Re: Preventing users from uploading their own binaries?
I mount all user writable filesystems no exec, this makes it more
difficult for users to execute there own programs:
$ mount
/dev/ida/c0d0p1 on / type ext3 (rw,errors=remount-ro)
proc on /proc type proc (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw)
/dev/ida/c0d0p5 on /tmp type ext3 (rw,noexec,nosuid,nodev)
/dev/ida/c0d0p6 on /usr type ext3 (rw)
/dev/ida/c0d0p7 on /var type ext3 (rw,noexec,nosuid,nodev)
/dev/ida/c0d0p8 on /home type reiserfs (rw,noexec,nosuid,nodev)
usbdevfs on /proc/bus/usb type usbdevfs (rw)
This breaks apt so you have to add a bit to your apt config to remount
the filesystems exec before installing any packages:
$ cat /etc/apt/apt.conf.d/99localsec
DPkg
{
Pre-Invoke { "mount /tmp -o remount,exec; mount
/var -o remount,exec" };
Post-Invoke { "mount /tmp -o remount,noexec; mount
/var -o remount,noexec" };
};
There are still ways to circumvent this via shared libraries, but it
makes is more difficult:
http://lists.debian.org/debian-devel/2003/05/msg01463.html
Hope this helps.
Dustin Lundquist
Peter Holm wrote:
Hi,
could anybody please give me a hint on how it is possible to disallow
users uploading their own statically linked binaries and execute
$anything on a server?
I am using a pretty basic woody with scponly (no ftp) and want them to
have some things like rsync, but nothing else.
It is a user account with an apache documentroot in it. So php
restrictions are set.
BTW: how do I prevent perl executing any binary on the server? Ok, I
make this another thread...
Thanks for your attention,
Peter
Reply to: