Nick Cleaton <n...@cleaton.net> writes:

> I made this, it might be interesting to anyone looking to implement
> something like rssh, or to un-retire rssh itself: it allows you to
> execute a program but trap any calls to libc exec* syscall wrappers that
> the program might make:

> https://github.com/ncleaton/libcallfilt

> It provides a second line of defense if you've tried to block all of the
> options that could exec arbitrary things but you may have missed
> something.

Thank you -- that's an interesting option!

BTW, you probably want to add posix_spawn, posix_spawnp, and execveat.
(Although a nice property of this approach is that it doesn't rely on
finding every possible system call, only covering the ones that the
legitimate program you're trying to spawn might use.)

--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
_______________________________________________
rssh-discuss mailing list
rssh-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rssh-discuss
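Added example, not part of the original message and not libcallfilt's own code: a minimal LD_PRELOAD shim that denies the three extra entry points named in the reply (posix_spawn, posix_spawnp, execveat). The file name spawnblock.so, the helper names, and the choice of EPERM as the error are assumptions of this sketch.

```c
/* Build: cc -shared -fPIC -o spawnblock.so spawnblock.c   (hypothetical name)
 * Use:   LD_PRELOAD=./spawnblock.so some-program
 * Only covers dynamically linked callers that go through the libc wrappers. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <spawn.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

static int blocked_calls;   /* number of denied attempts in this process */

int blocked_call_count(void) { return blocked_calls; }

static void note_blocked(const char *fn, const char *path)
{
    blocked_calls++;
    fprintf(stderr, "spawnblock: denied %s(\"%s\")\n", fn, path);
}

/* posix_spawn* report failure by RETURNING an errno value, not -1. */
int posix_spawn(pid_t *pid, const char *path,
                const posix_spawn_file_actions_t *fa,
                const posix_spawnattr_t *attr,
                char *const argv[], char *const envp[])
{
    (void)pid; (void)fa; (void)attr; (void)argv; (void)envp;
    note_blocked("posix_spawn", path);
    return EPERM;
}

int posix_spawnp(pid_t *pid, const char *file,
                 const posix_spawn_file_actions_t *fa,
                 const posix_spawnattr_t *attr,
                 char *const argv[], char *const envp[])
{
    (void)pid; (void)fa; (void)attr; (void)argv; (void)envp;
    note_blocked("posix_spawnp", file);
    return EPERM;
}

/* execveat follows the exec* convention: return -1 and set errno. */
int execveat(int dirfd, const char *path,
             char *const argv[], char *const envp[], int flags)
{
    (void)dirfd; (void)argv; (void)envp; (void)flags;
    note_blocked("execveat", path);
    errno = EPERM;
    return -1;
}
```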