Date: Tue, 26 Jul 2005 22:44:34 +0200 From: Thomas Krause <freebsd-isp@chef-ingenieur.de> To: freebsd-isp@freebsd.org Subject: Re: preventing a user to start a process Message-ID: <42E6A0B2.1030308@chef-ingenieur.de> In-Reply-To: <008901c59208$0f05d000$7201a8c0@guinness> References: <42E66986.4080004@chef-ingenieur.de> <6B57C9BC-0815-4854-996A-F6AD3765DFEB@oxeo.com> <008901c59208$0f05d000$7201a8c0@guinness>
next in thread | previous in thread | raw e-mail | index | archive | help
Gustavo A. Baratto schrieb: > Although jailing is a good thing, I don't think it will prevent unwanted > processes to be spawned, if php allows it. And having writable > directories mounted noexec doesn't help much either, because one can > just run: > /usr/bin/sh /path/to/writable/dir/script.sh > > Since most of the times script kiddies use /tmp or /var/tmp (which are > usually noexec) to upload their scripts, the sh or perl binaries are > located in file systems that allow execution. > > So, you can either tell php not to spawn processes (safe_mode or > disable_functions), or to have all file systems in contact with php > mounted noexec (not just the writable directories). This will probably > make your life hell. Or even disallow any kind of uploads in php (which > is not very effective against code execution, as a bug in your code > could allow execution like phpBB exploit a while ago). > > If you cannot do any of these because you require the functionality, you > can write a cron'ed script that checks for processes owned by www that > are running for a certain period of time and are not the apache. You can > either kill these processes or e-mail yourself, and then you take an > action. I think, I should do so. But how to identify the process? The ircd was renamed to "sh", to make it harder to find in the process list. It should be possible with the PGID (from /var/run/httpd.pid) and the UID. Does anyone know a usable (or recyclable) script for that job? Regards, Thomas. > > Cheers > > ----- Original Message ----- From: "Adam Jacob Muller" <adam@oxeo.com> > To: "Thomas Krause" <freebsd-isp@chef-ingenieur.de> > Cc: "David Hogan" <david@fundamentalit.com>; <freebsd-isp@freebsd.org>; > "'Gustavo A. Baratto'" <gbaratto@superb.net> > Sent: Tuesday, July 26, 2005 9:59 AM > Subject: Re: preventing a user to start a process > > >> Pretty much the only "secure" option is to either >> A. run in a chroot jail >> B. run with any writable directories mounted noexec >> or if your really paranoid, do both >> >> Adam >> >> >> On Jul 26, 2005, at 12:49 PM, Thomas Krause wrote: >> >>> >>> >>> David Hogan schrieb: >>> >>>>> -----Original Message----- >>>>> From: owner-freebsd-isp@freebsd.org [mailto:owner-freebsd- >>>>> isp@freebsd.org] >>>>> On Behalf Of Thomas Krause >>>>> >>>> >>>> >>>>> I've searched all php-files for the system()-funktion - it's not >>>>> possible for me do disable this function. >>>>> >>>> Can't you just use the 'disable_functions =' option in php.ini to >>>> disable >>>> the php functions that can be used to spawn processes ? >>>> You could use it to disable at least the following functions: >>>> system() >>>> exec() >>>> passthru() >>>> popen() >>>> pcntl_exec() >>>> shell_exec() >>>> >>> >>> Unfortunately, that is not possible. E.g. typo3 calls Imagemagick, >>> so I need system(). >>> >>> Regards, >>> Thomas. >>> _______________________________________________ >>> freebsd-isp@freebsd.org mailing list >>> http://lists.freebsd.org/mailman/listinfo/freebsd-isp >>> To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org" >>> >> > > _______________________________________________ > freebsd-isp@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-isp > To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?42E6A0B2.1030308>