On Sat, Mar 25, 2006 at 02:53:12PM -0800, [EMAIL PROTECTED] wrote:
> On Sat, 25 Mar 2006, Michael Halcrow wrote:
> >On Sat, Mar 25, 2006 at 10:45:08PM +0000, Jason Holt wrote:
> >>On Sat, 25 Mar 2006, Jeff Schroeder wrote:
> >>perl `cat /tmp/myscript.pl`
> >
> >I repeat: SE Linux...
>
> Is there really a way for SE Linux to allow a user access to perl,
> but disallow access to perl scripts in /tmp/?
> ...
> Would it allow the person to cat /tmp/myscript.pl, then run "perl",
> then type the program in by hand?

I think what you really want is to prevent the user from accessing any
resources that he shouldn't, regardless of the method (a C program,
Perl, Bash commands, etc.). You could run around making scripts in
certain path locations non-executable (then you open a can of worms w/
namespaces, hard links, and so forth), or you could just write a set
of policies that say what the user should and should not be able to
manipulate on a system and sleep soundly at night.
Mike
.___________________________________________________________________.
Michael A. Halcrow
Security Software Engineer, IBM Linux Technology Center
GnuPG Fingerprint: 419C 5B1E 948A FA73 A54C 20F5 DB40 8531 6DCA 8769
"Every man takes the limits of his own field of vision for the
limits of the world."
- Schopenhauer
/* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
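
An added example, not part of the original message: a small audit of the point made in the reply above, that marking a script non-executable closes only one of the routes by which its contents reach an interpreter. It uses `sh` in place of Perl; the file name `myscript.sh`, the marker string and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; file names and the marker string are constructed.
# Clearing the execute bit on a script blocks only the kernel exec path.
# The interpreter can still be handed the same contents in other ways.

# run_path MODE FILE -> prints the script's output, or nothing if blocked
run_path() {
    case "$1" in
        direct) "$2" 2>/dev/null ;;                 # kernel exec: needs an x bit
        arg)    sh "$2" 2>/dev/null ;;              # interpreter opens the file
        stdin)  sh < "$2" 2>/dev/null ;;            # interpreter reads its stdin
        inline) sh -c "$(cat "$2")" 2>/dev/null ;;  # contents passed as an argument
    esac
}

# audit_paths -> prints one "mode=ran" or "mode=blocked" line per path
audit_paths() {
    dir=$(mktemp -d) || return 1
    script="$dir/myscript.sh"
    printf 'echo ran-script\n' > "$script"
    chmod 0644 "$script"    # readable, but no execute bit for anyone
    for mode in direct arg stdin inline; do
        out=$(run_path "$mode" "$script") || true
        if [ "$out" = "ran-script" ]; then
            echo "$mode=ran"
        else
            echo "$mode=blocked"
        fi
    done
    rm -rf "$dir"
}

audit_paths
```

Only the `direct` line reports `blocked`; the other three run with whatever access the user's process already has, which is the access a resource-based policy is written to constrain.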
