Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)

Daniel Pittman wrote:

[2]  formmail.  I say no more.

The perl language has been pretty bulletproof. I do recall
one string-based exploit in the many many years I have been using

That said, yup, scripts like formmail are written by monkeys
in the 11th level hell and sent to torment sys admins.

I was running an ISP and in my early days I stupidly allowed
some customers to upload their own perl CGI scripts to our
(only) main web server. After watching the machine being brought
down to its knees due to inexperienced coding (don't ask) I
learnt my lesson very quickly.

The only way to allow user-supplied scripts nowadays is via
some sort of virtualisation scheme with solid sandboxing. Even
then, poor coding can gobble up heaps of resources needlessly.


Rick Welykochy || Praxis Services || Internet Driving Instructor

The user's going to pick dancing pigs over security every time.
     -- Bruce Schneier