On 9 Dec 2005, at 17:29, Spider (D.m.D. Lj.) wrote:
On Fri, 2005-12-09 at 18:21 +0100, Jesús García Crespo wrote:
Hi! I thought that GCC could means a risk if all of the users of my
system are able to run it! I talked this with a friend and he
propossed
to create a new group, "compiler", for example, where all the users
who will be able to run gcc must belong to it!
Wouldn't be interesting to implement this into Gentoo gcc ebuild
as an
USE?
Exactly what risk is there from an end-user running a compiler? A
compiler doesn't access any kind of restricted environment, doesn't
auytomatically create binaries with other rights than its own and is
about as "safe" a product as there can be.
And if you think that users running their own programs is a risk,
simply
mount /home as noexec, ( make sure to impose the same limitations
on /tmp and /var/tmp as well, since users have write-access there)
And.. really. python, perl, awk, bash ... All of those are fully
capable
of creating and running programs. And no, I do not think you can limit
the use thereof from user accounts.: )
Don't forget you can run a normal executable with noexec as well:
/lib/ld-linux.so some_executable
Which basically makes noexec on a mount completely useless. Try it:
mount some partition with noexec, copy bash to it, and run it with
the above.
If you're really paranoid about execution and so on, start reading the
SELinux FAQ and create a ruleset.. The default one is probably more
lenient than you want it ;)
//Spider
--
begin .signature
Tortured users / Laughing in pain
See Microsoft KB Article Q265230 for more information.
end
Chris
--
Chris Boot
[EMAIL PROTECTED]
http://www.bootc.net/
--
gentoo-user@gentoo.org mailing list
