No executables in /tmp
mike at halcrow.us
Sat Mar 25 16:36:30 MST 2006
On Sat, Mar 25, 2006 at 02:53:12PM -0800, ross at indessed.com wrote:
> On Sat, 25 Mar 2006, Michael Halcrow wrote:
> >On Sat, Mar 25, 2006 at 10:45:08PM +0000, Jason Holt wrote:
> >>On Sat, 25 Mar 2006, Jeff Schroeder wrote:
> >>perl `cat /tmp/myscript.pl`
> >I repeat: SE Linux...
> Is there really a way for SE Linux to allow a user access to perl,
> but disallow access to perl scripts in /tmp/?
> Would it allow the person to cat /tmp/myscript.pl, then run "perl",
> then type the program in by hand?
I think what you really want is to prevent the user from accessing any
resources that he shouldn't, regardless of the method (a C program,
Perl, Bash commands, etc.). You could run around making scripts in
certain path locations non-executable (then you open a can of worms w/
namespaces, hard links, and so forth), or you could just write a set
of policies that say what the user should and should not be able to
manipulate on a system and sleep soundly at night.
Michael A. Halcrow
Security Software Engineer, IBM Linux Technology Center
GnuPG Fingerprint: 419C 5B1E 948A FA73 A54C 20F5 DB40 8531 6DCA 8769
"Every man takes the limits of his own field of vision for the
limits of the world."
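The thread above contrasts two approaches: mounting /tmp with restrictive options versus writing policy that says what a user may touch at all. The following script, an added example that is not part of the original message or the PLUG thread, shows the configuration-audit side: it parses /proc/mounts-style lines and reports which of the nosuid, nodev and noexec options are missing on a given mount point. The mount lines in `SAMPLE_MOUNTS` are constructed sample input, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit hardening options on mount points
# from /proc/mounts-style text. SAMPLE_MOUNTS is constructed sample input.

SAMPLE_MOUNTS='tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev 0 0'

# mount_opts <mountpoint> <mounts-text>
# Print the option field (4th column) of the first line whose mount point matches.
mount_opts() {
    printf '%s\n' "$2" | awk -v mp="$1" '$2 == mp { print $4; exit }'
}

# has_opt <opt> <optlist>
# Succeed if the comma-separated option list contains exactly <opt>.
has_opt() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_mount <mountpoint> <mounts-text>
# Print "ok" and return 0 when nosuid, nodev and noexec are all present;
# otherwise print "missing: <opts>" and return 1.
audit_mount() {
    opts=$(mount_opts "$1" "$2")
    missing=""
    for want in nosuid nodev noexec; do
        has_opt "$want" "$opts" || missing="$missing $want"
    done
    if [ -z "$missing" ]; then
        echo "ok"
        return 0
    fi
    echo "missing:${missing}"
    return 1
}

# Stand-alone run against the constructed sample. On a real host, replace
# "$SAMPLE_MOUNTS" with "$(cat /proc/mounts)".
for mp in /tmp /home; do
    printf '%s: %s\n' "$mp" "$(audit_mount "$mp" "$SAMPLE_MOUNTS")"
done
```

As Michael's reply points out, a passing audit here is a configuration check, not a security boundary: noexec stops the kernel from executing a file directly but does nothing about an interpreter that reads the same file, so the options are worth verifying on every host but the actual access decision still belongs in a mandatory access control policy such as SELinux.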