security hole in swais, FYI

• Previous message (by thread): security hole in swais, FYI
• Next message (by thread): security hole in swais, FYI
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

--------

yet another of these WAIS thingies.  FYI.  res.  --  pete


    
     Jonny Goldman <jonathan at Think.COM> writes:
      *    From: Marten Terpstra <Marten.Terpstra at ripe.net>
      *    Date: Tue, 01 Sep 92 15:46:22 +0200
      * 
      * We've known about this.The solution is to run swais under a chroot, wit
   h a
      * very limited bin directory.  This is how swais is run on Quake, and we'
   ve
      * had no evidence of any tampering.
    
    The version I have (b4) does not have a chroot in it. Currently we are
    running without the mail and pipe options ...
    The loss of a pipe option is no problem, the mail option is.
    
      * I've done this by using a special .cshrc, but I just thought of a way t
   hat
      * could be defeated.  Hmmm, I want users to be able to use a limited set 
   of
      * commands.  Perhaps swais needs a "secure" command list.
    
    A secure command list would be very nice, or perhaps like other programs a
    simple compile time enable/disable flag for each command. Pagers like "less
   "
    have something along these lines.
    
    Anyway, let us know if something more "safe" comes along.
    
    Cheers,
    
    -Marten

--------

• Previous message (by thread): security hole in swais, FYI
• Next message (by thread): security hole in swais, FYI
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]