Re: [Jailkit-dev] Patch for displaying cwd on shell execution
From: Brian Shire
Subject: Re: [Jailkit-dev] Patch for displaying cwd on shell execution
Date: Tue, 12 Jun 2007 14:09:08 -0700
On Jun 12, 2007, at 12:08 AM, Olivier Sessink wrote:
> so you have a single user in the jk_lsh config file that has access
> to a long list of commands, each command for a different client ?
It's not so much that there is a long list of commands or a command
for each client, we could just have jk_lsh allowing execution of some
simple commandline tool. But when there's code allowing execution of
arbitrary commands jk_lsh logs it, but doesn't tell us enough detail
to know which client it's coming from, just that it's being executed
by the user running Apache.
Was also thinking of adding a way to determine more precisely
the actual script/executing code name, but not sure if I'll have
a generic way to do this that could be acceptable for a public
project.
> when to determine this? in the logging? and how much more precise
> do you need it? (can you give an example?)
It's just an idea at this point, but we were thinking of using an
environment variable that would be set by Apache (not the most
ideal as this isn't terribly generic). This variable would
contain a script name (let's say PHP for example) or any other
information you want really, domain, etc. The jailkit sh could
then include this in its log output.
> what about logging the complete command line? would that help? You
> can have Apache add something to the command line?
I think in most cases this would require changing the core language
calling the shell execution, in our case PHP. It's possible to do
this via a patch or extension, but not very generic for jailkit's
purposes. But if jailkit always included an environment variable in
its logs it might be a good start. It is possible that I could
configure Apache to include the currently requested URL, which may be
a nice halfway point. (This really isn't high priority for me anyways.)
This is mostly useful when we are having trouble tracking down a
vulnerability quickly. Rather than just knowing the directory
path (from the above patch), we'd know the exact script or URL
that was called to cause the shell exec. The ultimate would be to
have the script/filename that called the shell exec, but I don't
see a way to easily implement this for multiple languages.
> so you actually want to log the parent application? Hmm I've no
> idea how to find out which process the parent is, but I guess it
> should be possible..
In my case I already know the parent application (Apache) based upon
the executing user. This may be useful for other people who need
this information, however.
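An added example (not jailkit's own code) of the kind of audit line this thread is after: a restricted shell records its working directory, the parent process's command line (read from /proc, so Linux is assumed) and one environment variable the calling application is assumed to set; the variable name JK_CALLER is a hypothetical placeholder, not anything jailkit defines.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Read /proc/<pid>/cmdline (Linux), turning the NUL separators between
 * arguments into spaces. Returns the length, or -1 if it cannot be read. */
int read_proc_cmdline(pid_t pid, char *buf, size_t size)
{
    char path[64];
    size_t n, i;
    FILE *f;
    snprintf(path, sizeof path, "/proc/%ld/cmdline", (long)pid);
    if ((f = fopen(path, "r")) == NULL)
        return -1;
    n = fread(buf, 1, size - 1, f);
    fclose(f);
    for (i = 0; i + 1 < n; i++)   /* the last NUL stays as terminator */
        if (buf[i] == '\0')
            buf[i] = ' ';
    buf[n] = '\0';
    return (int)n;
}

/* Build one audit line; a missing piece is written as "-" so that every
 * line has the same fields. Returns what snprintf returns (the length). */
int format_audit_line(const char *cwd, const char *parent_cmd,
                      const char *caller, const char *command,
                      char *out, size_t size)
{
    return snprintf(out, size, "cwd=%s parent=\"%s\" caller=%s cmd=\"%s\"",
                    cwd ? cwd : "-", parent_cmd ? parent_cmd : "-",
                    caller ? caller : "-", command ? command : "-");
}

int main(int argc, char **argv)
{
    char cwd[4096], parent[4096], line[8192];
    const char *caller = getenv("JK_CALLER");  /* hypothetical variable */
    if (getcwd(cwd, sizeof cwd) == NULL)
        strcpy(cwd, "-");
    if (read_proc_cmdline(getppid(), parent, sizeof parent) < 0)
        strcpy(parent, "-");
    format_audit_line(cwd, parent, caller, argc > 1 ? argv[1] : NULL,
                      line, sizeof line);
    puts(line);  /* a real jk_lsh would hand this to syslog() instead */
    return 0;
}
```

Run as `JK_CALLER=index.php ./a.out 'ls -l'` from a shell to see the line a parent shell would produce; the parent field will be whatever invoked the program.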