Date: Fri, 26 Sep 2014 16:38:03 +0400 From: Slawa Olhovchenkov <slw@zxy.spb.ru> To: Chris Nehren <cnehren+freebsd-security@pobox.com> Cc: freebsd-security@freebsd.org Subject: Re: bash velnerability Message-ID: <20140926123803.GA30925@zxy.spb.ru> In-Reply-To: <20140925193555.GB28430@satori.lan> References: <CAHFU5H5WOnAXuFmfQEGkTvwoECATTCC3eKYE3yts%2BBqh1M_8ww@mail.gmail.com> <00000148ab969845-5940abcc-bb88-4111-8f7f-8671b0d0300b-000000@us-west-2.amazonses.com> <54243F0F.6070904@FreeBSD.org> <54244982.8010002@FreeBSD.org> <20140925193555.GB28430@satori.lan>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Sep 25, 2014 at 03:35:55PM -0400, Chris Nehren wrote: > On Thu, Sep 25, 2014 at 11:57:38 -0500, Bryan Drewery wrote: > > 1. Do not ever link /bin/sh to bash. This is why it is such a big > > problem on Linux, as system(3) will run bash by default from CGI. > > I would think that this would cause other, more fundamental, > issues. FreeBSD's system don't expect /bin/sh to be bash, > and I wouldn't be surprised if they break for whatever reason. > > > 2. Web/CGI users should have shell of /sbin/nologin. > > 3. Don't write CGI in shell script / Stop using CGI :) > > 4. httpd/CGId should never run as root, nor "apache". Sandbox each > > application into its own user. > > And its own jail. Jails with ZFS are dirt cheap. For goodness of jail with ZFS we need fixing unionfs and devfs.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20140926123803.GA30925>