publish a user passwd: $1000 hack reward!

2001-02-23 Thread Steve Rudd
Hi! Steve Rudd with more "disconsolate mumbling" (great term g) So if I did publish a user name and password (not that I would) that had pop 3 and ftp access with no shell access and was restricted to public html directories, is that a risk to the rest of the system? A standard public box has

Re[2]: Mac most secure servers?

2001-02-23 Thread Gaute Gullesen
On Thursday, February 22, 2001, 8:09:36 PM, andre wrote: I've used macs as servers for fairly large numbers of people working for a school district (k12 districts aren't into *nixes much yet, at least mine wasn't...). It ran webstar (httpd), eims (mail), quickdns pro, and netpresenz (ftpd).

Re: publish a user passwd: $1000 hack reward!

2001-02-23 Thread Peter Cordes
On Fri, Feb 23, 2001 at 09:57:30AM -0500, Steve Rudd wrote: Hi! Steve Rudd with more "disconsolate mumbling" (great term g) So if I did publish a user name and password (not that I would) that had pop 3 and ftp access with no shell access and was restricted to public html directories, is

Re: publish a user passwd: $1000 hack reward!

2001-02-23 Thread Steve Rudd
Peter Cordes said: If you allow execution of CGI programs from public_html, then users will be able to execute code (probably under their UID). Then you have to secure your machine against local exploits. Obviously, you should do this anyway, but if crackers can run arbitrary code (as a

Re: publish a user passwd: $1000 hack reward!

2001-02-23 Thread Rob Helmer
Yes. Normal users ( such as the www-data user that will execute the cgi script ) can open ports above 1024 and run whatever they want. You could do neat tricks like giving each user their own apache daemon and documentroot and everything, and using an apache or squid proxy to let the outside

Re: publish a user passwd: $1000 hack reward!

2001-02-23 Thread Peter Cordes
On Fri, Feb 23, 2001 at 12:12:39PM -0500, Steve Rudd wrote: Peter Cordes said: [...] Note that if you allow execution of arbitrary CGI programs, the CGI program could do anything, including start a shell listening on a TCP port, or even sshd, for someone to connect to. Allowing

Re: Separate telnet/email ssh users???

2001-02-23 Thread Ethan Benson
On Thu, Feb 22, 2001 at 10:50:57PM -0500, Bob Bernstein wrote: On Thu, 22 Feb 2001 13:43:55 -0500, Steve Rudd mumbled disconsolately: Why I could even post them on my root page and taunt hackers to try and break in with them! I could even offer a 1000 prize for anyone who can crack

publish a user passwd: $1000 hack reward!

2001-02-23 Thread Steve Rudd
Hi! Steve Rudd with more disconsolate mumbling (great term g) So if I did publish a user name and password (not that I would) that had pop 3 and ftp access with no shell access and was restricted to public html directories, is that a risk to the rest of the system? A standard public box has

Re[2]: Mac most secure servers?

2001-02-23 Thread Gaute Gullesen
On Thursday, February 22, 2001, 8:09:36 PM, andre wrote: I've used macs as servers for fairly large numbers of people working for a school district (k12 districts aren't into *nixes much yet, at least mine wasn't...). It ran webstar (httpd), eims (mail), quickdns pro, and netpresenz (ftpd). In

Re: publish a user passwd: $1000 hack reward!

2001-02-23 Thread Peter Cordes
On Fri, Feb 23, 2001 at 09:57:30AM -0500, Steve Rudd wrote: Hi! Steve Rudd with more disconsolate mumbling (great term g) So if I did publish a user name and password (not that I would) that had pop 3 and ftp access with no shell access and was restricted to public html directories, is

Re: publish a user passwd: $1000 hack reward!

2001-02-23 Thread Steve Rudd
Peter Cordes said: If you allow execution of CGI programs from public_html, then users will be able to execute code (probably under their UID). Then you have to secure your machine against local exploits. Obviously, you should do this anyway, but if crackers can run arbitrary code (as a

[gossi@OWNED.LAB6.COM: Sudo version 1.6.3p6 now available (fwd)]

2001-02-23 Thread Andres Salomon
This rather disturbs me, since I depend on sudo far too much.. - Forwarded message from Gossi The Dog [EMAIL PROTECTED] - Delivered-To: [EMAIL PROTECTED] Approved-By: [EMAIL PROTECTED] Delivered-To: [EMAIL PROTECTED] Delivered-To: bugtraq@securityfocus.com Date: Fri, 23 Feb 2001

Re: publish a user passwd: $1000 hack reward!

2001-02-23 Thread Rob Helmer
Yes. Normal users ( such as the www-data user that will execute the cgi script ) can open ports above 1024 and run whatever they want. You could do neat tricks like giving each user their own apache daemon and documentroot and everything, and using an apache or squid proxy to let the outside get

Re: publish a user passwd: $1000 hack reward!

2001-02-23 Thread Peter Cordes
On Fri, Feb 23, 2001 at 12:12:39PM -0500, Steve Rudd wrote: Peter Cordes said: [...] Note that if you allow execution of arbitrary CGI programs, the CGI program could do anything, including start a shell listening on a TCP port, or even sshd, for someone to connect to. Allowing arbitrary