On Mon, Jun 22, 2009 at 09:32:56PM +1200, Richard Toohey wrote:
> The solution, like the problem, lies in the network layer. See iptables
> and similar network stack filters to provide protection against this
> vector.
>
> Seems like they (and you) are saying Apache is not the place for the
On Mon, Jun 22, 2009 at 08:31:01PM +1200, Richard Toohey wrote:
> On 20/06/2009, at 8:24 AM, Peter van Oord van der Vlies wrote:
>
>> Hi,
>>
>> Today some pages are publishing news about an Apache DoS tool, for
>> example (http://isc.sans.org/diary.html?storyid=6601) and
>> http://ha.ckers.org/
      cp -f "$i" "$CHROOT/$i"
    fi
  done
else
  echo "composite not found."
  exit 1
fi
# Copy the identify binary and its shared libraries into the chroot.
IDENTIFY=$(which identify | awk '{print $1}')
if [ -n "$IDENTIFY" ] && [ -x "$IDENTIFY" ]; then
  cp -f "$IDENTIFY" "$CHROOT/$IDENTIFY"
  # OpenBSD ldd output: column 3 is the object type, column 7 the path.
  for i in $(ldd "$IDENTIFY" | awk '{if ($3 == "rlib") {print $7}}'); do
    if [ -f "$i" ]; then
      cp -f "$i" "$CHROOT/$i"
    fi
  done
else
  echo "identify not found."
  exit 1
fi
HTH,
Aiko
--
Aiko Barz <[EMAIL PROTECTED]>
Web: http://www.haeckser.de
the chroot.
4. I removed mod_php and mod_perl and set the Apache directives "User",
"Group", "AddHandler cgi-script" and "Options +ExecCGI".
Now, every PHP-script has the permissions 700 and gets executed with its
own $UID. I feel much better now. :)
Hi *,
I use OpenBSD+Apache+Chroot for my webservices. The users can access
their vhosts by using scponly, which is chrooted into /var/www as
well.
/htdocs/www.example.net belongs to theuser:www and has the
permissions rwxr-x---.
The issue: If my users start to install a php-Filebrowser, they ar
able some users to access the www directory on my OpenBSD webserver
by scponly. Maybe you can use some parts of it.
#!/bin/sh
#
# Written by Aiko Barz
#
altroot="/var/www"
USERSHELL="/opt/sbin/scponlyc"
function checkChroot
{
##
# Hierarchy
##
if [ ! -d "
LIB in $(ldd $RUBY | awk '{if ($3 == "rlib") {print $7}}'); do
cp -f $LIB $WWW/$LIB
done
# cp hints
cp -f /var/run/ld.so.hints $WWW/var/run/ld.so.hints
I have got one more script that fixes ImageMagick which is needed by
Typo3.
Bye,
Aiko
--
Aiko Barz <[EMAIL PROTECTED]>
Web: http://www.haeckser.de
Tomasz Pajor wrote:
> Could you please attach a patch.
Would you trust me? :)
Simply use the patch from Robert Nagy. Look at Makefile.inc and change
V= 5.1.3
into
V= 5.1.4
Now you should correct or simply remove the distinfo file. Happy
updating. :)
Bye,
Aiko
--
A
fault (11)
So, I would be really happy if your patch enters OPENBSD_3_9...
Bye,
Aiko
PS.: I tested the hardened PHP with the default apache webserver.
[1]: http://www.wordpress.org
[2]: http://www.squirrelmail.org
--
Aiko Barz <[EMAIL PROTECTED]>
Web: http://www.haeckser.de
cked the code.)
I didn't check older versions of maildrop. Maybe I could use the
ldap-port of maildrop but I'm completely on my own then. No more updates...
Bye,
Aiko
--
Aiko Barz <[EMAIL PROTECTED]>
Web: http://www.haeckser.de
t admins do because it's much easier to administrate. But
I like the idea of running each process with its own uid. I spent a lot
of time making this work. CGIs and cronjobs are written in C, for example.
Currently, I'm figuring out if it is possible for me to write my own filter.
Bye,
the environment variables which are provided by qmail-local
($USER, $HOME). (This is safe for me because chuid gets called before
executing maildrop. I'm not happy with this solution.)
Another solution would be something like nsswitch. Are there any plans
to implement something like this?
Bye,
different kinds.
I also would like to appreciate the fast response time and the good will
to help whenever I had a problem.
To keep it short: Thnx and don't get featuritis. ;)
Bye,
Aiko
--
Aiko Barz <[EMAIL PROTECTED]>