Re: Ports 0-1023?

From: gminick (gminickat_private)
Date: Thu Jul 04 2002 - 13:31:13 PDT

    On Thu, Jul 04, 2002 at 06:54:05PM +0100, Bruno Morisson wrote:
    > Example, uid 80 can bind to tcp port 80.
    It leads us to build more static and more complicated systems.
    We're just trying to provide new situations where bugs can exist
    and what we're trying to achieve isn't worthy...
    
    > You start the httpd as that
    > user, and drop privileges by setting your uid to nobody (or apache, or
    > whatever). If the user exploits the daemon, it will be uid nobody (or
    > whatever), and in the worst case scenario, he will have uid 80, and
    > never uid 0.
    Are you sure? I think that our new user changes nothing and there's
    still a possibility of privileges expansion from user nobody to
    root (if you've exploited apache with a remote exploit, and you
    have a shell as user nobody you're able to try to exploit something
    locally and get UID==0). Am I right?
    
    -- 
    [ Wojtek gminick Walczak ][ http://hacker.pl/gminick/ ]
    [ gminick (at) hacker.pl ][ gminick (at) klub.chip.pl ]
    



    This archive was generated by hypermail 2b30 : Thu Jul 04 2002 - 14:19:44 PDT