don't want the world to read such files, don't allow this tool. If you have user on this server, you might want to disable CGI/... execution. BTW, for CGI you should use suExec. It's a pitty but suexec works not with PHP3/4 out of the box.
oki,
Steffen
-- Dieses Schreiben wurde maschinell erstellt, es trägt daher weder Unterschrift noch Siegel.
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
On Thu, 12 Apr 2001 12:49:09 +0200, you wrote:
I will not put such a script on my server, but I'm afraid others will do it.
The problem is, yes, I have a lot of users. And I can't read every file they use.
It is unsecure letting untrusted people to upload cgi's directly to your cgibin directory. This is known. As somebody pointed out you could try to: 1) Create a special upload directory where people can put his/her cgi's. This directory hasn't got cgiexec privileges at all. Then you should review these uploaded cgi's and copy them to the real cgibin directory, if they are not dangerous 2) Put apache in a chroot jail. Option 1 is more secure (if you're good auditing cgi's) but you need the extra work of auditing. Option 2 is less secure but automatic. Obviosly, option 1+2 combined would be the most secure method :-) =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= ** RoMaN SoFt / LLFB ** roman@madrid.com http://pagina.de/romansoft ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Hello all I ran suseharden on a new SuSE 7.0 installation which runs as a web server. The web server has mod_php, mod_ssl and mod_pl installed. Problem is, the restriction on virtual memory bites httpd. After a bit, web pages stop appearing, and the log shows mmap failed, unable to allocate memory (or something similar) (php shows out of memory). For now I have increased the soft ulimit -v from 50M (which seems HUGE) to 80M, and the problem has gone away. However, the server shows httpd running as three processes, each of a little over 50M. Am I doing something horribly wrong (ie. should I have compiled a minimal mod_php?) Is this something to do with the configuration of the SuSE packages, or am I mistaking threads for processes? (Someone is bound to point out that /etc/profile is only active when a login session begins. Problem is if you run rchttpd restart it then gets a lower ulimit ... ) &:-)
participants (8)
-
Andrew McGill -
Dieter Demerre -
Frank Lederer -
Gerhard Sittig -
Kurt Seifried -
Matthias Auchmann -
RoMaN SoFt / LLFB!! -
Steffen Dettmer