On Thu, Sep 25, 2014 at 11:57:38 -0500, Bryan Drewery wrote:
> 1. Do not ever link /bin/sh to bash. This is why it is such a big
> problem on Linux, as system(3) will run bash by default from CGI.

I would think that this would cause other, more fundamental, issues. FreeBSD's systems don't expect /bin/sh to be bash, and I wouldn't be surprised if they break for whatever reason.

> 2. Web/CGI users should have shell of /sbin/nologin.
> 3. Don't write CGI in shell script / Stop using CGI :)
> 4. httpd/CGId should never run as root, nor "apache". Sandbox each
> application into its own user.

And its own jail. Jails with ZFS are dirt cheap.

-- 
Chris Nehren
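An audit script for the first two points in the thread (whether /bin/sh resolves to bash, and whether the web/CGI accounts still have a login shell), added here as an example and not code from the list or from either poster. The function names, the account names `www`, `apache` and `cgi-app1`, and the passwd lines are all constructed for the example; the only external commands assumed are `readlink -f`, `basename` and `awk`.

```shell
#!/bin/sh
# Added example: host checks for the two hardening points above
# (not from the mailing-list thread).

# Return 0 if the shell at $1 resolves, through any symlink chain, to a bash
# binary; return 1 otherwise. Assumes readlink -f (GNU and BSD both have it).
sh_is_bash() {
    target=$(readlink -f "$1" 2>/dev/null || printf '%s' "$1")
    case "$(basename "$target")" in
        bash|bash[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read passwd(5)-format lines from stdin and print, one per line, each of the
# named accounts whose login shell (7th field) is NOT a nologin/false shell.
# Usage: printf '%s\n' "$passwd_data" | web_users_with_login_shell www apache
web_users_with_login_shell() {
    awk -F: -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) wanted[w[i]] = 1 }
        ($1 in wanted) && $7 !~ /\/(nologin|false)$/ { print $1 }
    '
}

# Constructed sample passwd data (not a real system): "apache" is the one
# web-facing account that was left with a real shell.
SAMPLE_PASSWD='root:*:0:0:root:/root:/bin/sh
www:*:80:80:World Wide Web Owner:/nonexistent:/sbin/nologin
apache:*:1001:1001:legacy CGI account:/home/apache:/bin/sh
cgi-app1:*:1002:1002:sandboxed CGI app:/home/cgi-app1:/usr/sbin/nologin'

# Live check of this host's /bin/sh, plus the sample data run through the
# account check. Informational only; the functions above are the reusable part.
if sh_is_bash /bin/sh; then
    echo "WARNING: /bin/sh resolves to bash; system(3) and popen(3) will run bash"
else
    echo "OK: /bin/sh does not resolve to bash"
fi
printf '%s\n' "$SAMPLE_PASSWD" | web_users_with_login_shell www apache cgi-app1 |
    sed 's/^/sample data: login shell still enabled for /'
```

To run the account check against a real host, replace the sample data with `getent passwd` (or `cat /etc/passwd`) piped into `web_users_with_login_shell` with the names of the accounts the httpd and its CGI programs actually run as; the script deliberately does not read the live passwd file so that it runs the same everywhere.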