Re: newbie with www user security problem

From: Stijn Hoop (stijn_at_win.tue.nl)
Date: 08/11/05

  • Next message: Ken Hawkins: "Re: newbie with www user security problem" 
    Date: Thu, 11 Aug 2005 17:04:34 +0200
To: jimmy@inet-solutions.be

    On Thu, Aug 11, 2005 at 04:54:10PM +0200, jimmy@inet-solutions.be wrote:
    > If the box in question was local secure, you don't have to worry that much.

    Correct of course, but seeing as the OP admitted to not knowing a lot about
    the administration of this machine, I don't think local security was very
    high.

    > If it's a long time since you've updated your base, are sloppy with passwords
    > on the box in question, haven't updated your daemons/setuid packages in weeks,
    > then the box should be concidered a total loss.
    >
    > Just think in terms as "what are the possible things I could do if my UID were
    > 'www'"

    There might be some less obvious things, especially if the base OS is
    as far behind as the phpBB installation.

    > I for example have webservers running in chroot, on a partition that is
    > nosuid, and starred out password for the user 'www'. The thing you
    > describing happens sometimes because users do not update there phpbb's
    > either. I'm not affraid since the kiddo would have the same access than a
    > customer, which I cannot trust either. If you don't know the box IS secure,
    > it isn't, there is a lot of work involved in keeping things like this
    > "under controle".

    Totally true, and good advice for setting up access for customers / etc.

    --Stijn 

    -- 
Coughlin's law: never show surprise, never lose your cool.
		-- Cocktail

  • Next message: Ken Hawkins: "Re: newbie with www user security problem"