On Fri, Feb 23, 2001 at 09:57:30AM -0500, Steve Rudd wrote:
> Hi! Steve Rudd with more "disconsolate mumbling" (great term <g>)
>
> So if I did publish a user name and password (not that I would) that had
> pop 3 and ftp access with no shell access and was restricted to public html
> directories, is that a risk to the rest of the system? A standard public
> box has hundreds of public users and passwords, so there is really very
> little difference between the $1000 contest of publishing the user name and
> passwd and not.
>
> Is this not secure?
>
> Steve
If someone finds a bug in your pop3 or ftp server daemon, and the bug is in
code that only runs after a user has logged in, then the only people at risk
will be those with anonymous FTP services, or silly people who publish
usernames and passwords :->

You always want to have multiple layers of security. One of these layers is
usually a bit of obscurity. The people who say "security by obscurity is bad"
mean that it is bad when it is the _only_ security measure. Keeping things
secret makes you a harder target, so crackers will be more likely to give up
before finding anything they can crack.

In theory, as long as you have everything set up to not trust the contents of
a user's public_html at all, you should be ok. If you allow execution of CGI
programs from public_html, then users will be able to execute code (probably
under their UID). Then you have to secure your machine against local
exploits. Obviously, you should do this anyway, but if crackers can run
arbitrary code (as a non-privileged user), then you will have to act really
fast to stop yourself from getting cracked whenever a new local exploit is
discovered.

Note that if you allow execution of arbitrary CGI programs, the CGI program
could do anything, including start a shell listening on a TCP port, or even
sshd, for someone to connect to. Allowing arbitrary CGI is equivalent to
giving public shell access.

--
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack my day
so wretchedly into small pieces!" -- Plautus, 200 BCE
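The point above about not letting public_html execute anything is easy to get wrong in an Apache configuration, because CGI can be switched on either directly (`Options ExecCGI`) or indirectly (an `AllowOverride` that lets the user's own `.htaccess` set `Options`). The following audit script is an added example, not code from the original mail or from the Apache project; it assumes Apache httpd's directive semantics (mod_cgi only runs scripts in a directory where ExecCGI is in effect, and `AllowOverride Options`/`All` lets `.htaccess` change Options) and scans constructed sample configuration fragments for a weak and a hardened `public_html` block.

```python
import re

# Constructed sample httpd.conf fragments (not taken from the original mail).
# The first one hands every user the "public shell access" the reply warns
# about; the second disables CGI and keeps users from re-enabling it.
WEAK_CONF = """
<Directory /home/*/public_html>
    Options Indexes FollowSymLinks ExecCGI
    AddHandler cgi-script .cgi .pl
    AllowOverride All
</Directory>
"""

HARDENED_CONF = """
<Directory /home/*/public_html>
    Options -ExecCGI -Includes -FollowSymLinks +SymLinksIfOwnerMatch
    AllowOverride AuthConfig Limit
    Require all granted
</Directory>
"""

DIRECTORY_RE = re.compile(r"<Directory\s+([^>]+)>(.*?)</Directory>", re.S | re.I)


def _tokens(body, directive):
    """Collect the argument tokens of every occurrence of a directive in a block."""
    out = []
    for line in body.splitlines():
        parts = line.split()
        if parts and parts[0].lower() == directive.lower():
            out.extend(parts[1:])
    return out


def audit_userdir(conf):
    """Return (path, finding) pairs for public_html <Directory> blocks whose
    settings would let a user run arbitrary code through the web server."""
    findings = []
    for match in DIRECTORY_RE.finditer(conf):
        path, body = match.group(1).strip().strip('"'), match.group(2)
        if "public_html" not in path:
            continue

        # Direct enablement: ExecCGI or Includes (SSI #exec) in Options.
        opts = [o.lstrip("+").lower() for o in _tokens(body, "Options")]
        if "execcgi" in opts:
            findings.append((path, "Options enables ExecCGI"))
        if "includes" in opts:
            findings.append((path, "Options enables server-side Includes (#exec)"))

        # Indirect enablement: .htaccess allowed to change Options.
        overrides = {o.lower() for o in _tokens(body, "AllowOverride")}
        if overrides & {"all", "options"} or any(
            o.startswith("options=") and "execcgi" in o for o in overrides
        ):
            findings.append((path, "AllowOverride lets .htaccess turn on ExecCGI"))

        # A cgi-script handler mapping inside the user tree is a red flag even
        # if ExecCGI is currently off, since it only needs Options to change.
        handlers = _tokens(body, "AddHandler") + _tokens(body, "SetHandler")
        if any(h.lower() == "cgi-script" for h in handlers):
            findings.append((path, "cgi-script handler mapped inside public_html"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_userdir(conf) or "no findings")
```

The hardened block also drops `FollowSymLinks` in favour of `SymLinksIfOwnerMatch`, so a user cannot symlink to files outside their own tree; that is a separate concern from CGI but belongs to the same "do not trust public_html" rule.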

