On 05/30/2011 02:27 PM, Matteo Sessa wrote:
Hi all,
I'm regularly using Spacewalk to issue remote commands on my systems after
configuration file deploys, and I've noticed that the
/usr/share/rhn/actions/script.py library that performs the script execution
temporarily writes the provided script to /tmp/rhn-remote-script by default.
According to NSA's RHEL hardening guide [1][2], the /tmp directory should reside on a separate
filesystem and should be mounted with the noexec,nosuid options. So I did, and now remote command
execution fails with "Permission Denied" when it performs the execve call. (Actually the
script doesn't report the problem to Spacewalk; it just returns "Script failed" (code 1),
so I had to debug the problem with strace.)
I understand this isn't properly a bug but rather a conflict, so I came up with
a couple of possible solutions/questions:
1 - Is there a global way of changing the temporary directory for
rhn-remote-script, and is there a suitable directory on a default install that
can host the file without raising SELinux AVCs?
2 - Could Spacewalk provide a dedicated directory, let's say /var/spool/rhn, with
proper labeling and permissions?
3 - Could Spacewalk change the way a script is executed by not relying on the
shebang anymore, letting the user specify the executable (/bin/sh for
example) in a separate field, so that /tmp/rhn-remote-script is no longer
executable and is instead passed as an argument to the actual program?
Hi,
Unfortunately the noexec mount option does not help that much to prevent
executing scripts. It only prevents executing stuff directly:
# /tmp/script.sh
-bash: /tmp/script.sh: Permission denied
# bash /tmp/script.sh
Hello World
The same works with python, perl, etc. As soon as you execute an interpreter
and pass the actual script as a parameter, it will get executed.
For the sake of security it would be great to have the scripts written
to the proposed directory /var/spool/rhn in the future.
Rgds
Luc
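As an added illustration of the failure Matteo describes (example code, not Spacewalk's script.py): a script.py-style runner that writes the script to `<tmpdir>/rhn-remote-script` and executes it via its shebang, but when execve is refused with EACCES it checks the mount options and file mode and reports the cause instead of a bare "Script failed". The /proc/mounts text is passed in as a parameter (constructed in the caller) so the check runs offline; the function names are hypothetical.

```python
"""Added example, not part of Spacewalk: diagnose why executing the
temporary remote script was refused (noexec mount, missing x bit)."""
import errno
import os
import stat
import subprocess


def mount_options_for(path, mounts_text):
    """Return the option set of the most specific mount containing `path`.
    `mounts_text` is /proc/mounts-format text: dev mountpoint fstype opts ..."""
    best, opts = "", ""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mnt = fields[1]
        inside = path == mnt or path.startswith(mnt.rstrip("/") + "/")
        if inside and len(mnt) > len(best):  # longest prefix wins
            best, opts = mnt, fields[3]
    return set(opts.split(",")) if opts else set()


def diagnose_exec_refusal(script_path, mounts_text):
    """Explain an EACCES returned by execve() on script_path."""
    if "noexec" in mount_options_for(script_path, mounts_text):
        return "filesystem holding %s is mounted noexec" % script_path
    mode = os.stat(script_path).st_mode
    if not mode & stat.S_IXUSR:
        return "%s is not executable (mode %o)" % (script_path, stat.S_IMODE(mode))
    return "execve refused for an unknown reason (check SELinux AVCs)"


def run_remote_script(body, tmpdir, mounts_text):
    """Write `body` to tmpdir/rhn-remote-script and run it via its shebang,
    as script.py does. Returns (exit_code, stdout, diagnosis_or_None)."""
    path = os.path.join(tmpdir, "rhn-remote-script")
    with open(path, "w") as f:
        f.write(body)
    os.chmod(path, 0o700)  # owner-only, executable: the usual script.py shape
    try:
        proc = subprocess.run([path], capture_output=True, text=True)
    except OSError as e:
        if e.errno == errno.EACCES:
            # Instead of swallowing this as "Script failed", say why.
            return 1, "", diagnose_exec_refusal(path, mounts_text)
        raise
    return proc.returncode, proc.stdout, None
```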
_______________________________________________
Spacewalk-devel mailing list
Spacewalk-devel@redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-devel