
Re: limiting user access



(sent to both debian-user and debian-policy, please be careful with
replies)

Nathan E Norman <finn@midco.net> writes:

> On Thu, 12 Feb 1998, Paul Miller wrote:
> : hmm... how would that stop users from running programs they copied onto my
> : server? 
> Mount the /home partition noexec.  In fact, make sure any user writable
> partition is mounted noexec.  If your users can copy files to /usr, then
> you've got a fairly big problem.

But what about /var? /var/tmp should be world writable (albeit sticky)
according to the FSSTND, but at least a couple of packages use /var
for executable files, notably dpkg (/var/lib/dpkg/info/*), and the
distributed-net client (/var/lib/distributed-net/distributed-net).

(a couple of programs also mistakenly mark data files as executable:
/var/qmail/users/assign (qmail) and /tmp/vi.recover/vi.[something]
(nvi))

In any case, this solution would work fine if you're able to separate
/var and /var/lib, making /var noexec, and ensuring there are no user
writable directories within /var/lib.

Is it worth considering a policy change that no system executables
should be placed within /var?

BTW, if /var was noexec, it remains possible to have something like
/var/lib/distributed-net/distributed-net -> /usr/bin/distributed-net,
and still be able to cd /var/lib/distributed-net; ./distributed-net,
which, I believe, should solve that package's concern that its .ini
file must be `argv[0]'.ini.

> Note that this doesn't keep the user from running shell scripts, or perl
> scripts, or any other interpreted scripts, unless you limit access to
> interpreters (including shells). 

(and note that in most cases they could just as easily run the
interpreter and type the program in themselves anyway. Certainly, I've
done the same on one of the uni accounts I use. If you don't want
users to run scripts (why?), you'll need to get rid of their access to
the interpreters, presumably by running in a chroot environment...)

> Of course, you could mount the /home
> directory read-only, but that limits its utility.

And the /tmp and /var/tmp directories as well. Which kinda limits
their utility too.
 
Cheers,
aj

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. PGP encrypted mail preferred.

      ``It's not a vision, or a fear. It's just a thought.''
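As an added illustration of the noexec discussion above (this is not code from the mail or its author), the script below audits a mount table in /proc/mounts format: it lists filesystems that still permit execution and shows which mount, and therefore which options, governs a given directory such as /var/tmp or /var/lib/dpkg/info. The mount table is constructed for the example.

```shell
# Added example, not from the original mail. Audits a mount table in
# /proc/mounts format: which filesystems still allow execution, and which
# mount (with its options) governs a given directory. Table is constructed.

SAMPLE_MOUNTS='/dev/sda1 / ext2 rw 0 0
/dev/sda2 /home ext2 rw,nosuid,nodev,noexec 0 0
/dev/sda3 /var ext2 rw,nosuid,noexec 0 0
/dev/sda4 /var/lib ext2 rw,nosuid 0 0
/dev/sda5 /tmp ext2 rw,nosuid,nodev,noexec 0 0'

# has_opt OPTS NAME: true when NAME appears in the comma-separated OPTS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# exec_allowed_mounts: read a mount table on stdin and print mount points
# that are writable (not "ro") and not "noexec".
exec_allowed_mounts() {
    while read -r _dev mnt _fstype opts _rest; do
        if ! has_opt "$opts" noexec && ! has_opt "$opts" ro; then
            printf '%s\n' "$mnt"
        fi
    done
}

# path_is_under PATH MNT: true when PATH lives on or below MNT.
path_is_under() {
    [ "$2" = / ] && return 0
    case "$1" in "$2"|"$2"/*) return 0 ;; esac
    return 1
}

# mount_for_path PATH: read a mount table on stdin and print the deepest
# mount point covering PATH with its options (the one the kernel applies).
mount_for_path() {
    best= best_opts=
    while read -r _dev mnt _fstype opts _rest; do
        if path_is_under "$1" "$mnt" && [ ${#mnt} -ge ${#best} ]; then
            best=$mnt best_opts=$opts
        fi
    done
    printf '%s %s\n' "$best" "$best_opts"
}

printf '%s\n' "$SAMPLE_MOUNTS" | exec_allowed_mounts
```

With this table, /var/tmp inherits noexec from /var, while /var/lib (a separate mount without noexec) keeps dpkg's scripts runnable, which is the split the mail proposes.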

