httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Slemko <ma...@worldgate.com>
Subject Re: anonymous CVS access
Date Wed, 30 Jul 1997 18:28:53 GMT
On Wed, 30 Jul 1997, Alexei Kosut wrote:

> On Wed, 30 Jul 1997, Marc Slemko wrote:
> 
> > Anyone can access the bugdb, anyone can do silly things to let people get
> > access to the system, once they have a shell they probably can get root
> > somehow.  Just a lot of little things that add up.  The Apache development
> 
> Really? I've got shells on a lot of systems... You mean to tell me I can
> get access to root on all of them? Wow. I never knew that. Please,
> explain further ;)

Certainly.  Just type "su" then enter the root password and you have root.
<g>

More seriously, the fact is that the first step in Unix security is
limiting who can access the box.  The second step is limiting what they
can do once they access the box.  The third step is using the locked safe
at the bottom of the ocean with no network concept.

On the typical Unix box I have a shell on, I can find some hole in some
progrma that will give me root.  For example, I got root (well, bin which
is 1/1000th of a step removed from root on most silly BSD systems with
most binaries owned by bin) on taz the other month from a pserver hole.
If I didn't have a shell, I couldn't have done that.  Well, not without
some access (eg. anonymous ftp upload area) to the filesystem.  That hole
is fixed now, but if I were hopelessly bored I would say it is pretty
likely I could find a buffer overflow, either known or new, in some setuid
program that would give me root.  No, it isn't easy and yes, it is beyond
most people but that isn't my concern.

Again, no slight to Brian intended.  Controlling who has access to the
machine to start with is an important first security step and that is not
being done as tightly right now (because Brian has every right to do what
he wants with his machine which, after all, isn't just for Apache) as it
could if there were a dedicated Apache development machine.


Mime
View raw message