Re: Help

To: debian-security@lists.debian.org
Subject: Re: Help
From: "Karl E. Jorgensen" <karl@jorgensen.com>
Date: Sat, 4 May 2002 22:51:43 +0100
Message-id: <[🔎] 20020504215143.GB7650@e-jorgensen.freeserve.co.uk>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 200205041953.g44Jr24O006643@mail-out2.cytanet.com.cy>
References: <[🔎] 20020504161325.GA5345@ids.org.au> <[🔎] Pine.LNX.4.21.0205031803140.339-100000@euler.nac.net> <[🔎] 20020504000629.GB26942@gashuffer.steve.home> <[🔎] 200205041953.g44Jr24O006643@mail-out2.cytanet.com.cy>

On Sat, May 04, 2002 at 10:53:02PM +0300, Daniel Fairhead wrote:
> > Secondly, with response to the original post, I think that there is
> > an unjustified level of paranoia by the network admin. High school
> > children are at best going to be script kiddies. Secondly, your
> > school should
> 
> [ snip ]
>
> > have an ethics agreement between the children and the school (signed
> > by parents) binding the users to a legal agreement of use.
> 
> I know I would respect that, and most kids would. If they understood
> it. I think perhaps signed by the children as well might be an idea,
> because then they would have personal responsibility to the agreement,
> and would add a certain "adult" element to it which would not be there
> if their parents only signed it.
> 
> > With that in place, I'd like to see how many of your students dare
> > try anything on your computers knowing that they can be expelled for
> > breaching the agreement.
> 
> *grins* I wouldn't! However, from the original it sounds as if C is
> worried about students scripts being run on the server... could
> students have to explicitly ask for shell permission (which would
> reduce the number of people in a "suspectable" list in case of a
> problem) and then be told that they are responsible for that user. On
> the same note, disallowing exec on the /home and on /tmp and making
> "sh"/BASH/perl/etc only able to run in interactive mode for students
> would solve that problem.

A note of caution: mounting a filesystem with the noexec option does
*not* prevent execution of programs from that filesystem. It merely
makes it slightly more cumbersome; 

    $ /bin/bash /tmp/kiddie-shell-script

[ this is not limited to interpreted scripts (perl, sh, bash etc), but
even ELF executables can be easily executed ]

Besides, I believe that dpkg (or was it some other essential debian
program) relies on being able to execute scripts in /tmp ...

Bottom line: mounting with noexec does not provide any real security;
only a minor obstacle that is easy to overcome by somebody with
relatively low skill. 

-- 
Karl E. Jørgensen
karl@jorgensen.com
www.karl.jorgensen.com
Please read http://www.pantsfullofunix.net before reporting bugs in my code.

Attachment: pgptPdP7vUqpf.pgp
Description: PGP signature

Reply to:

References:
- Re: Help
  - From: Ian Cumming <ian@ids.org.au>
- Help
  - From: Brian Furry <brian@euler.nac.net>
- Re: Help
  - From: Stephen Gran <gashuffer09@comcast.net>
- Re: Re: Help
  - From: Daniel Fairhead <ralphtheraccoon@uk2.net>

Prev by Date: Re: Re: Help
Next by Date: UNSUBSCRIBE
Previous by thread: Re: Re: Help
Next by thread: Re: Help
Index(es):
- Date
- Thread