perl-modperl mailing list archives

From Terrence Brannon <bauh...@metaperl.com>
Subject Re: setting up virtual hosts
Date Thu, 14 Jul 2005 23:34:08 GMT
Geoffrey Young <geoff@modperlcookbook.org> writes:

>>    Unfortunately, we have been hit by a [2]uselib() privilege elevation
>>    exploit. As a result, our sysadmins have decided that any CGI/mod_perl
>>    process has to run as a specific user instead of as www-data.
>
> I'll admit to not being the best SA or security-minded guy around, so maybe
> this is obvious to everyone but me.  nevertheless...  I've read through the
> exploit, but I don't follow how changing from one (single) user to other
> (multiple) users helps protect against that exploit. 

me either

> maybe there is some way to trace which specific user ended up doing
> improper root-ish things?  I guess that's a reason, though it's not
> protection.

yes, it certainly just lets us narrow down who led to it and nothing else.

>
> so, for the betterment of all, what am I missing?

nothing, as far as I can see :)

>
> --Geoff
>

-- 
	Carter's Compass: I know I'm on the right track when,
	   by deleting something, I'm adding functionality.

