Hi Markus,

Rainer Duffner wrote:
Ludwig Nussel wrote:
Markus Gaugusch wrote:
Does anyone think that it makes sense to let /bin/bash have the following permissions?

  -rwx---r-x 1 root www 490716 Sep 9 18:12 /bin/bash

With that setting, anyone exploiting the webserver could not execute /bin/bash (of course the same permissions could also be applied to /bin).
Has anyone ever tried this? Does it break things? Did I find something cool? ;-)
"Real cool" people do not use blacklisting, but whitelisting. So do

  groupadd bashusers
  chown root:bashusers /bin/bash
  chmod 510 /bin/bash

and add any allowed Bash user to the group. Or even better, as already mentioned, cage the webserver into at least a chroot environment. So you do not need to bother about wget & co.

Dirk

TRIA IT-consulting GmbH
http://www.tria.de

Message from: Dirk.Schreiner@tria.de
Message to: rainer@ultra-secure.de, ludwig.nussel@suse.de, suse-security@suse.com