[ILUG] restricting file upload size, additional info
Gareth 'bigbro' Eason
bigbro at skynet.ie
Fri Dec 8 16:50:19 GMT 2006
> Otherwise connect via sftp client. Users can upload, download and
> delete. Openssh configured to disable chown/chmod (we set default umask
> on our end) so we don't let users set their own permissions either (they
> showed an unfortunate tendency toward installing things with world write!)
That's kind of what I was expecting - but is it possible to break out
of passwd to a shell? What about a buffer overflow dropping you to a
shell? I don't know of any vulns in passwd at the moment, so perhaps
it's quite safe.
The file upload / download is more my area of interest. When your
customers log in, are they constrained to their own area of disk? While
disk space is not an issue for my application, a customer being able to
speculatively and curiously try and download files from /home/$string/ -
or get a directory listing of ../.. or similar is a trap.
How does your system deal with these kinds of issues? Or does it?
More information about the ILUG