[Ilugc] Restricting Access
binand at gmail.com
Wed Jun 21 15:53:04 IST 2006
On 21/06/06, Raja Subramanian <rajasuperman at gmail.com> wrote:
> Enabling global read access will allow users to copy the binary to say /tmp,
> "fix" the permissions and run the app anyway. You probably want mode 750.
> In any case, this is not the way to restrict users from running apps.
Indeed. The user can copy the binary over from another machine and in
99 cases out of 100, it will work.
> Binand's post with restricted shells is The Right Way(tm).
Well, rbash should be carefully thought out as well. If any of the
programs you put in allowed-apps lets the user run a shell escape
or refers to an external program, rbash can be beaten easily.
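
An audit of the allowed-apps directory along the lines of the caveat above, as an added example that is not part of the original post. The program list is a constructed starting point rather than a complete one, and the function name and the path in the usage comment are hypothetical.

```shell
#!/bin/sh
# Flag entries in a restricted-shell command directory that are known to be
# able to start another program (shell escape, pager/editor "!" command,
# -exec style options). ESCAPE_CAPABLE is a constructed list: extend it for
# your own systems, and treat anything unlisted as unreviewed, not as safe.
ESCAPE_CAPABLE="sh bash dash ksh zsh csh tcsh vi vim view ex ed emacs less more man awk gawk find ftp telnet ssh gdb perl python python3 ruby env xargs"

# audit_allowed_apps DIR  (hypothetical helper name)
# Prints "entry -> resolved target" for every flagged entry.
# Returns 1 if anything was flagged, 0 if the directory passed.
audit_allowed_apps() {
    dir=$1
    flagged=0
    for entry in "$dir"/*; do
        # Skip the unexpanded glob of an empty directory.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        # Entries are usually symlinks, and the link name can hide the real
        # program, so check both the link name and the resolved target name.
        target=$(readlink -f "$entry" 2>/dev/null) || target=$entry
        for name in "$(basename "$entry")" "$(basename "$target")"; do
            case " $ESCAPE_CAPABLE " in
                *" $name "*)
                    printf '%s -> %s\n' "$(basename "$entry")" "$target"
                    flagged=1
                    break
                    ;;
            esac
        done
    done
    return "$flagged"
}

# Usage (hypothetical path):
#   audit_allowed_apps /home/restricted/allowed-apps || echo "review needed"
```

A clean result only means no listed name was found; each remaining program still needs its manual page checked for options that run external commands.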