Markus Gaugusch wrote:
> Does anyone think that it makes sense to let /bin/bash have the following permissions?
>
> -rwx---r-x 1 root www 490716 Sep 9 18:12 /bin/bash
>
> With that setting, anyone exploiting the webserver could not execute /bin/bash (of course the same permissions could also be applied to /bin).
>
> Has anyone ever tried this? Does it break things? Did I find something cool? ;-)

I like it :-) It's not a real protection though. Especially not against an attacker that spends time to break into your system. It might help as a quick workaround in situations where a hole is not fixed yet against script kiddies or worms that cannot adapt to such surprises. You probably want to apply it to other shells and interpreters like perl or csh as well. Of course cgi scripts that rely on them would stop working.

You can also use ACLs instead of the group:

setfacl -m u:wwwrun:--- /bin/bash

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\   SUSE LINUX Products GmbH, Development
 V_/_  http://www.suse.de/
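
Added example, not part of the original thread: a small Python model of the permission check that both the `rwx---r-x` group trick and the `setfacl` variant rely on, where the first matching class (owner, named ACL user, group, other) decides and later classes are never consulted. The uid/gid numbers are constructed, and the model covers only classic mode bits, named-user ACL entries and the root case.

```python
X = 0o1  # execute bit inside one rwx triplet


def may_execute(mode, file_uid, file_gid, uid, gids, acl_users=None, mask=0o7):
    """Model of the Linux DAC decision for executing a regular file.

    mode      -- owner / owning-group / other entries, e.g. 0o705
    acl_users -- {uid: rwx bits} for named-user ACL entries (assumed input shape)
    mask      -- ACL mask; it can only remove rights from ACL user/group entries
    """
    owner, group, other = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    if uid == 0:
        # root bypasses DAC, but exec still needs at least one x bit set
        return bool((owner | group | other) & X)
    if uid == file_uid:
        return bool(owner & X)
    if acl_users and uid in acl_users:
        return bool(acl_users[uid] & mask & X)
    if file_gid in gids:
        # Group class matched: "other" is NOT consulted, even if it is r-x
        return bool(group & mask & X)
    return bool(other & X)


# Constructed ids for illustration only
ROOT, WWWRUN, ALICE = 0, 30, 1000
GID_ROOT, GID_WWW, GID_USERS = 0, 8, 100

CASES = {
    # -rwx---r-x root:www  (the mode from the question)
    "wwwrun, group trick": may_execute(0o705, ROOT, GID_WWW, WWWRUN, {GID_WWW}),
    "alice, group trick": may_execute(0o705, ROOT, GID_WWW, ALICE, {GID_USERS}),
    "root, group trick": may_execute(0o705, ROOT, GID_WWW, ROOT, {GID_ROOT}),
    # -rwxr-xr-x root:root plus ACL entry user:wwwrun:---
    "wwwrun, ACL entry": may_execute(0o755, ROOT, GID_ROOT, WWWRUN, {GID_WWW},
                                     acl_users={WWWRUN: 0o0}),
    "alice, ACL entry": may_execute(0o755, ROOT, GID_ROOT, ALICE, {GID_USERS},
                                    acl_users={WWWRUN: 0o0}),
}

if __name__ == "__main__":
    for name, allowed in CASES.items():
        print(f"{name:22s} -> {'exec allowed' if allowed else 'EACCES'}")
```
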