Date:      Tue, 26 Jul 2005 01:26:28 +0200
From:      Thomas Krause <freebsd-isp@chef-ingenieur.de>
To:        "Gustavo A. Baratto" <gbaratto@superb.net>
Cc:        freebsd-isp@freebsd.org
Subject:   Re: preventing a user to start a process
Message-ID:  <42E57524.3030200@chef-ingenieur.de>
In-Reply-To: <01b001c59157$806bae10$7201a8c0@guinness>
References:  <42E54654.1090705@chef-ingenieur.de> <01b001c59157$806bae10$7201a8c0@guinness>


Hi,

Gustavo A. Baratto schrieb:
> Use php safe_mode. This will prevent the execution of external commands 
> from php. Depending on what you mean by "usable", this may be a 
> problem.

I think that is not usable on a running system - too many sites
will not work.

> 
> Or make sure php doesn't allow uploads to /tmp or /var/tmp (disable FTP 
> in PHP). This will prevent the ircs or any other scripts from being uploaded 
> in the first place.

That's not the solution. The problem is the possibility to execute
commands via shell. With that, every user with access to the
php files is able to do a

- find / -type d -perm 1777
- mkdir /tmp/foo
- fetch ...
- tar xzf
- run daemon

(I found this on my webserver)

I've searched all php-files for the system() function - it's not
possible for me to disable this function.

Any ideas?

Regards,
Thomas.


> 
> 
> ----- Original Message ----- From: "Thomas Krause" 
> <freebsd-isp@chef-ingenieur.de>
> To: <freebsd-isp@freebsd.org>
> Sent: Monday, July 25, 2005 1:06 PM
> Subject: preventing a user to start a process
> 
> 
>> Hello,
>> is it possible to bar a user (www) from starting a process?
>> I've an irc daemon running under the uid www. I think
>> this was done by php. What would be the best way to prevent
>> this (php should remain usable)? I've installed ipfw rules,
>> but this doesn't prevent the starting of the process.
>>
>> Kind regards,
>> Thomas.
>> _______________________________________________
>> freebsd-isp@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
>> To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
>>
> 



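As an added example (not from this thread), a small audit script of the kind Thomas describes: it scans PHP files for the functions that hand a command to a shell. The sample PHP source is constructed. PHP function names are case-insensitive and the backtick operator also runs a shell, so a plain search for `system(` misses both; the script also emits the php.ini `disable_functions` line that blocks the same functions.

```python
import re
from pathlib import Path

# PHP functions that pass a command to a shell or spawn a process.
SHELL_FUNCS = ("system", "exec", "shell_exec", "passthru",
               "popen", "proc_open", "pcntl_exec")

# Direct call, matched case-insensitively (PHP function names are not
# case-sensitive) and not preceded by "->" or "::" (method/static calls).
CALL_RE = re.compile(r"(?<![\w$>:])(" + "|".join(SHELL_FUNCS) + r")\s*\(",
                     re.IGNORECASE)
# Backtick operator: `cmd` is equivalent to shell_exec("cmd").
BACKTICK_RE = re.compile(r"`[^`]+`")
# Function name stored as a string literal; it can later be called as
# $f() or via call_user_func(), which a search for "system(" never sees.
LITERAL_RE = re.compile(r"""['"](""" + "|".join(SHELL_FUNCS) + r""")['"]""",
                        re.IGNORECASE)

def scan_php_source(source: str):
    """Return (line_number, kind, stripped_line) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("//", "#", "*")):
            continue  # skip obvious comment lines
        if CALL_RE.search(line):
            findings.append((lineno, "call", stripped))
        elif BACKTICK_RE.search(line):
            findings.append((lineno, "backtick", stripped))
        elif LITERAL_RE.search(line):
            findings.append((lineno, "literal", stripped))
    return findings

def scan_tree(root: str):
    """Scan every *.php file under root; returns {path: findings}."""
    results = {}
    for path in Path(root).rglob("*.php"):
        found = scan_php_source(path.read_text(errors="replace"))
        if found:
            results[str(path)] = found
    return results

def disable_functions_line():
    """php.ini directive that blocks these functions for every script."""
    return "disable_functions = " + ",".join(SHELL_FUNCS)

# Constructed sample, not a file from the server discussed in the thread.
SAMPLE_PHP = """<?php
// system("id");   a comment, should be ignored
$out = SYSTEM($_GET['cmd']);
$list = `ls -la /tmp`;
$f = 'passthru';
$f($_POST['c']);
echo $obj->system();
"""
```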