[luau] restricting directory access
Jimen Ching
jching at flex.com
Fri Apr 26 13:15:30 PDT 2002
On Thu, 25 Apr 2002, Warren Togami wrote:

>> What can a user do with a shell account without access to outside of their
>> home directory?

>Plenty. They can poke around the filesystem looking for local root
>exploits,

If they can't cd out of their home directory, unless the admin allowed
this user to install some tool that has a root exploit, I doubt this user
can do much.

> or they can use programs on the server (or upload their own) to
>use the server as a relay from which they can scan and attack other
>machines.

True, but _your_ server is safe. ;-) Seriously, if you are so uptight
that you are not willing to let a user cd out of their home directory, and
yet you allow them to upload anything they want? This completely defeats
the purpose of the cd limitation.

>SSH also introduces new problems in that any user can tunnel to any other
>location on the Internet, making it look like it came from the SSH server
>itself. This is a HUGE security risk because it is incredibly difficult to
>trace for the server administrator. There are ways of stopping people from
>doing this with iptables, but they are fairly difficult to implement and I'm
>not exactly sure how to do it at the moment.

This assumes the admin found a way to prevent the user from cd'ing out of
the home directory, but then left ssh wide open for security holes. How
ironic.

--jc
--
Jimen Ching (WH6BRR) jching at flex.com wh6brr at uhm.ampr.org