On Sat, May 04, 2002 at 10:53:02PM +0300, Daniel Fairhead wrote: > > Secondly, with response to the original post, I think that there is > > an unjustified level of paranoia by the network admin. High school > > children are at best going to be script kiddies. Secondly, your > > school should > > [ snip ] > > > have an ethics agreement between the children and the school (signed > > by parents) binding the users to a legal agreement of use. > > I know I would respect that, and most kids would. If they understood > it. I think perhaps signed by the children as well might be an idea, > because then they would have personal responsibility to the agreement, > and would add a certain "adult" element to it which would not be there > if their parents only signed it. > > > With that in place, I'd like to see how many of your students dare > > try anything on your computers knowing that they can be expelled for > > breaching the agreement. > > *grins* I wouldn't! However, from the original it sounds as if C is > worried about students scripts being run on the server... could > students have to explicitly ask for shell permission (which would > reduce the number of people in a "suspectable" list in case of a > problem) and then be told that they are responsible for that user. On > the same note, disallowing exec on the /home and on /tmp and making > "sh"/BASH/perl/etc only able to run in interactive mode for students > would solve that problem. A note of caution: mounting a filesystem with the noexec option does *not* prevent execution of programs from that filesystem. It merely makes it slightly more cumbersome; $ /bin/bash /tmp/kiddie-shell-script [ this is not limited to interpreted scripts (perl, sh, bash etc), but even ELF executables can be easily executed ] Besides, I believe that dpkg (or was it some other essential debian program) relies on being able to execute scripts in /tmp ... Bottom line: mounting with noexec does not provide any real security; only a minor obstacle that is easy to overcome by somebody with relatively low skill. -- Karl E. Jørgensen firstname.lastname@example.org www.karl.jorgensen.com Please read http://www.pantsfullofunix.net before reporting bugs in my code.
Description: PGP signature