From: Νικόλαος Κούρας
Newsgroups: comp.lang.python
Subject: Re: Apache and suexec issue that wont let me run my python script
Date: Wed, 5 Jun 2013 11:08:06 -0700 (PDT)

On Wednesday, 5 June 2013 8:47:38 PM UTC+3, user Chris Angelico wrote:
> On Thu, Jun 6, 2013 at 3:29 AM, Νικόλαος Κούρας wrote:
> > Now about what you did to me.
> > I wanted to tell you that I (and I am sure there are other people too) don't agree with what you did. I think it was pretty rotten -- you told me it was a bad idea to give out the root password and that was as far as you should have gone, you had no right to "prove" it by screwing with my system.
> >
> > In the US there is a law called the DMCA which I think would make what
> > you did illegal, even though I gave you a password, because I
> > clearly gave you access to help me fix a problem, not to do what you
> > did. Of course US law doesn't help in this case since I live in Greece and you live in Australia...
>
> IANAL, but I don't think the DMCA has anything to do with this. (That
> is to say, I don't think it would even if everything were under US
> jurisdiction, which as you say isn't the case anyway.) What I did is
> no more illegal than you lending your car keys to a stranger with the
> request that he lock your door for you, and him then leafing through
> the contents of your car and telling your spouse what he found. If
> that causes your marriage to break up, the fault was with you for
> having something in your car that would break up your marriage, and
> for letting a stranger poke around in there.
>
> > I still maintain my belief that most people are good and want to help
> > rather than be destructive (which to your defense you weren't entirely. The mails you sent to my few customers though really pissed me off).
>
> The mails to your customers stop you from pretending to them that you
> know what you're doing. That's all.
> Now, you may be able to come back
> from this by making a public change of policy (you so far have a
> declared stance that you would give out the root password to someone
> else in future) and apologizing profusely to your customers, but if
> you can't, that is your problem and not mine.
>
> I was programming computers for eighteen years before I got a job
> doing it. Getting money for hosting people's web sites is something
> that you should see as a privilege for people who can demonstrably
> provide this service safely, and should not be something you strive
> for while you're learning the basics of Linux.
>
> > And of course, I have no idea if you have installed some kind of a backdoor utility that will grant you shell access via ssh to my system.
> > I want to convince myself that you haven't done so.
>
> I can help with that convincing. No, I did not install any sort of
> backdoor. There is no way you can prove that statement, but you have
> my promise and pledge that your system is safe from me. All I did was:
>
> 1) Change the root password, storing the new one in a way that you could find it
> 2) Create the cookie file as proof of what I could do
> 3) Collect email addresses from /home/*/.contactemail
> 4) Inspect the index.html files in a few directories as a means of
> locating the web sites concerned
> 5) 'mv .bash_history .bash_history_old', and later mv it back
>
> There is no ongoing access, and now that you've changed the root
> password (btw, I hope you weren't silly enough to change it to the
> same password you emailed me), the system is under your control again.
> But you cannot be sure that the *other* people you've given root
> access to didn't do the same.

Every time I granted access to other folks, when the jobs were done I always ran 'passwd' as root to avoid unwanted access.
All customers are also my friends and they like me and trust me. I also fix their computers too and use "TeamViewer" many times to help them from home.

Still, all of your doing could be avoided if instead of fiddling with my clients, you would actually try to provide a helping hand.

Anyway, I shouldn't have given root access to you, I was a bit worried doing so, but I was also under stress of also correcting this damn encoding issue and I wanted to think you would be the one that would finally help solve it.

I was wrong. But no matter what you say I won't lose my belief that if for example I had given access to Steven, things could have turned into a positive solution.

You shouldn't have gone "that far", just to prove a point.

It's not that malicious activity didn't occur to me that might happen, I just like to think that it won't.

Anyway, enough said.