Secure Coding mailing list archives
RE: virtual server - security
From: "Dave Paris" <dparis () w3works com>
Date: Wed, 31 Mar 2004 16:48:09 +0100
comments interspersed below... Kind Regards, -dsp
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Serban Gh. Ghita Sent: Tuesday, March 30, 2004 4:05 AM To: [EMAIL PROTECTED] Subject: [SC-L] virtual server - security Hello I am banging my head on the table every day, because i cannot find an elegant and safe solution to secure a virtual shared environment (server). Take the following facts:
[...]
-no one has acces to shell, cronjobs or stuff like that, only 21 and 80
What's the point of the exercise if you're passing plaintext passwords across on port 21? At the very least, mandate SCP/SFTP on port 22.
-you dont want anyone to get out of his 'box' (eg /home/sasha/)
use 'chroot' jails
-you want to allow php, perl or other web languages to run safely
"PHP" and "run safely" in the same sentence? Have you perused Bugtraq lately?
and in the same time will _almost_ all features. -in php (because this is the one of the most user language for web - for mostly endusers), i have options like safe_mode, but if i activate that, many functions and features will not work. i know (because i tested) that the best solution is open_basedir, but i cannot create an restriction like that for each user, or at least i dont know how to do that.
That's primarily because PHP will let you shoot yourself in the head, as opposed to most languages which will only let you shoot yourself in the foot, or at least no higher than the knee. (snide commentary... unless it's a microsoft product, which seem to aim squarely for "the jewels")
My problem is that i tested some script-kiddies local exploits (php,perl) and the system is vulnerable, the user can get out of his box and see system files (etc/passwd, other dirs).
::feigns shock::
What are the options here. Any paper or book written about this?
Yes. Near daily bugtraq reports about why PHP is a darned good idea that made a left turn into a really bad neighborhood. The manpage for SCP/SFTP/SSH. The manpage for 'chroot'.
Current thread:
- virtual server - security Serban Gh. Ghita (Mar 30)
- Re: virtual server - security Scott Nemec (Mar 30)
- RE: virtual server - security Dave Paris (Mar 31)
- RE: virtual server - security jnf (Mar 31)
- RE: virtual server - security Dave Paris (Mar 31)
- Re: virtual server - use jail(8) on FreeBSD Paco Hope (Mar 31)
- RE: virtual server - security jnf (Mar 31)
- Re: virtual server - security Fernando Schapachnik (Mar 31)
- Re: virtual server - security Louis Solomon [SteelBytes] (Mar 31)
- Re: virtual server - security Frank Peters (Mar 31)
- <Possible follow-ups>
- RE: virtual server - security Jeremy Epstein (Mar 31)
- Re: virtual server - IPS Paco Hope (Mar 31)