On Sun, 28 Apr 2002 01:50, Joerg Jaspert wrote:
> > Someone who breaks it will only be able to run "ls" and can't write to
> > any file. The only raised priviledge level of the FTP server is the
> > ability to log to syslog.
> Hmm, muddleftpd is out then. It has its own logging :)
I could easily change the policy to allow it to create files under /var/log,
have them automatically transition to a new type that is only writable by the
FTP server and then only allow it append access (not write, truncate, or
delete). That would be about 5 minutes work.
> > One of my future plans is to write some sample exploitable programs and
> > exploit programs for them, then I can demonstrate how such programs allow
> > root exploits on unprotected systems but don't allow anything on SE
> > systems.
> Hmm, sounds nice.
> This Linuxtag has a very good site: I get a full configured Debian SE
> System. (And i kill you if you rm -rf / that on 9. Juni ! ) :))
If I wanted to be nasty I'd leave you with only the root password, without a
password for the sysadm_r role you can't do anything (root on SE Linux has
less privs than a regular user on a regular Linux machine). ;)
-- If you send email to me or to a mailing list that I use which has >4 lines of legalistic junk at the end then you are specifically authorizing me to do whatever I wish with the message and all other messages from your domain, by posting the message you agree that your long legalistic sig is void.
-- To UNSUBSCRIBE, email to email@example.com with a subject of "unsubscribe". Trouble? Contact firstname.lastname@example.org
This archive was generated by hypermail 2.1.3 : Sun Apr 28 2002 - 02:47:51 CEST