Hi Alfred,

Thursday, April 6, 2006, 6:34:16 PM, you wrote:

AR> If they have access to any binary anywhere on the machine they could
AR> exploit the machine (this holds true for any binary you ever let a third
AR> party run and also have write access to).

No. Users may not overwrite any binary file via FTP. They also do not have SSH access to the machine. All they have is the server's console exposed via web with input and output, and FTP access. Thus we do not allow users to run any third-party binary.

The third-party software I did mention was the management components of our system. They are needed by us to run the servers. They are also needed in the jail environment by the management system.

Customers are granted access to other server files via FTP, and thanks to this vulnerability they are allowed to:

Example scenario:
--
1. Upload a text file, like cpp or any other program.
2. Compile it with g++ or gcc or with any other compiler available in the system.
3. Run the compiled program via the plugin system command.

Can you please add an option to the server that would disable this feature? We have tens of CSS servers running ... This would make our life so much easier.

best regards,
Adam Grzesko
[EMAIL PROTECTED]

