-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sunday 26 January 2003 12:49, Alex wrote:
> On Thursday 23 January 2003 13.45, DEFFONTAINES Vincent wrote:
> > You can
> > 1. Remove the users' access to the ssh program
> > (e.g. change ownership and rights of /usr/bin/ssh and create a "ssh" group
> > for allowed outgoing ssh users).
> > 2. Mount /home, /tmp and any other place users might have write access on
> > with the "noexec" switch, so they can only use binaries installed (and
> > allowed to them) on the system.
>
> Will this noexec thing really work? It was a while ago, but I read that you
> could use something in /usr/lib or something to still be able
> to execute in noexec directories? Is the bug gone?

Not a bug.

duero:~# /lib/ld-2.2.5.so
Usage: ld.so [OPTION]... EXECUTABLE-FILE [ARGS-FOR-PROGRAM...]
You have invoked `ld.so', the helper program for shared library executables.
This program usually lives in the file `/lib/ld.so', and special directives
in executable files using ELF shared libraries tell the system's program
loader to load the helper program from this file.  This helper program loads
the shared libraries needed by the program executable, prepares the program
to run, and runs it.  You may invoke this helper program directly from the
command line to load and run an ELF executable file; this is like executing
that file itself, but always uses this helper program from the file you
specified, instead of the helper program file specified in the executable
file you run.  This is mostly of use for maintainers to test new versions
of this helper program; chances are you did not intend to run this program

So, even if /tmp is noexec, you still can do something like:

/lib/ld-whatever /tmp/program

BTW, I didn't read this thread entirely, but did anyone suggest the use of
iptables with UID match support?

Cheers

Pedro

> > Alex
> >
> > > -----Original Message-----
> > > From: Iñaki Martínez [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday 23 January 2003 13:18
> > > To: Charl Matthee
> > > Cc: [email protected]
> > > Subject: Re: question about SSH / IPTABLES
> > >
> > >
> > > Hello Charl Matthee!!!
> > >
> > > > If you want to use iptables then allow incoming ssh requests from the
> > > > relevant hosts and disallow outgoing ssh request from the server:
> > > >
> > > > iptables -A OUTPUT -j REJECT -p tcp --destination-port 22
> > >
> > > But if the client jumps to another port????
> > >
> > > $ ssh -p 25 remote_ip
> > >
> > > I think there is no COMPLETE solution........
> > >
> > > Thanks....
> > >
> > > --
> > > To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> > > with a subject of "unsubscribe". Trouble? Contact
> > > [EMAIL PROTECTED]

- --
"Don't tell me I'm burning the candle at both ends -- tell me where to get
more wax!!"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE+M+idnu53feEYxlERArsDAJwL9RdIZ70bcLRRr5uTwSx2zjvxFwCgkIdG
O5p2jUo9VdeZ04J1CoJwGLY=
=L8ty
-----END PGP SIGNATURE-----
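Added example, not code from any message in the thread above. It turns the two points of the exchange into something a practitioner can run: a check that measures, rather than assumes, whether handing a non-executable file to the ELF dynamic loader (the /lib/ld-whatever /tmp/program trick Pedro shows) still runs it on the machine at hand, and a generator for the iptables "UID match" rules Pedro asks about, which restrict outbound TCP by socket owner so that Iñaki's ssh -p 25 port hop gains nothing. The function names, the candidate loader paths, the group name sshusers, and the use of cleared execute bits in place of a real noexec mount (setting one up needs root) are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread above. Two checks a practitioner
# would want before relying on either suggestion:
#  1. loader_bypass_check: empirically test whether invoking the ELF dynamic
#     loader on a file that cannot be exec'd directly still runs it.
#  2. owner_match_rules: print iptables rules that restrict outbound TCP by
#     socket owner instead of by destination port, so "ssh -p 25" does not help.
# All function names, the candidate loader paths and the group name are
# assumptions made for this example.

# Find a usable ELF dynamic loader under the glibc or musl naming schemes.
# An unmatched glob is left literal by the shell and simply fails the -x test.
find_loader() {
    for ld in /lib64/ld-linux-*.so.* /lib/ld-linux-*.so.* \
              /lib/ld-musl-*.so.* /lib/ld-*.so.*; do
        if [ -x "$ld" ]; then
            printf '%s\n' "$ld"
            return 0
        fi
    done
    return 1
}

# Copy a dynamically linked program that exits 0 without arguments into a
# scratch directory and clear its execute bits. Setting up a real noexec
# mount needs root, so the cleared bits stand in for "execve refuses it".
# Returns 0 if the loader still ran the program (bypass works),
#         1 if the loader was refused too (kernel/mount forbids the mapping),
#         2 if the setup itself failed (no loader found, bad program path).
loader_bypass_check() {
    prog=$1
    scratch=$2
    ld=$(find_loader) || return 2
    [ -f "$prog" ] || return 2
    copy="$scratch/copy.bin"
    cp "$prog" "$copy" || return 2
    chmod 0644 "$copy"
    # Direct execution must be refused (even for root, with no x bit set).
    if "$copy" >/dev/null 2>&1; then
        return 2
    fi
    # The trick from the thread: ask the loader to run the file for us.
    if "$ld" "$copy" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Rules for the "UID match" idea: only sockets owned by members of group $1
# (or by root) may open new outbound TCP connections; every other outbound
# TCP SYN is answered with a RST. Replies on connections sshd accepted are
# ESTABLISHED and pass the second rule. Caveat: --gid-owner tests the
# socket's effective GID, not supplementary groups, so a user must run ssh
# with that group active (newgrp/sg), or match --uid-owner per user, or use
# --suppl-groups where the installed iptables and kernel support it.
owner_match_rules() {
    grp=$1
    cat <<EOF
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --syn -m owner --gid-owner $grp -j ACCEPT
iptables -A OUTPUT -p tcp --syn -m owner --uid-owner 0 -j ACCEPT
iptables -A OUTPUT -p tcp --syn -j REJECT --reject-with tcp-reset
EOF
}

# Usage: sh noexec_and_owner.sh /bin/true [group]
if [ $# -gt 0 ]; then
    dir=$(mktemp -d)
    loader_bypass_check "$1" "$dir"
    case $? in
        0) echo "loader ran $1 with no exec bit: the ld.so bypass works here" ;;
        1) echo "loader was refused: the ld.so bypass does not work here" ;;
        *) echo "setup failed: no loader found or $1 is not usable" ;;
    esac
    rm -rf "$dir"
    owner_match_rules "${2:-sshusers}"
fi
```

Read a result of 1 as "this kernel and mount refuse the loader's mapping of the file", not as "noexec is enough": an installed interpreter still runs whatever it is handed (sh /home/user/script, perl /tmp/x.pl), which is why the owner-match rules, which key on who opened the socket rather than on how the code got there, are the part worth deploying.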

