| 1 |
On 9 Dec 2005, at 17:29, Spider (D.m.D. Lj.) wrote: |
| 2 |
|
| 3 |
> On Fri, 2005-12-09 at 18:21 +0100, Jesús García Crespo wrote: |
| 4 |
>> Hi! I thought that GCC could means a risk if all of the users of my |
| 5 |
>> system are able to run it! I talked this with a friend and he |
| 6 |
>> propossed |
| 7 |
>> to create a new group, "compiler", for example, where all the users |
| 8 |
>> who will be able to run gcc must belong to it! |
| 9 |
>> |
| 10 |
>> Wouldn't be interesting to implement this into Gentoo gcc ebuild |
| 11 |
>> as an |
| 12 |
>> USE? |
| 13 |
> |
| 14 |
> |
| 15 |
> Exactly what risk is there from an end-user running a compiler? A |
| 16 |
> compiler doesn't access any kind of restricted environment, doesn't |
| 17 |
> auytomatically create binaries with other rights than its own and is |
| 18 |
> about as "safe" a product as there can be. |
| 19 |
> |
| 20 |
> And if you think that users running their own programs is a risk, |
| 21 |
> simply |
| 22 |
> mount /home as noexec, ( make sure to impose the same limitations |
| 23 |
> on /tmp and /var/tmp as well, since users have write-access there) |
| 24 |
> |
| 25 |
> |
| 26 |
> And.. really. python, perl, awk, bash ... All of those are fully |
| 27 |
> capable |
| 28 |
> of creating and running programs. And no, I do not think you can limit |
| 29 |
> the use thereof from user accounts.: ) |
| 30 |
> |
| 31 |
|
| 32 |
Don't forget you can run a normal executable with noexec as well: |
| 33 |
|
| 34 |
/lib/ld-linux.so some_executable |
| 35 |
|
| 36 |
Which basically makes noexec on a mount completely useless. Try it: |
| 37 |
mount some partition with noexec, copy bash to it, and run it with |
| 38 |
the above. |
| 39 |
|
| 40 |
> |
| 41 |
> If you're really paranoid about execution and so on, start reading the |
| 42 |
> SELinux FAQ and create a ruleset.. The default one is probably more |
| 43 |
> lenient than you want it ;) |
| 44 |
> |
| 45 |
> //Spider |
| 46 |
> -- |
| 47 |
> begin .signature |
| 48 |
> Tortured users / Laughing in pain |
| 49 |
> See Microsoft KB Article Q265230 for more information. |
| 50 |
> end |
| 51 |
> |
| 52 |
|
| 53 |
Chris |
| 54 |
|
| 55 |
-- |
| 56 |
Chris Boot |
| 57 |
bootc@×××××.net |
| 58 |
http://www.bootc.net/ |
| 59 |
|
| 60 |
|
| 61 |
|
| 62 |
-- |
| 63 |
gentoo-user@g.o mailing list |
Archives