Q: A question of security vulnerability

Jim Choate ravage at einstein.ssz.com
Sat May 10 07:12:57 PDT 2003


On Sat, 10 May 2003, Thomas Shaddack wrote:

> For a limited set of specific tasks, there is a workaround. Have a
> directory to which the user has write access, have a script run every
> minute or every 5 minutes or so from crontab that checks if there is a
> file with specified name there, and if so, do an action and erase the
> file.
>
> I solved the problem when one of our programmers needed to occasionally
> restart Apache to which he did not have the rights. Instead of messing
> with sudo and taking the risk, he now just has to do "touch
> /var/cmd/apacherestart" and in the next couple of minutes it gets done.
>
> This trick can be used even for passing commands, which then can be put
> into the file (echo "commands" > /var/cmd/whatevercommandfile) and the
> script then reads them from there (and checks the syntactical validity
> of the arguments to prevent eventual attack through this route).

I've used that sort of approach as well.

With regard to the sh wrapper I mentioned earlier, I like chroot for that
sort of stuff. One approach is that when the user executes the sh -c, the
sh wrapper creates a well-known chroot sequence and perhaps copies
information from the live file system into the chroot jail. Lets the
user make mods, and when the "foo" command quits the script can then
evaluate the results (for example, grepping for changes to itself in all
files in the chroot jail). Assuming it looks ok it can cp the changes back
to the live filesystem and away you go.

> Should be bulletproof.

I -never- make that claim ;)


 --
    ____________________________________________________________________

      We are all interested in the future for that is where you and I
      are going to spend the rest of our lives.

                              Criswell, "Plan 9 from Outer Space"

      ravage at ssz.com                            jchoate at open-forge.org
      www.ssz.com                               www.open-forge.org
    --------------------------------------------------------------------
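
As an added worked example (not code from either poster), here is the privileged cron-side half of the drop-directory scheme discussed above, written as a POSIX sh script. It walks a directory the unprivileged user can write to, treats each file name as a request, accepts only names on a fixed allow-list, and for requests that carry an argument reads only the first line of the file and accepts it only if it is a short plain token that is itself on an allow-list or matches a strict pattern. The directory /var/cmd, the request names (apacherestart, restart, reload, rotate), the service names and the logrotate path are illustrative assumptions; DRY_RUN=1 (the default here) prints the command that would run instead of running it.

```shell
#!/bin/sh
# Added example, not code from the thread: a root-owned cron job that polls a
# drop directory for request files left by an unprivileged user and acts only
# on an allow-list. /var/cmd, the request names, service names and the
# logrotate path are illustrative assumptions.
#
# Deployment assumptions (not enforced by this script): the drop directory is
# owned by root, writable by the developer's group and sticky (mode 1770), and
# root's crontab runs something like
#   */5 * * * * DRY_RUN=0 /usr/local/sbin/dropbox-run /var/cmd >>/var/log/dropbox.log 2>&1
set -u

DRY_RUN="${DRY_RUN:-1}"   # 1: print the command that would run; 0: run it

run() {                   # run an argv; never hand a string to sh -c
    if [ "$DRY_RUN" = 1 ]; then
        echo "run: $*"
    else
        "$@"
    fi
}

# $1 = request (the file name), $2 = first line of the file (the argument).
# Returns 2 for an unknown request or a refused argument; otherwise the
# action's own exit status. Nothing from the file is ever interpreted by a
# shell: it is either matched exactly or used as one fixed argv element.
handle_request() {
    case "$1" in
        apacherestart)                       # flag file: contents ignored
            run apachectl graceful ;;
        restart|reload)                      # argument must be on the allow-list
            case "$2" in
                postfix|nginx) run service "$2" "$1" ;;
                *) return 2 ;;
            esac ;;
        rotate)                              # free-form token, strictly shaped:
            case "$2" in                     # no empty, no leading dot (.. included),
                ""|.*|*[!A-Za-z0-9._-]*) return 2 ;;   # no / or shell metacharacters
            esac
            run logrotate -f "/etc/logrotate.d/$2" ;;
        *) return 2 ;;                       # unknown request name
    esac
}

# Process and delete every entry in the drop directory exactly once.
# Dot-files are never seen by the glob and so are never requests.
process_drop_dir() {
    dir=$1
    for f in "$dir"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue      # empty dir: glob stays literal
        name=${f##*/}
        # Refuse symlinks and anything that is not a regular file before reading
        # it: a symlink could point root at a file the user cannot read and have
        # its first line echoed into the log or passed as an argument.
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            echo "refused $name: not a regular file"
            rm -f "$f" || echo "could not remove $name"
            continue
        fi
        arg=
        IFS= read -r arg < "$f" || :                # first line only
        # Delete before acting, so a slow action is not fired again by the next
        # cron run and refused files do not pile up.
        rm -f "$f" || echo "could not remove $name"
        if [ "${#arg}" -gt 64 ]; then
            echo "refused $name: argument too long"
            continue
        fi
        if handle_request "$name" "$arg"; then
            echo "done $name${arg:+ $arg}"
        else
            rc=$?
            if [ "$rc" -eq 2 ]; then
                echo "refused $name"
            else
                echo "failed $name (status $rc)"
            fi
        fi
    done
    return 0
}

# Stand-alone use: dropbox-run /var/cmd
if [ $# -gt 0 ]; then
    process_drop_dir "$1"
fi
```

The checks here are the ones the quoted reply alludes to when it says the script "checks the syntactical validity of the arguments": the file's contents are never handed to a shell, non-regular files are refused before being read, each file is removed before its action runs, and an argument is accepted only when it matches a fixed allow-list or a strict token pattern rather than merely being sanitised. Since the whole thing runs as root, that allow-list is the entire security boundary; every request the user can trigger should be one you would also be willing to put in a sudoers line.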

More information about the cypherpunks-legacy mailing list