LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 06-30-2003, 08:42 AM   #1
dai
Member
 
Registered: May 2002
Location: Wales
Distribution: Slack 8.1, Gentoo 1.3a, Red Hat 7.3, Red Hat 7.2, Manrake 8.2
Posts: 328

Rep: Reputation: 30
Apache user and disabling shell


Okay just wondering if the user you specify to run Apache as doesent have /bin/bash but instead /bin/false as its shell would this stop a system command sent in in the url of the browser being run on the server.

I am assuming that the annonymous user is logged in locally as the 'nobody' or 'webuser' account (limited access) that Apache runs as and thus has no access to the shell as its set to /bin/false in /etc/passwrd thus cant run a system command.

or am i completely wrong???
 
Old 07-02-2003, 06:28 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
You need an intermediary application to interprete the URI and execute the commands, Apache itself can't do that. The interpreting application (like Perl) will be run from one of the httpd child processes, running with the privileges for the Apache UID.
The /bin/false shell means it is a system account you can't login to but that does not prohibit http(s)d's child processes to run system commands.

If you want a quick checkup on the environment variables, limits etc, Google around for env_audit.
 
Old 07-02-2003, 03:36 PM   #3
dai
Member
 
Registered: May 2002
Location: Wales
Distribution: Slack 8.1, Gentoo 1.3a, Red Hat 7.3, Red Hat 7.2, Manrake 8.2
Posts: 328

Original Poster
Rep: Reputation: 30
Cheers UnSpawn.

Im going to Use PHP so I'll probably turn on safe mode and global vars off. I assume this is the most secure setup for it.

Ive disabled CGI during ./configure and didnt compile Perl Support so hopefully this means that the server is relatively secure at the application level.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Disabling single user when booting carcassonne Linux - Security 6 07-21-2005 02:55 PM
Disabling proxy in apache server himanshuabc Linux - Networking 0 09-12-2004 01:53 PM
where is "user apache" shell log? mikejrm Linux - Security 2 09-05-2003 03:29 AM
disabling user accounts via command line n1wil Linux - Security 3 07-25-2003 05:11 PM
user interaction disabling? dafri Linux - General 2 07-20-2003 05:39 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 12:30 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration