I really don't see why one should prohibit listening on a port!
if you don't want users other than root doing anything, remove
all accounts but root. but then all your programs will run as
root. so you are finally in a worse state of affairs.

  ok, the guy could write to /tmp. but heh, he could connect on your
webserv and "run" a cgi script! you're not going to disable connections
to your web server or disable your cgis?

ok the guy could run inetd. but if they can write a file, they could run
"rm -rf /". yes, that fails, but running inetd also failed, no?
so what's the problem? they can also run "pwd". as long as
it doesn't hurt, let 'em do whatever they want...

the real problem here is that they did something they were not
supposed to do, use the cgi script to write a specific inetd.conf
file. so, fix the cgi script. yes, it's a hard job to audit all cgis,
but heh, there's probably one that allows him to delete the
whole httpd files, given that the cgis are executed with the credentials
of the server, and that the files are (generally) owned by the server.

cheers,
mouss
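The post's last point is the one a defender can act on: CGI scripts run with the web server's credentials, so any file or directory that uid can write is within reach of a buggy script. The following is an added example (not part of the original post or of any FreeBSD tool) that audits a document root for entries the server identity could modify. It assumes the server runs as uid 80 / gid 80 (the `www` user on FreeBSD), which is an assumption, and it includes a constructed sample listing so it runs offline; `scan_tree` builds the same listing from a real directory.

```python
import os
import stat
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass
class Entry:
    """One filesystem object: path, owner uid, group gid, permission bits only."""
    path: str
    uid: int
    gid: int
    mode: int  # stat.S_IMODE(st_mode), i.e. the rwx bits without the type bits


def writable_by(entry: Entry, uid: int, gids: Set[int]) -> bool:
    """True if a process running as `uid` (member of `gids`) could write `entry`.

    Follows the ordinary Unix discretionary check: root always wins, then the
    owner bits apply if we own it, then the group bits if we are in its group,
    otherwise the 'other' bits.  A writable *directory* matters as much as a
    writable file, because it lets the server create or unlink entries in it.
    """
    if uid == 0:
        return True
    if entry.uid == uid:
        return bool(entry.mode & stat.S_IWUSR)
    if entry.gid in gids:
        return bool(entry.mode & stat.S_IWGRP)
    return bool(entry.mode & stat.S_IWOTH)


def audit(entries: Iterable[Entry], server_uid: int, server_gids: Set[int]) -> List[str]:
    """Return the paths the web server identity could modify or delete."""
    return [e.path for e in entries if writable_by(e, server_uid, server_gids)]


def scan_tree(root: str) -> List[Entry]:
    """Build Entry records from a real directory tree (lstat, no symlink following)."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            found.append(Entry(p, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode)))
    return found


# Constructed sample listing (assumption: server is uid/gid 80 like FreeBSD's www).
SERVER_UID = 80
SERVER_GIDS = {80}
SAMPLE = [
    Entry("/usr/local/www/data/index.html", 0, 0, 0o644),      # root-owned, read-only: fine
    Entry("/usr/local/www/data/upload", 80, 80, 0o755),        # owned by www: www can write
    Entry("/usr/local/www/cgi-bin/form.cgi", 0, 80, 0o775),    # group www writable: bad
    Entry("/usr/local/www/data/tmp.txt", 1001, 1001, 0o666),   # world writable: bad
    Entry("/usr/local/etc/inetd.conf", 0, 0, 0o644),           # not reachable by www
]


def audit_sample() -> List[str]:
    """Run the audit over the constructed sample; used by the usage line below."""
    return audit(SAMPLE, SERVER_UID, SERVER_GIDS)


if __name__ == "__main__":
    # Usage against a live tree: python3 audit_docroot.py  (edit ROOT as needed)
    for path in audit_sample():
        print("server-writable:", path)
```

The remedy the post implies falls out of the output: served content and CGI binaries should be owned by root (or a deploy user) and be read-only for the server identity, with only the directories that genuinely need server writes (upload spools, session stores) left writable, and nothing there that is executed or served as code.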



To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
