
Re: Preventing users from uploading their own binaries?



I mount all user-writable filesystems noexec, which makes it more difficult for users to execute their own programs:
	$ mount
	/dev/ida/c0d0p1 on / type ext3 (rw,errors=remount-ro)
	proc on /proc type proc (rw)
	devpts on /dev/pts type devpts (rw,gid=5,mode=620)
	tmpfs on /dev/shm type tmpfs (rw)
	/dev/ida/c0d0p5 on /tmp type ext3 (rw,noexec,nosuid,nodev)
	/dev/ida/c0d0p6 on /usr type ext3 (rw)
	/dev/ida/c0d0p7 on /var type ext3 (rw,noexec,nosuid,nodev)
	/dev/ida/c0d0p8 on /home type reiserfs (rw,noexec,nosuid,nodev)
	usbdevfs on /proc/bus/usb type usbdevfs (rw)
This breaks apt, so you have to add a bit to your apt config to remount the filesystems exec before installing any packages:
	$ cat /etc/apt/apt.conf.d/99localsec
	DPkg
	{
	        Pre-Invoke  { "mount /tmp -o remount,exec; mount /var -o remount,exec" };
	        Post-Invoke { "mount /tmp -o remount,noexec; mount /var -o remount,noexec" };
	};

There are still ways to circumvent this via shared libraries, but it makes it more difficult:
	http://lists.debian.org/debian-devel/2003/05/msg01463.html

Hope this helps.


Dustin Lundquist


Peter Holm wrote:
Hi,

could anybody please give me a hint on how it is possible to disallow
users uploading their own statically linked binaries and execute
$anything on a server?
I am using a pretty basic woody with scponly (no ftp) and want them to
have some things like rsync, but nothing else.
It is a user account with an apache documentroot in it. So php
restrictions are set.
BTW: how do I prevent perl executing any binary on the server? Ok, I
make this another thread...

Thanks for your attention,
Peter
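As an added example (this is not code from Dustin's post, from Peter, or from Debian), here is a POSIX sh audit script for the hardening described above: it reads a mount table, either `mount` output like the listing in the post or `/proc/mounts` lines, and reports every user-writable mount point that is missing noexec, nosuid or nodev. The list of user-writable mount points in WRITABLE_MOUNTS is an assumption to adjust for your own layout. Run against the listing quoted in the post it flags /dev/shm, which is world-writable but mounted plain (rw).

```shell
#!/bin/sh
# Added example (not code from the post or from Debian): audit a mount table
# for user-writable filesystems that are not mounted noexec,nosuid,nodev.
# Accepts either `mount` output ("dev on /mnt type fs (opts)") or
# /proc/mounts lines ("dev /mnt fs opts 0 0") on stdin.

# Assumption: these are the mount points unprivileged users can write to;
# adjust for your own layout (e.g. add /srv or per-site document roots).
WRITABLE_MOUNTS="/tmp /var /var/tmp /home /dev/shm"
WANTED_OPTS="noexec nosuid nodev"

# audit_mounts: print "<mountpoint> missing: <opt>..." for every writable
# mount point lacking one of WANTED_OPTS. Returns 0 if nothing is missing,
# 1 if at least one finding was printed.
audit_mounts() {
    rc=0
    while read -r f1 f2 f3 f4 f5 f6 rest; do
        if [ "$f2" = "on" ] && [ "$f4" = "type" ]; then
            mnt=$f3; opts=$f6          # `mount` output format
        else
            mnt=$f2; opts=$f4          # /proc/mounts format
        fi
        case " $WRITABLE_MOUNTS " in
            *" $mnt "*) ;;             # a mount point users can write to
            *) continue ;;
        esac
        # Normalise "(rw,noexec,nosuid)" or "rw,noexec,nosuid" to ",rw,noexec,nosuid,"
        # so each option can be matched as a whole word.
        optlist=",$(printf '%s' "$opts" | tr -d '()'),"
        missing=""
        for o in $WANTED_OPTS; do
            case "$optlist" in
                *",$o,"*) ;;
                *) missing="$missing $o" ;;
            esac
        done
        if [ -n "$missing" ]; then
            printf '%s missing:%s\n' "$mnt" "$missing"
            rc=1
        fi
    done
    return "$rc"
}

# sample_mount_table: the `mount` listing quoted in the post, used here as
# constructed offline input. /dev/shm is world-writable but mounted plain
# (rw), so it is the one line the audit should flag.
sample_mount_table() {
    cat <<'EOF'
/dev/ida/c0d0p1 on / type ext3 (rw,errors=remount-ro)
proc on /proc type proc (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw)
/dev/ida/c0d0p5 on /tmp type ext3 (rw,noexec,nosuid,nodev)
/dev/ida/c0d0p6 on /usr type ext3 (rw)
/dev/ida/c0d0p7 on /var type ext3 (rw,noexec,nosuid,nodev)
/dev/ida/c0d0p8 on /home type reiserfs (rw,noexec,nosuid,nodev)
usbdevfs on /proc/bus/usb type usbdevfs (rw)
EOF
}

if sample_mount_table | audit_mounts; then
    echo "sample listing: all user-writable mounts are noexec,nosuid,nodev"
else
    echo "sample listing: see findings above"
fi

# Also check the live system when /proc/mounts is readable (Linux only).
if [ -r /proc/mounts ]; then
    echo "live /proc/mounts:"
    audit_mounts < /proc/mounts || true
fi
```

Because the apt hook above only remounts /tmp and /var, running this after an `apt-get` run is a cheap way to confirm that Post-Invoke actually put noexec back; a non-zero exit status is the signal to act on in a cron job.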



