Mac OS X Security Competition Ends in 30 Minutes
"No, you don't understand how CGI access works. Nor do you understand about jails. Nor do you understand about running previously approved/audited/secure CGI vs. letting users install their own. Nor do you understand about running httpd (or whatever) as a chrooted user who only has read/write access to a very limited (and secure) space."
In fact I do. And less than 1% of those servers have anything like that setup. Because people won't pay for completely useless webhosting (suprise!).
"Not sure where you got the whole nologin idea from. Not sure why you're talking about linux misconceptions. The "subject at hand" was an OSX server where they allowed ssh, which is certainly a whole lot more access than CGI on a jailed or chrooted suid nobody http account - even with CGI access."
But its exactly the same amount of access as > 99% of webhosting companies give you. Which is what I said.
"Like I said: there are thousands of OSX machines on the net right now. Acting as servers. One of them vended ssh access and got hacked. The other thousands are doing just fine."
Like I said, supplying web hosting for people is something anyone should reasonably expect to be able to do with a unix machine. OS X has lots of local root exploits which make it impossible to safely provide web hosting for people (serving up only static files is not webhosting anyone will pay for). Pretending local root exploits don't matter because "people shouldn't have shell access" is rediculous. There's legitimate reasons to have local users. And besides that, local root exploit + remote non-priviledged exploit = remote root.