SLUG Mailing List Archives
Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)
- To: Daniel Pittman <daniel@xxxxxxxxxxxx>
- Subject: Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)
- From: Rick Welykochy <rick@xxxxxxxxxxxxx>
- Date: Mon, 02 Jun 2008 15:35:01 +1000
- Cc: slug@xxxxxxxxxxx
- User-agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:220.127.116.11) Gecko/20080313 SeaMonkey/1.1.9
Daniel Pittman wrote:
> formmail. I say no more.
The perl language has been pretty bullet proof. I do recall
one string-based exploit in the many many years I have been using

That said, yup, scripts like formmail are written by monkeys
in the 11th level hell and sent to torment sys admins.

I was running an ISP and in my early days I stupidly allowed
some customers to upload their own perl CGI scripts to our
(only) main web server. After watching the machine being brought
down to its knees due to inexperienced coding (don't ask) I
learnt my lesson very quickly.

The only way to allow user-supplied scripts nowadays is via
some sort of virtualisation scheme with solid sandboxing. Even
then, poor coding can gobble up heaps of resources needlessly.

Rick Welykochy || Praxis Services || Internet Driving Instructor
The user's going to pick dancing pigs over security every time.
-- Bruce Schneier