bash vulnerability
Chris Nehren
cnehren+freebsd-security at pobox.com
Thu Sep 25 19:36:03 UTC 2014
On Thu, Sep 25, 2014 at 11:57:38 -0500, Bryan Drewery wrote:
> 1. Do not ever link /bin/sh to bash. This is why it is such a big
> problem on Linux, as system(3) will run bash by default from CGI.
I would think that this would cause other, more fundamental,
issues. FreeBSD's systems don't expect /bin/sh to be bash,
and I wouldn't be surprised if they break for whatever reason.
> 2. Web/CGI users should have shell of /sbin/nologin.
> 3. Don't write CGI in shell script / Stop using CGI :)
> 4. httpd/CGId should never run as root, nor "apache". Sandbox each
> application into its own user.
And its own jail. Jails with ZFS are dirt cheap.
--
Chris Nehren
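Items 1, 2 and 4 of the list quoted above, turned into a small POSIX sh audit. This is an added example, not code from the thread; the account names, process names and the sample passwd/ps data are constructed assumptions and should be tuned for the host being checked.

```sh
#!/bin/sh
# Audit for three of the hardening items discussed in the thread (added example).

# Item 1: is this shell binary really bash? bash sets BASH_VERSION even when
# invoked as "sh", so a /bin/sh symlinked to bash is caught here.
shell_is_bash() {
    [ -n "$("$1" -c 'printf %s "$BASH_VERSION"' 2>/dev/null)" ]
}

# Item 2: read passwd(5) lines on stdin and print "name:shell" for every
# account matching NAME_REGEX ($1) whose shell is not nologin.
web_accounts_with_shell() {
    awk -F: -v re="^(${1})\$" '
        $1 ~ re && $7 !~ /\/nologin$/ { print $1 ":" $7 }'
}

# Item 4: read "user command" lines (as from ps -axo user,comm) on stdin and
# print "user:command" for web server processes matching CMD_REGEX ($1) that
# run as root or as a shared web account instead of a per-application user.
shared_webserver_procs() {
    awk -v re="$1" '
        $2 ~ re && $1 ~ /^(root|www|apache)$/ { print $1 ":" $2 }'
}

# Constructed sample data (assumption, not captured from a real host).
SAMPLE_PASSWD='www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
cgi:*:1001:1001:CGI app user:/home/cgi:/bin/sh
apache:*:48:48:Apache:/var/www:/bin/bash
root:*:0:0:Charlie &:/root:/bin/csh'
SAMPLE_PS='root httpd
www httpd
app1 httpd
apache php-cgi
cnehren sshd'

# Run the audit: live check of /bin/sh, sample-data checks for the rest.
if shell_is_bash /bin/sh; then
    echo "/bin/sh is bash (item 1 fails)"
else
    echo "/bin/sh is not bash"
fi
echo "web accounts with a login shell:"
printf '%s\n' "$SAMPLE_PASSWD" | web_accounts_with_shell 'www|apache|httpd|cgi'
echo "web server processes on root or shared accounts:"
printf '%s\n' "$SAMPLE_PS" | shared_webserver_procs 'httpd|php-cgi'
```

Replace the sample data with `getent passwd` (or `cat /etc/passwd`) and `ps -axo user,comm` output to audit a live host.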