Don't give them shell access, and don't let them ftp to the server. Make them email you all the changes so you can browse for bad code. Then you can upload the changes. You will get tired of that real quick. Other than this method there is always a what if factor selinux,chroot, virtual server etc... Even if they do upload a bad script they shouldn't have perms to do anything. You could allow the apache user to rm -rf /* and nothing would happen if setup correctly.
>>> Stephen Le <[EMAIL PROTECTED]> 11/09/04 5:16 PM >>> On Mon, 8 Nov 2004 09:28:10 -0900, Christopher Swingley <[EMAIL PROTECTED]> wrote: > Make symbolic links between allowed commands and '/usr/local/rbin' > > As I said before, this is just a simple attempt to reduce priviledge. > There are undoubtably ways around it, some easier than others depending > on what's in /usr/local/rbin. This won't prevent users from executing banned commands with Perl scripts called by Apache. I'm opposed to using rbash for this reason and because some users might want to use a non-bash shell. -Stephen Le -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
