Date: Thu, 11 Aug 2005 17:04:34 +0200 From: Stijn Hoop <stijn@win.tue.nl> To: jimmy@inet-solutions.be Cc: freebsd-security@freebsd.org, Ken Hawkins <ken@rosewoodblues.com> Subject: Re: newbie with www user security problem Message-ID: <20050811150434.GD26471@pcwin002.win.tue.nl> In-Reply-To: <1123772050.42fb669291ae3@webmail.boxke.be> References: <97525439-C809-4E69-B191-F29585A1A71B@rosewoodblues.com> <20050811134650.GC26471@pcwin002.win.tue.nl> <1123772050.42fb669291ae3@webmail.boxke.be>
next in thread | previous in thread | raw e-mail | index | archive | help
--4SFOXa2GPu3tIq4H Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Aug 11, 2005 at 04:54:10PM +0200, jimmy@inet-solutions.be wrote: > If the box in question was local secure, you don't have to worry that muc= h. Correct of course, but seeing as the OP admitted to not knowing a lot about the administration of this machine, I don't think local security was very high. > If it's a long time since you've updated your base, are sloppy with passw= ords > on the box in question, haven't updated your daemons/setuid packages in w= eeks, > then the box should be concidered a total loss. >=20 > Just think in terms as "what are the possible things I could do if my UID= were > 'www'" There might be some less obvious things, especially if the base OS is as far behind as the phpBB installation. > I for example have webservers running in chroot, on a partition that is > nosuid, and starred out password for the user 'www'. The thing you > describing happens sometimes because users do not update there phpbb's > either. I'm not affraid since the kiddo would have the same access than a > customer, which I cannot trust either. If you don't know the box IS secur= e, > it isn't, there is a lot of work involved in keeping things like this > "under controle". Totally true, and good advice for setting up access for customers / etc. --Stijn --=20 Coughlin's law: never show surprise, never lose your cool. -- Cocktail --4SFOXa2GPu3tIq4H Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (FreeBSD) iD8DBQFC+2kCY3r/tLQmfWcRAm9bAJ92lyAyGDaWGibKPe8531yU9diGQwCgoODr BFjCs9emTPDA1ElqugjLPYQ= =1c74 -----END PGP SIGNATURE----- --4SFOXa2GPu3tIq4H--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050811150434.GD26471>