[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Jailkit-dev] Patch for displaying cwd on shell execution

From: Brian Shire
Subject: Re: [Jailkit-dev] Patch for displaying cwd on shell execution
Date: Tue, 12 Jun 2007 14:09:08 -0700

On Jun 12, 2007, at 12:08 AM, Olivier Sessink wrote:

so you have a single user in the jk_lsh config file that has access to a long list of commands, each command for a different client ?

It's not so much that there is a long list of commands or a command for each client, we could just have jk_lsh allowing execution of some simple commandline tool. But when there's code allowing execution of arbitrary commands jk_lsh logs it, but doesn't tell us enough detail to know which client it's coming from, just that it's being executed by the user running Apache.

Was also thinking of adding a way to determine more precisely the actual script/executing code name, but not sure if I'll have a generic way to do this that could be acceptable for a public project.

when to determine this? in the logging? and how much more precise do you need it? (can you give an example?)
It's just an idea at this point, but we where thinking of using an environment variable that would be set by Apache (not the most ideal as this isn't terribly generic). This variable would contain a script name (let's say PHP for example) or any other information you want really, domain, etc. the jailkit sh could then include this in it's log output.

what about logging the complete command line? would that help? You can have Apache add something to the command line?

I think in most cases this would require changing the core language calling the shell execution, in our case PHP. It's possible to do this via a patch or extension, but not very generic for jailkit's purposes. But if jailkit always included an environment variable in it's logs it might be a good start. It is possible that I could configure Apache to include the currently requested URL, which may be a nice half way point. (this really isn't high priority for me anyways).

This is mostly useful when we are having trouble tracking down a vulnerability quickly. Rather than just knowing the directory path (from the above patch), we'd know the exact script or URL that was called to cause the shell exec. The ultimate would be to have the script/filename that called the shell exec, but I don't see a way to easily implement this for multiple languages.

so you actually want to log the parent application? Hmm I've no idea how to find out which process the parent is, but I guess it should be possible..

In my case I already know the parent application (Apache) based upon the executing user. This may be useful for other people who need this information, however.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]