No executables in /tmp

Michael Halcrow mike at halcrow.us
Sat Mar 25 16:36:30 MST 2006


On Sat, Mar 25, 2006 at 02:53:12PM -0800, ross at indessed.com wrote:
> On Sat, 25 Mar 2006, Michael Halcrow wrote:
> >On Sat, Mar 25, 2006 at 10:45:08PM +0000, Jason Holt wrote:
> >>On Sat, 25 Mar 2006, Jeff Schroeder wrote:
> >>perl `cat /tmp/myscript.pl`
> >
> >I repeat: SE Linux...
> 
> Is there really a way for SE Linux to allow a user access to perl,
> but disallow access to perl scripts in /tmp/?
> ...
> Would it allow the person to cat /tmp/myscript.pl, then run "perl",
> then type the program in by hand?

I think what you really want is to prevent the user from accessing any
resources that he shouldn't, regardless of the method (a C program,
Perl, Bash commands, etc.). You could run around making scripts in
certain path locations non-executable (then you open a can of worms w/
namespaces, hard links, and so forth), or you could just write a set
of policies that say what the user should and should not be able to
manipulate on a system and sleep soundly at night.

Mike
.___________________________________________________________________.
                         Michael A. Halcrow
       Security Software Engineer, IBM Linux Technology Center
GnuPG Fingerprint: 419C 5B1E 948A FA73 A54C  20F5 DB40 8531 6DCA 8769

"Every man takes the limits of his own field of vision for the
limits of the world."
 - Schopenhauer
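The point behind the thread's `perl /tmp/myscript.pl` example, as an added demonstration that is not code from the PLUG thread or from Mike's message: taking the execute bit away from a script (or mounting /tmp noexec) only blocks direct execution of the file. Anyone who can read it and run an interpreter can still execute its contents by handing the interpreter the path, piping it in on stdin, or splicing the text onto the command line. The script uses `sh` in place of perl (the interpreter does not matter), builds a constructed sample script in a private temporary directory, and runs unprivileged; the helper names are mine.

```shell
#!/bin/sh
# Added example, not from the PLUG thread: a file with no execute bit (or on a
# noexec mount) cannot be exec'd directly, but its contents still run through
# any interpreter the user can reach. Runs unprivileged; "sh" stands in for perl.
set -eu

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
script="$workdir/myscript.sh"

# Constructed sample script. It only reports that it ran.
cat > "$script" <<'EOF'
#!/bin/sh
echo "script ran as $(id -un)"
EOF
chmod 0644 "$script"   # readable by the owner, but no execute bit for anyone

# Each helper prints "ran" if the script's code executed and "blocked" if not.

# Direct execution: execve() on a file with no execute bit fails (a noexec
# mount fails the same way), whatever the caller's uid.
direct_exec() {
    if "$script" >/dev/null 2>&1; then echo ran; else echo blocked; fi
}

# Interpreter given the path: only read permission on the file is needed.
via_interpreter() {
    if sh "$script" >/dev/null 2>&1; then echo ran; else echo blocked; fi
}

# Interpreter fed the contents on stdin: the interpreter never opens the
# file itself, so mount options on the file's directory are irrelevant.
via_stdin() {
    if sh <"$script" >/dev/null 2>&1; then echo ran; else echo blocked; fi
}

# The thread's one-liner, perl `cat /tmp/myscript.pl`, splices the file's
# text onto the command line; "sh -c" does the equivalent here.
via_cmdline() {
    if sh -c "$(cat "$script")" >/dev/null 2>&1; then echo ran; else echo blocked; fi
}

printf 'direct exec        : %s\n' "$(direct_exec)"
printf 'sh <path>          : %s\n' "$(via_interpreter)"
printf 'sh < <path>        : %s\n' "$(via_stdin)"
printf 'sh -c "$(cat path)": %s\n' "$(via_cmdline)"
```

Only the first line comes out `blocked`; the other three come out `ran`. That is the gap Mike's reply is pointing at: the file's mode and mount flags govern execve() of that one path, while the interpreter, the user's shell, and a copy of the same text under another name all remain available, so the control that actually holds is one placed on what the user's processes may touch, not on where the script happens to live.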