Date: Thu, 25 Sep 2014 15:35:55 -0400
From: Chris Nehren <cnehren+freebsd-security@pobox.com>
To: freebsd-security@freebsd.org
Subject: Re: bash vulnerability
Message-ID: <20140925193555.GB28430@satori.lan>
In-Reply-To: <54244982.8010002@FreeBSD.org>
References: <CAHFU5H5WOnAXuFmfQEGkTvwoECATTCC3eKYE3yts+Bqh1M_8ww@mail.gmail.com> <00000148ab969845-5940abcc-bb88-4111-8f7f-8671b0d0300b-000000@us-west-2.amazonses.com> <54243F0F.6070904@FreeBSD.org> <54244982.8010002@FreeBSD.org>
On Thu, Sep 25, 2014 at 11:57:38 -0500, Bryan Drewery wrote:
> 1. Do not ever link /bin/sh to bash. This is why it is such a big
> problem on Linux, as system(3) will run bash by default from CGI.

I would think that this would cause other, more fundamental, issues.
FreeBSD's systems don't expect /bin/sh to be bash, and I wouldn't be
surprised if they break for whatever reason.

> 2. Web/CGI users should have shell of /sbin/nologin.
> 3. Don't write CGI in shell script / Stop using CGI :)
> 4. httpd/CGId should never run as root, nor "apache". Sandbox each
> application into its own user.

And its own jail. Jails with ZFS are dirt cheap.

-- 
Chris Nehren
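The three checkable points in the quoted list (is /bin/sh really bash, do the web/CGI accounts have a login shell, is the web server running as root) can be turned into a small audit script. The following is an added example, not code from the message above or from FreeBSD; it assumes awk is available, that the interpreter under test honours `-c`, and it runs against constructed sample data (a passwd-style excerpt and `ps -axo user=,comm=`-style lines) rather than the live system.

```shell
#!/bin/sh
# Added audit helpers for the hardening points quoted above (not from the
# original post). Assumptions: awk is installed; the sample passwd and ps
# data below is constructed for illustration, not taken from a real host.

# 1. Is the interpreter at $1 really bash? bash sets BASH_VERSION; the
#    FreeBSD /bin/sh (ash) and dash leave it empty, so an empty answer
#    means "not bash".  Usage: sh_is_bash /bin/sh
sh_is_bash() {
    [ -n "$("$1" -c 'printf %s "$BASH_VERSION"' 2>/dev/null)" ]
}

# 2. Read passwd(5)-format lines on stdin and print "user:shell" for each
#    account named in $1 (space separated) whose login shell is not nologin.
#    Usage: web_users_with_shell "www cgi" < /etc/passwd
web_users_with_shell() {
    awk -F: -v want="$1" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) ok[w[i]] = 1 }
        ($1 in ok) && $7 != "/sbin/nologin" && $7 != "/usr/sbin/nologin" {
            print $1 ":" $7
        }'
}

# 3. Given "user command" lines (as produced by: ps -axo user=,comm=) in $1
#    and an awk regex in $2, print the web-server processes that run as root.
root_httpd_procs() {
    printf '%s\n' "$1" | awk -v pat="$2" '$1 == "root" && $2 ~ pat { print }'
}

# Constructed sample data so the script runs stand-alone.
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/csh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
cgi:*:1001:1001:CGI apps:/home/cgi:/bin/sh
alice:*:1002:1002:Alice:/home/alice:/bin/sh'

SAMPLE_PS='root httpd
www httpd
www httpd
root init'

# Print one line per finding; the checks themselves are the functions above.
audit_report() {
    if sh_is_bash /bin/sh; then
        echo "WARN: /bin/sh is bash; system(3) from CGI will run bash"
    else
        echo "ok: /bin/sh is not bash"
    fi
    bad=$(printf '%s\n' "$SAMPLE_PASSWD" | web_users_with_shell "www cgi")
    [ -n "$bad" ] && echo "WARN: web/CGI accounts with a login shell: $bad"
    rootprocs=$(root_httpd_procs "$SAMPLE_PS" 'httpd|apache')
    [ -n "$rootprocs" ] && echo "WARN: web server running as root: $rootprocs"
    return 0
}

audit_report
```

On a real host, replace the constructed samples with `< /etc/passwd` and `"$(ps -axo user=,comm=)"`; the per-user/per-jail separation in point 4 is not something a passwd or ps check can verify, so it is left to the operator.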
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20140925193555.GB28430>