Re: binary execute restrictions
On Jan 13, 2004, at 9:04 PM, Lowell Gilbert wrote: I suspect that a restricted shell isn't going to be appropriate in this case. Restricted shells are useful for avoiding shooting yourself in the foot, but they're really not intended to be secure. You're probably right that my suggestion is only a partial solution, but using a restricted shell and chroot()ing these users to a home directory that isn't owned/writable by that UID should come pretty close to solving the Original Poster's problem. It might also be the case that the OP might be better off not generating normal user accounts, but using application-specific user databases (such as found in software like Cyrus) to give controlled access to a particular service. -- -Chuck ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: binary execute restrictions
On Tue, Jan 13, 2004 at 03:52:49AM +0100, Jefferson San Juan wrote:
How do I restrict normal users from executing their own compiled executable
binary files?
I use FreeBSD 4.9.
This is actually a very difficult problem: FreeBSD is designed to let
people run executables, not to stop them doing that...
Put all of the user home directories on a separate partition which you
mount with the noexec flag.
Make sure that the users have no write access to anywhere outside
their home directories. This includes the various world writable
temporary directories /tmp, /var/tmp, etc. However, not permitting
users to write files in /tmp or /var/tmp will lead to much wailing and
gnashing of teeth, because a lot of applications are going to break.
Investigate setting the TMPDIR environment variable either from
/etc/login.conf or else from /etc/csh.login (for tcsh(1) users) or
/etc/profile (for bash(1) or sh(1) users) to ameliorate that. If you
set TMPDIR=${HOME}/tmp each user can have their own private temporary
area under their home directory. Note however that this only has an
advisory effect: not all applications will obey $TMPDIR.
You can mount the shared temporary directories noexec -- which will
work exceeedingly well 99.9% of the time. Investigate mounting /tmp
as a memory filesystem -- see mount_mfs(8) -- as a good way to do
that. Symlink other shared temporary areas to your memory filesystem
if you don't want to have more than one. Nb. One occasion doing this
will definitely cause problems is when you are updating your system by
'make installworld' -- however that is a sufficiently uncommon event
that you can feasibly do a temporary remount of /tmp without noexec in
that case.
Even so, a determined user could probably still work out ways to get
an executable executed, but they'd have to put some effort into
working out how.
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks
Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614 Bucks., SL7 1TH UK
pgp0.pgp
Description: PGP signature
Re: binary execute restrictions
On Jan 12, 2004, at 9:52 PM, Jefferson San Juan wrote: How do I restrict normal users from executing their own compiled executable binary files? Give them a restricted shell which limits the commands they can run to ones you specify. See man zshall for one example, although other restricted shells exist which might come closer to what you want than ZSH particularly: RESTRICTED SHELL When the basename of the command used to invoke zsh starts with the letter `r' or the `-r' command line option is supplied at invocation, the shell becomes restricted. Emulation mode is determined after stripping the letter `r' from the invocation name. The following are disabled in restricted mode: o changing directories with the cd builtin o changing or unsetting the PATH, path, MODULE_PATH, module_path, SHELL, HISTFILE, HISTSIZE, GID, EGID, UID, EUID, USERNAME, LD_LIBRARY_PATH,LD_AOUT_LIBRARY_PATH, LD_PRELOAD and LD_AOUT_PRELOAD parameters o specifying command names containing / o specifying command pathnames using hash o redirecting output to files o using the exec builtin command to replace the shell with another command o using jobs -Z to overwrite the shell process' argument and envi- ronment space o using the ARGV0 parameter to override argv[0] for external com- mands o turning off restricted mode with set +r or unsetopt RESTRICTED -- -Chuck ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: binary execute restrictions
Charles Swiger [EMAIL PROTECTED] writes: On Jan 12, 2004, at 9:52 PM, Jefferson San Juan wrote: How do I restrict normal users from executing their own compiled executable binary files? Give them a restricted shell which limits the commands they can run to ones you specify. See man zshall for one example, although other restricted shells exist which might come closer to what you want than ZSH particularly: I suspect that a restricted shell isn't going to be appropriate in this case. Restricted shells are useful for avoiding shooting yourself in the foot, but they're really not intended to be secure. ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
binary execute restrictions
How do I restrict normal users from executing their own compiled executable binary files? I use FreeBSD 4.9. - Jefferson ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
