Re: newbie with www user security problem
From: Stijn Hoop (stijn_at_win.tue.nl)
Date: Thu, 11 Aug 2005 17:04:34 +0200 To: firstname.lastname@example.org
On Thu, Aug 11, 2005 at 04:54:10PM +0200, email@example.com wrote:
> If the box in question was local secure, you don't have to worry that much.
Correct of course, but seeing as the OP admitted to not knowing a lot about
the administration of this machine, I don't think local security was very
> If it's a long time since you've updated your base, are sloppy with passwords
> on the box in question, haven't updated your daemons/setuid packages in weeks,
> then the box should be concidered a total loss.
> Just think in terms as "what are the possible things I could do if my UID were
There might be some less obvious things, especially if the base OS is
as far behind as the phpBB installation.
> I for example have webservers running in chroot, on a partition that is
> nosuid, and starred out password for the user 'www'. The thing you
> describing happens sometimes because users do not update there phpbb's
> either. I'm not affraid since the kiddo would have the same access than a
> customer, which I cannot trust either. If you don't know the box IS secure,
> it isn't, there is a lot of work involved in keeping things like this
> "under controle".
Totally true, and good advice for setting up access for customers / etc.
-- Coughlin's law: never show surprise, never lose your cool. -- Cocktail
- application/pgp-signature attachment: stored