RE: execute permissions in /tmp
> On Sun, Jul 13, 2003 at 11:55:45PM -0400, Matt Zimmerman wrote:
> > If the user can read files in /tmp, they can execute the code in them.
>
> even if the user is a "nobody" that owns no files or
> directories and grsecurity, selinux or the like prevents
> him/her from directly executing code from world writeable directories?
>
> (I do not know, so I ask)
Grsecurity has a "trusted path execution" option.
Paste from config help:
CONFIG_GRKERNSEC_TPE:
If you say Y here, you will be able to choose a gid to add to the
supplementary groups of users you want to mark as "untrusted."
These users will not be able to execute any files that are not in
root-owned directories writeable only by root. If the sysctl option
is enabled, a sysctl option with name "tpe" is created.
Vincent
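
The rule in the config help above can be approximated from user space to audit which paths an "untrusted" user could still execute from. This is an added example, not part of the original message and not grsecurity's code. It assumes only the immediate parent directory is checked; the names tpe_allows, dir_is_trusted, fake_stat and SAMPLE_DIRS, the gid 1005 and the sample directory table are constructed for illustration.

```python
import os
import stat
from collections import namedtuple

# Minimal stand-in for os.stat_result, used by the constructed sample below.
FakeStat = namedtuple("FakeStat", "st_uid st_mode")

# Constructed sample data: directory -> (owner uid, mode).
SAMPLE_DIRS = {
    "/usr/bin": FakeStat(0, 0o040755),            # root-owned, root-writable only
    "/tmp": FakeStat(0, 0o041777),                # root-owned but world-writable
    "/home/alice/bin": FakeStat(1000, 0o040755),  # not root-owned
}


def fake_stat(path):
    """Look up a directory in the constructed sample table."""
    return SAMPLE_DIRS[path]


def dir_is_trusted(st):
    """True if the directory is owned by root and writable only by root."""
    other_writers = stat.S_IWGRP | stat.S_IWOTH
    return st.st_uid == 0 and not (st.st_mode & other_writers)


def tpe_allows(path, user_groups, untrusted_gid, stat_fn=os.stat):
    """Approximate the TPE decision for one file and one user.

    user_groups   -- set of gids the user belongs to (incl. supplementary)
    untrusted_gid -- the gid chosen to mark users as "untrusted"
    stat_fn       -- os.stat on a live system, or a stub for offline use
    """
    if untrusted_gid not in user_groups:
        return True  # user is not marked untrusted, the rule does not apply
    parent = os.path.dirname(os.path.abspath(path))
    return dir_is_trusted(stat_fn(parent))


if __name__ == "__main__":
    untrusted = {1000, 1005}  # constructed user with the "untrusted" gid
    for p in ("/usr/bin/id", "/tmp/payload", "/home/alice/bin/tool"):
        verdict = "allow" if tpe_allows(p, untrusted, 1005, fake_stat) else "deny"
        print(f"{verdict:5} {p}")
```

On a live system, drop the stat_fn argument so os.stat is used, and pass the user's real group set (for example from os.getgrouplist).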