Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
06-30-2003, 08:42 AM
#1
Member
Registered: May 2002
Location: Wales
Distribution: Slack 8.1, Gentoo 1.3a, Red Hat 7.3, Red Hat 7.2, Mandrake 8.2
Posts: 328
Apache user and disabling shell
Okay, just wondering: if the user you specify to run Apache as doesn't have /bin/bash but instead /bin/false as its shell, would this stop a system command sent in the URL of the browser being run on the server?
I am assuming that the anonymous user is logged in locally as the 'nobody' or 'webuser' account (limited access) that Apache runs as and thus has no access to the shell as it's set to /bin/false in /etc/passwd, thus can't run a system command.
Or am I completely wrong???
07-02-2003, 06:28 AM
#2
Moderator
Registered: May 2001
Posts: 29,415
You need an intermediary application to interpret the URI and execute the commands; Apache itself can't do that. The interpreting application (like Perl) will be run from one of the httpd child processes, running with the privileges for the Apache UID.
The /bin/false shell means it is a system account you can't log in to, but that does not prohibit http(s)d's child processes from running system commands.
If you want a quick checkup on the environment variables, limits etc., Google around for env_audit.
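The distinction drawn in the reply above, as an added example that is not part of the original thread: the passwd shell field is only executed by login-type programs (su -c, sshd), while a server child calling system(3) or popen(3) runs /bin/sh and never reads that field. The passwd line, its uid/gid/home and the function names are constructed for illustration; the demo runs under the current UID because the kernel does not consult /etc/passwd on exec.

```python
import os
import shutil
import subprocess

# Path of the "false" binary; the thread uses /bin/false.
FALSE_SHELL = "/bin/false" if os.path.exists("/bin/false") else shutil.which("false")

# Constructed passwd(5) entry for the thread's 'webuser' account
# (uid, gid, comment and home directory are made up for this example).
SAMPLE_PASSWD_LINE = f"webuser:x:1500:1500:Apache worker:/var/www:{FALSE_SHELL}"


def parse_passwd_line(line):
    """Split one passwd(5) record into its seven colon-separated fields."""
    name, _pw, uid, gid, _gecos, home, shell = line.rstrip("\n").split(":")
    return {"name": name, "uid": int(uid), "gid": int(gid),
            "home": home, "shell": shell}


def login_path(entry, command):
    """What su -c and sshd do: exec the account's passwd shell with -c.
    With /bin/false the command is never interpreted and the exit code is non-zero."""
    proc = subprocess.run([entry["shell"], "-c", command],
                          capture_output=True, text=True)
    return proc.returncode, proc.stdout.strip()


def server_child_path(command):
    """What system(3)/popen(3) inside a CGI or PHP script do: exec /bin/sh -c.
    The passwd shell field is not read on this path, and $SHELL is ignored too."""
    env = dict(os.environ, SHELL=FALSE_SHELL)
    proc = subprocess.run(["/bin/sh", "-c", command],
                          capture_output=True, text=True, env=env)
    return proc.returncode, proc.stdout.strip()


if __name__ == "__main__":
    account = parse_passwd_line(SAMPLE_PASSWD_LINE)
    print("login path :", login_path(account, "echo ran"))
    print("child path :", server_child_path("echo ran"))
```

The takeaway for hardening is that the shell field blocks interactive logins only; limiting what the web server's children can execute has to happen in the interpreter configuration and file permissions.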
07-02-2003, 03:36 PM
#3
Member
Registered: May 2002
Location: Wales
Distribution: Slack 8.1, Gentoo 1.3a, Red Hat 7.3, Red Hat 7.2, Mandrake 8.2
Posts: 328
Original Poster
Cheers UnSpawn.
I'm going to use PHP so I'll probably turn on safe mode and global vars off. I assume this is the most secure setup for it.
I've disabled CGI during ./configure and didn't compile Perl support so hopefully this means that the server is relatively secure at the application level.
All times are GMT -5. The time now is 12:30 PM.