[Ilugc] Restricting Access

Binand Sethumadhavan binand at gmail.com
Wed Jun 21 15:53:04 IST 2006


On 21/06/06, Raja Subramanian <rajasuperman at gmail.com> wrote:
> Enabling global read access will allow users to copy the binary to say /tmp,
> "fix" the permissions and run the app anyway.  You probably want mode 750.
> In any case, this is not the way to restrict users from running apps.

Indeed. The user can copy the binary over from another machine and in
99 cases out of 100, it will work.

> Binand's post with restricted shells is The Right Way(tm).

Well, rbash should be carefully thought out as well. If any of the
programs you put in allowed-apps lets the user run a shell escape
or refers to an external program, rbash can be beaten easily.

Binand
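
An audit of the allowed-apps directory mentioned in the reply above, as an added example that is not part of the original post. It assumes allowed-apps is a directory holding one symlink or binary per permitted command; the function names and the RISKY_APPS list are constructed for illustration and the list is not exhaustive.

```bash
#!/bin/sh
# Added example: audit an rbash "allowed-apps" directory (assumed layout: one
# symlink or binary per permitted command) for programs that can start a
# shell or run another program on the user's behalf.

# Constructed, non-exhaustive list of such programs; extend it for your site.
RISKY_APPS="sh bash dash ksh zsh csh tcsh vi vim view ex ed nano emacs less
more man awk gawk find env xargs tar ftp sftp ssh scp gdb python python3 perl
ruby lua mail mutt screen tmux nohup watch"

# True if the given command name is on the list (also matches "vim.basic").
is_risky() {
    for risky in $RISKY_APPS; do
        case $1 in "$risky"|"$risky".*) return 0 ;; esac
    done
    return 1
}

# Prints one line per finding. Returns 0 if nothing was flagged, 1 otherwise.
# The body runs in a subshell so its variables do not leak into the caller.
audit_allowed_apps() (
    dir=$1
    findings=0
    # A directory writable by group or others lets a user add any command.
    if [ -n "$(find -H "$dir" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "WRITABLE $dir"
        findings=1
    fi
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$entry" ] || continue
        name=$(basename "$entry")
        # Resolve symlinks so a renamed link to a risky binary is still caught.
        target=$(readlink -f "$entry")
        if is_risky "$name" || is_risky "$(basename "$target")"; then
            echo "RISKY $name -> $target"
            findings=1
        fi
    done
    return "$findings"
)

# Stand-alone use: pass the directory to audit as the first argument.
if [ "$#" -gt 0 ]; then
    audit_allowed_apps "$1"
fi
```

A clean result only means no listed program was found; each remaining command still needs a manual check for options that run other programs.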

