On Thu, Sep 25, 2014 at 03:35:55PM -0400, Chris Nehren wrote:
> On Thu, Sep 25, 2014 at 11:57:38 -0500, Bryan Drewery wrote:
> > 1. Do not ever link /bin/sh to bash. This is why it is such a big
> > problem on Linux, as system(3) will run bash by default from CGI.
>
> I would think that this would cause other, more fundamental,
> issues. FreeBSD's system don't expect /bin/sh to be bash,
> and I wouldn't be surprised if they break for whatever reason.
>
> > 2. Web/CGI users should have shell of /sbin/nologin.
> > 3. Don't write CGI in shell script / Stop using CGI :)
> > 4. httpd/CGId should never run as root, nor "apache". Sandbox each
> > application into its own user.
>
> And its own jail. Jails with ZFS are dirt cheap.

For goodness of jail with ZFS we need fixing unionfs and devfs.
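
A host check for points 1, 2 and 4 of the list quoted above, as an added example that is not part of the original thread. The function names and the account names passed in are assumptions, and /usr/sbin/nologin is accepted alongside the /sbin/nologin named in point 2.

```sh
#!/bin/sh
# Added example (not from the thread): audit helpers for points 1, 2 and 4.

# Point 1: succeed if the shell at path $1 is really bash, whatever it is
# named or linked as. bash sets BASH_VERSION even when invoked as "sh".
sh_is_bash() {
    [ -x "$1" ] || return 1
    [ -n "$("$1" -c 'printf %s "$BASH_VERSION"' 2>/dev/null)" ]
}

# Points 2 and 4: $1 is a passwd(5)-format file, the remaining arguments are
# the web/CGI service accounts to check (names are the caller's assumption).
# Prints one finding per line; prints nothing when every account passes.
audit_web_users() {
    passwd_file=$1; shift
    awk -F: -v users="$*" '
        BEGIN {
            n = split(users, list, " ")
            for (i = 1; i <= n; i++) want[list[i]] = 1
        }
        ($1 in want) {
            seen[$1] = 1
            # Point 4: the service must not run as root.
            if ($3 == 0) print $1 ": UID 0"
            # Point 2: no login shell for web/CGI accounts.
            if ($7 != "/sbin/nologin" && $7 != "/usr/sbin/nologin")
                print $1 ": login shell " $7
            # Point 4: each application gets its own user, so no shared UIDs.
            if ($3 in owner) print $1 ": shares UID " $3 " with " owner[$3]
            else owner[$3] = $1
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(list[i] in seen)) print list[i] ": no such account"
        }
    ' "$passwd_file"
}

# Example calls on a live host (account name "www" is an assumption):
#   sh_is_bash /bin/sh && echo "/bin/sh is bash"
#   audit_web_users /etc/passwd www
```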