Re: tainting system calls correctly

As a security measure, I think taint is a little beside the point if you are handing out shell accounts via a web form.

Please say you have some layers of approval, authorization and authentication above this! :)

After Compline,
Zaxo

Comment on Re: tainting system calls correctly

Replies are listed 'Best First'.
Re: Re: tainting system calls correctly by c (Hermit) on Apr 10, 2002 at 17:18 UTC
Not really shell accounts. If you notice the shell is set to /bin/false. Plus the script is only available to clients that have signed off on a lengthy contract agreement. To boot, its available through a strictly ssl connection that requires user/pass authorization. There are additional checks within the script to restrict touching UID less than 500, passing a group to a GID that is greater than 500. I know that there are plenty of issues that still need to be addressed, but I was just curious to see exactly why i am seeing it fail in my current situation. thanks -c	[reply]

Replies are listed 'Best First'.

Re: Re: tainting system calls correctly
by c (Hermit) on Apr 10, 2002 at 17:18 UTC

There are additional checks within the script to restrict touching UID less than 500, passing a group to a GID that is greater than 500.

I know that there are plenty of issues that still need to be addressed, but I was just curious to see exactly *why* i am seeing it fail in my current situation.

thanks -c

[reply]