No executables in /tmp

Hans Fugal hans at fugal.net
Mon Mar 27 15:13:53 MST 2006


On Sat, 25 Mar 2006 at 17:36 -0600, Michael Halcrow wrote:
> On Sat, Mar 25, 2006 at 02:53:12PM -0800, ross at indessed.com wrote:
> > On Sat, 25 Mar 2006, Michael Halcrow wrote:
> > >On Sat, Mar 25, 2006 at 10:45:08PM +0000, Jason Holt wrote:
> > >>On Sat, 25 Mar 2006, Jeff Schroeder wrote:
> > >>perl `cat /tmp/myscript.pl`
> > >
> > >I repeat: SE Linux...
> > 
> > Is there really a way for SE Linux to allow a user access to perl,
> > but disallow access to perl scripts in /tmp/?
> > ...
> > Would it allow the person to cat /tmp/myscript.pl, then run "perl",
> > then type the program in by hand?
> 
> I think what you really want is to prevent the user from accessing any
> resources that he shouldn't, regardless of the method (a C program,
> Perl, Bash commands, etc.). You could run around making scripts in
> certain path locations non-executable (then you open a can of worms w/
> namespaces, hard links, and so forth), or you could just write a set
> of policies that say what the user should and should not be able to
> manipulate on a system and sleep soundly at night.

So SE Linux is what he needs, not what he wants. It's good to hear this
clarification because I was thinking either you had fallen off your
rocker or that SE Linux had some very deep magic indeed if it could
prevent you from running a script that is (was?) in /tmp.

-- 
Hans Fugal ; http://hans.fugal.net
 
There's nothing remarkable about it. All one has to do is hit the 
right keys at the right time and the instrument plays itself.
    -- Johann Sebastian Bach
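The thread turns on one point: a noexec mount only stops the kernel from execve()-ing a file on it; an interpreter that merely read()s the script is unaffected. The shell script below is an added example, not code from the thread or from any tool named in it. It parses a constructed /proc/mounts-style table (labelled as such; mount_opts_for and has_noexec are hypothetical helper names) to tell whether a path sits on a noexec filesystem, then runs the same script both ways to make the contrast visible.

```shell
#!/bin/sh
# Added example (not from the PLUG thread). Shows why a noexec /tmp does not
# stop interpreted scripts: execve() on the file is refused, but
# "sh /tmp/x.sh" or "perl /tmp/x.pl" only read() it.
# mount_opts_for/has_noexec are hypothetical helpers written for this example.

# Print the mount options of the longest mount point that is a prefix of $1,
# reading a /proc/mounts-style table from $2 (fields: dev mountpoint fstype opts).
mount_opts_for() {
    path=$1
    table=$2
    printf '%s\n' "$table" | awk -v p="$path" '
        BEGIN { best = -1 }
        {
            mp = $2
            # a mount point covers p if it is "/", equals p, or is a dir prefix of p
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }'
}

# Exit 0 if the comma-separated options string in $1 contains noexec.
has_noexec() {
    case ",$1," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run the same script two ways from directory $1: directly (execve on the
# file) and through an interpreter that only reads it. Prints
# "direct=ok|denied interpreter=ok|denied".
exec_probe() {
    dir=$1
    script="$dir/noexec-probe.sh"
    printf '#!/bin/sh\necho probe-ran\n' > "$script"
    chmod 755 "$script"
    if out=$("$script" 2>/dev/null) && [ "$out" = "probe-ran" ]; then
        direct=ok
    else
        direct=denied      # on a noexec mount execve() fails with EACCES
    fi
    if out=$(sh "$script" 2>/dev/null) && [ "$out" = "probe-ran" ]; then
        interp=ok          # the interpreter just read() the file
    else
        interp=denied
    fi
    rm -f "$script"
    printf 'direct=%s interpreter=%s\n' "$direct" "$interp"
}

# Constructed mount table for the example; not a real system's /proc/mounts.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/sda1 / ext3 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 /home ext3 rw,relatime 0 0'

opts=$(mount_opts_for /tmp/myscript.pl "$SAMPLE_MOUNTS")
if has_noexec "$opts"; then
    echo "/tmp/myscript.pl would be on a noexec mount ($opts)"
fi
# Against the real /tmp: "direct" is denied only if /tmp is mounted noexec,
# "interpreter" succeeds either way, which is the bypass the thread describes.
exec_probe /tmp
```

The probe is what Michael's reply is getting at: since the interpreter path always works, controlling what the user may reach (an SELinux policy, or equivalently which files and syscalls their domain is allowed) is the enforceable control; noexec on one directory only raises the bar for files that must be execve()'d directly.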