Francois Beausoleil
2006-Apr-13  01:02 UTC
[Rails] [OT] Is it safe to 'su' to the right user ?
Hi !

I'm using daemontools[1] to manage a few processes on my Debian box. Among other things, I use it to manage svnserve, because it uses less memory than Apache.

My /service/svnserve/run looks like this:

    #!/bin/sh
    su svn -c "/usr/local/bin/svnserve --foreground --daemon --root /var/svn"

Is it safe for me to run like that ? If an attacker cracks svnserve, what will they gain access to ? Since I su to svn, will the attacker gain svn's authorizations, or will they be able to gain root access ?

Thanks !
--
François Beausoleil
http://blog.teksol.info/

[1] http://cr.yp.to/daemontools.html
On Apr 12, 2006, at 6:02 PM, Francois Beausoleil wrote:

> Hi !
>
> I'm using daemontools[1] to manage a few processes on my Debian box.
> Among other things, I use it to manage svnserve, because it uses less
> memory than Apache.
>
> My /service/svnserve/run looks like this:
>
> #!/bin/sh
> su svn -c "/usr/local/bin/svnserve --foreground --daemon --root /var/svn"
>
> Is it safe for me to run like that ?

Only as safe as svnserve is.

> If an attacker cracks svnserve, what will they gain access to ?

Whatever svnserve has access to.

> Since I su to svn, will the attacker gain svn's authorizations, or
> will they be able to gain root access ?

They will gain svn's authorizations. They will be able to gain root access if there is an exploitable local privilege escalation vulnerability.

--
Eric Hodel - drbrain@segment7.net - http://blog.segment7.net
This implementation is HODEL-HASH-9600 compliant

http://trackmap.robotcoop.com
Does it have to be run with setuid? Normally the main reason for running a webserver as a sudoer is because root is needed for the use of a privileged port like '80'? If it is only a test server perhaps you could run from 8080?

-----Original Message-----
From: rails-bounces@lists.rubyonrails.org [mailto:rails-bounces@lists.rubyonrails.org] On Behalf Of Eric Hodel
Sent: 19 April 2006 23:31
To: rails@lists.rubyonrails.org
Subject: Re: [Rails] [OT] Is it safe to 'su' to the right user ?
Francois Beausoleil
2006-Apr-20  00:51 UTC
[Rails] [OT] Is it safe to 'su' to the right user ?
Hi !

2006/4/19, Luke Hinds <Luke.Hinds@mformation.com>:
> Does it have to be run with setuid?

svnserve itself uses port 3690. But, supervise, the process that spawns svnserve, runs as root. That is why I need to sudo to the right user.

Thanks to you and Eric !
--
François Beausoleil
http://blog.teksol.info/
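
Added example (not part of any message in this thread): a POSIX shell check for the point the thread turns on, whether the process started from the run script has fully dropped root. It reads the `Uid:` line of a Linux `/proc/<pid>/status` file; the numeric UID 105 for the svn user and the sample status excerpts are constructed assumptions.

```shell
#!/bin/sh
# Check that a supervised daemon runs with no root UID left anywhere.
# The "Uid:" line of /proc/<pid>/status holds four fields:
# real, effective, saved and filesystem UID.

# Print the four UIDs from a status file, space-separated.
status_uids() {
    awk '$1 == "Uid:" { print $2, $3, $4, $5 }' "$1"
}

# Succeed only if all four UIDs equal the expected numeric UID.
# A saved UID of 0 would let the process switch back to root.
# Returns 1 on a mismatch, 2 if no usable Uid: line was found.
fully_dropped() {
    status_file=$1
    want=$2
    set -- $(status_uids "$status_file")
    [ $# -eq 4 ] || return 2
    for uid in "$@"; do
        [ "$uid" = "$want" ] || return 1
    done
    return 0
}

# Constructed sample status excerpts (not captured from a real host);
# 105 stands in for the svn user's UID.
sample_dir=$(mktemp -d)
printf 'Name:\tsvnserve\nUid:\t105\t105\t105\t105\n' > "$sample_dir/dropped"
printf 'Name:\tsvnserve\nUid:\t105\t105\t0\t105\n'   > "$sample_dir/saved_root"
printf 'Name:\tsvnserve\nUid:\t0\t0\t0\t0\n'         > "$sample_dir/root"

for s in dropped saved_root root; do
    if fully_dropped "$sample_dir/$s" 105; then
        echo "$s: all UIDs are 105"
    else
        echo "$s: NOT fully dropped ($(status_uids "$sample_dir/$s"))"
    fi
done

# On a real host: fully_dropped "/proc/<pid>/status" "$(id -u svn)"
```

The PID to check is that of svnserve itself, not of a wrapper process that launched it.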