Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
12-29-2003, 03:07 AM
#1
Member
Registered: Jul 2003
Location: Japan
Distribution: Mandrake
Posts: 53
Is it safe to set /var to chmod 777?
Hello all, I want to install bbclone on my server. The software requires /var and all subdirectories to have 777 permissions; I wonder if it would be safe to do so. Thanks in advance.
12-29-2003, 03:40 AM
#2
Senior Member
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
What?!?!?! That would let all users write and delete logs (/var/log)! Also, if you have named (BIND) configured, the zone files are most likely in /var/named (which could then be modified by users). Oh, and /var/run stores PID files used by daemons to keep track of whether they're already running... Oh, and /var/spool/mail and /var/spool/cron... I could go on forever. Suffice it to say: NO, that is NOT SAFE.
What the heck kind of software requires those permissions? That's insane! No correctly written software should ever require anything like that.
12-29-2003, 03:54 AM
#3
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
I actually had the same response and I couldn't believe it, so I checked the install howto for bbclone, and it does indeed require 777 settings for all the dirs in /var (666 for all the files). I'd have to second chort's feelings that it's crazy to do that. You'd be allowing anyone to read and edit any of the system logs as well as modify any files in webserver directories, CGI scripts, etc. You should really think twice before installing that.
12-29-2003, 04:21 AM
#4
Member
Registered: Jul 2003
Location: Japan
Distribution: Mandrake
Posts: 53
Original Poster
Thank you very much, guys, for your replies. I hope this helps other people to think twice before installing bbclone.
12-31-2003, 04:00 AM
#5
Senior Member
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Hopefully this bbclone thing isn't very popular, because that's just an instant rooted box waiting to happen. All you need is one little slip-up on the webserver that lets you write to an arbitrary file, and BOOM. You could write to any files you know are going to be executed or scanned for parameters, like if you have your named.conf in /var/named, or if httpd.conf is in /var/www somewhere, or any number of other things. Oh, the most blatantly obvious would just be to write to root's crontab. That would just be INSTANT total ownage. Just from one tiny slip-up anywhere... httpd would be the most obvious, but perhaps even a malicious mail message could exploit it, depending on what agent is being used to read the mail spool.
Someone should report this junk to BugTraq. That is definitely not software that anyone should be installing.
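The replies above describe what "777 on every directory, 666 on every file" under /var does: logs, cron spools, mail spools and daemon PID files become writable by any local account or any compromised web process. The following script is an added example (not part of the thread and not bbclone's code) showing how an administrator can find such entries and undo them. It assumes a POSIX sh with the standard find, chmod and mktemp utilities; the miniature /var it builds in a temp directory is constructed for the demonstration. Directories that carry the sticky bit, such as /var/tmp, are world-writable on purpose and are left alone.

```shell
#!/bin/sh
# Added example, not from the thread: audit a directory tree for the kind of
# world-writable entries that "chmod -R 777 /var" creates, then strip the
# world-write bit again. Sticky-bit directories (e.g. /var/tmp) are skipped
# because they are world-writable by design.

# audit_world_writable DIR: print every file or directory under DIR that is
# world-writable (o+w) and does not carry the sticky bit, one path per line.
audit_world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 ! -perm -1000 | sort
}

# count_world_writable DIR: number of offending entries under DIR.
count_world_writable() {
    audit_world_writable "$1" | wc -l | tr -d ' '
}

# harden_world_writable DIR: remove only the world-write bit from every
# offending entry; owner/group permissions and sticky directories are untouched.
harden_world_writable() {
    audit_world_writable "$1" | while IFS= read -r path; do
        chmod o-w "$path"
    done
}

# make_sample_var: build a constructed miniature /var in a temp directory,
# with the permissions the bbclone howto asks for applied to the spool part.
# Prints the temp directory path.
make_sample_var() {
    base=$(mktemp -d)
    mkdir -p "$base/log" "$base/run" "$base/tmp" "$base/spool/cron"
    : > "$base/log/messages"
    : > "$base/spool/cron/root"
    chmod 755 "$base/log" "$base/run"           # normal defaults
    chmod 644 "$base/log/messages"
    chmod 1777 "$base/tmp"                      # sticky bit: legitimate o+w
    chmod 777 "$base/spool" "$base/spool/cron"  # "777 on all directories"
    chmod 666 "$base/spool/cron/root"           # "666 on all files"
    printf '%s\n' "$base"
}

# Demonstration: audit the constructed tree, harden it, audit again.
demo=$(make_sample_var)
echo "World-writable, non-sticky entries before hardening:"
audit_world_writable "$demo"
harden_world_writable "$demo"
echo "Entries left after hardening: $(count_world_writable "$demo")"
rm -rf "$demo"
```

Against a real system you would run `audit_world_writable /var` first and review the list before letting `harden_world_writable` touch anything; the find expression reports the three spool entries in the sample and nothing under the sticky tmp directory, and after hardening the count drops to zero while tmp keeps its 1777 mode.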