'at' command and apache user
Robert Cates
robert at kormar.de
Fri Jun 17 18:12:39 UTC 2011
On 06/17/2011 01:56 PM, Tim wrote:
> Ed Greshko:
>>> Depending on the type of web pages you serve you may find there to be a
>>> buffer overflow vulnerability which gives an attacker a shell and allows
>>> them to execute arbitrary commands as "apache".
>>>
>>> I smell "danger Will Robinson"!
> Gary Stainburn:
>> You do have a valid point, but this is a non-public low-risk server used for
>> internal admin stuff.
> Though that may lead to complacency, and someone may find a way to cause
> you problems that you hadn't thought of. You are probably far better
> finding a way to run your command as some other user, triggered by your
> risky apache user.
>
> Generally, risky users are prevented from being able to run things for
> good reasons; and you're best not to shred your security blankets for
> the sake of convenience, now.
>
Thank you Ed, thank you Tim! I completely agree. Bad/risky practice
can easily carry over at some point to the danger zone, and I think it's
especially important to stress this view/point on mailing lists not that
somebody later will think this is a solution to their problem,
jeopardizing a productive system.
More information about the users
mailing list