Are you concerned with people attempting to compile/execute scripts through your web server or locally at a command prompt? If the issue is the former, then you may want to look at implementing some rules that use SCRIPT_UID or SCRIPT_USERNAME to verify the owner of a script before it executes it -

http://www.modsecurity.org/documentation/modsecurity-apache/2.1.0/modsecurity2-apache-reference.html#N10C66

Here is an example rule -

SecRule SCRIPT_USERNAME "!^apache$"

In this case, ModSecurity would only allow a script to execute if the owner of the script was the "apache" user. So, in your scenario, "apache" would not be the owner of perl or sh so this should prevent execution. You would need to test this with your exact scenario however to see if it works as expected.

One important note about these variables - they are only available when Mod is running in embedded mode.

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

________________________________
From: mod-security-users-bounces@lists.sourceforge.net [mailto:mod-security-users-bounces@lists.sourceforge.net] On Behalf Of BipinDas
Sent: Thursday, May 31, 2007 4:43 AM
To: mod-security-users@lists.sourceforge.net
Subject: Re: [mod-security-users] Preventing perl script execution using mod_security howto ??

BipinDas wrote:
> Dear list,
> I had implemented mod_security. Working fine. I would like to
> know, whether it is possible to execute perl script in /tmp directory.
> If yes, can anybody tell me how can I do it. Which rule should I write
> for this.

> Not sure what you want here. Your subject asks how to prevent perl
> script execution, but then the body asks how to execute in /tmp.

> Generally perl scripts would not be executable from /tmp based on your
> Apache config.

> Perhaps you are attempting to prevent uploading a perl script to /tmp?
> Take a look at the @inspectFile operator with example in the docs.

Dear Brian,
I meant to prevent executing perl scripts in the /tmp, /var/tmp and /dev/shm
directories. These directories were mounted non-executable in /etc/fstab.
Now we cannot execute scripts this way: $ ./test.pl or $ ./test.sh.
But anybody can execute/compile like this: $ perl test.pl or $ sh test.sh.
I would like to know whether mod_security is capable of preventing this type
of execution or compilation.

Please help
--
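The rule quoted in the reply above is a bare SecRule with no actions of its own, so what it actually does depends on the SecDefaultAction in force. The following is an added example (not a rule from the thread, from Ryan Barnett, or from the ModSecurity project) showing a self-contained form of the same owner check, scoped to script files. It assumes ModSecurity 2.1 running in embedded mode (the reply notes the SCRIPT_* variables are only populated there), an Apache worker running as the user "apache", script extensions of .pl, .cgi and .sh, and, for the numeric variant, a uid of 48 for that account; all four are assumptions, not facts from the page. The choice of phase:2 reflects my understanding that Apache resolves the requested URI to a file (and hence its owner) after ModSecurity's phase 1 has already run, so the SCRIPT_* variables are empty in phase 1.

```apache
# Added example; not a rule from the thread or from the ModSecurity project.
# Assumes: ModSecurity 2.1 loaded into Apache in embedded mode (SCRIPT_*
# variables are empty in a reverse-proxy deployment), the Apache worker
# running as the user "apache", and this file included from httpd.conf.

SecRuleEngine On

# The rule as posted in the thread. It carries no actions, so it inherits
# SecDefaultAction: with a "pass" default it logs only and blocks nothing.
#SecDefaultAction "phase:2,log,deny,status:403"
#SecRule SCRIPT_USERNAME "!^apache$"

# Self-contained form with the actions on the rule itself, so the outcome no
# longer depends on SecDefaultAction. phase:2 is used because the file owner
# is only known once Apache has mapped the URI to a file, which happens after
# ModSecurity's phase 1. The first rule of the chain limits the check to files
# Apache would hand to an interpreter (assumed extensions: .pl, .cgi, .sh) so
# that static files owned by root keep being served; drop the chain only if
# every file under the document root is owned by apache.
SecRule SCRIPT_FILENAME "\.(?:pl|cgi|sh)$" \
    "phase:2,t:none,chain,log,deny,status:403,msg:'Script file not owned by the apache user'"
    SecRule SCRIPT_USERNAME "!^apache$" "t:none"

# Numeric equivalent using the uid instead of the name. The uid 48 is an
# assumed value for the apache account; confirm it in /etc/passwd before use.
#SecRule SCRIPT_FILENAME "\.(?:pl|cgi|sh)$" \
#    "phase:2,t:none,chain,log,deny,status:403,msg:'Script file uid is not 48'"
#    SecRule SCRIPT_UID "!^48$" "t:none"
```

Before switching the rule to deny, run with `SecRuleEngine DetectionOnly` and watch the audit log to see exactly which files match; a document root owned by root rather than apache would otherwise be blocked wholesale. As the reply's opening question makes clear, this check only governs files that Apache itself executes: a script run from a login shell with `perl test.pl` never passes through the web server, so no ModSecurity rule can see it, and that case is a matter for filesystem and account controls rather than the WAF.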